diff --git a/CHANGELOG.md b/CHANGELOG.md index b9bdfe168d..855ee044d2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,11 +4,43 @@ * AADAccessReviewDefinition * Initial release. +* AADAuthenticationMethodPolicyExternal + * Initial release. +* AADCustomSecurityAttributeDefinition + * Fixed missing permissions in settings.json +* AADIdentityB2XUserFlow + * Initial release. * AADIdentityGovernanceProgram * Initial release. +* AADIdentityAPIConnector + * Initial release. +* AADOrganizationCertificateBasedAuthConfiguration + * Initial release. +* AADSocialIdentityProvider + * Fixed missing permissions in settings.json +* EXOMailboxAuditBypassAssociation + * Initial release. +* Intune workload + * Fixed missing permissions in settings.json +* SentinelAlertRule + * Initial release. +* SentinelThreatIntelligenceIndicator + * Initial release. +* SPOTenantSettings + * Added support for AllowSelectSGsInODBListInTenant, + DenySelectSGsInODBListInTenant, DenySelectSecurityGroupsInSPSitesList, + AllowSelectSecurityGroupsInSPSitesList, + ExemptNativeUsersFromTenantLevelRestricedAccessControl properties. + * TenantDefaultTimezone changed to String instead of Array. * M365DSCDRGUtil * Fixes an issue where non-unique properties were not combined properly with their respective parent setting. +* DEPENDENCIES + * Updated ExchangeOnlineManagement to version 3.6.0. + * Updated Microsoft.Graph to version 2.24.0. + * Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.199. + * Updated MSCloudLoginAssistant to version 1.1.27 + * Updated MicrosoftTeams to version 6.6.0. # 1.24.1016.1 @@ -24,6 +56,8 @@ * Initial release. * AADConnectorGroupApplicationProxy * Initial release. +* AADCustomAuthenticationExtension + * Initial release. * AADCustomSecurityAttributeDefinition * Initial release. * AADDeviceRegistrationPolicy 
@@ -35,7 +69,8 @@ * AADLifecycleWorkflowSettings * Initial release. * AADServicePrincipal - * Adding Delegated Permission Classification Property + * Added Delegated Permission Classification Property + * Added Custom Security Attributes Property * ADOPermissionGroupSettings * Initial release. * EXOATPBuiltInProtectionRule @@ -77,6 +112,8 @@ * TeamsUpgradePolicy * Added support for tenant wide changes using the * value for users. FIXES [#5174](https://github.com/microsoft/Microsoft365DSC/issues/5174) +* TeamsGroupPolicyAssignments + * FIXES [#5179](https://github.com/microsoft/Microsoft365DSC/issues/5179) * M365DSCDRGUtil * Fixes an issue for the handling of skipped one-property elements in the Settings Catalog. FIXES [#5086](https://github.com/microsoft/Microsoft365DSC/issues/5086) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.psm1 new file mode 100644 index 0000000000..18533817f8 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.psm1 
@@ -0,0 +1,678 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ExcludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $IncludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OpenIdConnectSetting, + + [Parameter()] + [ValidateSet('enabled', 'disabled')] + [System.String] + $State, + + [Parameter()] + [System.String] + $AppId, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + + if (-Not [string]::IsNullOrEmpty($DisplayName)) + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $getValue = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + else + { + $response = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/" + $getValue = $response.authenticationMethodConfigurations | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + } + + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Authentication Method Policy External with DisplayName {$DisplayName}" + return $nullResult + } + + Write-Verbose -Message "An Azure AD Authentication Method Policy External with displayName {$DisplayName} was found." 
+ + #region resource generator code + $complexExcludeTargets = @() + foreach ($currentExcludeTargets in $getValue.excludeTargets) + { + $myExcludeTargets = @{} + if ($currentExcludeTargets.id -ne 'all_users'){ + $myExcludeTargetsDisplayName = get-MgGroup -GroupId $currentExcludeTargets.id + $myExcludeTargets.Add('Id', $myExcludeTargetsDisplayName.DisplayName) + } + else{ + $myExcludeTargets.Add('Id', $currentExcludeTargets.id) + } + if ($null -ne $currentExcludeTargets.targetType) + { + $myExcludeTargets.Add('TargetType', $currentExcludeTargets.targetType.toString()) + } + if ($myExcludeTargets.values.Where({ $null -ne $_ }).count -gt 0) + { + $complexExcludeTargets += $myExcludeTargets + } + } + #endregion + + $complexincludeTargets = @() + foreach ($currentincludeTargets in $getValue.includeTargets) + { + $myincludeTargets = @{} + if ($currentIncludeTargets.id -ne 'all_users'){ + $myIncludeTargetsDisplayName = get-MgGroup -GroupId $currentIncludeTargets.id + $myIncludeTargets.Add('Id', $myIncludeTargetsDisplayName.DisplayName) + } + else{ + $myIncludeTargets.Add('Id', $currentIncludeTargets.id) + } + if ($null -ne $currentincludeTargets.targetType) + { + $myincludeTargets.Add('TargetType', $currentincludeTargets.targetType.toString()) + } + if ($myincludeTargets.values.Where({ $null -ne $_ }).count -gt 0) + { + $complexincludeTargets += $myincludeTargets + } + } + + $complexOpenIdConnectSetting = @{ + clientId = $getValue.OpenIdConnectSetting.ClientId + discoveryUrl = $getValue.OpenIdConnectSetting.DiscoveryUrl + } + + #region resource generator code + $enumState = $null + if ($null -ne $getValue.State) + { + $enumState = $getValue.State.ToString() + } + #endregion + + $results = @{ + #region resource generator code + ExcludeTargets = $complexExcludeTargets + IncludeTargets = $complexincludeTargets + OpenIdConnectSetting = $complexOpenIdConnectSetting + State = $enumState + AppId = $getValue.appId + DisplayName = $getValue.displayName + Ensure = 'Present' + 
Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + #endregion + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ExcludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $IncludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OpenIdConnectSetting, + + [Parameter()] + [ValidateSet('enabled', 'disabled')] + [System.String] + $State, + + [Parameter()] + [System.String] + $AppId, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + $params = ([Hashtable]$BoundParameters).clone() + $params = Rename-M365DSCCimInstanceParameter -Properties $params + + $params = Get-UpdatedTargetProperty($params) + + $params.Add('@odata.type', '#microsoft.graph.externalAuthenticationMethodConfiguration') + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating the Azure AD Authentication Method Policy External with name {$DisplayName}" + + $newobj = New-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -BodyParameter $params + + Write-Verbose -Message "Creating the Azure AD Authentication Method Policy External with name {$($newObj.displayName)}" + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Authentication Method Policy External with name {$($currentInstance.displayName)}" + + $response = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/" + $getValue = $response.authenticationMethodConfigurations | Where-Object -FilterScript {$_.displayName -eq $currentInstance.displayName} + + $params.Remove('displayName') | Out-Null + + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration ` + -AuthenticationMethodConfigurationId $getValue.Id ` + -BodyParameter $params + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message 
"Removing the Azure AD Authentication Method Policy External with Id {$($currentInstance.displayName)}" + + $response = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/" + $getValue = $response.authenticationMethodConfigurations | Where-Object -FilterScript {$_.displayName -eq $currentInstance.displayName} + + Remove-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId $getValue.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ExcludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $IncludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OpenIdConnectSetting, + + [Parameter()] + [ValidateSet('enabled', 'disabled')] + [System.String] + $State, + + [Parameter()] + [System.String] + $AppId, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Authentication Method Policy External with Name {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source + + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, 
+ + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + $desiredType = "#microsoft.graph.externalAuthenticationMethodConfiguration" + $getPolicy = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/" + $getValue = $getPolicy.AuthenticationMethodConfigurations | Where-Object -FilterScript {$_.'@odata.type' -eq $desiredType} + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.displayName + + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $config.displayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + 
$Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.ExcludeTargets) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.ExcludeTargets ` + -CIMInstanceName 'AADAuthenticationMethodPolicyExternalExcludeTarget' + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.ExcludeTargets = $complexTypeStringResult + } + else + { + $Results.Remove('ExcludeTargets') | Out-Null + } + } + + if ($null -ne $Results.IncludeTargets) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.IncludeTargets ` + -CIMInstanceName 'AADAuthenticationMethodPolicyExternalIncludeTarget' + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.IncludeTargets = $complexTypeStringResult + } + else + { + $Results.Remove('IncludeTargets') | Out-Null + } + } + + if ($null -ne $Results.OpenIdConnectSetting) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.OpenIdConnectSetting ` + -CIMInstanceName 'AADAuthenticationMethodPolicyExternalOpenIdConnectSetting' + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.OpenIdConnectSetting = $complexTypeStringResult + } + else + { + $Results.Remove('OpenIdConnectSetting') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.ExcludeTargets) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ExcludeTargets' -IsCIMArray:$True + } + if ($Results.IncludeTargets) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'IncludeTargets' -IsCIMArray:$True + } + if 
($Results.OpenIdConnectSetting) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'OpenIdConnectSetting' -IsCIMArray:$False + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-UpdatedTargetProperty +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter()] + [System.Collections.Hashtable] + $params + ) + + $keys = (([Hashtable]$params).clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $params.$key -and $params.$key.getType().Name -like '*cimInstance*') + { + $params.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $params.$key + } + if ($key -eq 'IncludeTargets') + { + $i = 0 + foreach ($entry in $params.$key){ + if ($entry.id -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$|all_users') + { + $Filter = "Displayname eq '$($entry.id)'" | Out-String + $params.$key[$i].foreach('id',(Get-MgGroup -Filter $Filter).id.ToString()) + } + $i++ + } + } + if ($key -eq 'ExcludeTargets') + { + $i = 0 + foreach ($entry in $params.$key){ + if ($entry.id -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$|all_users') + { + $Filter = "Displayname eq '$($entry.id)'" | Out-String + $params.$key[$i].foreach('id',(Get-MgGroup -Filter $Filter).id.ToString()) + } + $i++ + } + } + } + + return $params +} + +Export-ModuleMember -Function *-TargetResource 
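Review bot: Get-UpdatedTargetProperty resolves IncludeTargets/ExcludeTargets group display names with `(Get-MgGroup -Filter $Filter).id.ToString()`, which throws on zero matches (`.ToString()` on `$null`) and, because display names are not unique in Entra ID, turns several matches into an `.id` array whose `.ToString()` is `System.Object[]` — the policy is then written with a bogus target id, or an include/exclude target can resolve to a different group than the one intended. The filter is also built by interpolating the raw display name, so a name containing `'` yields an invalid OData filter, `| Out-String` appends a newline to it, and the `all_users` alternative in the `-notmatch` pattern is unanchored, so any name containing that substring skips resolution. The IncludeTargets and ExcludeTargets branches are identical copies and can be merged; the rewrite below requires exactly one match and escapes the quote. Related: in Get-TargetResource the reverse `get-MgGroup -GroupId` lookups run inside the try whose catch returns `$nullResult` with Ensure 'Absent', so a target group that has since been deleted makes the whole policy report as absent instead of surfacing the lookup error.
```powershell
        if ($key -eq 'IncludeTargets' -or $key -eq 'ExcludeTargets')
        {
            $i = 0
            foreach ($entry in $params.$key)
            {
                # Only resolve values that are neither an object id nor the literal 'all_users'.
                if ($entry.id -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$|^all_users$')
                {
                    # OData string literals escape a single quote by doubling it.
                    $escapedName = $entry.id.Replace("'", "''")
                    $groups = @(Get-MgGroup -Filter "DisplayName eq '$escapedName'")
                    # Display names are not unique; refuse ambiguous or missing matches rather
                    # than writing a wrong (or 'System.Object[]') id into the policy target.
                    if ($groups.Count -ne 1)
                    {
                        throw "Expected exactly one group named '$($entry.id)' for $key, found $($groups.Count)."
                    }
                    $params.$key[$i].foreach('id', $groups[0].Id)
                }
                $i++
            }
        }
```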
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.schema.mof
new file mode 100644
index 0000000000..00077c4287
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.schema.mof
@@ -0,0 +1,39 @@
+[ClassVersion("1.0.0")]
+class MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget
+{
+ [Write, Description("The object identifier of an Azure AD group.")] String Id;
+ [Write, Description("The type of the authentication method target. Possible values are: group and unknownFutureValue."), ValueMap{"user","group","unknownFutureValue"}, Values{"user","group","unknownFutureValue"}] String TargetType;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget
+{
+ [Write, Description("The object identifier of an Azure AD group.")] String Id;
+ [Write, Description("The type of the authentication method target. Possible values are: group and unknownFutureValue."), ValueMap{"user","group","unknownFutureValue"}, Values{"user","group","unknownFutureValue"}] String TargetType;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting
+{
+ [Write, Description("The Microsoft Entra ID's client ID as generated by the provider or admin to identify Microsoft Entra ID.")] String ClientId;
+ [Write, Description("The host URL of the external identity provider's OIDC discovery endpoint.")] String DiscoveryUrl;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("AADAuthenticationMethodPolicyExternal")]
+class MSFT_AADAuthenticationMethodPolicyExternal : OMI_BaseResource
+{
+ [Write, Description("Displayname of the groups of users that are excluded from a policy."), EmbeddedInstance("MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget")] String ExcludeTargets[];
+ [Write, Description("Displayname of the groups of users that are included from a policy."), EmbeddedInstance("MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget")] String IncludeTargets[];
+ [Write, Description("Open ID Connection settings used by this external authentication method."), EmbeddedInstance("MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting")] String OpenIdConnectSetting;
+ [Write, Description("The state of the policy. Possible values are: enabled, disabled."), ValueMap{"enabled","disabled"}, Values{"enabled","disabled"}] String State;
+ [Write, Description("The appId for the app registration in Microsoft Entra ID representing the integration with the external provider.")] String AppId;
+ [Key, Description("The displayName of the authentication policy configuration. Read-only.")] String DisplayName;
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/readme.md
new file mode 100644
index 0000000000..7dfd5268e3
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/readme.md
@@ -0,0 +1,6 @@
+
+# AADAuthenticationMethodPolicyExternal
+
+## Description
+
+Azure AD Authentication Method Policy External
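Review bot: The `Id` members of MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget and MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget are described as `The object identifier of an Azure AD group.`, but the module's Get-TargetResource writes the group's DisplayName into `Id` and Set-TargetResource (Get-UpdatedTargetProperty) resolves display names back to ids, passing GUIDs and `all_users` through unchanged; the description should say `The display name of the Azure AD group targeted by the policy, or 'all_users'; an object id is passed through unchanged.` so a configuration author is not misled into a value the compare logic does not expect. The `TargetType` description lists `group and unknownFutureValue` while its ValueMap also admits `user`; the two should agree. On IncludeTargets, `included from a policy` reads as `included in a policy`.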
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/settings.json
new file mode 100644
index 0000000000..8257c0365e
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/settings.json
@@ -0,0 +1,52 @@
+{
+ "resourceName": "AADAuthenticationMethodPolicyExternal",
+ "description": "This resource configures an Azure AD Authentication Method Policy External.",
+ "roles": {
+ "read": [
+ "Security Reader"
+ ],
+ "update": [
+ "Authentication Policy Administrator"
+ ]
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "Policy.ReadWrite.AuthenticationMethod"
+ },
+ {
+ "name": "Policy.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "Policy.ReadWrite.AuthenticationMethod"
+ },
+ {
+ "name": "Policy.Read.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "Policy.ReadWrite.AuthenticationMethod"
+ },
+ {
+ "name": "Policy.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "Policy.ReadWrite.AuthenticationMethod"
+ },
+ {
+ "name": "Policy.Read.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1
new file mode 100644
index 0000000000..8cb16f56e8
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1
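Review bot: Both `read` permission sets (delegated and application) grant `Policy.ReadWrite.AuthenticationMethod`, although the read/export path only performs a GET on `policies/authenticationMethodsPolicy`, for which the `Policy.Read.All` entry already listed is sufficient; keeping the write scope in `update` only avoids over-privileging an identity used purely for export or drift detection. Conversely, the module's Get-TargetResource and Set-TargetResource call `Get-MgGroup` to map target group ids to display names and back, and no group-read scope appears in any of the four arrays, so with exactly these permissions those lookups would most likely fail — the same class of omission this commit's changelog records as "Fixed missing permissions in settings.json" for other resources. Add `{ "name": "Group.Read.All" }` to all four arrays and remove `Policy.ReadWrite.AuthenticationMethod` from the two `read` arrays.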
@@ -0,0 +1,669 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.onTokenIssuanceStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension' + )] + $CustomAuthenticationExtensionType, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.azureAdTokenAuthentication', + '#microsoft.graph.azureAdPopTokenAuthentication' + )] + $AuthenticationConfigurationType, + + [Parameter()] + [System.String] + $AuthenticationConfigurationResourceId, + + [Parameter()] + [System.Int32] + $ClientConfigurationTimeoutMilliseconds, + + [Parameter()] + [System.Int32] + $ClientConfigurationMaximumRetries, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EndPointConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ClaimsForTokenConfiguration, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present' + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + Write-Verbose -Message "Fetching result...." + try + { + # check for export. + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + # check with Id first + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + + # check with display name next. + if ($null -eq $instance) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + } + else + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = Get-MgBetaIdentityCustomAuthenticationExtension -CustomAuthenticationExtensionId $Id ` + -ErrorAction SilentlyContinue + } + if ($null -eq $instance) + { + $instance = Get-MgBetaIdentityCustomAuthenticationExtension -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + if ($null -eq $instance) + { + return $nullResult + } + + Write-Verbose "Instance found for the resource. Calculating result...." 
+ + $results = @{ + DisplayName = $instance.DisplayName + Id = $instance.Id + Description = $instance.Description + Ensure = 'Present' + } + + if ($instance.AdditionalProperties -ne $null) + { + $results.Add('CustomAuthenticationExtensionType', $instance.AdditionalProperties["@odata.type"]) + } + + if ($instance.AuthenticationConfiguration -ne $null) + { + $results.Add('AuthenticationConfigurationType', $instance.AuthenticationConfiguration["@odata.type"]) + $results.Add('AuthenticationConfigurationResourceId', $instance.AuthenticationConfiguration["resourceId"]) + } + + if ($instance.ClientConfiguration -ne $null) + { + $results.Add('ClientConfigurationTimeoutMilliseconds', $instance.ClientConfiguration.TimeoutInMilliseconds) + $results.Add('ClientConfigurationMaximumRetries', $instance.ClientConfiguration.MaximumRetries) + } + + $endpointConfigurationInstance = @{} + if ($instance.EndPointConfiguration -ne $null -and $instance.EndPointConfiguration.AdditionalProperties -ne $null) + { + $endpointConfigurationInstance.Add("EndpointType", $instance.EndPointConfiguration.AdditionalProperties["@odata.type"]) + + if ($endpointConfigurationInstance["EndpointType"] -eq '#microsoft.graph.httpRequestEndpoint') + { + $endpointConfigurationInstance.Add("TargetUrl", $instance.EndPointConfiguration.AdditionalProperties["targetUrl"]) + } + + if ($endpointConfigurationInstance["EndpointType"] -eq '#microsoft.graph.logicAppTriggerEndpointConfiguration') + { + $endpointConfigurationInstance.Add("SubscriptionId", $instance.EndPointConfiguration.AdditionalProperties["subscriptionId"]) + $endpointConfigurationInstance.Add("ResourceGroupName", $instance.EndPointConfiguration.AdditionalProperties["resourceGroupName"]) + $endpointConfigurationInstance.Add("LogicAppWorkflowName", $instance.EndPointConfiguration.AdditionalProperties["logicAppWorkflowName"]) + } + } + + $ClaimsForTokenConfigurationInstance = @() + if ($instance.AdditionalProperties -ne $null -and 
$instance.AdditionalProperties["claimsForTokenConfiguration"] -ne $null) + { + foreach ($claim in $instance.AdditionalProperties["claimsForTokenConfiguration"]) + { + $c = @{ + ClaimIdInApiResponse = $claim.claimIdInApiResponse + } + + $ClaimsForTokenConfigurationInstance += $c + } + } + + $results.Add('EndPointConfiguration', $endpointConfigurationInstance) + $results.Add('ClaimsForTokenConfiguration', $ClaimsForTokenConfigurationInstance) + + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.onTokenIssuanceStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension' + )] + $CustomAuthenticationExtensionType, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.azureAdTokenAuthentication', + '#microsoft.graph.azureAdPopTokenAuthentication' + )] + $AuthenticationConfigurationType, + + [Parameter()] + [System.String] + $AuthenticationConfigurationResourceId, + + [Parameter()] + [System.Int32] + $ClientConfigurationTimeoutMilliseconds, + + [Parameter()] + [System.Int32] + $ClientConfigurationMaximumRetries, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EndPointConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ClaimsForTokenConfiguration, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + 
$ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present' + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $params = @{ + "@odata.type" = $setParameters.CustomAuthenticationExtensionType + displayName = $setParameters.DisplayName + description = $setParameters.Description + endpointConfiguration = @{ + "@odata.type" = $setParameters.EndPointConfiguration.EndpointType + } + authenticationConfiguration = @{ + "@odata.type" = $setParameters.AuthenticationConfigurationType + resourceId = $setParameters.AuthenticationConfigurationResourceId + } + clientConfiguration = @{ + timeoutInMilliseconds = $setParameters["ClientConfigurationTimeoutMilliseconds"] + maximumRetries = $setParameters["ClientConfigurationMaximumRetries"] + } + } + + if ($params.endpointConfiguration["@odata.type"] -eq "#microsoft.graph.httpRequestEndpoint") + { + Write-Verbose -Message "{$setParameters.EndPointConfiguration.TargetUrl}" + $params.endpointConfiguration["targetUrl"] = $setParameters.EndPointConfiguration.TargetUrl + } + + if ($params.endpointConfiguration["@odata.type"] -eq "#microsoft.graph.logicAppTriggerEndpointConfiguration") + { + $params.endpointConfiguration["subscriptionId"] = 
$setParameters.EndPointConfiguration["SubscriptionId"] + $params.endpointConfiguration["resourceGroupName"] = $setParameters.EndPointConfiguration["ResourceGroupName"] + $params.endpointConfiguration["logicAppWorkflowName"] = $setParameters.EndPointConfiguration["LogicAppWorkflowName"] + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + $params.Add("claimsForTokenConfiguration", @()) + foreach ($claim in $setParameters.claimsForTokenConfiguration) + { + $val = $claim.claimIdInApiResponse + Write-Verbose -Message "{$val}" + $c = @{ + "claimIdInApiResponse" = $claim.claimIdInApiResponse + } + + $params.claimsForTokenConfiguration += $c + } + + $params.Remove('Id') | Out-Null + $type = $params["@odata.type"] + Write-Verbose -Message "Creating new Custom authentication extension with display name {$DisplayName} and type {$type}" + New-MgBetaIdentityCustomAuthenticationExtension -BodyParameter $params + } + + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating custom authentication extension {$DisplayName}" + $params.Add('CustomAuthenticationExtensionId', $currentInstance.Id) + $params.Remove('Id') | Out-Null + + $params.Add("AdditionalProperties", @{}) + $params["AdditionalProperties"].Add("ClaimsForTokenConfiguration", @()) + + foreach ($claim in $setParameters["ClaimsForTokenConfiguration"]) + { + $c = @{ + "claimIdInApiResponse" = $claim["ClaimIdInApiResponse"] + } + + $params["AdditionalProperties"]["claimsForTokenConfiguration"] += $c + } + + Write-Verbose -Message "{$params['@odata.type']}" + Update-MgBetaIdentityCustomAuthenticationExtension -CustomAuthenticationExtensionId $Id -BodyParameter $params + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing custom authentication extension {$DisplayName}." 
+ Remove-MgBetaIdentityCustomAuthenticationExtension -CustomAuthenticationExtensionId $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.onTokenIssuanceStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension' + )] + $CustomAuthenticationExtensionType, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.azureAdTokenAuthentication', + '#microsoft.graph.azureAdPopTokenAuthentication' + )] + $AuthenticationConfigurationType, + + [Parameter()] + [System.String] + $AuthenticationConfigurationResourceId, + + [Parameter()] + [System.Int32] + $ClientConfigurationTimeoutMilliseconds, + + [Parameter()] + [System.Int32] + $ClientConfigurationMaximumRetries, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EndPointConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ClaimsForTokenConfiguration, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present' + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + Write-Verbose "TestResult returned False for $source" + $testTargetResource = $false + } + else { + $ValuesToCheck.Remove($key) | Out-Null + } + } + } + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + 
$AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaIdentityCustomAuthenticationExtension -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + + $endpointConfigurationCimString = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.EndpointConfiguration ` + -CIMInstanceName 'MSFT_AADCustomAuthenticationExtensionEndPointConfiguration' + + $ClaimsForTokenConfigurationCimString = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.ClaimsForTokenConfiguration ` + -CIMInstanceName 'MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration' + + $Results.EndPointConfiguration = $endpointConfigurationCimString + 
$Results.ClaimsForTokenConfiguration = $ClaimsForTokenConfigurationCimString + + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.EndPointConfiguration -ne $null) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "EndPointConfiguration" + } + + if ($Results.ClaimsForTokenConfiguration -ne $null) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "ClaimsForTokenConfiguration" -IsCIMArray $true + } + + $dscContent += $currentDSCBlock + + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.schema.mof new file mode 100644 index 0000000000..6382d10037 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.schema.mof 
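Review bot: In Set-TargetResource's UPDATE branch, `Update-MgBetaIdentityCustomAuthenticationExtension -CustomAuthenticationExtensionId $Id` uses the optional `$Id` parameter, but Get-TargetResource already falls back to a DisplayName lookup when `$Id` is empty, so a configuration that omits Id resolves the instance and then sends the update with an empty identifier; use `-CustomAuthenticationExtensionId $currentInstance.Id` (the value the REMOVE branch already uses) and drop the `CustomAuthenticationExtensionId` key added to the request body. In Test-TargetResource, `$testTargetResource = $false` is assigned when Compare-M365DSCComplexObject reports a mismatch but is never read, so a differing EndPointConfiguration or ClaimsForTokenConfiguration cannot force a `$false` result; initialise `$testResult = $true` before the loop, set it to `$false` on mismatch, and call Test-M365DSCParameterState only when it is still `$true`. The ValidateSet for CustomAuthenticationExtensionType (repeated in Get, Set and Test) lists `'#microsoft.graph.onAttributeCollectionStartCustomExtension'` twice, which looks like a copy of the Start entry where the attribute-collection Submit type was presumably intended, leaving that type unusable. The fallback filter `"DisplayName eq '$DisplayName'"` interpolates the value unescaped, so a display name containing a single quote produces a malformed OData query; double the quote before interpolating, e.g. `$escapedName = $DisplayName.Replace("'", "''")`.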
@@ -0,0 +1,38 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_AADCustomAuthenticationExtensionEndPointConfiguration
+{
+ [Write, Description("Defines the type of the endpoint configuration")] String EndpointType;
+ [Write, Description("Defines the workflow name for the logic app")] String LogicAppWorkflowName;
+ [Write, Description("Defines the resource group name for the logic app")] String ResourceGroupName;
+ [Write, Description("Defines the subscription id for the logic app")] String SubscriptionId;
+ [Write, Description("Defines the target url for the http endpoint")] String TargetUrl;
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration
+{
+ [Write, Description("Defines the claim id in api response.")] String ClaimIdInApiResponse;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("AADCustomAuthenticationExtension")]
+class MSFT_AADCustomAuthenticationExtension : OMI_BaseResource
+{
+ [Key, Description("Display Name of the custom security attribute. Must be unique within an attribute set. Can be up to 32 characters long and include Unicode characters. Can't contain spaces or special characters. Can't be changed later. Case sensitive.")] String DisplayName;
+ [Write, Description("Unique identifier of the Attribute Definition.")] String Id;
+ [Write, Description("Defines the custom authentication extension type.")] String CustomAuthenticationExtensionType;
+ [Write, Description("Description of the custom security attribute. Can be up to 128 characters long and include Unicode characters. Can't contain spaces or special characters. Can be changed later. 
")] String Description;
+ [Write, Description("Defines the authentication configuration type")] String AuthenticationConfigurationType;
+ [Write, Description("Defines the authentication configuration resource id")] String AuthenticationConfigurationResourceId;
+ [Write, Description("Defines the client configuration timeout in milliseconds")] UInt32 ClientConfigurationTimeoutMilliseconds;
+ [Write, Description("Defines the client configuration max retries")] UInt32 ClientConfigurationMaximumRetries;
+ [Write, Description("Defines the endpoint configuration"), EmbeddedInstance("MSFT_AADCustomAuthenticationExtensionEndPointConfiguration")] String EndpointConfiguration;
+ [Write, Description("Defines the list of claims for token configurations"), EmbeddedInstance("MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration")] String ClaimsForTokenConfiguration[];
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/readme.md
new file mode 100644
index 0000000000..d22077d7e6
--- /dev/null
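Review bot: The DisplayName, Id and Description properties of MSFT_AADCustomAuthenticationExtension carry descriptions copied from the custom security attribute definition schema ("Display Name of the custom security attribute. Must be unique within an attribute set…", "Unique identifier of the Attribute Definition.", "Description of the custom security attribute…"), including length and character constraints that do not apply to this object; replace them with text about the extension, e.g. `[Key, Description("Display name of the custom authentication extension.")] String DisplayName;`, `[Write, Description("Unique identifier of the custom authentication extension.")] String Id;` and `[Write, Description("Description of the custom authentication extension.")] String Description;`. The two client configuration properties are declared `UInt32` here while the corresponding psm1 parameters are `System.Int32`, so the types should be aligned to avoid a conversion error at the boundary. This schema also omits the `ApplicationSecret` authentication property that the rest of the commit adds to the other resources, so the new resource cannot be used with secret-based application authentication.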
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/readme.md
@@ -0,0 +1,6 @@
+
+# AADCustomAuthenticationExtension
+
+## Description
+
+Custom authentication extensions define interactions with external systems during a user authentication session.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/settings.json
new file mode 100644
index 0000000000..ae6d5a8707
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/settings.json
@@ -0,0 +1,32 @@
+{
+ "resourceName": "AADCustomAuthenticationExtension",
+ "description": "Custom authentication extensions define interactions with external systems during a user authentication session. ",
+ "roles": {
+ "read": [
+ "Attribute Definition Reader"
+ ],
+ "update": [
+ "Attribute Definition Administrator"
+ ]
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [
+ {
+ "name": "CustomSecAttributeDefinition.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "CustomSecAttributeDefinition.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.psm1
index e8090ba85e..1e7e5822ab 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.psm1
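Review bot: The roles and Graph permissions in this settings.json are those of the custom security attribute definition resource (`Attribute Definition Reader`/`Attribute Definition Administrator`, `CustomSecAttributeDefinition.Read.All`/`CustomSecAttributeDefinition.ReadWrite.All`), which do not authorize the `Get-/New-/Update-/Remove-MgBetaIdentityCustomAuthenticationExtension` calls the resource actually makes, so a principal consented per this file will fail at runtime and an administrator reading the consolidated permission list will be misled. The custom authentication extension API is covered by the `CustomAuthenticationExtension.Read.All` (read) and `CustomAuthenticationExtension.ReadWrite.All` (update) scopes, and the same scopes belong in the currently empty `delegated` arrays since the resource accepts Credential-based authentication; the role names should likewise be taken from the Graph documentation for this API rather than the attribute-definition roles. The `description` value also ends in a trailing space that will surface verbatim in generated documentation.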
@@ -57,6 +57,10 @@ function Get-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -132,6 +136,7 @@ function Get-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens @@ -209,6 +214,10 @@ function Set-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -325,6 +334,10 @@ function Test-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -447,6 +460,7 @@ function Export-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.schema.mof index f440bccc52..566b9bfcfb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.schema.mof 
@@ -10,11 +10,11 @@ class MSFT_AADCustomSecurityAttributeDefinition : OMI_BaseResource
 [Write, Description("Specifies whether the custom security attribute is active or deactivated. Acceptable values are Available and Deprecated. Can be changed later.")] String Status;
 [Write, Description("Data type for the custom security attribute values. Supported types are: Boolean, Integer, and String. Can't be changed later.")] String Type;
 [Write, Description("Indicates whether only predefined values can be assigned to the custom security attribute. If set to false, free-form values are allowed. Can later be changed from true to false, but can't be changed from false to true. If type is set to Boolean, usePreDefinedValuesOnly can't be set to true.")] Boolean UsePreDefinedValuesOnly;
-
 [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
 [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
 [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
 [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
 [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
 [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
 [Write, Description("Access token used for authentication.")] String AccessTokens[];
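Review bot: The new ApplicationSecret property is described as "Secret of the Azure Active Directory tenant used for authentication.", but the value is the client secret of the application named by ApplicationId, not a tenant secret, and the AADDomain schema touched by the same commit describes the identical property as "Secret of the Azure Active Directory application to authenticate with."; use the AADDomain wording here, `[Write, Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;`. The MSFT_AADAuthenticationMethodPolicyExternal schema added in this commit carries the same "tenant" phrasing and should get the same correction, since these descriptions are what the generated resource documentation shows to administrators deciding which credential to store.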
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/settings.json index 9381adbf42..a35e974098 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/settings.json @@ -12,8 +12,16 @@ "permissions": { "graph": { "delegated": { - "read": [], - "update": [] + "read": [ + { + "name": "CustomSecAttributeDefinition.Read.All" + } + ], + "update": [ + { + "name": "CustomSecAttributeDefinition.ReadWrite.All" + } + ] }, "application": { "read": [ diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.psm1 index 6237de9617..eff7ae01fc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.psm1 @@ -61,6 +61,10 @@ function Get-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -114,6 +118,7 @@ function Get-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens @@ -195,6 +200,10 @@ function Set-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -342,6 +351,10 @@ function Test-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, 
@@ -462,6 +475,7 @@ function Export-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof index bef859a557..c2b6cab026 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof 
@@ -11,11 +11,11 @@ class MSFT_AADDomain : OMI_BaseResource
 [Write, Description("Specifies the number of days before a user receives notification that their password expires. If the property isn't set, a default value of 14 days is used.")] UInt32 PasswordNotificationWindowInDays;
 [Write, Description("Specifies the length of time that a password is valid before it must be changed. If the property isn't set, a default value of 90 days is used.")] UInt32 PasswordValidityPeriodInDays;
 [Write, Description("The capabilities assigned to the domain. Can include 0, 1 or more of following values: Email, Sharepoint, EmailInternalRelayOnly, OfficeCommunicationsOnline, SharePointDefaultDomain, FullRedelegation, SharePointPublic, OrgIdAuthentication, Yammer, Intune. The values that you can add or remove using the API include: Email, OfficeCommunicationsOnline, Yammer. Not nullable.")] String SupportedServices[];
- [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
 [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
 [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
 [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
 [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
 [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
 [Write, Description("Access token used for authentication.")] String AccessTokens[];
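Review bot: The removed line drops the `Ensure` property from the MSFT_AADDomain schema, while the psm1 hunks for the same resource just above only add `ApplicationSecret` and show no matching removal of an `Ensure` parameter from Get/Set/Test-TargetResource. If the psm1 still declares `$Ensure`, the MOF and the parameter set no longer agree and the resource fails at configuration compile time; if the drop is deliberate it is a breaking change for every existing configuration that sets `Ensure` on AADDomain and deserves an explicit changelog line. Either restore `[Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;` or remove the parameter on the psm1 side in the same commit so the two stay in lockstep.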
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1
new file mode 100644
index 0000000000..04f48ad77f
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1
@@ -0,0 +1,732 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Username, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Password, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Certificates, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaIdentityAPIConnector -IdentityApiConnectorId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Identity A P I Connector with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaIdentityAPIConnector ` + -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Identity API Connector with DisplayName {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Azure AD Identity API Connector with Id {$Id} and DisplayName {$DisplayName} was found" + + #region resource generator code + $complexAuthenticationConfiguration = @{} + + if($null -ne $getValue.AuthenticationConfiguration.AdditionalProperties.password) { + $securePassword = ConvertTo-SecureString $getValue.AuthenticationConfiguration.AdditionalProperties.password -AsPlainText -Force + + $Password = New-Object System.Management.Automation.PSCredential ('Password', $securePassword) + } + + + $complexCertificates = @() + foreach ($currentCertificate in $getValue.AuthenticationConfiguration.AdditionalProperties.certificateList) + { + $myCertificate= @{} + $myCertificate.Add('Pkcs12Value', "Please insert a valid Pkcs12Value") + $myCertificate.Add('Thumbprint', $currentCertificate.thumbprint) + $myCertificate.Add('Password', "Please insert a valid Password for the certificate") + $myCertificate.Add('IsActive', $currentCertificate.isActive) + + if ($myCertificate.values.Where({$null -ne $_}).Count -gt 0) + { + $complexCertificates += $myCertificate + } + } + #endregion + + $results = @{ + #region resource generator code + DisplayName = $getValue.DisplayName + TargetUrl = $getValue.TargetUrl + Id = $getValue.Id + Username = $getValue.AuthenticationConfiguration.AdditionalProperties.username + Password = $Password + Certificates = $complexCertificates + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource 
+{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Username, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Password, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Certificates, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # If the certificates array is not empty, then we need to create a new instance of New-MgBetaAADIdentityAPIConnector + + $needToUpdateCertificates = $false + if($null -ne $Certificates -and $Certificates.Count -gt 0) { + $needToUpdateCertificates = $true + } + + if($needToUpdateCertificates -eq $false) { + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Azure AD Identity API Connector with DisplayName {$DisplayName}" + + $createParameters = ([Hashtable]$BoundParameters).Clone() + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + $createParameters.Remove('Id') | Out-Null + + $createParameters.Remove('Password') | Out-Null + $createParameters.Remove('Pkcs12Value') | Out-Null + + if($username -ne $null) { + $createParameters.Add("AuthenticationConfiguration", @{ + '@odata.type' = "microsoft.graph.basicAuthentication" + "password" = $Password.GetNetworkCredential().Password + "username" = $Username + }) + } + + $createParameters.Add("@odata.type", "#microsoft.graph.IdentityApiConnector") + $policy = New-MgBetaIdentityAPIConnector -BodyParameter $createParameters + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Identity API Connector with Id {$($currentInstance.Id)}" + + $updateParameters = ([Hashtable]$BoundParameters).Clone() + $updateParameters = 
Rename-M365DSCCimInstanceParameter -Properties $updateParameters + + $updateParameters.Remove('Id') | Out-Null + + $updateParameters.Remove('Password') | Out-Null + $updateParameters.Remove('Pkcs12Value') | Out-Null + + $updateParameters.Add("AuthenticationConfiguration", @{ + '@odata.type' = "microsoft.graph.basicAuthentication" + "password" = $Password.GetNetworkCredential().Password + "username" = $Username + }) + + $UpdateParameters.Add("@odata.type", "#microsoft.graph.IdentityApiConnector") + Update-MgBetaIdentityAPIConnector ` + -IdentityApiConnectorId $currentInstance.Id ` + -BodyParameter $UpdateParameters + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Azure AD Identity API Connector with Id {$($currentInstance.Id)}" + Remove-MgBetaIdentityAPIConnector -IdentityApiConnectorId $currentInstance.Id + } + } + else { + + # Remove the existing instance if already present + if($currentInstance.Ensure -ne 'Absent') { + Write-Verbose -Message "Removing the Azure AD Identity API Connector with Id {$($currentInstance.Id)}" + Remove-MgBetaIdentityAPIConnector -IdentityApiConnectorId $currentInstance.Id + } + + # Create a new instance with the certificates + Write-Verbose -Message "Creating an Azure AD Identity API Connector with DisplayName {$DisplayName}" + + $createParameters = ([Hashtable]$BoundParameters).Clone() + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + $createParameters.Remove('Id') | Out-Null + + $createParameters.Remove('Password') | Out-Null + $createParameters.Remove('Pkcs12Value') | Out-Null + + # Get the active and inactive certificates + $activeCertificates = @() + $inactiveCertificates = @() + foreach ($currentCertificate in $Certificates) + { + $myCertificate = @{} + $myCertificate.Add('Pkcs12Value', ($currentCertificate.Pkcs12Value).Password) + $myCertificate.Add('Password', ($currentCertificate.Password).Password) + + 
if($currentCertificate.IsActive -eq $true) { + $activeCertificates += $myCertificate + } + else { + $inactiveCertificates += $myCertificate + } + } + + # Only one certificate can be active + if($activeCertificates.Count -ne 1) { + Write-Error "There should be one active certificate" + throw + } + + if($inactiveCertificates.Count -eq 0) { + $createParameters.Add("AuthenticationConfiguration", @{ + '@odata.type' = "microsoft.graph.pkcs12Certificate" + "password" = $activeCertificates[0].Password + "pkcs12Value" = $activeCertificates[0].Pkcs12Value + }) + $activeCertificates = $activeCertificates[1..$activeCertificates.Count] + } + else { + $createParameters.Add("AuthenticationConfiguration", @{ + '@odata.type' = "microsoft.graph.pkcs12Certificate" + "password" = $inactiveCertificates[0].Password + "pkcs12Value" = $inactiveCertificates[0].Pkcs12Value + }) + # remove the first element from the inactive certificates + $inactiveCertificates = $inactiveCertificates[1..$inactiveCertificates.Count] + } + + $createParameters.Add("@odata.type", "#microsoft.graph.IdentityApiConnector") + $policy = New-MgBetaIdentityAPIConnector -BodyParameter $createParameters + + + # Upload the inactive certificates + foreach ($currentCertificate in $inactiveCertificates) + { + $params = @{ + pkcs12Value = $currentCertificate.Pkcs12Value + password = $currentCertificate.Password + } + + Invoke-MgBetaUploadIdentityApiConnectorClientCertificate -IdentityApiConnectorId $policy.Id -BodyParameter $params + } + + # Upload active certificate + foreach ($currentCertificate in $activeCertificates) + { + $params = @{ + pkcs12Value = $currentCertificate.Pkcs12Value + password = $currentCertificate.Password + } + + Invoke-MgBetaUploadIdentityApiConnectorClientCertificate -IdentityApiConnectorId $policy.Id -BodyParameter $params + } + + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] 
+ [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Username, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Password, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Certificates, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Identity A P I Connector with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + + # create a list of 
thumbprints from the source list + $sourceThumbprints = @() + foreach ($item in $source) + { + $myCertificate = @{} + $myCertificate.Add('Thumbprint', $item.Thumbprint) + $myCertificate.Add('IsActive', $item.IsActive) + $sourceThumbprints += $myCertificate + } + + # create a list of thumbprints from the target list + $targetThumbprints = @() + foreach ($item in $target) + { + $myCertificate = @{} + $myCertificate.Add('Thumbprint', $item.Thumbprint) + $myCertificate.Add('IsActive', $item.IsActive) + $targetThumbprints += $myCertificate + } + # sort the lists + $sourceThumbprints = $sourceThumbprints | Sort-Object -Property { $_.Thumbprint } + $targetThumbprints = $targetThumbprints | Sort-Object -Property { $_.Thumbprint } + + # print the list in verbose logs + foreach ($item in $sourceThumbprints) + { + Write-Verbose -Message "Source Thumbprints: $(Convert-M365DscHashtableToString -Hashtable $item)" + } + + foreach ($item in $targetThumbprints) + { + Write-Verbose -Message "Target Thumbprints: $(Convert-M365DscHashtableToString -Hashtable $item)" + } + + # check if the lists are identical + $compareResult = $true + if ($sourceThumbprints.Count -ne $targetThumbprints.Count) + { + $compareResult = $false + } + else + { + for ($i = 0; $i -lt $sourceThumbprints.Count; $i++) + { + if ($sourceThumbprints[$i].Thumbprint -ne $targetThumbprints[$i].Thumbprint) + { + $compareResult = $false + Write-Verbose -Message "Thumbprint mismatch: $($sourceThumbprints[$i].Thumbprint) - $($targetThumbprints[$i].Thumbprint)" + break + } + } + } + + if($compareResult -eq $true) + { + $ValuesToCheck.Remove($key) | Out-Null + } + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck.Remove('Password') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString 
-Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaIdentityAPIConnector ` + -Filter $Filter ` + -All ` + -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results.Password = "Please insert a valid Password" + + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + + if ($null -ne $Results.Certificates) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.Certificates` + -CIMInstanceName 'AADIdentityAPIConnectionCertificate' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.Certificates = $complexTypeStringResult + } + else + { + $Results.Remove('Certificates') | Out-Null + } + } + + $currentDSCBlock = 
Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + + if ($Results.Certificates) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Certificates" -IsCIMArray:$True + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof new file mode 100644 index 0000000000..447b39d00d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof 
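Review bot: In Set-TargetResource the certificate branch is selected before `Ensure` is consulted, so when `Certificates` is non-empty and `Ensure` is `'Absent'` the `else` branch removes the existing connector and immediately recreates it instead of leaving it absent; the guard should read `if($needToUpdateCertificates -eq $false -or $Ensure -eq 'Absent') {`. In the same function, `if($username -ne $null)` in the create branch compares an unbound `[System.String]` parameter (an empty string) to `$null` and is therefore always true, and both that block and the unconditional `AuthenticationConfiguration` block in the update branch call `$Password.GetNetworkCredential().Password` without confirming `$Password` was supplied, so a connector defined with certificates or without basic-auth fails with a null-method error rather than a clear message; `-not [string]::IsNullOrEmpty($Username) -and $null -ne $Password` would cover both sites. The pair `Write-Error "There should be one active certificate"` followed by a bare `throw` reaches the LCM as an empty error record; `throw "There should be one active certificate"` keeps the message on the exception. In Test-TargetResource `$testResult` is only ever assigned `$true`, so a thumbprint mismatch detected in the CimInstance comparison is logged but does not by itself force a `$false` return; the outcome then rests on Test-M365DSCParameterState comparing arrays that carry the placeholder `Pkcs12Value`/`Password` strings Get-TargetResource fills in, which looks unintended and is worth a direct `$testResult = $false` on mismatch.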
@@ -0,0 +1,28 @@
+[ClassVersion("1.0.0")]
+class MSFT_AADIdentityAPIConnectionCertificate
+{
+ [Write, Description("Pkcs12Value of the certificate as a secure string in Base64 encoding"), EmbeddedInstance("MSFT_Credential")] String Pkcs12Value;
+ [Write, Description("Thumbprint of the certificate in Base64 encoding")] String Thumbprint;
+ [Write, Description("Password of the certificate as a secure string"), EmbeddedInstance("MSFT_Credential")] String Password;
+ [Write, Description("Tells if the certificate is in use or not")] Boolean IsActive;
+};
+
+
+[ClassVersion("1.0.0.0"), FriendlyName("AADIdentityAPIConnector")]
+class MSFT_AADIdentityAPIConnector : OMI_BaseResource
+{
+ [Required, Description("The name of the API connector.")] String DisplayName;
+ [Write, Description("The URL of the API endpoint to call.")] String TargetUrl;
+ [Key, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Write, Description("The username of the password")] String Username;
+ [Write, Description("The password of certificate/basic auth"), EmbeddedInstance("MSFT_Credential")] String Password;
+ [Write, Description("List of certificates to be used in the API connector"), EmbeddedInstance("MSFT_AADIdentityAPIConnectionCertificate")] String Certificates[];
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/readme.md
new file mode 100644
index 0000000000..cfafce7110
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/readme.md
@@ -0,0 +1,6 @@
+
+# AADIdentityAPIConnector
+
+## Description
+
+Azure AD Identity API Connector
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/settings.json
new file mode 100644
index 0000000000..327fd87153
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/settings.json
@@ -0,0 +1,25 @@
+{
+ "resourceName": "AADIdentityAPIConnector",
+ "description": "This resource configures an Azure AD Identity A P I Connector.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+
+ ],
+ "update": [
+
+ ]
+ },
+ "application": {
+ "read": [
+
+ ],
+ "update": [
+
+ ]
+ }
+ }
+}
+
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1
new file mode 100644
index 0000000000..c6dac92a02
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1
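Review bot: Several property descriptions in the new MSFT_AADIdentityAPIConnector schema do not describe the property they sit on: `String Username` is documented as "The username of the password", and `ApplicationSecret` as "Secret of the Azure Active Directory tenant used for authentication." although it is the application's secret — the AADDomain schema earlier in this diff words the same property as "Secret of the Azure Active Directory application to authenticate with." Suggested lines: `[Write, Description("The username used for basic authentication against the API endpoint.")] String Username;` and `[Write, Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;`. The embedded MSFT_AADIdentityAPIConnectionCertificate class is tagged `ClassVersion("1.0.0")` while the resource class uses the four-part `"1.0.0.0"`; the two should agree. The `Thumbprint` description says "in Base64 encoding", but the psm1 copies `$currentCertificate.thumbprint` straight from the Graph response and the Test comparison matches it against the user-supplied value verbatim, so whichever encoding Graph actually returns is the one users must supply — confirm and document that rather than asserting Base64.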
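Review bot: All four permission lists (`delegated` and `application`, `read` and `update`) for the new AADIdentityAPIConnector resource are empty, so the module's permission tooling cannot report which Graph scopes this resource needs, reintroducing for a new resource the "missing permissions in settings.json" defect this same commit fixes for AADCustomSecurityAttributeDefinition. The psm1 calls `Get-MgBetaIdentityAPIConnector`, `New-/Update-/Remove-MgBetaIdentityAPIConnector` and `Invoke-MgBetaUploadIdentityApiConnectorClientCertificate`; the Graph permissions reference for `identity/apiConnectors` lists `IdentityUserFlow.Read.All` for reads and `IdentityUserFlow.ReadWrite.All` for writes — confirm against the current docs and fill the arrays in the same `{ "name": "..." }` shape used by the CustomSecurityAttributeDefinition hunk. The `description` value also reads "Identity A P I Connector"; `"This resource configures an Azure AD Identity API Connector."` matches the resource name and the readme.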
@@ -0,0 +1,719 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ApiConnectorConfiguration, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String[]] + $IdentityProviders, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UserAttributeAssignments, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaIdentityB2XUserFlow -B2XIdentityUserFlowId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Identity B2 X User Flow with Id {$Id}" + return $nullResult + } + #endregion + + $Id = $getValue.Id + Write-Verbose -Message "An Azure AD Identity B2 X User Flow with Id {$Id} was found" + + #region Get ApiConnectorConfiguration + $connectorConfiguration = Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration -B2xIdentityUserFlowId $Id -ExpandProperty "postFederationSignup,postAttributeCollection" + + $complexApiConnectorConfiguration = @{ + postFederationSignupConnectorName = Get-ConnectorName($connectorConfiguration.PostFederationSignup.DisplayName) + postAttributeCollectionConnectorName = Get-ConnectorName($connectorConfiguration.PostAttributeCollection.DisplayName) + } + #endregion + + #region Get IdentityProviders + $getIdentityProviders = (Get-MgBetaIdentityB2XUserFlowIdentityProvider -B2XIdentityUserFlowId $Id).id + if ($getIdentityProviders.Count -eq 0) + { + $getIdentityProviders = @() + } + #endregion + + $complexUserAttributeAssignments = @() + $getUserAttributeAssignments = Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2XIdentityUserFlowId $Id -ExpandProperty UserAttribute + foreach ($getUserAttributeAssignment in $getUserAttributeAssignments) + { + $getuserAttributeValues = @() + foreach ($getUserAttributeAssignmentAttributeValue in $getUserAttributeAssignment.UserAttributeValues) + { + 
$getuserAttributeValues += @{
+ Name = $getUserAttributeAssignmentAttributeValue.Name
+ Value = $getUserAttributeAssignmentAttributeValue.Value
+ IsDefault = $getUserAttributeAssignmentAttributeValue.IsDefault
+ }
+ }
+ $complexUserAttributeAssignments += @{
+ Id = $getUserAttributeAssignment.Id
+ DisplayName = $getUserAttributeAssignment.DisplayName
+ IsOptional = $getUserAttributeAssignment.IsOptional
+ UserInputType = $getUserAttributeAssignment.UserInputType
+ UserAttributeValues = $getuserAttributeValues
+ }
+ }
+
+ $results = @{
+ #region resource generator code
+ ApiConnectorConfiguration = $complexApiConnectorConfiguration
+ Id = $getValue.Id
+ IdentityProviders = $getIdentityProviders
+ UserAttributeAssignments = $complexUserAttributeAssignments
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificateThumbprint = $CertificateThumbprint
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ #endregion
+ }
+
+ return [System.Collections.Hashtable] $results
+ }
+ catch
+ {
+ New-M365DSCLogEntry -Message 'Error retrieving data:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return $nullResult
+ }
+}
+
+function Set-TargetResource
+{
+ [CmdletBinding()]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ApiConnectorConfiguration,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [System.String[]]
+ $IdentityProviders,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $UserAttributeAssignments,
+
+ #endregion
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $currentInstance = Get-TargetResource @PSBoundParameters
+
+ $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
+
+ if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
+ {
+ Write-Verbose -Message "Creating an Azure AD Identity B2 X User Flow with Id {$Id}"
+
+ #region Create ApiConnectorConfiguration object
+ $newApiConnectorConfiguration = @{}
+ if (-not [string]::IsNullOrEmpty($ApiConnectorConfiguration.postFederationSignupConnectorName))
+ {
+ $getConnector = Get-MgBetaIdentityApiConnector -Filter "DisplayName eq '$($ApiConnectorConfiguration.postFederationSignupConnectorName)'"
+ $newApiConnectorConfiguration['PostFederationSignup'] = @{
+ 'Id' = $getConnector.Id
+ }
+ }
+
+ if (-not [string]::IsNullOrEmpty($ApiConnectorConfiguration.postAttributeCollectionConnectorName))
+ {
+ $getConnector = Get-MgBetaIdentityApiConnector -Filter "DisplayName eq '$($ApiConnectorConfiguration.postAttributeCollectionConnectorName)'"
+ $newApiConnectorConfiguration['PostAttributeCollection'] = @{
+ 'Id' = $getConnector.Id
+ }
+ }
+ #endregion
+
+ $params = @{
+ id = $Id
+ userFlowType = "signUpOrSignIn"
+ userFlowTypeVersion = 1
+ apiConnectorConfiguration = $newApiConnectorConfiguration
+ }
+
+ $newObj = New-MgBetaIdentityB2XUserFlow -BodyParameter $params
+
+ #region Add IdentityProvider objects to the newly created object
+ foreach ($provider in $IdentityProviders)
+ {
+ $params = @{
+ "@odata.id" = "https://graph.microsoft.com/beta/identityProviders/$($provider)"
+ }
+
+ Write-Verbose -Message "Adding the Identity Provider with Id {$provider} to the newly created Azure AD Identity B2X User Flow with Id {$($newObj.Id)}"
+
+ New-MgBetaIdentityB2XUserFlowIdentityProviderByRef -B2XIdentityUserFlowId $newObj.Id -BodyParameter $params
+ }
+ #endregion
+
+ #region Add UserAtrributeAssignments to the newly created object
+ $currentAttributes = Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2XIdentityUserFlowId $newObj.Id | Select-Object -ExpandProperty Id
+ $attributesToAdd = $UserAttributeAssignments | Where-Object {$_.Id -notin $currentAttributes}
+
+ foreach ($userAttributeAssignment in $attributesToAdd)
+ {
+ $params = @{
+ displayName = $userAttributeAssignment.DisplayName
+ isOptional = $userAttributeAssignment.IsOptional
+ userInputType = $userAttributeAssignment.UserInputType
+ userAttributeValues = @()
+ userAttribute = @{
+ id = $userAttributeAssignment.Id
+ }
+ }
+
+ foreach ($userAttributeValue in $userAttributeAssignment.UserAttributeValues)
+ {
+ $params['userAttributeValues'] += @{
+ "Name" = $userAttributeValue.Name
+ "Value" = $userAttributeValue.Value
+ "IsDefault" = $userAttributeValue.IsDefault
+ }
+ }
+
+ Write-Verbose -Message "Adding the User Attribute Assignment with Id {$($userAttributeAssignment.Id)} to the newly created Azure AD Identity B2X User Flow with Id {$($newObj.Id)}"
+
+ New-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2XIdentityUserFlowId $newObj.Id -BodyParameter $params
+ }
+ #endregion
+ }
+ elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Updating the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}"
+
+ #region Update ApiConnectorConfiguration object
+ if (-not [string]::IsNullOrEmpty($ApiConnectorConfiguration.postFederationSignupConnectorName))
+ {
+ $getConnector = Get-MgBetaIdentityApiConnector -Filter "DisplayName eq '$($ApiConnectorConfiguration.postFederationSignupConnectorName)'"
+ $params = @{
+ "@odata.id" = "https://graph.microsoft.com/beta/identity/apiConnectors/$($getConnector.Id)"
+ }
+
+ Write-Verbose -Message "Updating the Post Federation Signup connector for Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}"
+
+ Set-MgBetaIdentityB2XUserFlowPostFederationSignupByRef -B2xIdentityUserFlowId $currentInstance.Id -BodyParameter $params
+ }
+
+ if (-not [string]::IsNullOrEmpty($ApiConnectorConfiguration.postAttributeCollectionConnectorName))
+ {
+ $getConnector = Get-MgBetaIdentityApiConnector -Filter "DisplayName eq '$($ApiConnectorConfiguration.postAttributeCollectionConnectorName)'"
+ $params = @{
+ "@odata.id" = "https://graph.microsoft.com/beta/identity/apiConnectors/$($getConnector.Id)"
+ }
+
+ Write-Verbose -Message "Updating the Post Attribute Collection connector for Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}"
+
+ Set-MgBetaIdentityB2XUserFlowPostAttributeCollectionByRef -B2xIdentityUserFlowId $currentInstance.Id -BodyParameter $params
+ }
+ #endregion
+
+ #region Add or Remove Identity Providers on the current instance
+ $providersToAdd = $IdentityProviders | Where-Object {$_ -notin $currentInstance.IdentityProviders}
+ foreach ($provider in $providersToAdd)
+ {
+ $params = @{
+ "@odata.id" = "https://graph.microsoft.com/beta/identityProviders/$($provider)"
+ }
+
+ Write-Verbose -Message "Adding the Identity Provider with Id {$provider} to the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}"
+
+ New-MgBetaIdentityB2XUserFlowIdentityProviderByRef -B2XIdentityUserFlowId $currentInstance.Id -BodyParameter $params
+ }
+
+ $providersToRemove = $currentInstance.IdentityProviders | Where-Object {$_ -notin $IdentityProviders}
+ foreach ($provider in $providersToRemove)
+ {
+ Write-Verbose -Message "Removing the Identity Provider with Id {$provider} from the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}"
+
+ Remove-MgBetaIdentityB2XUserFlowIdentityProviderByRef -B2XIdentityUserFlowId $currentInstance.Id -IdentityProviderBaseId $provider
+ }
+ #endregion
+
+ #region Add, remove or update User Attribute Assignments on the current instance
+ $attributesToRemove = $currentInstance.UserAttributeAssignments | Where-Object {$_.Id -notin $UserAttributeAssignments.Id}
+
+ #Remove
+ foreach ($userAttributeAssignment in $attributesToRemove)
+ {
+ Write-Verbose -Message "Removing the User Attribute Assignment with Id {$($userAttributeAssignment.Id)} from the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}"
+
+ Remove-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2XIdentityUserFlowId $currentInstance.Id -IdentityUserFlowAttributeAssignmentId $userAttributeAssignment.Id
+ }
+
+ #Add/Update
+ foreach ($userAttributeAssignment in $UserAttributeAssignments)
+ {
+ $params = @{
+ displayName = $userAttributeAssignment.DisplayName
+ isOptional = $userAttributeAssignment.IsOptional
+ userInputType = $userAttributeAssignment.UserInputType
+ userAttributeValues = @()
+ }
+
+ foreach ($userAttributeValue in $userAttributeAssignment.UserAttributeValues)
+ {
+ $params['userAttributeValues'] += @{
+ "Name" = $userAttributeValue.Name
+ "Value" = $userAttributeValue.Value
+ "IsDefault" = $userAttributeValue.IsDefault
+ }
+ }
+
+ if ($userAttributeAssignment.Id -notin $currentInstance.UserAttributeAssignments.Id)
+ {
+ $params["userAttribute"] = @{
+ id = $userAttributeAssignment.Id
+ }
+
+ Write-Verbose -Message "Adding the User Attribute Assignment with Id {$($userAttributeAssignment.Id)} to the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}"
+
+ New-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2XIdentityUserFlowId $currentInstance.Id -BodyParameter $params
+ }
+ else
+ {
+ Write-Verbose -Message "Updating the User Attribute Assignment with Id {$($userAttributeAssignment.Id)} in the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}"
+
+ Update-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2xIdentityUserFlowId $currentInstance.Id -IdentityUserFlowAttributeAssignmentId $userAttributeAssignment.Id -BodyParameter $params
+ }
+ }
+ #endregion
+ }
+ elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Removing the Azure AD Identity B2 X User Flow with Id {$($currentInstance.Id)}"
+ Remove-MgBetaIdentityB2XUserFlow -B2XIdentityUserFlowId $currentInstance.Id
+ }
+}
+
+function Test-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Boolean])]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ApiConnectorConfiguration,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [System.String[]]
+ $IdentityProviders,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $UserAttributeAssignments,
+
+ #endregion
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ Write-Verbose -Message "Testing configuration of the Azure AD Identity B2 X User Flow with Id {$Id}"
+
+ $CurrentValues = Get-TargetResource @PSBoundParameters
+ $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
+
+ if ($CurrentValues.Ensure -ne $Ensure)
+ {
+ Write-Verbose -Message "Test-TargetResource returned $false"
+ return $false
+ }
+
+ $testResult = $true
+
+ #Compare Cim instances
+ foreach ($key in $PSBoundParameters.Keys)
+ {
+ $source = $PSBoundParameters.$key
+ $target = $CurrentValues.$key
+ if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
+ {
+ $testResult = Compare-M365DSCComplexObject `
+ -Source ($source) `
+ -Target ($target)
+
+ if (-not $testResult)
+ {
+ break
+ }
+
+ $ValuesToCheck.Remove($key) | Out-Null
+ }
+ }
+
+ $ValuesToCheck.Remove('Id') | Out-Null
+ $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck
+
+ Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
+ Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
+
+ if ($ValuesToCheck.Count -gt 0 -and $testResult)
+ {
+ $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -DesiredValues $PSBoundParameters `
+ -ValuesToCheck $ValuesToCheck.Keys
+ }
+
+
+ Write-Verbose -Message "Test-TargetResource returned $testResult"
+
+ return $testResult
+}
+
+function Export-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.String])]
+ param
+ (
+ [Parameter()]
+ [System.String]
+ $Filter,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
+ -InboundParameters $PSBoundParameters
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ try
+ {
+ #region resource generator code
+ [array]$getValue = Get-MgBetaIdentityB2XUserFlow `
+ -Filter $Filter `
+ -All `
+ -ErrorAction Stop
+ #endregion
+
+ $i = 1
+ $dscContent = ''
+ if ($getValue.Length -eq 0)
+ {
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ else
+ {
+ Write-Host "`r`n" -NoNewline
+ }
+ foreach ($config in $getValue)
+ {
+ $displayedKey = $config.Id
+ Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline
+ $params = @{
+ Id = $config.Id
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificateThumbprint = $CertificateThumbprint
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ AccessTokens = $AccessTokens
+ }
+
+ $Results = Get-TargetResource @Params
+ $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
+ -Results $Results
+ if ($null -ne $Results.ApiConnectorConfiguration)
+ {
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
+ -ComplexObject $Results.ApiConnectorConfiguration `
+ -CIMInstanceName 'MicrosoftGraphuserFlowApiConnectorConfiguration'
+ if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
+ {
+ $Results.ApiConnectorConfiguration = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('ApiConnectorConfiguration') | Out-Null
+ }
+ }
+
+ if ($null -ne $Results.UserAttributeAssignments)
+ {
+ $complexMapping = @(
+ @{
+ Name = 'UserAttributeValues'
+ CimInstanceName = 'MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues'
+ IsRequired = $False
+ }
+ )
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
+ -ComplexObject $Results.UserAttributeAssignments `
+ -CIMInstanceName 'MicrosoftGraphuserFlowUserAttributeAssignment' `
+ -ComplexTypeMapping $complexMapping
+
+ if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
+ {
+ $Results.UserAttributeAssignments = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('UserAttributeAssignments') | Out-Null
+ }
+ }
+
+ $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
+ -ConnectionMode $ConnectionMode `
+ -ModulePath $PSScriptRoot `
+ -Results $Results `
+ -Credential $Credential
+ if ($Results.ApiConnectorConfiguration)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "ApiConnectorConfiguration" -IsCIMArray:$False
+ }
+ if ($Results.UserAttributeAssignments)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "UserAttributeAssignments" -IsCIMArray:$True
+ }
+
+ $dscContent += $currentDSCBlock
+ Save-M365DSCPartialExport -Content $currentDSCBlock `
+ -FileName $Global:PartialExportFileName
+ $i++
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ return $dscContent
+ }
+ catch
+ {
+ Write-Host $Global:M365DSCEmojiRedX
+
+ New-M365DSCLogEntry -Message 'Error during Export:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return ''
+ }
+}
+
+function Get-ConnectorName($connectorName) {
+ if ($null -ne $connectorName) {
+ return $connectorName
+ } else {
+ return ""
+ }
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.schema.mof
new file mode 100644
index 0000000000..4ea315f134
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.schema.mof
@@ -0,0 +1,41 @@
+[ClassVersion("1.0.0")]
+class MSFT_MicrosoftGraphUserFlowApiConnectorConfiguration
+{
+ [Write, Description("The name of the connector used for post federation signup step.")] String postFederationSignupConnectorName;
+ [Write, Description("The name of the connector used for post attribute collection step.")] String postAttributeCollectionConnectorName;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues
+{
+ [Write, Description("The display name of the property displayed to the end user in the user flow.")] String Name;
+ [Write, Description("The value that is set when this item is selected.")] String Value;
+ [Write, Description("Used to set the value as the default.")] Boolean IsDefault;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_MicrosoftGraphuserFlowUserAttributeAssignment
+{
+ [Write, Description("The unique identifier of identityUserFlowAttributeAssignment.")] String Id;
+ [Write, Description("The display name of the identityUserFlowAttribute within a user flow.")] String DisplayName;
+ [Write, Description("Determines whether the identityUserFlowAttribute is optional.")] Boolean IsOptional;
+ [Write, Description("User Flow Attribute Input Type."), ValueMap{"textBox","dateTimeDropdown","radioSingleSelect","dropdownSingleSelect","emailBox","checkboxMultiSelect"}, Values{"textBox","dateTimeDropdown","radioSingleSelect","dropdownSingleSelect","emailBox","checkboxMultiSelect"}] String UserInputType;
+ [Write, Description("The list of user attribute values for this assignment."), EmbeddedInstance("MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues")] String UserAttributeValues[];
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("AADIdentityB2XUserFlow")]
+class MSFT_AADIdentityB2XUserFlow : OMI_BaseResource
+{
+ [Write, Description("Configuration for enabling an API connector for use as part of the self-service sign-up user flow. You can only obtain the value of this object using Get userFlowApiConnectorConfiguration."), EmbeddedInstance("MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration")] String ApiConnectorConfiguration;
+ [Key, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Write, Description("The identity providers included in the user flow.")] String IdentityProviders[];
+ [Write, Description("The user attribute assignments included in the user flow."), EmbeddedInstance("MSFT_MicrosoftGraphuserFlowUserAttributeAssignment")] String UserAttributeAssignments[];
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/readme.md
new file mode 100644
index 0000000000..c81de81f9b
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/readme.md
@@ -0,0 +1,6 @@
+
+# AADIdentityB2XUserFlow
+
+## Description
+
+Azure AD Identity B2 X User Flow
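Review bot: The first embedded class is declared as `MSFT_MicrosoftGraphUserFlowApiConnectorConfiguration` (capital U) but the `ApiConnectorConfiguration` property references it as `EmbeddedInstance("MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration")` (lowercase u), which is also the form the exporter passes to `-CIMInstanceName`. CIM class names are compared case-insensitively so this most likely resolves, but the other two embedded classes spell `userFlow` consistently; renaming the declaration to `class MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration` keeps the three in step. The `ApiConnectorConfiguration` description is lifted from the Graph reference ("You can only obtain the value of this object using Get userFlowApiConnectorConfiguration") and does not describe what the DSC property actually takes, which is the two connector display names; suggest `Description("Display names of the API connectors bound to the post federation signup and post attribute collection steps of the user flow.")`. Likewise `Id` is described as "Read-only" while it is the Key the configuration author supplies and that Set-TargetResource sends as `id` when creating the flow, so drop "Read-only." from that description.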
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/settings.json
new file mode 100644
index 0000000000..d6df4d957a
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/settings.json
@@ -0,0 +1,29 @@
+{
+ "resourceName": "AADIdentityB2XUserFlow",
+ "description": "This resource configures an Azure AD Identity B2 X User Flow.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "IdentityUserFlow.Read.All"
+ }
+ ],
+ "update": [
+
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "IdentityUserFlow.Read.All"
+ }
+ ],
+ "update": [
+
+ ]
+ }
+ }
+}
+
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.psm1
index 1e3a213421..1995d3719c 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.psm1
@@ -49,6 +49,10 @@ function Get-TargetResource
 [System.String]
 $TenantId,
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
 [Parameter()]
 [System.String]
 $CertificateThumbprint,
@@ -112,6 +116,7 @@ function Get-TargetResource
 Credential = $Credential
 ApplicationId = $ApplicationId
 TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
 CertificateThumbprint = $CertificateThumbprint
 ManagedIdentity = $ManagedIdentity.IsPresent
 AccessTokens = $AccessTokens
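Review bot: Both `update` permission lists are empty, yet this resource's Set-TargetResource creates, updates and deletes user flows, identity-provider references and attribute assignments through Graph; with only `IdentityUserFlow.Read.All` declared, the permissions the module reports as required for this resource will not cover any of those write calls. The write scope for this surface is `IdentityUserFlow.ReadWrite.All`, so add `{ "name": "IdentityUserFlow.ReadWrite.All" }` to both the delegated and the application `update` arrays. The Get and Set paths also resolve connectors via Get-MgBetaIdentityApiConnector, which the Graph reference documents under a separate API-connector scope rather than the user-flow one; verify whether that scope is needed and, if so, add it to `read` as well.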
@@ -181,6 +186,10 @@ function Set-TargetResource
 [System.String]
 $TenantId,
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
 [Parameter()]
 [System.String]
 $CertificateThumbprint,
@@ -346,6 +355,10 @@ function Test-TargetResource
 [System.String]
 $TenantId,
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
 [Parameter()]
 [System.String]
 $CertificateThumbprint,
@@ -494,6 +507,7 @@ function Export-TargetResource
 Credential = $Credential
 ApplicationId = $ApplicationId
 TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
 CertificateThumbprint = $CertificateThumbprint
 ManagedIdentity = $ManagedIdentity.IsPresent
 AccessTokens = $AccessTokens
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.schema.mof
index 6af12f51bb..1fd0221206 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.schema.mof
@@ -56,6 +56,7 @@ class MSFT_AADIdentityGovernanceLifecycleWorkflow : OMI_BaseResource
 [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
 [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
 [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
 [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
 [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
 [Write, Description("Access token used for authentication.")] String AccessTokens[];
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.psm1
new file mode 100644
index 0000000000..47b7da56f4
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.psm1
@@ -0,0 +1,484 @@
+function Get-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $CertificateAuthorities,
+
+ [Parameter()]
+ [System.String]
+ $OrganizationId,
+ #endregion
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ try
+ {
+ $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
+ -InboundParameters $PSBoundParameters
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $nullResult = $PSBoundParameters
+ $nullResult.Ensure = 'Absent'
+
+ $getValue = $null
+ #region resource generator code
+
+ # This GUID is ALWAYS fixed as per the documentation.
+ $CertificateBasedAuthConfigurationId = "29728ade-6ae4-4ee9-9103-412912537da5"
+ $getValue = Get-MgBetaOrganizationCertificateBasedAuthConfiguration `
+ -CertificateBasedAuthConfigurationId $CertificateBasedAuthConfigurationId `
+ -OrganizationId $OrganizationId -ErrorAction SilentlyContinue
+
+ #endregion
+ if ($null -eq $getValue)
+ {
+ Write-Verbose -Message "Could not find an Azure AD Organization Certificate Based Auth Configuration with Id {$Id}."
+ return $nullResult
+ }
+
+ $Id = $getValue.Id
+ Write-Verbose -Message "An Azure AD Organization Certificate Based Auth Configuration with Id {$Id} was found"
+
+ #region resource generator code
+ $complexCertificateAuthorities = @()
+ foreach ($currentCertificateAuthorities in $getValue.certificateAuthorities)
+ {
+ $myCertificateAuthorities = @{}
+ $myCertificateAuthorities.Add('Certificate', [System.Convert]::ToBase64String($currentCertificateAuthorities.certificate))
+ $myCertificateAuthorities.Add('CertificateRevocationListUrl', $currentCertificateAuthorities.certificateRevocationListUrl)
+ $myCertificateAuthorities.Add('DeltaCertificateRevocationListUrl', $currentCertificateAuthorities.deltaCertificateRevocationListUrl)
+ $myCertificateAuthorities.Add('IsRootAuthority', $currentCertificateAuthorities.isRootAuthority)
+ if ($myCertificateAuthorities.values.Where({$null -ne $_}).Count -gt 0)
+ {
+ $complexCertificateAuthorities += $myCertificateAuthorities
+ }
+ }
+ #endregion
+
+ $results = @{
+ #region resource generator code
+ CertificateAuthorities = $complexCertificateAuthorities
+ OrganizationId = $OrganizationId
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificateThumbprint = $CertificateThumbprint
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ #endregion
+ }
+
+ return [System.Collections.Hashtable] $results
+ }
+ catch
+ {
+ New-M365DSCLogEntry -Message 'Error retrieving data:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return $nullResult
+ }
+}
+
+function Set-TargetResource
+{
+ [CmdletBinding()]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $CertificateAuthorities,
+
+ [Parameter()]
+ [System.String]
+ $OrganizationId,
+ #endregion
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $currentInstance = Get-TargetResource @PSBoundParameters
+
+ $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
+
+ # This GUID is ALWAYS fixed as per the documentation.
+ $CertificateBasedAuthConfigurationId = "29728ade-6ae4-4ee9-9103-412912537da5"
+
+ # Delete the old configuration
+ Write-Verbose -Message "Removing the current Azure AD Organization Certificate Based Auth Configuration."
+ Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/organization/$OrganizationId/certificateBasedAuthConfiguration/$CertificateBasedAuthConfigurationId" -Method DELETE
+
+ if ($Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Creating an Azure AD Organization Certificate Based Auth Configuration with Id {$CertificateBasedAuthConfigurationId}"
+
+ $createParameters = ([Hashtable]$BoundParameters).Clone()
+ $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters
+ $createParameters.Remove('OrganizationId') | Out-Null
+
+ $createCertAuthorities = @()
+ foreach ($CertificateAuthority in $CertificateAuthorities)
+ {
+ $createCertAuthorities += @{
+ certificate = $CertificateAuthority.Certificate
+ certificateRevocationListUrl = $CertificateAuthority.CertificateRevocationListUrl
+ deltaCertificateRevocationListUrl = $CertificateAuthority.DeltaCertificateRevocationListUrl
+ isRootAuthority = $CertificateAuthority.IsRootAuthority
+ }
+ }
+ $params = @{
+ certificateAuthorities = $createCertAuthorities
+ }
+
+ $policy = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/organization/$OrganizationId/certificateBasedAuthConfiguration/" -Method POST -Body $params
+ }
+}
+
+function Test-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Boolean])]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $CertificateAuthorities,
+
+ [Parameter()]
+ [System.String]
+ $OrganizationId,
+ #endregion
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ # This GUID is ALWAYS fixed as per the documentation.
+ $CertificateBasedAuthConfigurationId = "29728ade-6ae4-4ee9-9103-412912537da5"
+
+ Write-Verbose -Message "Testing configuration of the Azure AD Organization Certificate Based Auth Configuration with Id {$CertificateBasedAuthConfigurationId}"
+
+ $CurrentValues = Get-TargetResource @PSBoundParameters
+ $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
+
+ if ($CurrentValues.Ensure -ne $Ensure)
+ {
+ Write-Verbose -Message "Test-TargetResource returned $false"
+ return $false
+ }
+ $testResult = $true
+
+ #Compare Cim instances
+ foreach ($key in $PSBoundParameters.Keys)
+ {
+ $source = $PSBoundParameters.$key
+ $target = $CurrentValues.$key
+ if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
+ {
+ $testResult = Compare-M365DSCComplexObject `
+ -Source ($source) `
+ -Target ($target)
+
+ if (-not $testResult)
+ {
+ break
+ }
+
+ $ValuesToCheck.Remove($key) | Out-Null
+ }
+ }
+
+ $ValuesToCheck.Remove('Id') | Out-Null
+ $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck
+
+ Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
+ Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
+
+ if ($testResult)
+ {
+ $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -DesiredValues $PSBoundParameters `
+ -ValuesToCheck $ValuesToCheck.Keys
+ }
+
+ Write-Verbose -Message "Test-TargetResource returned $testResult"
+
+ return $testResult
+}
+
+function Export-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.String])]
+ param
+ (
+ [Parameter()]
+ [System.String]
+ $Filter,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
+ -InboundParameters $PSBoundParameters
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ try
+ {
+ # This GUID is ALWAYS fixed as per the documentation.
+ $CertificateBasedAuthConfigurationId = "29728ade-6ae4-4ee9-9103-412912537da5" + $getValue = Get-MgBetaOrganization + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = "CertificateBasedAuthConfigurations for $($getValue.DisplayName)" + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Ensure = 'Present' + OrganizationId = $getValue.Id + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.CertificateAuthorities) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.CertificateAuthorities ` + -CIMInstanceName 'MicrosoftGraphcertificateAuthority' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.CertificateAuthorities = $complexTypeStringResult + } + else + { + $Results.Remove('CertificateAuthorities') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.CertificateAuthorities) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "CertificateAuthorities" -IsCIMArray:$True + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + 
Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.schema.mof new file mode 100644 index 0000000000..1331883aea --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.schema.mof 
@@ -0,0 +1,23 @@ +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphCertificateAuthority +{ + [Write, Description("Required. The base64 encoded string representing the public certificate.")] String Certificate; + [Write, Description("The URL of the certificate revocation list.")] String CertificateRevocationListUrl; + [Write, Description("The URL contains the list of all revoked certificates since the last time a full certificate revocaton list was created.")] String DeltaCertificateRevocationListUrl; + [Write, Description("Required. true if the trusted certificate is a root authority, false if the trusted certificate is an intermediate authority.")] Boolean IsRootAuthority; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADOrganizationCertificateBasedAuthConfiguration")] +class MSFT_AADOrganizationCertificateBasedAuthConfiguration : OMI_BaseResource +{ + [Write, Description("Collection of certificate authorities which creates a trusted certificate chain."), EmbeddedInstance("MSFT_MicrosoftGraphcertificateAuthority")] String CertificateAuthorities[]; + [Key, Description("The Organization ID. 
Read-only.")] String OrganizationId; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/readme.md new file mode 100644 index 0000000000..9f7447d1d9 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/readme.md @@ -0,0 +1,6 @@ + +# AADOrganizationCertificateBasedAuthConfiguration + +## Description + +Azure AD Organization Certificate Based Auth Configuration diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/settings.json new file mode 100644 index 0000000000..df50b61fde --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/settings.json 
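Review bot: `Certificate` and `IsRootAuthority` are described as "Required." yet carry only the `Write` qualifier, so a `CertificateAuthorities` entry that omits either passes schema validation and the gap only surfaces when Set-TargetResource sends the incomplete entry to Graph (which will most likely reject it, but only at apply time); `[Required, Description("...")]` on those two properties would make the schema enforce what the description says. The `EmbeddedInstance("MSFT_MicrosoftGraphcertificateAuthority")` reference also differs in case from the class declared above as `MSFT_MicrosoftGraphCertificateAuthority`; MOF names are case-insensitive so it resolves, but matching the declaration avoids a reader assuming two classes exist. Minor: "revocaton" in the DeltaCertificateRevocationListUrl description.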
@@ -0,0 +1,29 @@ +{ + "resourceName": "AADOrganizationCertificateBasedAuthConfiguration", + "description": "This resource configures an Azure AD Organization Certificate Based Auth Configuration.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "Organization.Read.All" + } + ], + "update": [ + + ] + }, + "application": { + "read": [ + { + "name": "Organization.Read.All" + } + ], + "update": [ + + ] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 index 5640892910..cee000347d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 @@ -32,6 +32,10 @@ function Get-TargetResource [System.Boolean] $AppRoleAssignmentRequired, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomSecurityAttributes, + [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $DelegatedPermissionClassifications, @@ -226,6 +230,11 @@ function Get-TargetResource $complexDelegatedPermissionClassifications += $hashtable } + $complexCustomSecurityAttributes = [Array](Get-CustomSecurityAttributes -AppId $AppId) + if ($null -eq $complexCustomSecurityAttributes) { + $complexCustomSecurityAttributes = @() + } + $result = @{ AppId = $AADServicePrincipal.AppId AppRoleAssignedTo = $AppRoleAssignedToValues 
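Review bot: Both `update` arrays are empty although this resource's Set-TargetResource deletes and re-creates the organization's certificateBasedAuthConfiguration through Graph, and the Graph permission reference lists `Organization.ReadWrite.All` for that write; an entry `{ "name": "Organization.ReadWrite.All" }` belongs under both `delegated.update` and `application.update`. Left empty, the permission report and any consent tooling driven by settings.json will under-provision the app and the apply fails with a 403 at run time rather than at setup, which is the same class of gap the changelog entry fixes for other resources. The closing brace for `permissions` also sits at column 0, so the file parses but is harder to scan than the other new settings.json in this commit.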
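Review bot: `Get-CustomSecurityAttributes -AppId $AppId` adds an unconditional second Graph beta round-trip to every Get-TargetResource call (and therefore to every Test and Export), keyed on the bound `$AppId` rather than on the `$AADServicePrincipal.AppId` that the rest of the result hashtable uses; if the principal can be resolved with `AppId` unbound, the helper builds `servicePrincipals(appId='')`, and unless the helper catches it, an error from that call aborts the whole Get. Passing `$AADServicePrincipal.AppId` and letting the helper return `@()` on a failed read would keep attribute lookup from masking the rest of the resource. The enclosing Get-TargetResource starts and ends outside the hunk.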
@@ -234,6 +243,7 @@ function Get-TargetResource AlternativeNames = $AADServicePrincipal.AlternativeNames AccountEnabled = [boolean]$AADServicePrincipal.AccountEnabled AppRoleAssignmentRequired = $AADServicePrincipal.AppRoleAssignmentRequired + CustomSecurityAttributes = $complexCustomSecurityAttributes DelegatedPermissionClassifications = [Array]$complexDelegatedPermissionClassifications ErrorUrl = $AADServicePrincipal.ErrorUrl Homepage = $AADServicePrincipal.Homepage @@ -304,6 +314,10 @@ function Set-TargetResource [System.Boolean] $AppRoleAssignmentRequired, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomSecurityAttributes, + [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $DelegatedPermissionClassifications, @@ -410,6 +424,13 @@ function Set-TargetResource $currentParameters.Remove('ApplicationSecret') | Out-Null $currentParameters.Remove('AccessTokens') | Out-Null + # update the custom security attributes to be cmdlet comsumable + if ($null -ne $currentParameters.CustomSecurityAttributes -and $currentParameters.CustomSecurityAttributes -gt 0) { + $currentParameters.CustomSecurityAttributes = Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsCmdletHashtable -CustomSecurityAttributes $currentParameters.CustomSecurityAttributes + } else { + $currentParameters.Remove('CustomSecurityAttributes') + } + # ServicePrincipal should exist but it doesn't if ($Ensure -eq 'Present' -and $currentAADServicePrincipal.Ensure -eq 'Absent') { 
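Review bot: `$currentParameters.CustomSecurityAttributes -gt 0` compares the CimInstance array itself to an integer rather than its `.Count`; with an array on the left, `-gt` acts as an element filter in PowerShell, so this expression does not reliably answer "is the list non-empty", and the sibling checks added later in this file use `.Count -gt 0`. Change the guard to `if ($null -ne $currentParameters.CustomSecurityAttributes -and $currentParameters.CustomSecurityAttributes.Count -gt 0) {`. The `Remove('CustomSecurityAttributes')` in the else branch is also missing the `| Out-Null` that the surrounding Remove calls use; harmless since Hashtable.Remove returns void, but it reads as an oversight. Set-TargetResource continues outside the hunk.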
@@ -467,6 +488,16 @@ function Set-TargetResource $currentParameters.Remove('AppRoleAssignedTo') | Out-Null $currentParameters.Remove('Owners') | Out-Null $currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null + + #removing the current custom security attributes + if ($currentAADServicePrincipal.CustomSecurityAttributes.Count -gt 0) { + $currentAADServicePrincipal.CustomSecurityAttributes = Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsCmdletHashtable -CustomSecurityAttributes $currentAADServicePrincipal.CustomSecurityAttributes -GetForDelete $true + $CSAParams = @{ + customSecurityAttributes = $currentAADServicePrincipal.CustomSecurityAttributes + } + Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$($currentParameters.AppId)')" -Method Patch -Body $CSAParams + } + Update-MgServicePrincipal -ServicePrincipalId $currentAADServicePrincipal.ObjectID @currentParameters if ($AppRoleAssignedTo) @@ -642,6 +673,10 @@ function Test-TargetResource [System.Boolean] $AppRoleAssignmentRequired, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomSecurityAttributes, + [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $DelegatedPermissionClassifications, @@ -743,6 +778,7 @@ function Test-TargetResource { $source = $PSBoundParameters.$key $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') { $testResult = Compare-M365DSCComplexObject ` 
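Review bot: The new block nulls every custom security attribute currently on the principal with a beta PATCH and then relies on the following `Update-MgServicePrincipal` (fed the converted `CustomSecurityAttributes` from earlier in this function) to put the desired ones back; if that second call fails, or the desired set is identical to the current one, the principal transiently or permanently loses attributes that may be driving attribute-based access decisions. Computing only the attributes that are current but not desired, and sending those nulls in the same request as the new values, would make this a single idempotent write. The interpolation of `$($currentParameters.AppId)` into the OData key `servicePrincipals(appId='...')` should also be preceded by a `[Guid]::TryParse` check before the URL is built; the same pattern appears in Get-CustomSecurityAttributes. The function continues outside the hunk.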
@@ -873,6 +909,10 @@ function Export-TargetResource { $Results.DelegatedPermissionClassifications = Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications -PermissionClassifications $Results.DelegatedPermissionClassifications } + if ($Results.CustomSecurityAttributes.Count -gt 0) + { + $Results.CustomSecurityAttributes = Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsString -CustomSecurityAttributes $Results.CustomSecurityAttributes + } $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` @@ -888,6 +928,11 @@ function Export-TargetResource $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` -ParameterName 'DelegatedPermissionClassifications' } + if ($null -ne $Results.CustomSecurityAttributes) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'CustomSecurityAttributes' + } $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName 
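Review bot: When the principal has no custom security attributes, `$Results.CustomSecurityAttributes` stays the empty array Get-TargetResource returns, so the later `$null -ne $Results.CustomSecurityAttributes` guard still passes and `Convert-DSCStringParamToVariable` runs on a property that was never rendered as a string; what the export helpers do with an empty-array value is not visible here, but the new AADOrganizationCertificateBasedAuthConfiguration export in this same commit avoids the question by removing the key. Adding `else { $Results.Remove('CustomSecurityAttributes') | Out-Null }` to the new `if` would keep the two resources consistent. Export-TargetResource continues outside both hunks.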
@@ -912,6 +957,195 @@ function Export-TargetResource } } +function Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsCmdletHashtable +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $CustomSecurityAttributes, + + [Parameter()] + [System.Boolean] + $GetForDelete = $false + ) + + # logic to update the custom security attributes to be cmdlet comsumable + $updatedCustomSecurityAttributes = @{} + foreach ($attributeSet in $CustomSecurityAttributes) { + $attributeSetKey = $attributeSet.AttributeSetName + + $valuesHashtable = @{} + $valuesHashtable.Add('@odata.type', '#Microsoft.DirectoryServices.CustomSecurityAttributeValue') + foreach ($attribute in $attributeSet.AttributeValues) { + $attributeKey = $attribute.AttributeName + # supply attributeName = $null in the body, if you want to delete this attribute + if ($GetForDelete -eq $true) { + $valuesHashtable.Add($attributeKey, $null) + continue + } + + $odataKey = $attributeKey + '@odata.type' + + if ($null -ne $attribute.StringArrayValue) { + $valuesHashtable.Add($odataKey, "#Collection(String)") + $attributeValue = $attribute.StringArrayValue + } + elseif ($null -ne $attribute.IntArrayValue) { + $valuesHashtable.Add($odataKey, "#Collection(Int32)") + $attributeValue = $attribute.IntArrayValue + } + elseif ($null -ne $attribute.StringValue) { + $valuesHashtable.Add($odataKey, "#String") + $attributeValue = $attribute.StringValue + } + elseif ($null -ne $attribute.IntValue) { + $valuesHashtable.Add($odataKey, "#Int32") + $attributeValue = $attribute.IntValue + } + elseif ($null -ne $attribute.BoolValue) { + $attributeValue = $attribute.BoolValue + } + + $valuesHashtable.Add($attributeKey, $attributeValue) + } + $updatedCustomSecurityAttributes.Add($attributeSetKey, $valuesHashtable) + } + return $updatedCustomSecurityAttributes +} + +# Function to create MSFT_AttributeValue +function Create-AttributeValue { + param ( + 
[string]$AttributeName, + [object]$Value + ) + + $attributeValue = @{ + AttributeName = $AttributeName + StringArrayValue = $null + IntArrayValue = $null + StringValue = $null + IntValue = $null + BoolValue = $null + } + + # Handle different types of values + if ($Value -is [string]) { + $attributeValue.StringValue = $Value + } + elseif ($Value -is [System.Int32] -or $Value -is [System.Int64]) { + $attributeValue.IntValue = $Value + } + elseif ($Value -is [bool]) { + $attributeValue.BoolValue = $Value + } + elseif ($Value -is [array]) { + if ($Value[0] -is [string]) { + $attributeValue.StringArrayValue = $Value + } + elseif ($Value[0] -is [System.Int32] -or $Value[0] -is [System.Int64]) { + $attributeValue.IntArrayValue = $Value + } + } + + return $attributeValue +} + + +function Get-CustomSecurityAttributes { + [OutputType([System.Array])] + param ( + [String]$AppId + ) + + $customSecurityAttributes = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$AppId')`?`$select=customSecurityAttributes" -Method Get + $customSecurityAttributes = $customSecurityAttributes.customSecurityAttributes + $newCustomSecurityAttributes = @() + + foreach ($key in $customSecurityAttributes.Keys) { + $attributeSet = @{ + AttributeSetName = $key + AttributeValues = @() + } + + foreach ($attribute in $customSecurityAttributes[$key].Keys) { + # Skip properties that end with '@odata.type' + if ($attribute -like "*@odata.type") { + continue + } + + $value = $customSecurityAttributes[$key][$attribute] + $attributeName = $attribute # Keep the attribute name as it is + + # Create the attribute value and add it to the set + $attributeSet.AttributeValues += Create-AttributeValue -AttributeName $attributeName -Value $value + } + + #Add the attribute set to the final structure + $newCustomSecurityAttributes += $attributeSet + } + + # Display the new structure + return [Array]$newCustomSecurityAttributes +} + +function 
Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $CustomSecurityAttributes + ) + + $StringContent = "@(`r`n" + foreach ($customSecurityAttribute in $CustomSecurityAttributes) + { + $StringContent += " MSFT_AADServicePrincipalAttributeSet {`r`n" + $StringContent += " AttributeSetName = '" + $customSecurityAttribute.AttributeSetName + "'`r`n" + if ($customSecurityAttribute.AttributeValues.Length -gt 0) + { + $StringContent += " AttributeValues = @(`r`n" + foreach ($attributeValue in $customSecurityAttribute.AttributeValues) + { + $StringContent += " MSFT_AADServicePrincipalAttributeValue {`r`n" + $StringContent += " AttributeName = '" + $attributeValue.AttributeName + "'`r`n" + if ($null -ne $attributeValue.BoolValue){ + $StringContent += " BoolValue = $" + $attributeValue.BoolValue + "`r`n" + } + elseif ($null -ne $attributeValue.StringValue){ + $StringContent += " StringValue = '" + $attributeValue.StringValue + "'`r`n" + } + elseif ($null -ne $attributeValue.IntValue){ + $StringContent += " IntValue = " + $attributeValue.IntValue + "`r`n" + } + elseif ($null -ne $attributeValue.StringArrayValue){ + $StringContent += " StringArrayValue = @(" + $StringContent += ($attributeValue.StringArrayValue | ForEach-Object { "'$_'" }) -join "," + $StringContent += ")`r`n" + } + elseif ($null -ne $attributeValue.IntArrayValue){ + $StringContent += " IntArrayValue = @(" + $StringContent += $attributeValue.IntArrayValue -join "," + $StringContent += ")`r`n" + } + $StringContent += " }`r`n" + } + $StringContent += " )`r`n" + } + else + { + $StringContent += " AttributeValues = @()`r`n" + } + $StringContent += " }`r`n" + } + $StringContent += ' )' + return $StringContent +} + function Get-M365DSCAzureADServicePrincipalAssignmentAsString { [CmdletBinding()] 
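Review bot: Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsString writes `AttributeSetName`, `AttributeName`, `StringValue` and every `StringArrayValue` element into single-quoted PowerShell literals without escaping, so a tenant-supplied value containing `'` either breaks the generated configuration or lets attribute text be interpreted as code when the exported file is run; doubling the quote, e.g. `$StringContent += " StringValue = '" + $attributeValue.StringValue.Replace("'", "''") + "'`r`n"`, and the same treatment for the other three, closes that. In Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsCmdletHashtable, `$attributeValue` is never reset inside the inner loop, so an attribute whose typed properties are all `$null` silently inherits the previous attribute's value; add `$attributeValue = $null` as the first statement of the `foreach ($attribute in $attributeSet.AttributeValues)` body. `Create-AttributeValue` uses an unapproved verb (`New-` is the convention PSScriptAnalyzer expects), and Get-CustomSecurityAttributes interpolates `$AppId` unvalidated into the OData key of the request URL.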
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof index 717b2e569f..3b2c37bc14 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof @@ -12,6 +12,24 @@ class MSFT_AADServicePrincipalDelegatedPermissionClassification [Write, Description("Name of the permission")] String PermissionName; }; +[ClassVersion("1.0.0")] +class MSFT_AADServicePrincipalAttributeValue +{ + [Write, Description("Name of the Attribute")] String AttributeName; + [Write, Description("If the attribute has a string array value")] String StringArrayValue[]; + [Write, Description("If the attribute has a int array value")] UInt32 IntArrayValue[]; + [Write, Description("If the attribute has a string value")] String StringValue; + [Write, Description("If the attribute has a int value")] UInt32 IntValue; + [Write, Description("If the attribute has a boolean value")] Boolean BoolValue; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADServicePrincipalAttributeSet +{ + [Write, Description("Attribute Set Name.")] String AttributeSetName; + [Write, Description("List of attribute values."), EmbeddedInstance("MSFT_AADServicePrincipalAttributeValue")] String AttributeValues[]; +}; + [ClassVersion("1.0.0.0"), FriendlyName("AADServicePrincipal")] class MSFT_AADServicePrincipal : OMI_BaseResource { 
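Review bot: `IntValue` and `IntArrayValue[]` are declared `UInt32`, while the .psm1 in this commit annotates the same values as `#Int32` (a signed type) when writing them back to Graph, so a negative integer that the tenant accepts would fail MOF validation on export or apply. `SInt32` is the matching MOF type: `[Write, Description("If the attribute has an integer array value")] SInt32 IntArrayValue[];` and likewise for `IntValue`. The descriptions "a int array value" / "a int value" should read "an integer ...".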
@@ -33,6 +51,7 @@ class MSFT_AADServicePrincipal : OMI_BaseResource [Write, Description("The type of the service principal.")] String ServicePrincipalType; [Write, Description("Tags linked to this service principal.Note that if you intend for this service principal to show up in the All Applications list in the admin portal, you need to set this value to {WindowsAzureActiveDirectoryIntegratedApp}")] String Tags[]; [Write, Description("The permission classifications for delegated permissions exposed by the app that this service principal represents."), EmbeddedInstance("MSFT_AADServicePrincipalDelegatedPermissionClassification")] String DelegatedPermissionClassifications[]; + [Write, Description("The list of custom security attributes attached to this SPN"), EmbeddedInstance("MSFT_AADServicePrincipalAttributeSet")] String CustomSecurityAttributes[]; [Write, Description("Specify if the Azure AD App should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/settings.json index 18de6335a5..858c10b94f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/settings.json @@ -13,8 +13,14 @@ "graph": { "delegated": { "read": [ + { + "name": "IdentityProvider.Read.All" + } ], "update": [ + { + "name": "IdentityProvider.ReadWrite.All" + } ] }, "application": { 
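Review bot: Only the `delegated` read and update lists gain `IdentityProvider.Read.All` / `IdentityProvider.ReadWrite.All`; the `application` section opens on the hunk's last line and its contents are outside the hunk, so I cannot confirm the same entries were added there. If that block is still empty, app-only authentication (certificate, secret, managed identity) is documented as needing no Graph permission, which is the gap the changelog entry says this commit fixes.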
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.psm1 new file mode 100644 index 0000000000..0d2fc291bf --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.psm1 
@@ -0,0 +1,326 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.Boolean] + $AuditBypassEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Identity -eq $Identity} + } + else + { + $instance = Get-MailboxAuditBypassAssociation -Identity $Identity -ErrorAction Stop + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Identity = [System.String]$Identity + AuditBypassEnabled = [System.Boolean]$instance.AuditBypassEnabled + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` 
+ -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.Boolean] + $AuditBypassEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + Set-MailboxAuditBypassAssociation @SetParameters +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.Boolean] + $AuditBypassEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters + + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { 
+ $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MailboxAuditBypassAssociation -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + $displayedKey = $config.Identity + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Identity = $config.Identity + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.schema.mof new file mode 100644 index 0000000000..318977aa0b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.schema.mof 
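Review bot: In Get-TargetResource both the not-found path and the catch path return `$nullResult = $PSBoundParameters`, i.e. the desired values themselves, and this resource has no `Ensure` key to mark the difference, so when `Get-MailboxAuditBypassAssociation` throws (identity does not exist, caller lacks the role) Test-TargetResource compares the desired state with a copy of itself and reports the mailbox compliant. For a setting that switches mailbox audit logging off, a lookup failure should not read as success; dropping the value before returning, e.g. `$nullResult = ([Hashtable]$PSBoundParameters).Clone(); $nullResult.Remove('AuditBypassEnabled') | Out-Null`, would make Test-M365DSCParameterState see a mismatch (assuming it treats a missing key as a difference, worth confirming against that helper). Set-TargetResource assigns `Get-TargetResource @PSBoundParameters` to `$currentInstance` and never uses it, so that remote read should either be removed or used to skip a no-op `Set-MailboxAuditBypassAssociation`. Export-TargetResource enumerates every association in the tenant, which appears to be one object per mailbox; filtering to `AuditBypassEnabled -eq $true` would keep the export to the accounts that actually bypass auditing, unless the intent is to pin the setting for every mailbox.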
@@ -0,0 +1,12 @@
+[ClassVersion("1.0.0.0"), FriendlyName("EXOMailboxAuditBypassAssociation")]
+class MSFT_EXOMailboxAuditBypassAssociation : OMI_BaseResource
+{
+ [Key, Description("The Identity parameter specifies the user account or computer account where you want to view the value of the AuditBypassEnabled property.")] String Identity;
+ [Write, Description("The AuditBypassEnabled parameter specifies whether audit bypass is enabled for the user or computer.")] Boolean AuditBypassEnabled;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/readme.md
new file mode 100644
index 0000000000..092c6a9914
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/readme.md
@@ -0,0 +1,5 @@
+# EXOMailboxAuditBypassAssociation
+
+## Description
+
+Use the Set-MailboxAuditBypassAssociation cmdlet to configure mailbox audit logging bypass for user or computer accounts such as service accounts for applications that access mailboxes frequently.
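Review bot: The Identity description on the fourth added line is copied from the Get cmdlet's help ("where you want to view the value of the AuditBypassEnabled property"), which does not describe a resource that also sets and tests the value; `[Key, Description("The user or computer account whose mailbox audit bypass association is configured.")] String Identity;` fits all three functions. The AuditBypassEnabled description should state the effect rather than restate the name, because a true value means mailbox audit logging is bypassed for that account (as the readme added in the same commit says) and that is exactly what someone reviewing a configuration needs to see, e.g. `[Write, Description("Whether mailbox audit logging is bypassed for this account. When true, this account's mailbox actions are not audited.")] Boolean AuditBypassEnabled;`. The Credential line uses lowercase `string` while every other property uses `String`; one casing keeps the schema consistent with the rest of the file.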
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json
new file mode 100644
index 0000000000..476fa8a84d
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json
@@ -0,0 +1,36 @@
+{
+ "resourceName": "EXOMailboxAuditBypassAssociation",
+ "description": "",
+ "roles": {
+ "read": [
+ "Global Reader"
+ ],
+ "update": [
+ "Exchange Administrator"
+ ]
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ },
+ "exchange": {
+ "requiredroles": [
+ "Compliance Admin",
+ "View-Only Configuration",
+ "Journaling"
+ ],
+ "requiredrolegroups": [
+ "Organization Management",
+ "Compliance Management",
+ "Records Management"
+ ]
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json
index 0250bfc33a..e3c1d8a2ee 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json
@@ -13,6 +13,9 @@
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
@@ -28,6 +31,9 @@
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json
index 7f3c9f6cc3..8e0c3442a4 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json
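Review bot: The third added line of the new EXOMailboxAuditBypassAssociation settings.json leaves `"description": ""` empty even though the readme added in the same commit describes the resource; `"description": "Configures mailbox audit logging bypass for a user or computer account.",` fills it. The exchange `requiredroles` and `requiredrolegroups` lists cannot be checked from the diff alone and are worth confirming against the roles that actually carry Set-MailboxAuditBypassAssociation, since this file drives the permission guidance given to whoever runs an export or apply, and a wider list than needed over-privileges that identity. The same check applies to `"Global Reader"` as the read role, which is presumably inherited from other EXO resources.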
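Review bot: In MSFT_IntuneASRRulesPolicyWindows10/settings.json `Group.Read.All` is added only to the two `update` arrays (hunks at old lines 13 and 28), whereas other files in this commit such as IntuneAccountProtectionPolicyWindows10, IntuneAppAndBrowserIsolationPolicyWindows10 and IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10 add it to the `read` arrays as well. If the `read` arrays here do not already carry it, an export with read-only consent would fail wherever Get-TargetResource resolves assignment group names while an update would succeed; the context lines do not show the rest of the `read` arrays, so this needs confirming against the full files. The same update-only pattern appears in IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy, IntuneAccountProtectionLocalUserGroupMembershipPolicy, IntuneAccountProtectionPolicy, IntuneAntivirusPolicyWindows10SettingCatalog, IntuneAppConfigurationPolicy, IntuneAppProtectionPolicyAndroid, IntuneAppProtectionPolicyiOS, IntuneApplicationControlPolicyWindows10, the IntuneDeviceCompliancePolicy* files and several IntuneDeviceConfiguration*PolicyWindows10 files. IntuneDeviceConfigurationDomainJoinPolicyWindows10 receives the permission in a single hunk at old line 28 only, which by the layout of the sibling files looks like the application `update` array alone and may be an omission on the delegated side.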
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json index d6aeda8c71..1c2a8b1d80 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json index 1d0cdf0573..7fb501a21b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/settings.json index a20915a6b7..7e45256fd1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json index 307c2f8403..0489d61a43 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json index fe0c097e79..6f8ca8d487 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/settings.json index 9e60b9ada3..57be974d43 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json index e5bfa4dcaf..b6d0af3e02 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json index 10e50f1081..315a58a821 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json index 270c79777d..ec5cecf736 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json index 0bd2d39195..de96e82e6e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/settings.json index 5f0f5f1c8b..6057c5b021 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json index 6ce0bedcec..568542e5bc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
@@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json index d32693cec5..83fe077865 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json index ab503e6e12..2a02222c6a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json index bd59e189c5..d426ac83cb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json index 876c98b3c1..f99b98df4a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json index 4f70de0036..d08714575d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json index 4636671998..88bde5e09c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json index 59369d197b..1309114462 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json index 1ec45e354d..a9710165fc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json index ad18510898..7bee7e4a38 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json index 2ebe5a545e..7f3828149e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json @@ -28,6 +28,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json index 7f59aea637..a9514693a2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json index eb9da4aa9e..3acddb9169 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/settings.json index 0ff407f836..9e4b185543 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/settings.json index 876ce379ca..98abdb2c2b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/settings.json index d5d83f0b7f..d30f15580a 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/settings.json index 7853f50eb7..7bc21f184f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/settings.json index 66190b15e9..4b9ef1bb53 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/settings.json index f08c5923b0..5b45219916 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/settings.json index c592a86cab..a89fd6923c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/settings.json index 2923dc7038..2e66e44c69 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, @@ -13,6 +16,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" }, @@ -23,6 +29,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, 
@@ -31,6 +40,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" }, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/settings.json index 8851545142..b01c36ed5d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/settings.json index d3a3c44787..d101037f68 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
@@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/settings.json index ea7bf4e312..e6117602b1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/settings.json index 1c86cfd292..bc1a6d1b7f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
@@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/settings.json index 9113736e64..99867d0c33 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/settings.json index 13e3014ede..25310db748 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
@@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/settings.json index 81fb935ab5..2ecb0e308d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/settings.json index d7181b6d6d..85b689c6d5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
@@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/settings.json index 854402cc59..8812b2ccd2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/settings.json index 5b10130496..db1d9e82e6 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/settings.json 
@@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/settings.json index e65c087644..052b0d3143 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/settings.json index d9683c421c..68a260efb4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/settings.json 
@@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/settings.json index bc61bbaa65..e5bc5b667d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/settings.json index e2fa434298..905ce1cdc7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/settings.json 
@@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json index 750c8444e2..942c440c54 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/settings.json index 14d53ad6c0..ce6301407a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/settings.json 
@@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/settings.json index 0c1c8f9933..9ad80f0947 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, @@ -16,6 +19,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" }, @@ -29,6 +35,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, @@ -40,6 +49,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" }, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/settings.json index 1b08179b72..d2f13930e3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/settings.json 
@@ -5,11 +5,17 @@ "graph": { "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, @@ -20,11 +26,17 @@ }, "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/settings.json index cacdc9cd53..404582571b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionWindows10/settings.json index 861f452495..c0b019f8fb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionWindows10/settings.json 
@@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyLinux/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyLinux/settings.json index 84a108a641..33f7eaeed0 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyLinux/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyLinux/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyMacOS/settings.json index e948d6df87..73dac608fe 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyMacOS/settings.json 
@@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/settings.json index 204badf15c..252f77a1aa 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/settings.json index babe2f5775..a859ae39a8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/settings.json 
@@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneFirewallPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneFirewallPolicyWindows10/settings.json index 74e36b3081..293b222bff 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneFirewallPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneFirewallPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } ], "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,11 +23,17 @@ }, "application": { "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } ], "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.schema.mof index ce7f2b865f..ec3e29882d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.schema.mof 
@@ -57,12 +57,12 @@ class MSFT_IntuneMobileAppsMacOSLobApp : OMI_BaseResource
 [Write, Description("The owner of the app. Inherited from mobileApp.")] String Owner;
 [Write, Description("The privacy statement Url. Inherited from mobileApp.")] String PrivacyInformationUrl;
 [Write, Description("The publisher of the app. Inherited from mobileApp.")] String Publisher;
- [Write, Description("The publishing state for the app. The app cannot be assigned unless the app is published. Inherited from mobileApp."), ValueMap{"notPublished", "processing","published"}, Values{"notPublished", "processing", "published"}] String PublishingState;
 [Write, Description("The bundleId of the app.")] String BundleId;
 [Write, Description("The build number of the app.")] String BuildNumber;
 [Write, Description("The version number of the app.")] String VersionNumber;
 [Write, Description("List of Scope Tag IDs for mobile app.")] String RoleScopeTagIds[];
 [Write, Description("Whether to ignore the version of the app or not.")] Boolean IgnoreVersionDetection;
+ [Write, Description("Install the app as managed. Requires macOS 11.0.")] Boolean InstallAsManaged;
 [Write, Description("The icon for this app."), EmbeddedInstance("MSFT_DeviceManagementMimeContent")] String LargeIcon;
 [Write, Description("The minimum supported operating system to install the app."), EmbeddedInstance("MSFT_DeviceManagementMinimumOperatingSystem")] String MinimumSupportedOperatingSystem;
 [Write, Description("The list of categories for this app."), EmbeddedInstance("MSFT_DeviceManagementMobileAppCategory")] String Categories[];
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/settings.json
index 3e70ad560b..38c9bf4cd7 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/settings.json
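Review bot: Removing PublishingState from the schema is a breaking change for every existing configuration that declares it, and the hunk offers no replacement or deprecation path; the class definition starts and ends outside the hunk. If the property was dropped because the service treats it as read-only, consider keeping it for one release as an ignored property that the resource warns about, and make sure the changelog calls out the removal for IntuneMobileAppsMacOSLobApp rather than only the new property. The new InstallAsManaged description should also say what the resource does when the property is omitted, since a Boolean that is simply absent from a configuration is the common case for existing users.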
@@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json index a9bd04b5fa..16e9c3c07d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/settings.json index d554d6a3d1..4439bab90a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/settings.json 
@@ -5,22 +5,38 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
-
+ {
+ "name": "Group.Read.All"
+ },
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
 ]
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
-
+ {
+ "name": "Group.Read.All"
+ },
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
 ]
 }
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/settings.json
index d0b58f2960..3e0874d1bf 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/settings.json
@@ -5,11 +5,17 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementRBAC.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementRBAC.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementRBAC.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementRBAC.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json
index 4bda1f09ca..0906af650b 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json
@@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json index 67b62b373e..25e6e71739 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json @@ -5,11 +5,17 @@ "graph": { "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/settings.json index b13be8da58..8545fd14cb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/settings.json 
@@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/settings.json index dcbdf86350..c29e518ded 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/settings.json index 29a31d1028..d97cec5ff2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/settings.json 
@@ -5,11 +5,17 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/settings.json
index 18c0618cda..73fbade06c 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/settings.json
@@ -5,11 +5,17 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/settings.json
index 4267d74c45..3418a6b113 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/settings.json
@@ -5,11 +5,17 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/settings.json
index 74ae1c2be6..d9b467444e 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/settings.json
@@ -5,11 +5,17 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/settings.json
index 9b9968c82c..5584392a17 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/settings.json
@@ -5,11 +5,17 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/settings.json
index e229470448..f4bc5e9e20 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/settings.json
@@ -5,11 +5,17 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/settings.json
index e2103fd3aa..f83e95e9c8 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/settings.json
@@ -5,11 +5,17 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/settings.json
index c7365f3655..2ba6389c60 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/settings.json
@@ -5,11 +5,17 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/settings.json
index 47581b03eb..c742e7a27c 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/settings.json
@@ -5,11 +5,17 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementServiceConfig.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementServiceConfig.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementServiceConfig.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementServiceConfig.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/settings.json
index 4139c67ca6..b6286b0fe9 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/settings.json
@@ -5,11 +5,17 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementServiceConfig.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementServiceConfig.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementServiceConfig.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementServiceConfig.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/settings.json
index 6becde2ab8..46a9440921 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/settings.json
@@ -5,11 +5,17 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementApps.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementApps.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementApps.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementApps.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/settings.json
index ceffeec248..57c4bcc23a 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/settings.json
@@ -5,11 +5,17 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/settings.json
index ba73714015..40740285ca 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/settings.json
@@ -5,11 +5,17 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10/settings.json
index 26b6907b55..836f8affe2 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10/settings.json
@@ -5,11 +5,17 @@
 "graph":{
 "delegated":{
 "read":[
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name":"DeviceManagementConfiguration.Read.All"
 }
 ],
 "update":[
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name":"DeviceManagementConfiguration.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application":{
 "read":[
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name":"DeviceManagementConfiguration.Read.All"
 }
 ],
 "update":[
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name":"DeviceManagementConfiguration.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/settings.json
index 918161498c..5eeb656602 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/settings.json
@@ -5,11 +5,17 @@
 "graph": {
 "delegated": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
@@ -17,11 +23,17 @@
 },
 "application": {
 "read": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.Read.All"
 }
 ],
 "update": [
+ {
+ "name": "Group.Read.All"
+ },
 {
 "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1
index 21414fb375..b52a11dd1a 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1
@@ -106,6 +106,26 @@ function Get-TargetResource
 [System.String]
 $TenantDefaultTimezone,
 
+ [Parameter()]
+ [System.Boolean]
+ $ExemptNativeUsersFromTenantLevelRestricedAccessControl,
+
+ [Parameter()]
+ [System.String[]]
+ $AllowSelectSGsInODBListInTenant,
+
+ [Parameter()]
+ [System.String[]]
+ $DenySelectSGsInODBListInTenant,
+
+ [Parameter()]
+ [System.String[]]
+ $DenySelectSecurityGroupsInSPSitesList,
+
+ [Parameter()]
+ [System.String[]]
+ $AllowSelectSecurityGroupsInSPSitesList,
+
 [Parameter()]
 [ValidateSet('Present', 'Absent')]
 [System.String]
@@ -184,41 +204,56 @@ function Get-TargetResource
 $MaxCompat = $CompatibilityRange[1]
 }
 
+ # Additional Properties via REST
+ $parametersToRetrieve = @('ExemptNativeUsersFromTenantLevelRestricedAccessControl',
+ 'AllowSelectSGsInODBListInTenant',
+ 'DenySelectSGsInODBListInTenant',
+ 'DenySelectSecurityGroupsInSPSitesList',
+ 'AllowSelectSecurityGroupsInSPSitesList')
+
+ $response = Invoke-PnPSPRestMethod -Method Get `
+ -Url "$($Global:MSCloudLoginConnectionProfile.PnP.AdminUrl)/_api/SPO.Tenant?`$select=$($parametersToRetrieve -join ',')"
+
+
 return @{
- IsSingleInstance = 'Yes'
- MinCompatibilityLevel = $MinCompat
- MaxCompatibilityLevel = $MaxCompat
- SearchResolveExactEmailOrUPN = $SPOTenantSettings.SearchResolveExactEmailOrUPN
- OfficeClientADALDisabled = $SPOTenantSettings.OfficeClientADALDisabled
- LegacyAuthProtocolsEnabled = $SPOTenantSettings.LegacyAuthProtocolsEnabled
- SignInAccelerationDomain = $SPOTenantSettings.SignInAccelerationDomain
- UsePersistentCookiesForExplorerView = $SPOTenantSettings.UsePersistentCookiesForExplorerView
- #UserVoiceForFeedbackEnabled = $SPOTenantSettings.UserVoiceForFeedbackEnabled
- PublicCdnEnabled = $SPOTenantSettings.PublicCdnEnabled
- PublicCdnAllowedFileTypes = $SPOTenantSettings.PublicCdnAllowedFileTypes
- UseFindPeopleInPeoplePicker = $SPOTenantSettings.UseFindPeopleInPeoplePicker
- NotificationsInSharePointEnabled = $SPOTenantSettings.NotificationsInSharePointEnabled
- OwnerAnonymousNotification = $SPOTenantSettings.OwnerAnonymousNotification
- ApplyAppEnforcedRestrictionsToAdHocRecipients = $SPOTenantSettings.ApplyAppEnforcedRestrictionsToAdHocRecipients
- FilePickerExternalImageSearchEnabled = $SPOTenantSettings.FilePickerExternalImageSearchEnabled
- HideDefaultThemes = $SPOTenantSettings.HideDefaultThemes
- HideSyncButtonOnTeamSite = $SPOTenantSettings.HideSyncButtonOnTeamSite
- MarkNewFilesSensitiveByDefault = $SPOTenantSettings.MarkNewFilesSensitiveByDefault
- DisabledWebPartIds = [String[]]$SPOTenantSettings.DisabledWebPartIds
- SocialBarOnSitePagesDisabled = $SPOTenantSettings.SocialBarOnSitePagesDisabled
- CommentsOnSitePagesDisabled = $SPOTenantSettings.CommentsOnSitePagesDisabled
- EnableAIPIntegration = $SPOTenantSettings.EnableAIPIntegration
- TenantDefaultTimezone = $SPOTenantGraphSettings.TenantDefaultTimeZone
- Credential = $Credential
- ApplicationId = $ApplicationId
- TenantId = $TenantId
- ApplicationSecret = $ApplicationSecret
- CertificatePassword = $CertificatePassword
- CertificatePath = $CertificatePath
- CertificateThumbprint = $CertificateThumbprint
- Managedidentity = $ManagedIdentity.IsPresent
- Ensure = 'Present'
- AccessTokens = $AccessTokens
+ IsSingleInstance = 'Yes'
+ ExemptNativeUsersFromTenantLevelRestricedAccessControl = $response.ExemptNativeUsersFromTenantLevelRestricedAccessControl
+ AllowSelectSGsInODBListInTenant = $response.AllowSelectSGsInODBListInTenant
+ DenySelectSGsInODBListInTenant = $response.DenySelectSGsInODBListInTenant
+ DenySelectSecurityGroupsInSPSitesList = $response.DenySelectSecurityGroupsInSPSitesList
+ AllowSelectSecurityGroupsInSPSitesList = $response.AllowSelectSecurityGroupsInSPSitesList
+ MinCompatibilityLevel = $MinCompat
+ MaxCompatibilityLevel = $MaxCompat
+ SearchResolveExactEmailOrUPN = $SPOTenantSettings.SearchResolveExactEmailOrUPN
+ OfficeClientADALDisabled = $SPOTenantSettings.OfficeClientADALDisabled
+ LegacyAuthProtocolsEnabled = $SPOTenantSettings.LegacyAuthProtocolsEnabled
+ SignInAccelerationDomain = $SPOTenantSettings.SignInAccelerationDomain
+ UsePersistentCookiesForExplorerView = $SPOTenantSettings.UsePersistentCookiesForExplorerView
+ PublicCdnEnabled = $SPOTenantSettings.PublicCdnEnabled
+ PublicCdnAllowedFileTypes = $SPOTenantSettings.PublicCdnAllowedFileTypes
+ UseFindPeopleInPeoplePicker = $SPOTenantSettings.UseFindPeopleInPeoplePicker
+ NotificationsInSharePointEnabled = $SPOTenantSettings.NotificationsInSharePointEnabled
+ OwnerAnonymousNotification = $SPOTenantSettings.OwnerAnonymousNotification
+ ApplyAppEnforcedRestrictionsToAdHocRecipients = $SPOTenantSettings.ApplyAppEnforcedRestrictionsToAdHocRecipients
+ FilePickerExternalImageSearchEnabled = $SPOTenantSettings.FilePickerExternalImageSearchEnabled
+ HideDefaultThemes = $SPOTenantSettings.HideDefaultThemes
+ HideSyncButtonOnTeamSite = $SPOTenantSettings.HideSyncButtonOnTeamSite
+ MarkNewFilesSensitiveByDefault = $SPOTenantSettings.MarkNewFilesSensitiveByDefault
+ DisabledWebPartIds = [String[]]$SPOTenantSettings.DisabledWebPartIds
+ SocialBarOnSitePagesDisabled = $SPOTenantSettings.SocialBarOnSitePagesDisabled
+ CommentsOnSitePagesDisabled = $SPOTenantSettings.CommentsOnSitePagesDisabled
+ EnableAIPIntegration = $SPOTenantSettings.EnableAIPIntegration
+ TenantDefaultTimezone = $SPOTenantGraphSettings.TenantDefaultTimeZone
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificatePassword = $CertificatePassword
+ CertificatePath = $CertificatePath
+ CertificateThumbprint = $CertificateThumbprint
+ Managedidentity = $ManagedIdentity.IsPresent
+ Ensure = 'Present'
+ AccessTokens = $AccessTokens
 }
 }
 catch
@@ -341,6 +376,26 @@ function Set-TargetResource
 [System.String]
 $TenantDefaultTimezone,
 
+ [Parameter()]
+ [System.Boolean]
+ $ExemptNativeUsersFromTenantLevelRestricedAccessControl,
+
+ [Parameter()]
+ [System.String[]]
+ $AllowSelectSGsInODBListInTenant,
+
+ [Parameter()]
+ [System.String[]]
+ $DenySelectSGsInODBListInTenant,
+
+ [Parameter()]
+ [System.String[]]
+ $DenySelectSecurityGroupsInSPSitesList,
+
+ [Parameter()]
+ [System.String[]]
+ $AllowSelectSecurityGroupsInSPSitesList,
+
 [Parameter()]
 [ValidateSet('Present', 'Absent')]
 [System.String]
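Review bot: The new Invoke-PnPSPRestMethod GET in Get-TargetResource has no handling for tenants where the access-restriction properties are unavailable, while the PATCH added to Set-TargetResource in the same commit explicitly tolerates the "experimental feature" error; a failing GET here lands in the function's enclosing catch (outside this hunk), so every Get for such a tenant would fail instead of returning the existing settings with the five new keys left unset. Wrapping only the GET in its own try/catch, matching the same message the Set side checks and leaving `$response` at $null, keeps the rest of the hashtable usable; the five `$response.*` lookups then simply evaluate to $null. Whether the GET surfaces the identical message is an assumption worth verifying against a tenant without the feature.
```powershell
# … unchanged: $parametersToRetrieve …
$response = $null
try
{
    $response = Invoke-PnPSPRestMethod -Method Get `
        -Url "$($Global:MSCloudLoginConnectionProfile.PnP.AdminUrl)/_api/SPO.Tenant?`$select=$($parametersToRetrieve -join ',')"
}
catch
{
    if ($_.Exception.Message.Contains("The requested operation is part of an experimental feature that is not supported in the current environment."))
    {
        Write-Verbose -Message "Retrieving via REST: The associated feature is not available in the given tenant."
    }
    else
    {
        throw
    }
}
# … unchanged: return @{ … } …
```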
@@ -416,6 +471,11 @@ function Set-TargetResource
 $CurrentParameters.Remove('ManagedIdentity') | Out-Null
 $CurrentParameters.Remove('ApplicationSecret') | Out-Null
 $CurrentParameters.Remove('AccessTokens') | Out-Null
+ $CurrentParameters.Remove('ExemptNativeUsersFromTenantLevelRestricedAccessControl') | Out-Null
+ $CurrentParameters.Remove('AllowSelectSGsInODBListInTenant') | Out-Null
+ $CurrentParameters.Remove('DenySelectSGsInODBListInTenant') | Out-Null
+ $CurrentParameters.Remove('DenySelectSecurityGroupsInSPSitesList') | Out-Null
+ $CurrentParameters.Remove('AllowSelectSecurityGroupsInSPSitesList') | Out-Null
 $CurrentParameters.Remove('TenantDefaultTimezone') | Out-Null # this one is updated separately using Graph
 if ($CurrentParameters.Keys.Contains('UserVoiceForFeedbackEnabled'))
@@ -435,6 +495,62 @@ function Set-TargetResource
 {
 $tenantGraph = Update-MgAdminSharepointSetting -TenantDefaultTimezone $TenantDefaultTimezone -ErrorAction Stop
 }
+
+ # Updating via REST
+ try
+ {
+ $paramsToUpdate = @{}
+ $needToUpdate = $false
+
+ if ($null -ne $ExemptNativeUsersFromTenantLevelRestricedAccessControl)
+ {
+ $needToUpdate = $true
+ $paramsToUpdate.Add("ExemptNativeUsersFromTenantLevelRestricedAccessControl", $ExemptNativeUsersFromTenantLevelRestricedAccessControl)
+ }
+
+ if ($null -ne $AllowSelectSGsInODBListInTenant)
+ {
+ $needToUpdate = $true
+ $paramsToUpdate.Add("AllowSelectSGsInODBListInTenant", $AllowSelectSGsInODBListInTenant)
+ }
+
+ if ($null -ne $DenySelectSGsInODBListInTenant)
+ {
+ $needToUpdate = $true
+ $paramsToUpdate.Add("DenySelectSGsInODBListInTenant", $DenySelectSGsInODBListInTenant)
+ }
+
+ if ($null -ne $DenySelectSecurityGroupsInSPSitesList)
+ {
+ $needToUpdate = $true
+ $paramsToUpdate.Add("DenySelectSecurityGroupsInSPSitesList", $DenySelectSecurityGroupsInSPSitesList)
+ }
+
+ if ($null -ne $AllowSelectSecurityGroupsInSPSitesList)
+ {
+ $needToUpdate = $true
+ $paramsToUpdate.Add("AllowSelectSecurityGroupsInSPSitesList", $AllowSelectSecurityGroupsInSPSitesList)
+ }
+
+ if ($needToUpdate)
+ {
+ Write-Verbose -Message "Updating properties via REST PATCH call."
+ Invoke-PnPSPRestMethod -Method PATCH `
+ -Url "$($Global:MSCloudLoginConnectionProfile.PnP.AdminUrl)/_api/SPO.Tenant" `
+ -Content $paramsToUpdate
+ }
+ }
+ catch
+ {
+ if ($_.Exception.Message.Contains("The requested operation is part of an experimental feature that is not supported in the current environment."))
+ {
+ Write-Verbose -Message "Updating via REST: The associated feature is not available in the given tenant."
+ }
+ else
+ {
+ throw $_
+ }
+ }
 }
 
 function Test-TargetResource
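Review bot: `if ($null -ne $ExemptNativeUsersFromTenantLevelRestricedAccessControl)` is always true, because an unsupplied [System.Boolean] parameter is $false rather than $null, so every Set-TargetResource run that reaches this block sets $needToUpdate and PATCHes that property to $false even when the configuration never mentions it; an admin who enabled the exemption out of band would have it silently cleared on the next apply. Test for presence instead: `if ($PSBoundParameters.ContainsKey('ExemptNativeUsersFromTenantLevelRestricedAccessControl'))`, and the same presence test is the safer guard for the four String[] parameters as well, since they are likewise unset when absent. Separately, `throw $_` in the catch can be a bare `throw` to keep the original error record, and matching the failure by message substring is brittle — if the REST error carries a code or HResult, checking that would be more robust. Set-TargetResource begins outside this hunk.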
@@ -541,6 +657,26 @@ function Test-TargetResource
 [System.String]
 $TenantDefaultTimezone,
 
+ [Parameter()]
+ [System.Boolean]
+ $ExemptNativeUsersFromTenantLevelRestricedAccessControl,
+
+ [Parameter()]
+ [System.String[]]
+ $AllowSelectSGsInODBListInTenant,
+
+ [Parameter()]
+ [System.String[]]
+ $DenySelectSGsInODBListInTenant,
+
+ [Parameter()]
+ [System.String[]]
+ $DenySelectSecurityGroupsInSPSitesList,
+
+ [Parameter()]
+ [System.String[]]
+ $AllowSelectSecurityGroupsInSPSitesList,
+
 [Parameter()]
 [ValidateSet('Present', 'Absent')]
 [System.String]
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof
index 45d9efdd69..9f9fca89d5 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof
@@ -24,6 +24,11 @@ class MSFT_SPOTenantSettings : OMI_BaseResource
 [Write, Description("Disables or enables the Social Bar. It will give users the ability to like a page, see the number of views, likes, and comments on a page, and see the people who have liked a page.")] boolean SocialBarOnSitePagesDisabled;
 [Write, Description("Set to false to enable a comment section on all site pages, users who have access to the pages can leave comments. Set to true to disable this feature.")] boolean CommentsOnSitePagesDisabled;
 [Write, Description("Boolean indicating if Azure Information Protection (AIP) should be enabled on the tenant.")] boolean EnableAIPIntegration;
+ [Write, Description("Determines whether or not we need to include external participants in shared channels for SharePoint access restriction.")] Boolean ExemptNativeUsersFromTenantLevelRestricedAccessControl;
+ [Write, Description("List of security groups to include in OneDrive access restrictions")] String AllowSelectSGsInODBListInTenant[];
+ [Write, Description("List of security groups to exclude in OneDrive access restrictions")] String DenySelectSGsInODBListInTenant[];
+ [Write, Description("List of security groups to exclude in SharePoint access restrictions")] String DenySelectSecurityGroupsInSPSitesList[];
+ [Write, Description("List of security groups to include in SharePoint access restrictions.")] String AllowSelectSecurityGroupsInSPSitesList[];
 [Write, Description("The default timezone of a tenant for newly created sites.")] String TenantDefaultTimezone;
 [Write, Description("Only accepted value is 'Present'."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
 [Write, Description("Credentials of the account to authenticate with."), EmbeddedInstance("MSFT_Credential")] string Credential;
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.psm1
new file mode 100644
index 0000000000..77911ab204
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.psm1
@@ -0,0 +1,1389 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $ProductFilter, + + [Parameter()] + [System.Boolean] + $Enabled, + + [Parameter()] + [System.String] + $Severity, + + [Parameter()] + [System.String[]] + $Tactics, + + [Parameter()] + [System.String[]] + $Techniques, + + [Parameter()] + [System.String[]] + $SubTechniques, + + [Parameter()] + [System.String] + $Query, + + [Parameter()] + [System.String] + $QueryFrequency, + + [Parameter()] + [System.String] + $QueryPeriod, + + [Parameter()] + [System.String] + $TriggerOperator, + + [Parameter()] + [System.UInt32] + $TriggerThreshold, + + [Parameter()] + [System.String] + $SuppressionDuration, + + [Parameter()] + [System.String] + $SuppressionEnabled, + + [Parameter()] + [System.String] + $AlertRuleTemplateName, + + [Parameter()] + [System.String[]] + $DisplayNamesExcludeFilter, + + [Parameter()] + [System.String[]] + $DisplayNamesFilter, + + [Parameter()] + [System.String[]] + $SeveritiesFilter, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EventGroupingSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomDetails, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $EntityMappings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AlertDetailsOverride, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $IncidentConfiguration, + + [Parameter()] + [System.String] + $Kind, + + [Parameter()] + 
[ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ([System.String]::IsNullOrEmpty($TenantId) -and -not $null -eq $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = Get-M365DSCSentinelAlertRule -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Id $Id + } + if ($null -eq $instance) + { + $instances = Get-M365DSCSentinelAlertRule -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId + $instance = $instances | Where-Object -FilterScript {$_.properties.displayName -eq $DisplayName} + } + if ($null -eq $instance) + { + return $nullResult + } + + # EventGroupingSettings + $EventGroupingValueSettingsValue = $null + if ($null -ne $instance.properties.eventGroupingSettings) + { + $EventGroupingValueSettingsValue = @{ + aggregationKind = 
$instance.properties.eventGroupingSettings.aggregationKind + } + } + + # CustomDetails + $CustomDetailsValue = @() + if ($null -ne $instance.properties.customDetails) + { + $detailAsHash = @{} + $instance.properties.customDetails.psobject.properties | foreach { $detailAsHash[$_.Name] = $_.Value } + foreach ($key in $detailAsHash.Keys) + { + $CustomDetailsValue += @{ + DetailKey = $key + DetailValue = $detailAsHash.$key + } + } + } + + #EntityMappings + $EntityMappingsValue = @() + if ($null -ne $instance.properties.entityMappings) + { + foreach ($mapping in $instance.properties.entityMappings) + { + $entity = @{ + entityType = $mapping.entityType + fieldMappings = @() + } + + foreach ($fieldMapping in $mapping.fieldMappings) + { + $entity.fieldMappings += @{ + identifier = $fieldMapping.identifier + columnName = $fieldMapping.columnName + } + } + + $EntityMappingsValue += $entity + } + } + + #AlertDetailsOverride + if ($null -ne $instance.properties.alertDetailsOverride) + { + $info = $instance.properties.alertDetailsOverride + $AlertDetailsOverrideValue = @{ + alertDisplayNameFormat = $info.alertDisplayNameFormat + alertDescriptionFormat = $info.alertDescriptionFormat + alertDynamicProperties = @() + } + + foreach ($propertyEntry in $info.alertDynamicProperties) + { + $AlertDetailsOverrideValue.alertDynamicProperties += @{ + alertProperty = $propertyEntry.alertProperty + alertPropertyValue = $propertyEntry.value + } + } + } + + #IncidentConfiguration + if ($null -ne $instance.properties.incidentConfiguration) + { + $info = $instance.properties.incidentConfiguration + $IncidentConfigurationValue = @{ + createIncident = [Boolean]::Parse($info.createIncident.ToString()) + groupingConfiguration = @{ + enabled = $info.groupingConfiguration.enabled + reopenClosedIncident = $info.groupingConfiguration.reopenClosedIncident + lookbackDuration = $info.groupingConfiguration.lookbackDuration + matchingMethod = $info.groupingConfiguration.matchingMethod + groupByEntities = 
$info.groupingConfiguration.groupByEntities + groupByAlertDetails = $info.groupingConfiguration.groupByAlertDetails + groupByCustomDetails = $info.groupingConfiguration.groupByCustomDetails + } + } + } + + $results = @{ + ProductFilter = $instance.properties.ProductFilter + Enabled = $instance.properties.Enabled + Severity = $instance.properties.Severity + Tactics = $instance.properties.Tactics + Techniques = $instance.properties.Techniques + SubTechniques = $instance.properties.SubTechniques + Query = $instance.properties.Query + QueryFrequency = $instance.properties.QueryFrequency + QueryPeriod = $instance.properties.QueryPeriod + TriggerOperator = $instance.properties.TriggerOperator + TriggerThreshold = $instance.properties.TriggerThreshold + SuppressionDuration = $instance.properties.SuppressionDuration + SuppressionEnabled = $instance.properties.SuppressionEnabled + AlertRuleTemplateName = $instance.properties.AlertRuleTemplateName + DisplayNamesExcludeFilter = $instance.properties.DisplayNamesExcludeFilter + DisplayNamesFilter = $instance.properties.DisplayNamesFilter + SeveritiesFilter = $instance.properties.SeveritiesFilter + DisplayName = $instance.properties.displayName + EventGroupingSettings = $EventGroupingValueSettingsValue + CustomDetails = $CustomDetailsValue + EntityMappings = $EntityMappingsValue + AlertDetailsOverride = $AlertDetailsOverrideValue + IncidentConfiguration = $IncidentConfigurationValue + SubscriptionId = $SubscriptionId + ResourceGroupName = $ResourceGroupName + WorkspaceName = $WorkspaceName + Id = $instance.name + Kind = $instance.kind + Description = $instance.properties.description + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry 
-Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $ProductFilter, + + [Parameter()] + [System.Boolean] + $Enabled, + + [Parameter()] + [System.String] + $Severity, + + [Parameter()] + [System.String[]] + $Tactics, + + [Parameter()] + [System.String[]] + $Techniques, + + [Parameter()] + [System.String[]] + $SubTechniques, + + [Parameter()] + [System.String] + $Query, + + [Parameter()] + [System.String] + $QueryFrequency, + + [Parameter()] + [System.String] + $QueryPeriod, + + [Parameter()] + [System.String] + $TriggerOperator, + + [Parameter()] + [System.UInt32] + $TriggerThreshold, + + [Parameter()] + [System.String] + $SuppressionDuration, + + [Parameter()] + [System.String] + $SuppressionEnabled, + + [Parameter()] + [System.String] + $AlertRuleTemplateName, + + [Parameter()] + [System.String[]] + $DisplayNamesExcludeFilter, + + [Parameter()] + [System.String[]] + $DisplayNamesFilter, + + [Parameter()] + [System.String[]] + $SeveritiesFilter, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EventGroupingSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomDetails, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $EntityMappings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AlertDetailsOverride, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance] + $IncidentConfiguration, + + [Parameter()] + [System.String] + $Kind, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + if ([System.String]::IsNullOrEmpty($TenantId) -and -not $null -eq $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + + $instance = @{} + if ($Kind -eq 'Fusion') + { + $instance = @{ + kind = $Kind + properties = @{ + alertRuleTemplateName = $AlertRuleTemplateName + enabled = $Enabled + } + } + } + elseif ($Kind -eq 'MicrosoftSecurityIncidentCreation') + { + $instance = @{ + kind = $Kind + properties = @{ + displayName = $DisplayName + description = $Description + productFilter = $ProductFilter + displayNamesExcludeFilter = $DisplayNamesExcludeFilter + displayNamesFilter = $DisplayNamesFilter + enabled = $Enabled + severitiesFilter = $AlertSeverity + } + } + } + elseif ($Kind -eq 'Scheduled') + { + $instance = @{ + kind = $Kind + properties = @{ + displayName = $DisplayName + enabled = $Enabled + description = $Description + query = $Query + queryFrequency = $QueryFrequency + queryPeriod = 
$QueryPeriod + severity = $Severity + suppressionDuration = $SuppressionDuration + suppressionEnabled = $SuppressionEnabled + triggerOperator = $TriggerOperator + triggerThreshold = $TriggerThreshold + eventGroupingSettings = @{ + aggregationKind = $EventGroupingSettings.aggregationKind + } + customDetails = @{} + alertDetailsOverride = @{ + alertDisplayNameFormat = $AlertDetailsOverride.alertDisplayNameFormat + alertDescriptionFormat = $AlertDetailsOverride.alertDescriptionFormat + alertDynamicProperties = @() + } + entityMappings = @() + incidentConfiguration = @{ + createIncident = $IncidentConfiguration.createIncident + groupingConfiguration = @{ + enabled = $IncidentConfiguration.groupingConfiguration.enabled + reopenClosedIncident = $IncidentConfiguration.groupingConfiguration.reopenClosedIncident + lookbackDuration = $IncidentConfiguration.groupingConfiguration.lookbackDuration + matchingMethod = $IncidentConfiguration.groupingConfiguration.matchingMethod + groupByEntities = $IncidentConfiguration.groupingConfiguration.groupByEntities + groupByAlertDetails = $IncidentConfiguration.groupingConfiguration.groupByAlertDetails + groupByCustomDetails = $IncidentConfiguration.groupingConfiguration.groupByCustomDetails + } + } + productFilter = $ProductFilter + displayNamesExcludeFilter = $DisplayNamesExcludeFilter + displayNamesFilter = $DisplayNamesFilter + severitiesFilter = $AlertSeverity + } + } + + foreach ($entity in $EntityMappings) + { + $entry = @{ + entityType = $entity.entityType + fieldMappings = @() + } + + foreach ($field in $entity.fieldMappings) + { + $entry.fieldMappings += @{ + identifier = $field.identifier + columnName = $field.columnName + } + } + + $instance.properties.entityMappings += $entry + } + + foreach ($detail in $CustomDetails) + { + $instance.properties.customDetails.Add($detail.DetailKey, $detail.DetailValue) + } + + foreach ($dynamicProp in $AlertDetailsOverride.alertDynamicProperties) + { + 
$instance.properties.alertDetailsOverride.alertDynamicProperties += @{ + alertProperty = $dynamicProp.alertProperty + value = $dynamicProp.alertPropertyValue + } + } + } + elseif ($Kind -eq 'NRT') + { + $instance = @{ + kind = $Kind + properties = @{ + displayName = $DisplayName + enabled = $Enabled + description = $Description + query = $Query + severity = $Severity + suppressionDuration = $SuppressionDuration + suppressionEnabled = $SuppressionEnabled + eventGroupingSettings = @{ + aggregationKind = $EventGroupingSettings.aggregationKind + } + alertDetailsOverride = @{ + alertDisplayNameFormat = $AlertDetailsOverride.alertDisplayNameFormat + alertDescriptionFormat = $AlertDetailsOverride.alertDescriptionFormat + alertDynamicProperties = @() + } + entityMappings = @() + customDetails = @{} + incidentConfiguration = @{ + createIncident = $IncidentConfiguration.createIncident + groupingConfiguration = @{ + enabled = $IncidentConfiguration.groupingConfiguration.enabled + reopenClosedIncident = $IncidentConfiguration.groupingConfiguration.reopenClosedIncident + lookbackDuration = $IncidentConfiguration.groupingConfiguration.lookbackDuration + matchingMethod = $IncidentConfiguration.groupingConfiguration.matchingMethod + groupByEntities = $IncidentConfiguration.groupingConfiguration.groupByEntities + groupByAlertDetails = $IncidentConfiguration.groupingConfiguration.groupByAlertDetails + groupByCustomDetails = $IncidentConfiguration.groupingConfiguration.groupByCustomDetails + } + } + techniques = $Techniques + subTechniques = $SubTechniques + tactics = $Tactics + } + } + + if ($null -eq $EntityMappings -or $EntityMappings.Length -eq 0) + { + $instance.properties.Remove('entityMappings') | Out-Null + } + else + { + foreach ($entity in $EntityMappings) + { + $entry = @{ + entityType = $entity.entityType + fieldMappings = @() + } + + foreach ($field in $entity.fieldMappings) + { + $entry.fieldMappings += @{ + identifier = $field.identifier + columnName = 
$field.columnName + } + } + + $instance.properties.entityMappings += $entry + } + } + + foreach ($detail in $CustomDetails) + { + $instance.properties.customDetails.Add($detail.DetailKey, $detail.DetailValue) + } + + foreach ($dynamicProp in $AlertDetailsOverride.alertDynamicProperties) + { + $instance.properties.alertDetailsOverride.alertDynamicProperties += @{ + alertProperty = $dynamicProp.alertProperty + value = $dynamicProp.alertPropertyValue + } + } + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new Alert Rule {$DisplayName}" + New-M365DSCSentinelAlertRule -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Body $instance + } + # UPDATE + elseif($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating Alert Rule {$DisplayName}" + New-M365DSCSentinelAlertRule -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Body $instance ` + -Id $currentInstance.Id + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing Alert Rule {$DisplayName}" + Remove-M365DSCSentinelAlertRule -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Id $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + 
$Description, + + [Parameter()] + [System.String] + $ProductFilter, + + [Parameter()] + [System.Boolean] + $Enabled, + + [Parameter()] + [System.String] + $Severity, + + [Parameter()] + [System.String[]] + $Tactics, + + [Parameter()] + [System.String[]] + $Techniques, + + [Parameter()] + [System.String[]] + $SubTechniques, + + [Parameter()] + [System.String] + $Query, + + [Parameter()] + [System.String] + $QueryFrequency, + + [Parameter()] + [System.String] + $QueryPeriod, + + [Parameter()] + [System.String] + $TriggerOperator, + + [Parameter()] + [System.UInt32] + $TriggerThreshold, + + [Parameter()] + [System.String] + $SuppressionDuration, + + [Parameter()] + [System.String] + $SuppressionEnabled, + + [Parameter()] + [System.String] + $AlertRuleTemplateName, + + [Parameter()] + [System.String[]] + $DisplayNamesExcludeFilter, + + [Parameter()] + [System.String[]] + $DisplayNamesFilter, + + [Parameter()] + [System.String[]] + $SeveritiesFilter, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EventGroupingSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomDetails, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $EntityMappings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AlertDetailsOverride, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $IncidentConfiguration, + + [Parameter()] + [System.String] + $Kind, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection 
-Workload 'Azure' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + $workspaces = Get-AzResource -ResourceType 'Microsoft.OperationalInsights/workspaces' + $Script:exportedInstances = @() + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + if ([System.String]::IsNullOrEmpty($TenantId) -and $null -ne $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + foreach ($workspace in $workspaces) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + Write-Host " |---[$i/$($workspaces.Length)] $($workspace.Name)" -NoNewline + $subscriptionId = $workspace.ResourceId.Split('/')[2] + $resourceGroupName = $workspace.ResourceGroupName + $workspaceName = $workspace.Name + + $rules = Get-M365DSCSentinelAlertRule -SubscriptionId $subscriptionId ` + -ResourceGroupName $resourceGroupName ` + -WorkspaceName $workspaceName ` + -TenantId $TenantId + + $j = 1 + if ($currentWatchLists.Length -eq 0 ) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + foreach ($rule in $rules) + { + $displayedKey = $rule.properties.DisplayName + Write-Host " |---[$j/$($rules.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $rule.properties.displayName + Id = $rule.name + SubscriptionId = $subscriptionId + ResourceGroupName = $resourceGroupName + WorkspaceName = 
$workspaceName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ( $null -ne $Results.EventGroupingSettings) + { + $complexMapping = @( + @{ + Name = 'EventGroupingSettings' + CimInstanceName = 'SentinelAlertRuleEventGroupingSettings' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.EventGroupingSettings ` + -CIMInstanceName 'SentinelAlertRuleEventGroupingSettings' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.EventGroupingSettings = $complexTypeStringResult + } + else + { + $Results.Remove('EventGroupingSettings') | Out-Null + } + } + + if ($null -ne $Results.CustomDetails) + { + $complexMapping = @( + @{ + Name = 'CustomDetails' + CimInstanceName = 'SentinelAlertRuleCustomDetails' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.CustomDetails ` + -CIMInstanceName 'SentinelAlertRuleCustomDetails' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.CustomDetails = $complexTypeStringResult + } + else + { + $Results.Remove('CustomDetails') | Out-Null + } + } + + if ( $null -ne $Results.EntityMappings) + { + $complexMapping = @( + @{ + Name = 'EntityMappings' + CimInstanceName = 'SentinelAlertRuleEntityMapping' + IsRequired = $False + }, + @{ + Name = 'fieldMappings' + CimInstanceName = 'SentinelAlertRuleEntityMappingFieldMapping' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.EntityMappings 
` + -CIMInstanceName 'SentinelAlertRuleEntityMapping' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.EntityMappings = $complexTypeStringResult + } + else + { + $Results.Remove('EntityMappings') | Out-Null + } + } + + if ($null -ne $Results.AlertDetailsOverride) + { + $complexMapping = @( + @{ + Name = 'AlertDetailsOverride' + CimInstanceName = 'SentinelAlertRuleAlertDetailsOverride' + IsRequired = $False + }, + @{ + Name = 'alertDynamicProperties' + CimInstanceName = 'SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.AlertDetailsOverride ` + -CIMInstanceName 'SentinelAlertRuleAlertDetailsOverride' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.AlertDetailsOverride = $complexTypeStringResult + } + else + { + $Results.Remove('AlertDetailsOverride') | Out-Null + } + } + + if ($null -ne $Results.IncidentConfiguration) + { + $complexMapping = @( + @{ + Name = 'IncidentConfiguration' + CimInstanceName = 'SentinelAlertRuleIncidentConfiguration' + IsRequired = $False + }, + @{ + Name = 'groupingConfiguration' + CimInstanceName = 'SentinelAlertRuleIncidentConfigurationGroupingConfiguration' + IsRequired = $False + } + @{ + Name = 'groupByAlertDetails' + CimInstanceName = 'SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.IncidentConfiguration ` + -CIMInstanceName 'SentinelAlertRuleIncidentConfiguration' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.IncidentConfiguration = $complexTypeStringResult + } + else + { + $Results.Remove('IncidentConfiguration') | Out-Null + } + } + + 
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.EventGroupingSettings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'EventGroupingSettings' -IsCIMArray:$False + } + if ($Results.CustomDetails) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'CustomDetails' -IsCIMArray:$False + } + if ($Results.EntityMappings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'EntityMappings' -IsCIMArray:$True + } + if ($Results.AlertDetailsOverride) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'AlertDetailsOverride' -IsCIMArray:$True + } + if ($Results.IncidentConfiguration) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'IncidentConfiguration' -IsCIMArray:$True + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $j++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-M365DSCSentinelAlertRule +{ + [CmdletBinding()] + [OutputType([Array])] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $Id + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + 
$uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertrules/$($Id)?api-version=2023-12-01-preview" + $response = Invoke-AzRest -Uri $uri -Method 'GET' + $result = ConvertFrom-Json $response.Content + return $result + } + else + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertrules?api-version=2023-12-01-preview" + $response = Invoke-AzRest -Uri $uri -Method 'GET' + $result = ConvertFrom-Json $response.Content + return $result.value + } + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function New-M365DSCSentinelAlertRule +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter()] + [System.Collections.Hashtable] + $Body, + + [Parameter()] + [System.String] + $Id + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + if ($null -eq $Id) + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertrules/$((New-GUID).ToString())?api-version=2024-04-01-preview" + } + else + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertrules/$($Id)?api-version=2024-04-01-preview" + } + $payload = ConvertTo-Json $Body -Depth 10 -Compress + 
Write-Verbose -Message "Creating new rule against URL:`r`n$($uri)`r`nWith payload:`r`n$payload" + $response = Invoke-AzRest -Uri $uri -Method 'PUT' -Payload $payload + Write-Verbose -Message $response.Content + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function Remove-M365DSCSentinelAlertRule +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $Id + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertRules/$($Id)?api-version=2024-04-01-preview" + $response = Invoke-AzRest -Uri $uri -Method 'DELETE' + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof new file mode 100644 index 0000000000..e7fa79a05e --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof 
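Review bot: `$testResult` in Test-TargetResource is never initialised before the `foreach ($key in $PSBoundParameters.Keys)` loop, so a configuration that binds no CimInstance parameter (a Fusion rule, whose Set branch reads only AlertRuleTemplateName and Enabled, for example) skips the `if ($testResult)` block and returns $null instead of a boolean; add `$testResult = $true` immediately before the loop. Two references look like copy-paste slips: Set-TargetResource sends `severitiesFilter = $AlertSeverity` in both the MicrosoftSecurityIncidentCreation and Scheduled bodies although the parameter is `$SeveritiesFilter`, so the filter is always serialised as null, and Export-TargetResource tests `$currentWatchLists.Length` where `$rules` is meant. In New-M365DSCSentinelAlertRule the guard `if ($null -eq $Id)` cannot hold for a `[System.String]` parameter (an unbound string arrives as an empty string, not $null), so the create path always takes the else branch and PUTs to `.../alertrules/?api-version=2024-04-01-preview` with no rule name; `if ([System.String]::IsNullOrEmpty($Id))`, as Get-M365DSCSentinelAlertRule already writes it, fixes that. The `-not $null -eq $Credential` test in Get- and Set-TargetResource parses as `(-not $null) -eq $Credential` and only works because a PSCredential converts to $true; Export-TargetResource's `$null -ne $Credential` is the form to use in all three. The Scheduled body also keeps `entityMappings = @()` when no mappings are supplied, whereas the NRT branch removes the key; the two branches should agree on what an empty mapping list sends.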
@@ -0,0 +1,111 @@ +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleEventGroupingSettings +{ + [Write, Description("The event grouping aggregation kinds")] String aggregationKind; +}; + +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleCustomDetails +{ + [Write, Description("Key of the custom detail.")] String DetailKey; + [Write, Description("Associated value with the custom detail.")] String DetailValue; +}; + +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleEntityMapping +{ + [Write, Description("Type of entity.")] String entityType; + [Write, Description("List of field mappings."), EmbeddedInstance("MSFT_SentinelAlertRuleEntityMappingFieldMapping")] String fieldMappings[]; +}; + +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleEntityMappingFieldMapping +{ + [Write, Description("Name of the column")] String columnName; + [Write, Description("Identifier of the associated field.")] String identifier; +}; + +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleAlertDetailsOverride +{ + [Write, Description("The format containing columns name(s) to override the alert description")] String alertDescriptionFormat; + [Write, Description("The format containing columns name(s) to override the alert name")] String alertDisplayNameFormat; + [Write, Description("The column name to take the alert severity from")] String alertSeverityColumnName; + [Write, Description("The column name to take the alert tactics from")] String alertTacticsColumnName; + [Write, Description("List of additional dynamic properties to override"), EmbeddedInstance("MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty")] String alertDynamicProperties[]; +}; + +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty +{ + [Write, Description("Dynamic property key.")] String alertProperty; + [Write, Description("Dynamic property value.")] String alertPropertyValue; +}; + +[ClassVersion("1.0.0")] +class 
MSFT_SentinelAlertRuleIncidentConfiguration +{ + [Write, Description("Create incidents from alerts triggered by this analytics rule")] Boolean createIncident; + [Write, Description("Set how the alerts that are triggered by this analytics rule, are grouped into incidents"), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration")] String groupingConfiguration; +}; + +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration +{ + [Write, Description("Grouping enabled")] Boolean enabled; + [Write, Description("A list of alert details to group by (when matchingMethod is Selected)"), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail")] String groupByAlertDetails[]; + [Write, Description("A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.")] String groupByCustomDetails[]; + [Write, Description("A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.")] String groupByEntities[]; + [Write, Description("Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)")] String lookbackDuration; + [Write, Description("Grouping matching method. 
When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.")] String matchingMethod; + [Write, Description("Re-open closed matching incidents")] Boolean reopenClosedIncident; +}; + +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail +{ + [Write, Description("Display name of the alert detail.")] String DisplayName; + [Write, Description("Severity level associated with the alert detail.")] String Severity; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("SentinelAlertRule")] +class MSFT_SentinelAlertRule : OMI_BaseResource +{ + [Key, Description("The display name of the indicator")] String DisplayName; + [Write, Description("The name of the resource group. The name is case insensitive.")] String SubscriptionId; + [Write, Description("The name of the resource group. The name is case insensitive.")] String ResourceGroupName; + [Write, Description("The name of the workspace.")] String WorkspaceName; + [Write, Description("The unique id of the indicator.")] String Id; + [Write, Description("The name of the workspace.")] String Description; + [Write, Description("The alerts' productName on which the cases will be generated")] String ProductFilter; + [Write, Description("Determines whether this alert rule is enabled or disabled.")] Boolean Enabled; + [Write, Description("The severity for alerts created by this alert rule.")] String Severity; + [Write, Description("The tactics of the alert rule")] String Tactics[]; + [Write, Description("The techniques of the alert rule")] String Techniques[]; + [Write, Description("The sub-techniques of the alert rule")] String SubTechniques[]; + [Write, Description("The query that creates alerts for this rule.")] String Query; + [Write, Description("The frequency (in ISO 8601 duration format) for this alert rule to run.")] String QueryFrequency; + [Write, Description("The period (in ISO 8601 duration format) that 
this alert rule looks at.")] String QueryPeriod; + [Write, Description("The operation against the threshold that triggers alert rule.")] String TriggerOperator; + [Write, Description("The threshold triggers this alert rule.")] UInt32 TriggerThreshold; + [Write, Description("The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.")] String SuppressionDuration; + [Write, Description("Determines whether the suppression for this alert rule is enabled or disabled.")] String SuppressionEnabled; + [Write, Description("The Name of the alert rule template used to create this rule.")] String AlertRuleTemplateName; + [Write, Description("The alerts' displayNames on which the cases will not be generated.")] String DisplayNamesExcludeFilter[]; + [Write, Description("The alerts' displayNames on which the cases will be generated.")] String DisplayNamesFilter[]; + [Write, Description("The alerts' severities on which the cases will be generated")] String SeveritiesFilter[]; + [Write, Description("The event grouping settings."), EmbeddedInstance("MSFT_SentinelAlertRuleEventGroupingSettings")] String EventGroupingSettings; + [Write, Description("Dictionary of string key-value pairs of columns to be attached to the alert"), EmbeddedInstance("MSFT_SentinelAlertRuleCustomDetails")] String CustomDetails[]; + [Write, Description("Array of the entity mappings of the alert rule"), EmbeddedInstance("MSFT_SentinelAlertRuleEntityMapping")] String EntityMappings[]; + [Write, Description("The alert details override settings"), EmbeddedInstance("MSFT_SentinelAlertRuleAlertDetailsOverride")] String AlertDetailsOverride; + [Write, Description("The settings of the incidents that created from alerts triggered by this analytics rule"), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfiguration")] String IncidentConfiguration; + [Write, Description("The kind of the alert rule")] String Kind; + + [Write, Description("Present ensures the instance exists, 
absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/readme.md
new file mode 100644
index 0000000000..2bdf6ede04
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/readme.md
@@ -0,0 +1,6 @@
+
+# SentinelAlertRule
+
+## Description
+
+Configures alert rules in Azure Sentinel.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/settings.json
new file mode 100644
index 0000000000..d01973dfcf
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/settings.json
@@ -0,0 +1,20 @@
+{
+ "resourceName": "SentinelAlertRule",
+ "description": "Configures alert rules in Azure Sentinel.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
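Review bot: Several Description attributes in the MSFT_SentinelAlertRule class are copy-paste leftovers that document the wrong property: `SubscriptionId` is described as "The name of the resource group", `Description` as "The name of the workspace.", and `DisplayName`/`Id` talk about an "indicator" although this resource is an alert rule. Suggested: `[Write, Description("The id of the subscription that hosts the workspace.")] String SubscriptionId;` and `[Write, Description("The description of the alert rule.")] String Description;`. `SuppressionEnabled` is declared `String` while its description ("enabled or disabled") and the sibling `Enabled` property point to `Boolean`; if the psm1 parameter for it is a boolean, the schema and the resource will disagree on the type, so this is worth confirming against the parameter block earlier in the diff.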
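Review bot: Both `roles` arrays and every `permissions.graph` array are empty, so this settings.json documents no permission at all for a resource that creates, updates and deletes alert rules through the Azure management endpoint via Invoke-AzRest (see the psm1 earlier in this diff). The same applies to the SentinelThreatIntelligenceIndicator settings.json later in this diff. Graph permissions are not the relevant section for an ARM-backed resource; the `roles.read` and `roles.update` arrays should name the Azure RBAC role the account needs (presumably a Sentinel reader/contributor-level role, to be confirmed), otherwise the permission documentation generated from these files is silently blank.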
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.psm1 new file mode 100644 index 0000000000..5f7e93dfba --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.psm1 
@@ -0,0 +1,853 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $PatternType, + + [Parameter()] + [System.String] + $Pattern, + + [Parameter()] + [System.Boolean] + $Revoked, + + [Parameter()] + [System.String] + $ValidFrom, + + [Parameter()] + [System.String] + $ValidUntil, + + [Parameter()] + [System.String] + $Source, + + [Parameter()] + [System.String[]] + $Labels, + + [Parameter()] + [System.String[]] + $ThreatIntelligenceTags, + + [Parameter()] + [System.String[]] + $ThreatTypes, + + [Parameter()] + [System.String[]] + $KillChainPhases, + + [Parameter()] + [System.UInt32] + $Confidence, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + if ([System.String]::IsNullOrEmpty($TenantId) -and -not $null -eq $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + try + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Retrieving indicator by id {$Id}" + $instance = Get-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Id $Id + } + if ($null -eq $instance) + { + Write-Verbose -Message "Retrieving indicator by DisplayName {$DisplayName}" + $instances = Get-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId + $instance = $instances | Where-Object -FilterScript {$_.properties.displayName -eq $DisplayName} + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + DisplayName = $instance.properties.displayName + SubscriptionId = $SubscriptionId + ResourceGroupName = $ResourceGroupName + WorkspaceName = $WorkspaceName + Id = $instance.name + Description = $instance.properties.description + PatternType = $instance.properties.patternType + Pattern = $instance.properties.pattern + Revoked = $instance.properties.revoked + ValidFrom = $instance.properties.validFrom + ValidUntil = $instance.properties.validUntil + Labels = $instance.properties.labels + ThreatIntelligenceTags = $instance.properties.threatIntelligenceTags + ThreatTypes = $instance.properties.threatTypes + 
KillChainPhases = $instance.properties.KillChainPhases.phaseName + Confidence = $instance.properties.confidence + Source = $instance.properties.source + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $PatternType, + + [Parameter()] + [System.String] + $Pattern, + + [Parameter()] + [System.Boolean] + $Revoked, + + [Parameter()] + [System.String] + $ValidFrom, + + [Parameter()] + [System.String] + $ValidUntil, + + [Parameter()] + [System.String] + $Source, + + [Parameter()] + [System.String[]] + $Labels, + + [Parameter()] + [System.String[]] + $ThreatIntelligenceTags, + + [Parameter()] + [System.String[]] + $ThreatTypes, + + [Parameter()] + [System.String[]] + $KillChainPhases, + + [Parameter()] + [System.UInt32] + $Confidence, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + 
[System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $instanceParameters = @{ + kind = 'indicator' + properties = @{ + confidence = $Confidence + description = $Description + displayName = $DisplayName + labels = $Labels + pattern = $Pattern + patternType = $patternType + revoked = $revoked + source = $Source + threatIntelligenceTags = $ThreatIntelligenceTags + threatTypes = $ThreatTypes + validFrom = $ValidFrom + validUntil = $ValidUntil + } + } + + if ($null -ne $KillChainPhases) + { + $values = @() + foreach ($phase in $KillChainPhases) + { + $values += @{ + killChainName = 'lockheed-martin-cyber-kill-chain' + phaseName = $phase.phaseName + } + } + $instanceParameters.properties.Add('KillChainPhases', $values) + } + + + if ([System.String]::IsNullOrEmpty($TenantId) -and -not $null -eq $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating a new indicator {$DisplayName}" + New-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Body $instanceParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating indicator {$DisplayName}" + 
Set-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Body $instanceParameters ` + -Id $currentInstance.Id + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing indicator {$DisplayName}" + Remove-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Id $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $PatternType, + + [Parameter()] + [System.String] + $Pattern, + + [Parameter()] + [System.Boolean] + $Revoked, + + [Parameter()] + [System.String] + $ValidFrom, + + [Parameter()] + [System.String] + $ValidUntil, + + [Parameter()] + [System.String] + $Source, + + [Parameter()] + [System.String[]] + $Labels, + + [Parameter()] + [System.String[]] + $ThreatIntelligenceTags, + + [Parameter()] + [System.String[]] + $ThreatTypes, + + [Parameter()] + [System.String[]] + $KillChainPhases, + + [Parameter()] + [System.UInt32] + $Confidence, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + 
$CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + $workspaces = Get-AzResource -ResourceType 'Microsoft.OperationalInsights/workspaces' + $Script:exportedInstances = @() + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + if ([System.String]::IsNullOrEmpty($TenantId) -and $null -ne $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + foreach ($workspace in $workspaces) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + Write-Host " |---[$i/$($workspaces.Length)] $($workspace.Name)" -NoNewline + $subscriptionId = $workspace.ResourceId.Split('/')[2] + $resourceGroupName = $workspace.ResourceGroupName + $workspaceName = $workspace.Name + + $indicators = Get-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $subscriptionId ` + -ResourceGroupName $resourceGroupName ` + -WorkspaceName $workspaceName ` + -TenantId $TenantId + + $j = 1 + if ($currentWatchLists.Length -eq 0 ) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + foreach ($indicator in $indicators) + { + $displayedKey = $indicator.properties.DisplayName + Write-Host " |---[$j/$($indicators.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $indicator.properties.displayName + Id = $indicator.name + SubscriptionId = $subscriptionId + ResourceGroupName = $resourceGroupName + WorkspaceName = $workspaceName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = 
$TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $j++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-M365DSCSentinelThreatIntelligenceIndicator +{ + [CmdletBinding()] + [OutputType([Array])] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $Id + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/$($Id)?api-version=2024-03-01" + $response = Invoke-AzRest -Uri $uri -Method 'GET' + $result = ConvertFrom-Json $response.Content + return $result + } + else + { + $uri += 
"providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2024-03-01" + $response = Invoke-AzRest -Uri $uri -Method 'GET' + $result = ConvertFrom-Json $response.Content + return $result.value + } + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function New-M365DSCSentinelThreatIntelligenceIndicator +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter()] + [System.Collections.Hashtable] + $Body + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator?api-version=2024-03-01" + $payload = ConvertTo-Json $Body -Depth 10 -Compress + $response = Invoke-AzRest -Uri $uri -Method 'POST' -Payload $payload + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function Set-M365DSCSentinelThreatIntelligenceIndicator +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + 
[System.Collections.Hashtable] + $Body + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/$($Id)?api-version=2024-03-01" + $payload = ConvertTo-Json $Body -Depth 10 -Compress + $response = Invoke-AzRest -Uri $uri -Method 'PUT' -Payload $payload + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function Remove-M365DSCSentinelThreatIntelligenceIndicator +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $Id + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/$($Id)?api-version=2024-03-01" + $response = Invoke-AzRest -Uri $uri -Method 'DELETE' + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +Export-ModuleMember -Function *-TargetResource 
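Review bot: In Set-TargetResource, `$KillChainPhases` is declared `[System.String[]]`, so `phaseName = $phase.phaseName` in the kill-chain loop reads a property off a string and sends `phaseName = $null` for every phase; it should be `phaseName = $phase`, which also matches Get-TargetResource, which flattens the API's `KillChainPhases.phaseName` back into strings. In Export-TargetResource the progress branch tests `$currentWatchLists.Length`, a variable that is never assigned in this file, so the check should use `$indicators`; the workspace counter `$i` is printed but never incremented. The guard `-not $null -eq $Credential` in Get-TargetResource and Set-TargetResource only works because `-not` binds before `-eq` and the credential is then coerced to a bool; the form used in Export-TargetResource, `$null -ne $Credential`, states the intent and should be used in all three places.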
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.schema.mof new file mode 100644 index 0000000000..8dd7b86807 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.schema.mof 
@@ -0,0 +1,29 @@ +[ClassVersion("1.0.0.0"), FriendlyName("SentinelThreatIntelligenceIndicator")] +class MSFT_SentinelThreatIntelligenceIndicator : OMI_BaseResource +{ + [Key, Description("The display name of the indicator")] String DisplayName; + [Write, Description("The name of the resource group. The name is case insensitive.")] String SubscriptionId; + [Write, Description("The name of the resource group. The name is case insensitive.")] String ResourceGroupName; + [Write, Description("The name of the workspace.")] String WorkspaceName; + [Write, Description("The unique id of the indicator.")] String Id; + [Write, Description("The name of the workspace.")] String Description; + [Write, Description("Pattern type of a threat intelligence entity")] String PatternType; + [Write, Description("Pattern of a threat intelligence entity")] String Pattern; + [Write, Description("Is threat intelligence entity revoked")] String Revoked; + [Write, Description("Valid from")] String ValidFrom; + [Write, Description("Valid until")] String ValidUntil; + [Write, Description("Source type.")] String Source; + [Write, Description("Labels of threat intelligence entity")] String Labels[]; + [Write, Description("List of tags")] String ThreatIntelligenceTags[]; + [Write, Description("Threat types")] String ThreatTypes[]; + [Write, Description("Kill chain phases")] String KillChainPhases[]; + [Write, Description("Confidence of threat intelligence entity")] UInt32 Confidence; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, 
Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/readme.md
new file mode 100644
index 0000000000..1d4a233d39
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/readme.md
@@ -0,0 +1,6 @@
+
+# SentinelThreatIntelligenceIndicator
+
+## Description
+
+Configures threat intelligence indicators in Azure Sentinel.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/settings.json
new file mode 100644
index 0000000000..87040bf176
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/settings.json
@@ -0,0 +1,20 @@
+{
+ "resourceName": "SentinelThreatIntelligenceIndicator",
+ "description": "Configures threat intelligence indicators in Azure Sentinel.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1
index 4aa4d6a7c2..ebfd75aaa1 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1
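Review bot: `Revoked` is declared `String` in this schema, but the psm1 in this diff declares `$Revoked` as `[System.Boolean]` in Get-, Set- and Test-TargetResource, so the MOF and the resource disagree on the property type; it should be `[Write, Description("Is threat intelligence entity revoked")] Boolean Revoked;`. The descriptions of `SubscriptionId` ("The name of the resource group. The name is case insensitive.") and `Description` ("The name of the workspace.") are copied from neighbouring properties and should describe the subscription id and the indicator description instead.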
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1
@@ -75,8 +75,12 @@ function Get-TargetResource
 try
 {
 Write-Verbose -Message "Getting Group with Id {$GroupId}"
- $Group = Find-CsGroup -SearchQuery $GroupId -ExactMatchOnly $true -ErrorAction SilentlyContinue
-
+ if ($GroupId -match '\b[A-Fa-f0-9]{8}(?:-[A-Fa-f0-9]{4}){3}-[A-Fa-f0-9]{12}\b' -and $GroupId -ne '00000000-0000-0000-0000-000000000000'){
+ $Group = Find-CsGroup -SearchQuery $GroupId -ExactMatchOnly $true -ErrorAction SilentlyContinue
+ }
+ else {
+ $Group = $null
+ }
 if ($null -eq $Group)
 {
 Write-Verbose -Message "Could not find Group with Id {$GroupId}, searching with DisplayName {$GroupDisplayName}"
diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1
index 7fd6bbe7fe..bfb5342628 100644
--- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1
+++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1
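Review bot: The GUID guard is not anchored, so `$GroupId -match '\b...\b'` also accepts any string that merely contains a GUID and still hands that value to Find-CsGroup; anchoring the pattern, `'^[A-Fa-f0-9]{8}(?:-[A-Fa-f0-9]{4}){3}-[A-Fa-f0-9]{12}$'`, or parsing with `[System.Guid]::TryParse` and comparing against `[System.Guid]::Empty` makes the intent explicit and replaces the literal all-zero string. The new `if`/`else` also puts the opening braces on the condition line (`){` and `else {`), while the surrounding lines of Get-TargetResource use Allman braces. Get-TargetResource starts and ends outside the hunk.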
@@ -26,103 +26,103 @@ }, @{ ModuleName = 'ExchangeOnlineManagement' - RequiredVersion = '3.4.0' + RequiredVersion = '3.6.0' }, @{ ModuleName = 'Microsoft.Graph.Applications' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Applications' - Requiredversion = '2.23.0' + Requiredversion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Authentication' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Devices.CorporateManagement' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement.Administration' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement.Enrollment' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.DirectoryManagement' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.Governance' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.SignIns' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Reports' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Search' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Teams' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.DeviceManagement.Administration' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DirectoryObjects' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Groups' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ 
ModuleName = 'Microsoft.Graph.Beta.Groups' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Planner' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Sites' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Users' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Users.Actions' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.PowerApps.Administration.PowerShell' - RequiredVersion = '2.0.191' + RequiredVersion = '2.0.199' }, @{ ModuleName = 'MicrosoftTeams' - RequiredVersion = '6.5.0' + RequiredVersion = '6.6.0' }, @{ ModuleName = "MSCloudLoginAssistant" - RequiredVersion = "1.1.25" + RequiredVersion = "1.1.27" }, @{ ModuleName = 'PnP.PowerShell' diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/1-Create.ps1 new file mode 100644 index 0000000000..37d14becd2 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/1-Create.ps1 
@@ -0,0 +1,52 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb"; + DisplayName = "Cisco Duo"; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{ + Id = 'Design' + TargetType = 'group' + } + ); + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{ + Id = 'Contoso' + TargetType = 'group' + } + ); + OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '7698a352-4939-486e-9974-4ea5aff93f74' + }; + State = "disabled"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/2-Update.ps1 new file mode 100644 index 0000000000..d74c1bc156 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/2-Update.ps1 
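Review bot: `discoveryUrl = 'https://graph.microsoft.com/'` is presumably meant to be the external provider's OpenID Connect discovery document, which is served by the identity provider itself and normally ends in `/.well-known/openid-configuration`, not by Graph; a value of the form `https://<provider-host>/.well-known/openid-configuration` (placeholder) would show readers the expected shape. The same value is repeated in 2-Update.ps1.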
@@ -0,0 +1,52 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + Node localhost + { + AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb"; + DisplayName = "Cisco Duo"; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{ + Id = 'Design' + TargetType = 'group' + } + ); + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{ + Id = 'Contoso' + TargetType = 'group' + } + ); + OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '7698a352-4939-486e-9974-4ea5aff93f74' + }; + State = "disabled"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/3-Remove.ps1 new file mode 100644 index 0000000000..baa1dcf897 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/3-Remove.ps1 
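Review bot: Apart from `Node` versus `node`, this 2-Update example is identical to 1-Create.ps1, so it never exercises the update path of the resource; the other 2-Update examples in this commit change one property and mark it with a `#Drift` comment. Changing a single value here, for instance `State = "enabled"; #Drift`, would make the example do what its name says.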
@@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + Node localhost + { + AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DisplayName = "Cisco Duo"; + Ensure = "Absent"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/1-Create.ps1 new file mode 100644 index 0000000000..7091be751f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/1-Create.ps1 
@@ -0,0 +1,52 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1" + { + AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013" + AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication" + ClaimsForTokenConfiguration = @( + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'MyClaim' + } + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'My2ndClaim' + } + ) + ClientConfigurationMaximumRetries = 1 + ClientConfigurationTimeoutMilliseconds = 2000 + CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension" + Description = "DSC Testing 1" + DisplayName = "DSCTestExtension" + EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{ + EndpointType = '#microsoft.graph.httpRequestEndpoint' + TargetUrl = 'https://Microsoft365DSC.com' + } + Ensure = "Present"; + Id = "11105949-846e-42a1-a873-f12db8345013" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/2-Update.ps1 new file mode 100644 index 0000000000..7091be751f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/2-Update.ps1 
@@ -0,0 +1,52 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1" + { + AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013" + AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication" + ClaimsForTokenConfiguration = @( + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'MyClaim' + } + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'My2ndClaim' + } + ) + ClientConfigurationMaximumRetries = 1 + ClientConfigurationTimeoutMilliseconds = 2000 + CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension" + Description = "DSC Testing 1" + DisplayName = "DSCTestExtension" + EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{ + EndpointType = '#microsoft.graph.httpRequestEndpoint' + TargetUrl = 'https://Microsoft365DSC.com' + } + Ensure = "Present"; + Id = "11105949-846e-42a1-a873-f12db8345013" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/3-Remove.ps1 new file mode 100644 index 0000000000..1b48def3ec --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/3-Remove.ps1 
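Review bot: This 2-Update example is byte-identical to 1-Create.ps1 (both blobs carry index `7091be751f`), so it does not demonstrate an update; the sibling 2-Update examples in this commit alter one property and flag it with `#Drift`. Changing one value, for instance `Description = "DSC Testing 2"; #Drift`, would give the update path something to apply.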
@@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1" + { + DisplayName = "DSCTestExtension" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/1-Create.ps1 new file mode 100644 index 0000000000..7382692428 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/1-Create.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas"; + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} 
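Review bot: `Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force))` embeds a literal secret in the example and presents `-AsPlainText -Force` as the way to supply a connector password, which is exactly the pattern that later ends up in real configurations under source control. Take the credential as a `[System.Management.Automation.PSCredential]` parameter instead, as other examples in this commit do with `$Credscredential`, and give `Username` an obviously placeholder value. The same inline password appears in 2-Update.ps1 and 3-Remove.ps1.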
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/2-Update.ps1 new file mode 100644 index 0000000000..d123d0151f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/2-Update.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas 1"; #drift + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/3-Remove.ps1 new file mode 100644 index 0000000000..926a36404f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/3-Remove.ps1 
@@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas"; + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/1-Create.ps1 new file mode 100644 index 0000000000..ca33cc25d7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/1-Create.ps1 
@@ -0,0 +1,79 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + } + ); + } + } +} 
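Review bot: `Credential = $Credscredential` references a variable the configuration never declares — the `param()` block defines only `$ApplicationId`, `$TenantId` and `$CertificateThumbprint` — so the example passes an empty credential alongside certificate authentication, mixing two authentication methods. Either drop the `Credential` line to match the other new examples in this commit, or declare a `[System.Management.Automation.PSCredential] $Credscredential` parameter and remove the certificate set. The same line is present in 2-Update.ps1, which is otherwise identical to this file.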
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/2-Update.ps1 new file mode 100644 index 0000000000..ca33cc25d7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/2-Update.ps1 
@@ -0,0 +1,79 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + } + ); + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/3-Remove.ps1 new file mode 100644 index 0000000000..295893f499 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/3-Remove.ps1 @@ -0,0 +1,33 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Id = "B2X_1_TestFlow"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/1-Create.ps1 new file mode 100644 index 0000000000..b2b618aa5c --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/1-Create.ps1 
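Review bot: This remove example never sets `Ensure = "Absent"`, so applying it would evaluate the flow against whatever Ensure defaults to (presumably Present) rather than remove it; every other `3-Remove.ps1` in this commit carries `Ensure = "Absent"`. Add `Ensure = "Absent";` next to `Id = "B2X_1_TestFlow";`.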
@@ -0,0 +1,47 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADOrganizationCertificateBasedAuthConfiguration "AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + CertificateAuthorities = @( + MSFT_MicrosoftGraphcertificateAuthority{ + IsRootAuthority = $True + DeltaCertificateRevocationListUrl = 'pqr.com' + Certificate = '' + } + MSFT_MicrosoftGraphcertificateAuthority{ + IsRootAuthority = $True + CertificateRevocationListUrl = 'xyz.com' + DeltaCertificateRevocationListUrl = 'pqr.com' + Certificate = '' + } + ); + Ensure = "Present"; + OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/3-Remove.ps1 new file mode 100644 index 0000000000..46030224d5 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/3-Remove.ps1 
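Review bot: Both `MSFT_MicrosoftGraphcertificateAuthority` entries set `IsRootAuthority = $True` with `Certificate = ''`, so the example declares two trust anchors with no certificate material, and `CertificateRevocationListUrl = 'xyz.com'` / `DeltaCertificateRevocationListUrl = 'pqr.com'` are bare host names rather than URLs. An example for certificate-based authentication is where readers copy the shape of the trust configuration from, so a labelled placeholder such as `Certificate = '<base64-encoded CA certificate>'` and `https://` CRL URLs would make it usable and make clear that an empty root certificate is not an acceptable configuration.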
@@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADOrganizationCertificateBasedAuthConfiguration "AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Absent"; + OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxAuditBypassAssociation/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxAuditBypassAssociation/2-Update.ps1 new file mode 100644 index 0000000000..ede62c46c9 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxAuditBypassAssociation/2-Update.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOMailboxAuditBypassAssociation "EXOMailboxAuditBypassAssociation-Test" + { + AuditBypassEnabled = $True; #Updated Property + Identity = "TestMailbox109"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} 
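Review bot: The only setting this example changes is `AuditBypassEnabled = $True`, and `#Updated Property` does not say what that does to the tenant: an audit bypass association is, as far as I know, the switch that stops mailbox audit entries being recorded for actions performed by `TestMailbox109`, which is a reduction in audit coverage rather than a neutral toggle. A comment along the lines of `# Bypass suppresses mailbox audit logging for this account; keep it limited to service accounts that need it` would stop the example reading as a recommended default.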
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1 index f7746f29b1..4bb88786ac 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1 @@ -38,7 +38,6 @@ Configuration Example Owner = ""; PrivacyInformationUrl = ""; Publisher = "Contoso"; - PublishingState = "published"; Assignments = @( MSFT_DeviceManagementMobileAppAssignment { groupDisplayName = 'All devices' diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/1-Create.ps1 new file mode 100644 index 0000000000..48bcd14ca7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/1-Create.ps1 
@@ -0,0 +1,75 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + }; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CustomDetails = @( + MSFT_SentinelAlertRuleCustomDetails{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } + ); + Description = "Test"; + DisplayName = "MyNRTRule"; + Enabled = $True; + Ensure = "Present"; + EntityMappings = @( + MSFT_SentinelAlertRuleEntityMapping{ + fieldMappings = @( + MSFT_SentinelAlertRuleEntityMappingFieldMapping{ + identifier = 'AppId' + columnName = 'Id' + } + ) + entityType = 'CloudApplication' + } + ); + IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{ + groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + }; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "ResourceGroupName"; + Severity = "Medium"; + SubscriptionId = "xxxx"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } + } +} 
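Review bot: `alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '` has three opening braces and two closing ones, which reads like a typo for `{{TimeGenerated}}`; nothing else in the example shows the intended placeholder syntax, since `alertDescriptionFormat` uses none. If the extra brace is deliberate, a short comment saying so would stop the next reader "fixing" it, and `SubscriptionId = "xxxx"` would be clearer as a labelled placeholder. The same string is repeated in 2-Update.ps1.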
diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/2-Update.ps1 new file mode 100644 index 0000000000..f2ce0ff25e --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/2-Update.ps1 
@@ -0,0 +1,75 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + }; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CustomDetails = @( + MSFT_SentinelAlertRuleCustomDetails{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } + ); + Description = "Test"; + DisplayName = "MyNRTRule"; + Enabled = $True; + Ensure = "Present"; + EntityMappings = @( + MSFT_SentinelAlertRuleEntityMapping{ + fieldMappings = @( + MSFT_SentinelAlertRuleEntityMappingFieldMapping{ + identifier = 'AppId' + columnName = 'Id' + } + ) + entityType = 'CloudApplication' + } + ); + IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{ + groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + }; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "ResourceGroupName"; + Severity = "High"; #Drift + SubscriptionId = "xxxx"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/3-Remove.ps1 new file mode 100644 index 0000000000..9d40a7633d --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/3-Remove.ps1 @@ -0,0 +1,38 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Test"; + DisplayName = "MyNRTRule"; + Ensure = "Absent"; + ResourceGroupName = "ResourceGroupName"; + Severity = "Medium"; + SubscriptionId = "xxxx"; + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/1-Create.ps1 new file mode 100644 index 0000000000..8af0d7f657 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/1-Create.ps1 
@@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "MyIndicator"; + Ensure = "Present"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + TenantId = $TenantId; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/2-Update.ps1 new file mode 100644 index 0000000000..91919b455d --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/2-Update.ps1 
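Review bot: `ValidFrom` and `ValidUntil` carry the same timestamp `2024-10-21T19:03:57.24Z`, giving the indicator a zero-length validity window, so the example creates an indicator that is already expired when it is written and would never match traffic; the same pair is repeated in 2-Update.ps1 and 3-Remove.ps1. Either move `ValidUntil` later or add a comment stating that the example intentionally creates an expired indicator.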
@@ -0,0 +1,43 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ DisplayName = "MyIndicator";
+ Ensure = "Present";
+ Labels = @("Tag1", "Tag2", "Tag3"); #Drift
+ Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']";
+ PatternType = "ipv6-addr";
+ ResourceGroupName = "MyResourceGroup";
+ Source = "Microsoft Sentinel";
+ SubscriptionId = "12345-12345-12345-12345-12345";
+ TenantId = $TenantId;
+ ThreatIntelligenceTags = @();
+ ValidFrom = "2024-10-21T19:03:57.24Z";
+ ValidUntil = "2024-10-21T19:03:57.24Z";
+ WorkspaceName = "SentinelWorkspace";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/3-Remove.ps1
new file mode 100644
index 0000000000..e2cbe36a01
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/3-Remove.ps1
@@ -0,0 +1,43 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ DisplayName = "MyIndicator";
+ Ensure = "Absent";
+ Labels = @("Tag1", "Tag2");
+ Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']";
+ PatternType = "ipv6-addr";
+ ResourceGroupName = "MyResourceGroup";
+ Source = "Microsoft Sentinel";
+ SubscriptionId = "12345-12345-12345-12345-12345";
+ TenantId = $TenantId;
+ ThreatIntelligenceTags = @();
+ ValidFrom = "2024-10-21T19:03:57.24Z";
+ ValidUntil = "2024-10-21T19:03:57.24Z";
+ WorkspaceName = "SentinelWorkspace";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json
index 913a83d34b..b1d3c54e71 100644
--- a/Modules/Microsoft365DSC/SchemaDefinition.json
+++ b/Modules/Microsoft365DSC/SchemaDefinition.json
@@ -462,6 +462,11 @@
 "Name": "ApplicationId",
 "Option": "Write"
 },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "ApplicationSecret",
+ "Option": "Write"
+ },
 {
 "CIMType": "String",
 "Name": "TenantId",
@@ -1839,6 +1844,126 @@ } ] }, + { + "ClassName": "MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TargetType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TargetType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting", + "Parameters": [ + { + "CIMType": "String", + "Name": "ClientId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DiscoveryUrl", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADAuthenticationMethodPolicyExternal", + "Parameters": [ + { + "CIMType": "MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget[]", + "Name": "ExcludeTargets", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget[]", + "Name": "IncludeTargets", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting", + "Name": "OpenIdConnectSetting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "State", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AppId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": 
"Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_MicrosoftGraphFido2KeyRestrictions", "Parameters": [ 
@@ -3500,151 +3625,101 @@ ] }, { - "ClassName": "MSFT_AADCustomSecurityAttributeDefinition", + "ClassName": "MSFT_AADCustomAuthenticationExtensionEndPointConfiguration", "Parameters": [ { "CIMType": "String", - "Name": "Name", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "AttributeSet", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "Id", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "Description", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "IsCollection", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "IsSearchable", + "Name": "EndpointType", "Option": "Write" }, { "CIMType": "String", - "Name": "Status", + "Name": "LogicAppWorkflowName", "Option": "Write" }, { "CIMType": "String", - "Name": "Type", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "UsePreDefinedValuesOnly", - "Option": "Write" - }, - { - "CIMType": "string", - "Name": "Ensure", - "Option": "Write" - }, - { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "Name": "ResourceGroupName", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "SubscriptionId", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "TargetUrl", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration", + "Parameters": [ { "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ManagedIdentity", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AccessTokens", + "Name": "ClaimIdInApiResponse", "Option": "Write" } ] }, { - "ClassName": "MSFT_AADDeviceRegistrationPolicy", + "ClassName": "MSFT_AADCustomAuthenticationExtension", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", + "Name": "DisplayName", "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "AzureADJoinIsAdminConfigurable", - "Option": "Write" - }, - { - 
"CIMType": "UInt32", - "Name": "UserDeviceQuota", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "AzureADAllowedToJoin", + "Name": "CustomAuthenticationExtensionType", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AzureADAllowedToJoinUsers", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AzureADAllowedToJoinGroups", + "CIMType": "String", + "Name": "AuthenticationConfigurationType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MultiFactorAuthConfiguration", + "CIMType": "String", + "Name": "AuthenticationConfigurationResourceId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalAdminsEnableGlobalAdmins", + "CIMType": "UInt32", + "Name": "ClientConfigurationTimeoutMilliseconds", "Option": "Write" }, { - "CIMType": "String", - "Name": "AzureAdJoinLocalAdminsRegisteringMode", + "CIMType": "UInt32", + "Name": "ClientConfigurationMaximumRetries", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AzureAdJoinLocalAdminsRegisteringGroups", + "CIMType": "MSFT_AADCustomAuthenticationExtensionEndPointConfiguration", + "Name": "EndpointConfiguration", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AzureAdJoinLocalAdminsRegisteringUsers", + "CIMType": "MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration[]", + "Name": "ClaimsForTokenConfiguration", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalAdminPasswordIsEnabled", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { @@ -3662,11 +3737,6 @@ "Name": "TenantId", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", - "Option": "Write" - }, { "CIMType": "String", "Name": "CertificateThumbprint", 
@@ -3685,56 +3755,51 @@ ] }, { - "ClassName": "MSFT_AADDomain", + "ClassName": "MSFT_AADCustomSecurityAttributeDefinition", "Parameters": [ { "CIMType": "String", - "Name": "Id", + "Name": "Name", "Option": "Key" }, { "CIMType": "String", - "Name": "AuthenticationType", - "Option": "Write" + "Name": "AttributeSet", + "Option": "Key" }, { "CIMType": "String", - "Name": "AvailabilityStatus", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "IsAdminManaged", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IsDefault", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsRoot", + "Name": "IsCollection", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsVerified", + "Name": "IsSearchable", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordNotificationWindowInDays", + "CIMType": "String", + "Name": "Status", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordValidityPeriodInDays", + "CIMType": "String", + "Name": "Type", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SupportedServices", + "CIMType": "Boolean", + "Name": "UsePreDefinedValuesOnly", "Option": "Write" }, { 
@@ -3757,6 +3822,206 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADDeviceRegistrationPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "AzureADJoinIsAdminConfigurable", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "UserDeviceQuota", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AzureADAllowedToJoin", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AzureADAllowedToJoinUsers", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AzureADAllowedToJoinGroups", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "MultiFactorAuthConfiguration", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "LocalAdminsEnableGlobalAdmins", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AzureAdJoinLocalAdminsRegisteringMode", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AzureAdJoinLocalAdminsRegisteringGroups", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AzureAdJoinLocalAdminsRegisteringUsers", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "LocalAdminPasswordIsEnabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADDomain", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "AuthenticationType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AvailabilityStatus", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsAdminManaged", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsDefault", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsRoot", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsVerified", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PasswordNotificationWindowInDays", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PasswordValidityPeriodInDays", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SupportedServices", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", 
@@ -5295,156 +5560,61 @@ ] }, { - "ClassName": "MSFT_IdentityGovernanceScope", - "Parameters": [ - { - "CIMType": "String", - "Name": "OdataType", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "Rule", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IdentityGovernanceTrigger", + "ClassName": "MSFT_AADIdentityAPIConnectionCertificate", "Parameters": [ { - "CIMType": "String", - "Name": "OdataType", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "TimeBasedAttribute", + "CIMType": "MSFT_Credential", + "Name": "Pkcs12Value", "Option": "Write" }, - { - "CIMType": "SInt32", - "Name": "OffsetInDays", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IdentityGovernanceWorkflowExecutionConditions", - "Parameters": [ { "CIMType": "String", - "Name": "OdataType", + "Name": "Thumbprint", "Option": "Write" }, { - "CIMType": "MSFT_IdentityGovernanceScope", - "Name": "ScopeValue", - "Option": "Write" - }, - { - "CIMType": "MSFT_IdentityGovernanceTrigger", - "Name": "TriggerValue", + "CIMType": "MSFT_Credential", + "Name": "Password", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_AADIdentityGovernanceTaskArguments", - "Parameters": [ - { - "CIMType": "String", - "Name": "Name", - "Option": "Key" }, { - "CIMType": "String", - "Name": "Value", + "CIMType": "Boolean", + "Name": "IsActive", "Option": "Write" } ] }, { - "ClassName": "MSFT_AADIdentityGovernanceTask", + "ClassName": "MSFT_AADIdentityAPIConnector", "Parameters": [ { "CIMType": "String", "Name": "DisplayName", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "Description", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "Category", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "IsEnabled", - "Option": "Write" - }, - { - "CIMType": "SInt32", - "Name": "ExecutionSequence", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ContinueOnError", - "Option": "Write" + "Option": "Required" }, { "CIMType": "String", - 
"Name": "TaskDefinitionId", + "Name": "TargetUrl", "Option": "Write" }, - { - "CIMType": "MSFT_AADIdentityGovernanceTaskArguments[]", - "Name": "Arguments", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_AADIdentityGovernanceLifecycleWorkflow", - "Parameters": [ { "CIMType": "String", - "Name": "DisplayName", + "Name": "Id", "Option": "Key" }, { "CIMType": "String", - "Name": "Description", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "Category", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "IsEnabled", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "IsSchedulingEnabled", + "Name": "Username", "Option": "Write" }, { - "CIMType": "MSFT_AADIdentityGovernanceTask[]", - "Name": "Tasks", + "CIMType": "MSFT_Credential", + "Name": "Password", "Option": "Write" }, { - "CIMType": "MSFT_IdentityGovernanceWorkflowExecutionConditions", - "Name": "ExecutionConditions", + "CIMType": "MSFT_AADIdentityAPIConnectionCertificate[]", + "Name": "Certificates", "Option": "Write" }, { 
@@ -5467,6 +5637,336 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphUserFlowApiConnectorConfiguration", + "Parameters": [ + { + "CIMType": "String", + "Name": "postFederationSignupConnectorName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "postAttributeCollectionConnectorName", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Value", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsDefault", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphuserFlowUserAttributeAssignment", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsOptional", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "UserInputType", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues[]", + "Name": "UserAttributeValues", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADIdentityB2XUserFlow", + "Parameters": [ + { + "CIMType": "MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration", + "Name": "ApiConnectorConfiguration", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "IdentityProviders", + "Option": "Write" + }, + { + "CIMType": 
"MSFT_MicrosoftGraphuserFlowUserAttributeAssignment[]", + "Name": "UserAttributeAssignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IdentityGovernanceScope", + "Parameters": [ + { + "CIMType": "String", + "Name": "OdataType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Rule", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IdentityGovernanceTrigger", + "Parameters": [ + { + "CIMType": "String", + "Name": "OdataType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TimeBasedAttribute", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "OffsetInDays", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IdentityGovernanceWorkflowExecutionConditions", + "Parameters": [ + { + "CIMType": "String", + "Name": "OdataType", + "Option": "Write" + }, + { + "CIMType": "MSFT_IdentityGovernanceScope", + "Name": "ScopeValue", + "Option": "Write" + }, + { + "CIMType": "MSFT_IdentityGovernanceTrigger", + "Name": "TriggerValue", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADIdentityGovernanceTaskArguments", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Value", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADIdentityGovernanceTask", + "Parameters": [ + { + 
"CIMType": "String", + "Name": "DisplayName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Category", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsEnabled", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "ExecutionSequence", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ContinueOnError", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TaskDefinitionId", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADIdentityGovernanceTaskArguments[]", + "Name": "Arguments", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADIdentityGovernanceLifecycleWorkflow", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Category", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsSchedulingEnabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADIdentityGovernanceTask[]", + "Name": "Tasks", + "Option": "Write" + }, + { + "CIMType": "MSFT_IdentityGovernanceWorkflowExecutionConditions", + "Name": "ExecutionConditions", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", 
@@ -5684,6 +6184,86 @@ } ] }, + { + "ClassName": "MSFT_MicrosoftGraphCertificateAuthority", + "Parameters": [ + { + "CIMType": "String", + "Name": "Certificate", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateRevocationListUrl", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeltaCertificateRevocationListUrl", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsRootAuthority", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADOrganizationCertificateBasedAuthConfiguration", + "Parameters": [ + { + "CIMType": "MSFT_MicrosoftGraphcertificateAuthority[]", + "Name": "CertificateAuthorities", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OrganizationId", + "Option": "Key" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_AADPasswordRuleSettings", "Parameters": [ 
@@ -6444,6 +7024,56 @@ } ] }, + { + "ClassName": "MSFT_AADServicePrincipalAttributeValue", + "Parameters": [ + { + "CIMType": "String", + "Name": "AttributeName", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "StringArrayValue", + "Option": "Write" + }, + { + "CIMType": "UInt32[]", + "Name": "IntArrayValue", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "StringValue", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "IntValue", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "BoolValue", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADServicePrincipalAttributeSet", + "Parameters": [ + { + "CIMType": "String", + "Name": "AttributeSetName", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADServicePrincipalAttributeValue[]", + "Name": "AttributeValues", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_AADServicePrincipal", "Parameters": [ @@ -6537,6 +7167,11 @@ "Name": "DelegatedPermissionClassifications", "Option": "Write" }, + { + "CIMType": "MSFT_AADServicePrincipalAttributeSet[]", + "Name": "CustomSecurityAttributes", + "Option": "Write" + }, { "CIMType": "String", "Name": "Ensure", 
@@ -11914,6 +12549,51 @@ } ] }, + { + "ClassName": "MSFT_EXOMailboxAuditBypassAssociation", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "AuditBypassEnabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_EXOMailboxAutoReplyConfiguration", "Parameters": [ @@ -36382,11 +37062,6 @@ "Name": "Publisher", "Option": "Write" }, - { - "CIMType": "String", - "Name": "PublishingState", - "Option": "Write" - }, { "CIMType": "String", "Name": "BundleId", @@ -36412,6 +37087,11 @@ "Name": "IgnoreVersionDetection", "Option": "Write" }, + { + "CIMType": "Boolean", + "Name": "InstallAsManaged", + "Option": "Write" + }, { "CIMType": "MSFT_DeviceManagementMimeContent", "Name": "LargeIcon", 
@@ -48454,182 +49134,532 @@ }, { "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SCSupervisoryReviewPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Comment", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Reviewers", + "Option": "Required" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SCSupervisoryReviewRule", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Policy", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Condition", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "SamplingRate", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SCUnifiedAuditLogRetentionPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "Operations", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "Priority", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RecordTypes", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RetentionDuration", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "UserIds", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleEventGroupingSettings", + "Parameters": [ { "CIMType": "String", - "Name": "CertificatePath", + "Name": "aggregationKind", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleCustomDetails", + "Parameters": [ + { + "CIMType": "String", + "Name": "DetailKey", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "DetailValue", "Option": "Write" } ] }, { - "ClassName": "MSFT_SCSupervisoryReviewPolicy", + "ClassName": 
"MSFT_SentinelAlertRuleEntityMapping", "Parameters": [ { "CIMType": "String", - "Name": "Name", - "Option": "Key" + "Name": "entityType", + "Option": "Write" }, + { + "CIMType": "MSFT_SentinelAlertRuleEntityMappingFieldMapping[]", + "Name": "fieldMappings", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleEntityMappingFieldMapping", + "Parameters": [ { "CIMType": "String", - "Name": "Comment", + "Name": "columnName", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Reviewers", - "Option": "Required" + "CIMType": "String", + "Name": "identifier", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleAlertDetailsOverride", + "Parameters": [ + { + "CIMType": "String", + "Name": "alertDescriptionFormat", + "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "alertDisplayNameFormat", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "alertSeverityColumnName", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "alertTacticsColumnName", "Option": "Write" }, + { + "CIMType": "MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty[]", + "Name": "alertDynamicProperties", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty", + "Parameters": [ { "CIMType": "String", - "Name": "TenantId", + "Name": "alertProperty", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "alertPropertyValue", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleIncidentConfiguration", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "createIncident", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration", + "Name": "groupingConfiguration", + "Option": "Write" + } + ] + }, + { + 
"ClassName": "MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "enabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificatePath", + "CIMType": "MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail[]", + "Name": "groupByAlertDetails", "Option": "Write" }, { "CIMType": "String[]", - "Name": "AccessTokens", + "Name": "groupByCustomDetails", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "groupByEntities", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "lookbackDuration", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "matchingMethod", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "reopenClosedIncident", "Option": "Write" } ] }, { - "ClassName": "MSFT_SCSupervisoryReviewRule", + "ClassName": "MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail", "Parameters": [ { "CIMType": "String", - "Name": "Name", - "Option": "Key" + "Name": "DisplayName", + "Option": "Write" }, { "CIMType": "String", - "Name": "Policy", + "Name": "Severity", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRule", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", "Option": "Key" }, { "CIMType": "String", - "Name": "Condition", + "Name": "SubscriptionId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "SamplingRate", + "CIMType": "String", + "Name": "ResourceGroupName", "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "WorkspaceName", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "ProductFilter", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Enabled", "Option": 
"Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "Severity", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "String[]", + "Name": "Tactics", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificatePath", + "CIMType": "String[]", + "Name": "Techniques", "Option": "Write" }, { "CIMType": "String[]", - "Name": "AccessTokens", + "Name": "SubTechniques", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_SCUnifiedAuditLogRetentionPolicy", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Description", + "Name": "Query", "Option": "Write" }, { "CIMType": "String", - "Name": "Name", - "Option": "Key" + "Name": "QueryFrequency", + "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Operations", + "CIMType": "String", + "Name": "QueryPeriod", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TriggerOperator", "Option": "Write" }, { "CIMType": "UInt32", - "Name": "Priority", + "Name": "TriggerThreshold", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RecordTypes", + "CIMType": "String", + "Name": "SuppressionDuration", "Option": "Write" }, { "CIMType": "String", - "Name": "RetentionDuration", + "Name": "SuppressionEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AlertRuleTemplateName", "Option": "Write" }, { "CIMType": "String[]", - "Name": "UserIds", + "Name": "DisplayNamesExcludeFilter", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DisplayNamesFilter", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SeveritiesFilter", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleEventGroupingSettings", + "Name": "EventGroupingSettings", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleCustomDetails[]", + "Name": "CustomDetails", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleEntityMapping[]", + "Name": "EntityMappings", + "Option": "Write" 
+ }, + { + "CIMType": "MSFT_SentinelAlertRuleAlertDetailsOverride", + "Name": "AlertDetailsOverride", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleIncidentConfiguration", + "Name": "IncidentConfiguration", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Kind", "Option": "Write" }, { @@ -48658,8 +49688,13 @@ "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" } ] 
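Review bot: `SuppressionEnabled` on the new MSFT_SentinelAlertRule class is `"CIMType": "String"` while its sibling `Enabled` is `Boolean`; the Sentinel scheduled-rule property is a boolean, so a string type forces configurations to write `"true"`/`"false"` and makes Test-TargetResource compare a string against the bool the API returns. Change it to `{ "CIMType": "Boolean", "Name": "SuppressionEnabled", "Option": "Write" }`, in the .schema.mof if this JSON is generated. The nested `createIncident`, `enabled` and `reopenClosedIncident` parameters in this hunk are already `Boolean`, which is the convention to follow.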
@@ -48734,6 +49769,131 @@ } ] }, + { + "ClassName": "MSFT_SentinelThreatIntelligenceIndicator", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "SubscriptionId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ResourceGroupName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WorkspaceName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PatternType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Pattern", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Revoked", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ValidFrom", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ValidUntil", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Source", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Labels", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ThreatIntelligenceTags", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ThreatTypes", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "KillChainPhases", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "Confidence", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { 
"ClassName": "MSFT_SentinelWatchlist", "Parameters": [ @@ -50707,6 +51867,31 @@ "Name": "EnableAIPIntegration", "Option": "Write" }, + { + "CIMType": "Boolean", + "Name": "ExemptNativeUsersFromTenantLevelRestricedAccessControl", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AllowSelectSGsInODBListInTenant", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DenySelectSGsInODBListInTenant", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DenySelectSecurityGroupsInSPSitesList", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AllowSelectSecurityGroupsInSPSitesList", + "Option": "Write" + }, { "CIMType": "String", "Name": "TenantDefaultTimezone", diff --git a/ResourceGenerator/M365DSCResourceGenerator.psm1 b/ResourceGenerator/M365DSCResourceGenerator.psm1 index 932f7012a2..9cd5544639 100644 --- a/ResourceGenerator/M365DSCResourceGenerator.psm1 +++ b/ResourceGenerator/M365DSCResourceGenerator.psm1 @@ -967,7 +967,15 @@ class MSFT_DeviceManagementConfigurationPolicyAssignments -Workload $Workload ` -CmdLetNoun $CmdLetNoun ` -ApiVersion $ApiVersion ` - -UpdateVerb $updateVerb).permissions | ConvertTo-Json -Depth 20 + -UpdateVerb $updateVerb).permissions + if ($ResourceName -like "Intune*") + { + $resourcePermissions.application.read += @{ name = 'Group.Read.All' } + $resourcePermissions.application.update += @{ name = 'Group.Read.All' } + $resourcePermissions.delegated.read += @{ name = 'Group.Read.All' } + $resourcePermissions.delegated.update += @{ name = 'Group.Read.All' } + } + $resourcePermissions = $resourcePermissions | ConvertTo-Json -Depth 20 $resourcePermissions = ' ' + $resourcePermissions Write-TokenReplacement -Token '' -Value $ResourceName -FilePath $settingsFilePath Write-TokenReplacement -Token '' -Value $resourceDescription -FilePath $settingsFilePath 
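Review bot: `Revoked` on MSFT_SentinelThreatIntelligenceIndicator is typed `String` although it is a true/false flag, and `Ensure` uses `"CIMType": "string"` where every other parameter in this hunk writes `String`. Make `Revoked` a `Boolean`, consistent with the boolean flags on the other Sentinel classes, and normalise the casing so a schema consumer that compares CIM type names case-sensitively does not treat Ensure differently. If this JSON is regenerated from the .schema.mof, apply both fixes there.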
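Review bot: The four `+=` lines append `Group.Read.All` unconditionally, so a resource whose permission list already carries it (or a second generator run) ends up with duplicate entries in settings.json, and `-like "Intune*"` grants a group-read scope to every Intune resource whether or not it resolves assignment groups, which is a least-privilege regression for resources without assignments. `+=` on a single hashtable rather than an array would also try to merge keys and throw on the duplicate `name` key; wrapping in `@()` avoids that, to be confirmed against what the permission helper returns. Guarding on presence keeps the generated permission set minimal and idempotent.
```powershell
if ($ResourceName -like "Intune*")
{
    # Assignment resolution needs Group.Read.All; add it once and never as a duplicate.
    foreach ($scope in @('application', 'delegated'))
    {
        foreach ($operation in @('read', 'update'))
        {
            $current = @($resourcePermissions.$scope.$operation | Where-Object { $null -ne $_ })
            if ($current.name -notcontains 'Group.Read.All')
            {
                $resourcePermissions.$scope.$operation = $current + @{ name = 'Group.Read.All' }
            }
        }
    }
}
# … unchanged: ConvertTo-Json and token replacement …
```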
diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index 1b8db2b05d..5d87e99d81 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 @@ -209,6 +209,32 @@ Id = "c3"; IsAvailable = $True; } + AADAuthenticationMethodPolicyExternal 'AADAuthenticationMethodPolicyExternal-Cisco Duo' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb"; + DisplayName = "Cisco Duo"; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{ + Id = 'Design' + TargetType = 'group' + } + ); + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{ + Id = 'Contoso' + TargetType = 'group' + } + ); + OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '7698a352-4939-486e-9974-4ea5aff93f74' + }; + State = "disabled"; + } AADAuthenticationStrengthPolicy 'AADAuthenticationStrengthPolicy-Example' { AllowedCombinations = @("windowsHelloForBusiness","fido2","x509CertificateMultiFactor","deviceBasedPush"); 
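Review bot: `discoveryUrl = 'https://graph.microsoft.com/'` is not an OpenID Connect discovery document; the external method's OIDC setting expects the provider's metadata endpoint of the form `https://<issuer>/.well-known/openid-configuration`. If Entra validates the URL the Create step fails outright; if it does not, the test provisions an external MFA method whose issuer can never be verified, which is tolerable only because `State = "disabled"`. Use a syntactically valid discovery URL, e.g. `discoveryUrl = 'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration'`, and keep the method disabled.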
@@ -282,6 +308,33 @@ CertificateThumbprint = $CertificateThumbprint Ensure = "Present"; } + AADCustomAuthenticationExtension 'AADCustomAuthenticationExtension1' + { + AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013" + AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication" + ClaimsForTokenConfiguration = @( + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'MyClaim' + } + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'My2ndClaim' + } + ) + ClientConfigurationMaximumRetries = 1 + ClientConfigurationTimeoutMilliseconds = 2000 + CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension" + Description = "DSC Testing 1" + DisplayName = "DSCTestExtension" + EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{ + EndpointType = '#microsoft.graph.httpRequestEndpoint' + TargetUrl = 'https://Microsoft365DSC.com' + } + Ensure = "Present"; + Id = "11105949-846e-42a1-a873-f12db8345013" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADCustomSecurityAttributeDefinition 'AADCustomSecurityAttributeDefinition-ShoeSize' { ApplicationId = $ApplicationId; 
@@ -451,6 +504,71 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas"; + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADIdentityB2XUserFlow 'AADIdentityB2XUserFlow-B2X_1_TestFlow' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + } + ); + 
}
 AADIdentityGovernanceLifecycleWorkflow 'AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version'
 {
 Category = "joiner";
@@ -512,6 +630,27 @@
 TenantId = $TenantId
 CertificateThumbprint = $CertificateThumbprint
 }
+ AADOrganizationCertificateBasedAuthConfiguration 'AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2'
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ CertificateAuthorities = @(
+ MSFT_MicrosoftGraphcertificateAuthority{
+ IsRootAuthority = $True
+ DeltaCertificateRevocationListUrl = 'pqr.com'
+ Certificate = ''
+ }
+ MSFT_MicrosoftGraphcertificateAuthority{
+ IsRootAuthority = $True
+ CertificateRevocationListUrl = 'xyz.com'
+ DeltaCertificateRevocationListUrl = 'pqr.com'
+ Certificate = ''
+ }
+ );
+ Ensure = "Present";
+ OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af";
+ }
 AADRoleDefinition 'AADRoleDefinition1'
 {
 DisplayName = "DSCRole1"
diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1
index 8c9f5796a0..77b24db586 100644
--- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1
+++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1
@@ -88,6 +88,14 @@
 TenantId = $TenantId
 CertificateThumbprint = $CertificateThumbprint
 }
+ AADAuthenticationMethodPolicyExternal 'AADAuthenticationMethodPolicyExternal-Cisco Duo'
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ DisplayName = "Cisco Duo";
+ Ensure = "Absent";
+ }
 AADAuthenticationMethodPolicyFido2 'AADAuthenticationMethodPolicyFido2-Fido2'
 {
 Ensure = "Absent";
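Review bot: The AADIdentityB2XUserFlow block passes `Credential = $Credscredential` together with `ApplicationId`/`TenantId`/`CertificateThumbprint`, which no other resource in this hunk does; unless the connection helper deterministically prefers one path, the test authenticates with whichever wins or rejects the mixed parameters, so drop the `Credential = $Credscredential;` line to match the certificate-based pattern used everywhere else. Separately, the AADIdentityAPIConnector block embeds a literal basic-auth secret via `ConvertTo-SecureString "anexas" -AsPlainText -Force` that secret scanners will flag and that is provisioned into a live tenant pointing at `https://graph.microsoft.com`; read it from an environment variable or generate it at test time instead.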
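Review bot: Both `MSFT_MicrosoftGraphcertificateAuthority` entries set `Certificate = ''` with `IsRootAuthority = $True`, and the CRL values `'xyz.com'` and `'pqr.com'` are bare host names rather than URLs. An empty trusted-root certificate is not a meaningful certificate-based-authentication trust anchor: if Graph rejects it the Create run fails, and if it accepts it the test tenant's CBA trust list is left in an undefined state. Generate a throwaway self-signed CA in the test and pass its base64 DER, and use HTTPS CRL locations, e.g. `CertificateRevocationListUrl = 'https://crl.contoso.test/root.crl'`.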
@@ -177,6 +185,14 @@
 Ensure = "Absent";
 PartnerTenantId = "12345-12345-12345-12345-12345";
 }
+ AADCustomAuthenticationExtension 'AADCustomAuthenticationExtension1'
+ {
+ DisplayName = "DSCTestExtension"
+ Ensure = "Absent"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
 AADCustomSecurityAttributeDefinition 'AADCustomSecurityAttributeDefinition-ShoeSize'
 {
 ApplicationId = $ApplicationId;
@@ -296,6 +312,25 @@
 TenantId = $TenantId
 CertificateThumbprint = $CertificateThumbprint
 }
+ AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector'
+ {
+ DisplayName = "NewTestConnector";
+ Id = "RestApi_NewTestConnector";
+ Username = "anexas";
+ Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force));
+ TargetUrl = "https://graph.microsoft.com";
+ Ensure = "Absent"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ AADIdentityB2XUserFlow 'AADIdentityB2XUserFlow-B2X_1_TestFlow'
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ Id = "B2X_1_TestFlow";
+ }
 AADIdentityGovernanceLifecycleWorkflow 'AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version'
 {
 Category = "joiner";
@@ -353,6 +388,14 @@
 TenantId = $TenantId
 CertificateThumbprint = $CertificateThumbprint
 }
+ AADOrganizationCertificateBasedAuthConfiguration 'AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2'
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ Ensure = "Absent";
+ OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af";
+ }
 AADRoleDefinition 'AADRoleDefinition1'
 {
 IsEnabled = $true
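Review bot: The AADIdentityB2XUserFlow block in the Remove test has no `Ensure` line, unlike every other resource in this file, so it inherits the default (Present) and the remove pass asserts the user flow still exists instead of deleting it, leaving `B2X_1_TestFlow` behind in the test tenant after every run. Add `Ensure = "Absent";` next to `Id = "B2X_1_TestFlow";`. While here, the AADIdentityAPIConnector removal repeats the plaintext `Password`; if the schema does not make it mandatory, drop it from the Absent case so the secret appears in one place only.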
diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1
index 01fcfd4435..a7082349e2 100644
--- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1
+++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1
@@ -357,6 +357,32 @@
 );
 State = "enabled"; # Updated Property
 }
+ AADAuthenticationMethodPolicyExternal 'AADAuthenticationMethodPolicyExternal-Cisco Duo'
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb";
+ DisplayName = "Cisco Duo";
+ Ensure = "Present";
+ ExcludeTargets = @(
+ MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{
+ Id = 'Design'
+ TargetType = 'group'
+ }
+ );
+ IncludeTargets = @(
+ MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{
+ Id = 'Contoso'
+ TargetType = 'group'
+ }
+ );
+ OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{
+ discoveryUrl = 'https://graph.microsoft.com/'
+ clientId = '7698a352-4939-486e-9974-4ea5aff93f74'
+ };
+ State = "disabled";
+ }
 AADAuthenticationMethodPolicyFido2 'AADAuthenticationMethodPolicyFido2-Fido2'
 {
 ApplicationId = $ApplicationId
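Review bot: This Update block is identical to the Create definition: no property carries `# Updated Property`, so the update pass exercises no drift detection for AADAuthenticationMethodPolicyExternal, unlike the `State = "enabled"; # Updated Property` context line just above it. Change one low-impact value while keeping the method disabled, e.g. `clientId = '7698a352-4939-486e-9974-4ea5aff93f75' # Updated Property`, so Test-TargetResource and Set-TargetResource are actually driven. Flipping `State` to enabled would be the obvious drift, but with the placeholder `discoveryUrl` it would expose an unverifiable external MFA method to the `Contoso` group in the test tenant.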
@@ -732,6 +758,33 @@ CertificateThumbprint = $CertificateThumbprint Ensure = "Present"; } + AADCustomAuthenticationExtension 'AADCustomAuthenticationExtension1' + { + AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013" + AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication" + ClaimsForTokenConfiguration = @( + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'MyClaim' + } + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'My2ndClaim' + } + ) + ClientConfigurationMaximumRetries = 1 + ClientConfigurationTimeoutMilliseconds = 2000 + CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension" + Description = "DSC Testing 1" + DisplayName = "DSCTestExtension" + EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{ + EndpointType = '#microsoft.graph.httpRequestEndpoint' + TargetUrl = 'https://Microsoft365DSC.com' + } + Ensure = "Present"; + Id = "11105949-846e-42a1-a873-f12db8345013" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADCustomSecurityAttributeDefinition 'AADCustomSecurityAttributeDefinition-ShoeSize' { ApplicationId = $ApplicationId; 
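Review bot: The AADCustomAuthenticationExtension Update block repeats the Create definition verbatim, with no `# Updated Property` marker, so the update run never detects or corrects drift for this resource. A harmless change such as `Description = "DSC Testing 2" # Updated Property` is enough to exercise the update path without touching the endpoint or claims configuration.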
@@ -952,6 +1005,71 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas 1"; #drift + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADIdentityB2XUserFlow 'AADIdentityB2XUserFlow-B2X_1_TestFlow' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + 
}
+ );
+ }
 AADIdentityGovernanceLifecycleWorkflow 'AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version'
 {
 Category = "joiner";
diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1
index 30dc923214..d5ef0c950b 100644
--- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1
+++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1
@@ -607,6 +607,14 @@
 TenantId = $TenantId
 CertificateThumbprint = $CertificateThumbprint
 }
+ EXOMailboxAuditBypassAssociation 'EXOMailboxAuditBypassAssociation-Test'
+ {
+ AuditBypassEnabled = $True; #Updated Property
+ Identity = "TestMailbox109";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
 EXOMailboxAutoReplyConfiguration 'EXOMailboxAutoReplyConfiguration'
 {
 AutoDeclineFutureRequestsWhenOOF = $False;
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthenticationMethodPolicyExternal.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthenticationMethodPolicyExternal.Tests.ps1
new file mode 100644
index 0000000000..ec4f10ace8
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthenticationMethodPolicyExternal.Tests.ps1
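Review bot: Only the AADIdentityAPIConnector block in this Update hunk carries a drift marker (`Username = "anexas 1"; #drift`); the AADIdentityB2XUserFlow block is identical to its Create definition, so the update pass never exercises drift for the user flow. Change one attribute, e.g. `DisplayName = 'Random Updated' # drift` on the `city` assignment, so Set-TargetResource is actually invoked. The user-flow resource body ends past the start of this hunk's trailing context.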
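Review bot: `AuditBypassEnabled = $True` on `TestMailbox109` switches off mailbox audit logging for that account in the test tenant, and nothing in this hunk sets it back; if the teardown pass does not flip it to `$False` (the Create and Remove counterparts are not in view), every integration run leaves a permanently audit-exempt mailbox behind, which is precisely the state defenders alert on because attackers use it to hide activity. Pair this with an explicit reset in the Remove tests, `AuditBypassEnabled = $False;`, or assert the final state is `$False` at the end of the run. Since this resource has no `Ensure`, "remove" can only mean writing the safe value back.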
@@ -0,0 +1,365 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADAuthenticationMethodPolicyExternal" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -MockWith { + } + + Mock -CommandName Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -MockWith { + } + + Mock -CommandName Remove-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADAuthenticationMethodPolicyExternal should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + ExcludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFTAADAuthenticationMethodPolicyExternalExcludeTarget 
-Property @{ + TargetType = "group" + Id = "Fakegroup" + } -ClientOnly) + ) + IncludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget -Property @{ + TargetType = 'group' + Id = 'Fakegroup' + } -ClientOnly) + ) + OpenIdConnectSetting = (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting -Property @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } -ClientOnly); + DisplayName = "ExternalOath" + State = "enabled" + Ensure = "Present" + AppId = "00000000-0000-0000-0000-000000000002" + Credential = $Credential; + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -Exactly 1 + } + } + + Context -Name "The AADAuthenticationMethodPolicyExternal exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + ExcludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFTAADAuthenticationMethodPolicyExternalExcludeTarget -Property @{ + TargetType = "group" + Id = "Fakegroup" + } -ClientOnly) + ) + IncludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget -Property @{ + TargetType = 'group' + Id = 'Fakegroup' + } -ClientOnly) + ) + OpenIdConnectSetting = (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting -Property @{ + 
discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } -ClientOnly); + DisplayName = "ExternalOath" + State = "enabled" + Ensure = "Absent" + AppId = "00000000-0000-0000-0000-000000000002" + Credential = $Credential; + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + authenticationMethodConfigurations = @{ + IncludeTargets = @( + @{ + TargetType = 'group' + Id = 'Fakegroup' + } + ) + ExcludeTargets = @( + @{ + TargetType = "group" + Id = "00000000-0000-0000-0000-000000000000" + } + ) + OpenIdConnectSetting = @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } + DisplayName = "ExternalOath" + AppId = "00000000-0000-0000-0000-000000000002" + State = "enabled" + '@odata.type' = "#microsoft.graph.externalAuthenticationMethodConfiguration" + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -Exactly 1 + } + } + Context -Name "The AADAuthenticationMethodPolicyExternal Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ExcludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFTAADAuthenticationMethodPolicyExternalExcludeTarget -Property @{ + TargetType = "group" + Id = "Fakegroup" + } -ClientOnly) + ) + IncludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget -Property @{ + TargetType = 'group' + Id = 
'Fakegroup' + } -ClientOnly) + ) + OpenIdConnectSetting = (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting -Property @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } -ClientOnly); + DisplayName = "ExternalOath" + State = "enabled" + Ensure = "Present" + AppId = "00000000-0000-0000-0000-000000000002" + Credential = $Credential; + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + authenticationMethodConfigurations = @{ + IncludeTargets = @( + @{ + TargetType = 'group' + Id = 'Fakegroup' + } + ) + ExcludeTargets = @( + @{ + TargetType = "group" + Id = "00000000-0000-0000-0000-000000000000" + } + ) + OpenIdConnectSetting = @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } + DisplayName = "ExternalOath" + AppId = "00000000-0000-0000-0000-000000000002" + State = "enabled" + '@odata.type' = "#microsoft.graph.externalAuthenticationMethodConfiguration" + } + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADAuthenticationMethodPolicyExternal exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ExcludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFTAADAuthenticationMethodPolicyExternalExcludeTarget -Property @{ + TargetType = "group" + Id = "Fakegroup" + } -ClientOnly) + ) + IncludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget -Property @{ + TargetType = 'group' + Id = 'Fakegroup' + } -ClientOnly) + ) + OpenIdConnectSetting = (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting -Property @{ + discoveryUrl 
= 'https://microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } -ClientOnly); + DisplayName = "ExternalOath" + State = "enabled" + Ensure = "Present" + AppId = "00000000-0000-0000-0000-000000000003" + Credential = $Credential; + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + authenticationMethodConfigurations = @{ + IncludeTargets = @( + @{ + TargetType = 'group' + Id = 'Fakegroup' + } + ) + ExcludeTargets = @( + @{ + TargetType = "group" + Id = "00000000-0000-0000-0000-000000000000" + } + ) + OpenIdConnectSetting = @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } + DisplayName = "ExternalOath" + AppId = "00000000-0000-0000-0000-000000000002" + State = "enabled" + '@odata.type' = "#microsoft.graph.externalAuthenticationMethodConfiguration" + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + authenticationMethodConfigurations = @{ + IncludeTargets = @( + @{ + TargetType = 'group' + Id = 'Fakegroup' + } + ) + ExcludeTargets = @( + 
@{ + TargetType = "group" + Id = "00000000-0000-0000-0000-000000000000" + } + ) + OpenIdConnectSetting = @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } + DisplayName = "ExternalOath" + AppId = "00000000-0000-0000-0000-000000000002" + State = "enabled" + '@odata.type' = "#microsoft.graph.externalAuthenticationMethodConfiguration" + } + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADCustomAuthenticationExtension.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADCustomAuthenticationExtension.Tests.ps1 new file mode 100644 index 0000000000..828ee261ff --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADCustomAuthenticationExtension.Tests.ps1 
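Review bot: The `ExcludeTargets` instances in every context use `-ClassName MSFTAADAuthenticationMethodPolicyExternalExcludeTarget`, which is missing the `MSFT_` underscore that the sibling `MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget` and `...OpenIdConnectSetting` names carry; `-ClientOnly` is unlikely to reject the name, so the tests run against instances of a class the resource schema does not define, and all four occurrences should read `-ClassName MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget`. In the "exists but it SHOULD NOT" context the test titled `'Should return true from the Test method'` asserts `Should -Be $false`; rename it to `'Should return false from the Test method'` so the title matches the assertion. The `'Should Create the group from the Set method'` and `'Should Remove the group from the Set method'` titles are carried over from a group resource and describe an authentication method configuration here.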
@@ -0,0 +1,186 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADCustomAuthenticationExtension" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaIdentityCustomAuthenticationExtension -MockWith { + } + + Mock -CommandName New-MgBetaIdentityCustomAuthenticationExtension -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityCustomAuthenticationExtension -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $False + } + + # Test Contexts + Context -Name "The AADCustomAuthenticationExtension should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "testcustomextension" + Description = "test description" + Ensure = "Present" + Credential = 
$Credential + } + + Mock -CommandName Get-MgBetaIdentityCustomAuthenticationExtension -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityCustomAuthenticationExtension -Exactly 1 + } + } + + Context -Name 'The AADCustomAuthenticationExtension exists but it should not' -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "testcustomextension" + Description = "test description" + Ensure = "Absent" + Credential = $Credential + CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension" + AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication" + AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/a5352e69-55c0-4160-b4b5-03d034d842f" + ClientConfigurationTimeoutMilliseconds = 2000 + ClientConfigurationMaximumRetries = 1 + Id = "1f0c894f-d068-4f9c-af71-81d602569ad1" + ClaimsForTokenConfiguration = @() + } + + Mock -CommandName Get-MgBetaIdentityCustomAuthenticationExtension -MockWith { + $customextension = New-Object PSCustomObject + $customextension | Add-Member -MemberType NoteProperty -Name DisplayName -Value "testcustomextension" + $customextension | Add-Member -MemberType NoteProperty -Name Description -Value "test description" + $customextension | Add-Member -MemberType NoteProperty -Name Id -Value "1f0c894f-d068-4f9c-af71-81d602569ad1" + + return $customextension + } + } + + It 'Should return values from the get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + Should -Invoke -CommandName 'Get-MgBetaIdentityCustomAuthenticationExtension' -Exactly 1 + } + + It 'Should return false from the test method' { + Test-TargetResource 
@testParams | Should -Be $false + } + + It 'Should remove the app from the set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'Remove-MgBetaIdentityCustomAuthenticationExtension' -Exactly 1 + } + } + + Context -Name 'The AADCustomAuthenticationExtension exists and values are in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "testcustomextension" + Description = "test description" + Ensure = "Present" + Id = "1f0c894f-d068-4f9c-af71-81d602569ad1" + } + + Mock -CommandName Get-MgBetaIdentityCustomAuthenticationExtension -MockWith { + $customextension = New-Object PSCustomObject + $customextension | Add-Member -MemberType NoteProperty -Name DisplayName -Value "testcustomextension" + $customextension | Add-Member -MemberType NoteProperty -Name Description -Value "test description" + $customextension | Add-Member -MemberType NoteProperty -Name Id -Value "1f0c894f-d068-4f9c-af71-81d602569ad1" + + return $customextension + } + } + + It 'Should return values from the get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + Should -Invoke -CommandName 'Get-MgBetaIdentityCustomAuthenticationExtension' -Exactly 1 + } + + It 'Should return false from the test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name 'The AADCustomAuthenticationExtension exists and values are not in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "testcustomextension" + Description = "test description modified" + Ensure = "Present" + Id = "1f0c894f-d068-4f9c-af71-81d602569ad1" + } + + Mock -CommandName Get-MgBetaIdentityCustomAuthenticationExtension -MockWith { + $customextension = New-Object PSCustomObject + $customextension | Add-Member -MemberType NoteProperty -Name DisplayName -Value "testcustomextension" + $customextension | Add-Member -MemberType NoteProperty -Name Description -Value "test description" + $customextension | Add-Member -MemberType 
NoteProperty -Name Id -Value "1f0c894f-d068-4f9c-af71-81d602569ad1" + + return $customextension + } + } + + It 'Should return values from the get method' { + Get-TargetResource @testParams + Should -Invoke -CommandName 'Get-MgBetaIdentityCustomAuthenticationExtension' -Exactly 1 + } + + It 'Should return false from the test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'Update-MgBetaIdentityCustomAuthenticationExtension' -Exactly 1 + } + } + } +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 new file mode 100644 index 0000000000..d8484eef0b --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 
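Review bot: The file ends without `Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope`, which the sibling test files in this commit call after the `Describe` block, so the helper's cleanup never runs for this resource. It also has no `'ReverseDSC Tests'` context exercising `Export-TargetResource`, which the other new resource tests include. In the two later `Ensure = "Present"` contexts `$testParams` carries no `Credential`, unlike the first two; the mocked `New-M365DSCConnection` hides this, but adding `Credential = $Credential` keeps the fixtures consistent. In the "values are in the desired state" context the test named `'Should return false from the test method'` asserts `Should -Be $true`; rename it to `'Should return true from the test method'`.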
@@ -0,0 +1,312 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADIdentityAPIConnector" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaIdentityAPIConnector -MockWith { + } + + Mock -CommandName New-MgBetaIdentityAPIConnector -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityAPIConnector -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADIdentityAPIConnector should exist but it DOES NOT" -Fixture { + BeforeAll { + + $testParams = @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + Username = 'FakeStringValue' + Password = $Credential + Certificates = @( + New-CimInstance 
-ClassName 'MSFT_AADIdentityAPIConnectionCertificate' -Property @{ + Thumbprint = 'FakeStringValue' + Pkcs12Value = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + Password = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + IsActive = $true + } -ClientOnly + ) + Credential = $Credential + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityAPIConnector -Exactly 1 + } + } + + Context -Name "The AADIdentityAPIConnector exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + Username = 'FakeStringValue' + Password = $Credential + Certificates = @( + New-CimInstance -ClassName 'MSFT_AADIdentityAPIConnectionCertificate' -Property @{ + Thumbprint = 'FakeStringValue' + Pkcs12Value = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + Password = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + IsActive = $true + } -ClientOnly + ) + Credential = $Credential + Ensure = 'Absent' + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + AuthenticationConfiguration = @{ + AdditionalProperties = @{ + Username = 
'FakeStringValue' + Password = $Cred + } + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaIdentityAPIConnector -Exactly 1 + } + } + Context -Name "The AADIdentityAPIConnector Exists and Values are already in the desired state" -Fixture { + BeforeAll { + + $testParams = @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + Username = 'FakeStringValue' + Password = $Credential + Credential = $Credential + Ensure = 'Present' + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + AuthenticationConfiguration = @{ + AdditionalProperties = @{ + Username = 'FakeStringValue' + Password = $Cred + } + } + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADIdentityAPIConnector exists and values are NOT in the desired state" -Fixture { + + BeforeAll { + $testParams = @{ + DisplayName = 'FakeStringValue2' #drift + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + Username = 'FakeStringValue' + Password = $Credential + Credential = $Credential + Ensure = 'Present' + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + AuthenticationConfiguration = @{ + AdditionalProperties = @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + 
+ It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaIdentityAPIConnector -Exactly 1 + } + } + + + Context -Name "The AADIdentityAPIConnector with certificates exists and values are in the desired state" -Fixture { + + BeforeAll { + $testParams = @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + Certificates = @( + New-CimInstance -ClassName 'MSFT_AADIdentityAPIConnectionCertificate' -Property @{ + Thumbprint = 'FakeStringValue' + Pkcs12Value = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + Password = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + IsActive = $true + } -ClientOnly + ) + Credential = $Credential + Ensure = 'Present' + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + AuthenticationConfiguration = @{ + AdditionalProperties = @{ + certificateList = @( + @{ + Thumbprint = 'FakeStringValue' + IsActive = $true + } + ) + } + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + 
AuthenticationConfiguration = @{ + AdditionalProperties = @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } + } + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityB2XUserFlow.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityB2XUserFlow.Tests.ps1 new file mode 100644 index 0000000000..b0dd2cbd56 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityB2XUserFlow.Tests.ps1 
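Review bot: `Password = $Cred` in the `Get-MgBetaIdentityAPIConnector` mocks of the "exists but it SHOULD NOT" and "already in the desired state" contexts refers to a variable that is never defined (only `$Credential` is created in `BeforeAll`), so the mocked connector comes back with a null password and the desired-state assertion presumably passes only because the password is not part of the comparison; use `Password = $Credential` or a literal as the later contexts do so the fixture reflects the intended state. Two test titles contradict their assertions: `'Should return true from the Test method'` in the SHOULD NOT context asserts `$false`, and `'Should return false from the Test method'` in the certificates context asserts `$true`. `Get-PSSession` and `Remove-PSSession` are mocked in `BeforeAll` although nothing in these Graph-based tests appears to use them; they look copied from another resource's test and could be dropped.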
@@ -0,0 +1,502 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADIdentityB2XUserFlow" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaIdentityB2XUserFlow -MockWith { + } + + Mock -CommandName New-MgBetaIdentityB2XUserFlow -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityB2XUserFlow -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityB2XUserFlowIdentityProviderByRef -MockWith { + } + + Mock -CommandName New-MgBetaIdentityB2XUserFlowIdentityProviderByRef -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + } + + Mock -CommandName Update-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + } + + Mock -CommandName New-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + } + + Mock -CommandName Set-MgBetaIdentityB2XUserFlowPostAttributeCollectionByRef -MockWith { + } + + Mock -CommandName 
Set-MgBetaIdentityB2XUserFlowPostFederationSignupByRef -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADIdentityB2XUserFlow should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + ApiConnectorConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration -Property @{ + postAttributeCollectionConnectorName = 'FakeConnector1' + postFederationSignupConnectorName = 'FakeConnector2' + } -ClientOnly) + Id = "FakeStringValue" + IdentityProviders = @("Provider1", "Provider2") + UserAttributeAssignments = @((New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + IsDefault = $True + Name = 'S' + Value = '2' + } -ClientOnly + ) + } -ClientOnly)) + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlow -MockWith { + return $null + } + + Mock -CommandName Get-MgBetaIdentityApiConnector -MockWith { + return $null + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityB2XUserFlow -Exactly 1 + Should -Invoke -CommandName 
Get-MgBetaIdentityApiConnector -Exactly 2 + Should -Invoke -CommandName New-MgBetaIdentityB2XUserFlowIdentityProviderByRef -Exactly 2 + Should -Invoke -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -Exactly 1 + Should -Invoke -CommandName New-MgBetaIdentityB2XUserFlowUserAttributeAssignment -Exactly 1 + } + } + + Context -Name "The AADIdentityB2XUserFlow exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + ApiConnectorConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration -Property @{ + postAttributeCollectionConnectorName = 'FakeConnector1' + postFederationSignupConnectorName = 'FakeConnector2' + } -ClientOnly) + Id = "FakeStringValue" + IdentityProviders = @("Provider1", "Provider2") + UserAttributeAssignments = @((New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + IsDefault = $True + Name = 'S' + Value = '2' + } -ClientOnly + ) + } -ClientOnly)) + Ensure = "Absent" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlow -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowIdentityProvider -MockWith { + return @( + @{ + id = "Provider1" + }, + @{ + id = "Provider2" + } + ) + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration -MockWith { + return @{ + PostFederationSignup = [PSCustomObject]@{ + DisplayName = "FakeConnector2" + } + PostAttributeCollection = [PSCustomObject]@{ + DisplayName = "FakeConnector1" + } + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + return @( + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 
'Email Address' + Id = 'emailReadonly' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + } + ) + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaIdentityB2XUserFlow -Exactly 1 + } + } + Context -Name "The AADIdentityB2XUserFlow Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ApiConnectorConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration -Property @{ + postAttributeCollectionConnectorName = 'FakeConnector1' + postFederationSignupConnectorName = 'FakeConnector2' + } -ClientOnly) + Id = "FakeStringValue" + IdentityProviders = @("Provider1", "Provider2") + UserAttributeAssignments = @((New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + IsDefault = $True + Name = 'S' + Value = '2' + } -ClientOnly + ) + } -ClientOnly)) + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlow -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowIdentityProvider -MockWith { + return @( + @{ + id = "Provider1" + }, + @{ + id = "Provider2" + } + ) + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration -MockWith { + return @{ + PostFederationSignup = [PSCustomObject]@{ + DisplayName = "FakeConnector2" + } + 
PostAttributeCollection = [PSCustomObject]@{ + DisplayName = "FakeConnector1" + } + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + return @( + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + } + ) + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADIdentityB2XUserFlow exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ApiConnectorConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration -Property @{ + postAttributeCollectionConnectorName = 'FakeConnector1' + postFederationSignupConnectorName = 'FakeConnector2' + } -ClientOnly) + Id = "FakeStringValue" + IdentityProviders = @("Provider1", "Provider2") + UserAttributeAssignments = @((New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + IsDefault = $True + Name = 'Z' + Value = '2' + } -ClientOnly + ) + } -ClientOnly), + (New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Surname' + Id = 'surname' + UserAttributeValues = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + IsDefault = $True + Name = 'S' + Value = '2' + } -ClientOnly + ) + } -ClientOnly)) + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlow -MockWith { + 
return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityApiConnector -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowIdentityProvider -MockWith { + return @( + @{ + id = "Provider3" + }, + @{ + id = "Provider2" + } + ) + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration -MockWith { + return @{ + PostFederationSignup = [PSCustomObject]@{ + DisplayName = "FakeConnector2" + } + PostAttributeCollection = [PSCustomObject]@{ + DisplayName = "FakeConnector1" + } + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + return @( + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + }, + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'City' + Id = 'city' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + } + ) + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityB2XUserFlowIdentityProviderByRef -Exactly 1 + Should -Invoke -CommandName Remove-MgBetaIdentityB2XUserFlowIdentityProviderByRef -Exactly 1 + Should -Invoke -CommandName Set-MgBetaIdentityB2XUserFlowPostFederationSignupByRef -Exactly 1 + Should -Invoke -CommandName Set-MgBetaIdentityB2XUserFlowPostAttributeCollectionByRef -Exactly 1 + Should -Invoke -CommandName New-MgBetaIdentityB2XUserFlowUserAttributeAssignment -Exactly 1 + Should -Invoke -CommandName 
Update-MgBetaIdentityB2XUserFlowUserAttributeAssignment -Exactly 1 + Should -Invoke -CommandName Remove-MgBetaIdentityB2XUserFlowUserAttributeAssignment -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlow -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityApiConnector -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowIdentityProvider -MockWith { + return @( + @{ + id = "Provider3" + }, + @{ + id = "Provider2" + } + ) + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration -MockWith { + return @{ + PostFederationSignup = [PSCustomObject]@{ + DisplayName = "FakeConnector2" + } + PostAttributeCollection = [PSCustomObject]@{ + DisplayName = "FakeConnector1" + } + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + return @( + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + }, + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'City' + Id = 'city' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + } + ) + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope 
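Review bot: In the "exists but it SHOULD NOT" context the It title reads `'Should return true from the Test method'` while the assertion is `Should -Be $false`; rename it to `It 'Should return false from the Test method' {` so a failure is reported under the right name. The same title/assertion mismatch appears in the AADOrganizationCertificateBasedAuthConfiguration hunk (same context), in the EXOMailboxAuditBypassAssociation hunk ("already in the desired state" is titled 'Should return false' but asserts `$true`), and in the tail of the AADIdentityAPIConnector hunk above ("with certificates ... in the desired state"). Separately, every nested entry of `UserAttributeValues` is built with `-ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment`, the same class as its parent assignment, which looks like a copy-paste; the value class is not visible in this diff, so check it against the resource's schema before merging. The title 'Should Create the group from the Set method' is also inherited from another resource and would read better as 'Should create the user flow from the Set method'.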
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOrganizationCertificateBasedAuthConfiguration.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOrganizationCertificateBasedAuthConfiguration.Tests.ps1
new file mode 100644
index 0000000000..0f0800c5a8
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOrganizationCertificateBasedAuthConfiguration.Tests.ps1
@@ -0,0 +1,271 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADOrganizationCertificateBasedAuthConfiguration" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return $null + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADOrganizationCertificateBasedAuthConfiguration should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + CertificateAuthorities = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Certificate 
= "VGVzdA==" # "Test" + } -ClientOnly) + ) + OrganizationId = "FakeStringValue" + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'POST' } -Exactly 1 + } + } + + Context -Name "The AADOrganizationCertificateBasedAuthConfiguration exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + CertificateAuthorities = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Certificate = "VGVzdA==" # "Test" + } -ClientOnly) + ) + OrganizationId = "FakeStringValue" + Ensure = "Absent" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.CertificateBasedAuthConfiguration" + } + CertificateAuthorities = @( + @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + Certificate = [byte[]] @(84, 101, 115, 116) # "Test" + } + ) + Id = "FakeStringValue" + + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should 
Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'DELETE' } -Exactly 1 + } + } + Context -Name "The AADOrganizationCertificateBasedAuthConfiguration Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + CertificateAuthorities = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Certificate = "VGVzdA==" # "Test" + } -ClientOnly) + ) + OrganizationId = "FakeStringValue" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.CertificateBasedAuthConfiguration" + } + CertificateAuthorities = @( + @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + Certificate = [byte[]] @(84, 101, 115, 116) # "Test" + } + ) + Id = "FakeStringValue" + + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADOrganizationCertificateBasedAuthConfiguration exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + CertificateAuthorities = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Certificate = "VGVzdA==" # "Test" + } -ClientOnly) + ) + OrganizationId = "FakeStringValue" + Ensure = 'Present' + Credential = $Credential; + } + + Mock 
-CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.CertificateBasedAuthConfiguration" + } + CertificateAuthorities = @( + @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "NewFakeStringValue" + IsRootAuthority = $False + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + Certificate = [byte[]] @(84, 101, 115, 116) # "Test" + } + ) + Id = "FakeStringValue" + + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'DELETE' } -Exactly 1 + Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'POST' } -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.CertificateBasedAuthConfiguration" + } + CertificateAuthorities = @( + @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "NewFakeStringValue" + IsRootAuthority = $False + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + Certificate = [byte[]] @(84, 101, 115, 116) # "Test" + } + ) + Id = "FakeStringValue" + + } + } + + Mock -CommandName Get-MgBetaOrganization -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + } + It 'Should Reverse Engineer resource from the 
Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxAuditBypassAssociation.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxAuditBypassAssociation.Tests.ps1 new file mode 100644 index 0000000000..8e71aa877c --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxAuditBypassAssociation.Tests.ps1 
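Review bot: The "already in the desired state" test only passes if Get-TargetResource re-encodes the `[byte[]] @(84, 101, 115, 116)` returned by the mock into the base64 `"VGVzdA=="` supplied in `$testParams`, and nothing in the test says so; a comment on the mock, `# Graph returns Certificate as byte[]; Get-TargetResource is expected to surface it as the base64 string compared against $testParams`, would make the two encodings deliberate rather than accidental. In the "NOT in the desired state" context the drift is `IsRootAuthority = $False` and `DeltaCertificateRevocationListUrl = "NewFakeStringValue"`, and the Set assertions pin exactly one DELETE followed by one POST, which presumably reflects a replace-rather-than-patch strategy in the resource; a one-line comment stating that would make a future switch to PATCH a conscious test update instead of a surprising failure.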
@@ -0,0 +1,123 @@
+[CmdletBinding()]
+param(
+)
+$M365DSCTestFolder = Join-Path -Path $PSScriptRoot `
+ -ChildPath '..\..\Unit' `
+ -Resolve
+$CmdletModule = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Microsoft365.psm1' `
+ -Resolve)
+$GenericStubPath = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Generic.psm1' `
+ -Resolve)
+Import-Module -Name (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\UnitTestHelper.psm1' `
+ -Resolve)
+
+$CurrentScriptPath = $PSCommandPath.Split('\')
+$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1]
+$ResourceName = $CurrentScriptName.Split('.')[1]
+$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule `
+ -DscResource $ResourceName -GenericStubModule $GenericStubPath
+
+Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
+ InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock {
+ Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope
+ BeforeAll {
+
+ $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force
+ $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd)
+
+ Mock -CommandName Confirm-M365DSCDependencies -MockWith {
+ }
+
+ Mock -CommandName New-M365DSCConnection -MockWith {
+ return "Credentials"
+ }
+
+ Mock -CommandName Set-MailboxAuditBypassAssociation -MockWith {
+ return $null
+ }
+
+ # Mock Write-Host to hide output during the tests
+ Mock -CommandName Write-Host -MockWith {
+ }
+ $Script:exportedInstances =$null
+ $Script:ExportMode = $false
+ }
+ # Test contexts
+
+ Context -Name 'Settings are not in the desired state' -Fixture {
+ BeforeAll {
+ $testParams = @{
+ AuditBypassEnabled = $False;
+ Credential = $Credscredential;
+ Identity = "TestMailbox109";
+ }
+
+ Mock -CommandName Get-MailboxAuditBypassAssociation -MockWith {
+ return @{
+ AuditBypassEnabled = $True; #Drift
+ Credential = $Credscredential;
+ Identity = 
"TestMailbox109";
+ }
+ }
+ }
+
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should call the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName Set-MailboxAuditBypassAssociation -Exactly 1
+ }
+ }
+
+ Context -Name 'Settings are already in the desired state' -Fixture {
+ BeforeAll {
+ $testParams = @{
+ AuditBypassEnabled = $False;
+ Credential = $Credscredential;
+ Identity = "TestMailbox109";
+ }
+
+ Mock -CommandName Get-MailboxAuditBypassAssociation -MockWith {
+ return @{
+ AuditBypassEnabled = $False;
+ Credential = $Credscredential;
+ Identity = "TestMailbox109";
+ }
+ }
+ }
+
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $true
+ }
+ }
+
+ Context -Name 'ReverseDSC Tests' -Fixture {
+ BeforeAll {
+ $Global:CurrentModeIsExport = $true
+ $Global:PartialExportFileName = "$(New-Guid).partial.ps1"
+ $testParams = @{
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-MailboxAuditBypassAssociation -MockWith {
+ return @{
+ AuditBypassEnabled = $False;
+ Credential = $Credscredential;
+ Identity = "TestMailbox109";
+ }
+ }
+ }
+ It 'Should Reverse Engineer resource from the Export method' {
+ $result = Export-TargetResource @testParams
+ $result | Should -Not -BeNullOrEmpty
+ }
+ }
+ }
+}
+
+Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1
index abfda47b65..0e5552d5fd 100644
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1
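Review bot: `$Credscredential` is never assigned anywhere in this file — the BeforeAll block only defines `$Credential` — so in the first two contexts `$testParams` passes `Credential = $null` to Get/Test/Set-TargetResource, and the tests pass only because the mocks never look at it; change those two entries to `Credential = $Credential;` as the ReverseDSC context already does. The mocked Get-MailboxAuditBypassAssociation output in all three contexts also carries a `Credential` key with the same undefined variable, which the real cmdlet's return object presumably does not expose; dropping it keeps the mock limited to what the resource actually reads (`AuditBypassEnabled`, `Identity`).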
@@ -138,7 +138,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 Owner = ""
 PrivacyInformationUrl = ""
 Publisher = "Contoso"
- PublishingState = "published"
 RoleScopeTagIds = @()
 IgnoreVersionDetection = $True
 AdditionalProperties = @{
@@ -204,7 +203,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 Owner = ""
 PrivacyInformationUrl = ""
 Publisher = "Contoso"
- PublishingState = "published"
 RoleScopeTagIds = @()
 AdditionalProperties = @{
 '@odata.type' = '#microsoft.graph.macOSLobApp'
@@ -260,7 +258,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 Owner = ""
 PrivacyInformationUrl = ""
 Publisher = "Contoso"
- PublishingState = "published"
 AdditionalProperties = @{
 '@odata.type' = '#microsoft.graph.macOSLobApp'
 minimumSupportedOperatingSystem = @{
@@ -307,7 +304,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 Owner = ""
 PrivacyInformationUrl = ""
 Publisher = "Contoso"
- PublishingState = "published"
 RoleScopeTagIds = @()
 AdditionalProperties = @{
 '@odata.type' = '#microsoft.graph.macOSLobApp'
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SPOTenantSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SPOTenantSettings.Tests.ps1
index 30eb96c585..de2f686924 100644
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SPOTenantSettings.Tests.ps1
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SPOTenantSettings.Tests.ps1
@@ -36,6 +36,10 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 return $null
 }
 
+ Mock -CommandName Invoke-PnPSPRestMethod -MockWith {
+ return $null
+ }
+
 # Mock Write-Host to hide output during the tests
 Mock -CommandName Write-Host -MockWith {
 }
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelAlertRule.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelAlertRule.Tests.ps1
new file mode 100644
index 0000000000..90786e49f9
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelAlertRule.Tests.ps1
@@ -0,0 +1,459 @@
+[CmdletBinding()]
+param(
+)
+$M365DSCTestFolder = Join-Path -Path $PSScriptRoot `
+ -ChildPath '..\..\Unit' `
+ -Resolve
+$CmdletModule = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Microsoft365.psm1' `
+ -Resolve)
+$GenericStubPath = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Generic.psm1' `
+ -Resolve)
+Import-Module -Name (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\UnitTestHelper.psm1' `
+ -Resolve)
+
+$CurrentScriptPath = $PSCommandPath.Split('\')
+$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1]
+$ResourceName = $CurrentScriptName.Split('.')[1]
+$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule `
+ -DscResource $ResourceName -GenericStubModule $GenericStubPath
+
+Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
+ InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock {
+ Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope
+ BeforeAll {
+
+ $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force
+ $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd)
+
+ Mock -CommandName Confirm-M365DSCDependencies -MockWith {
+ }
+
+ Mock -CommandName New-M365DSCConnection -MockWith {
+ return "Credentials"
+ }
+
+ Mock -CommandName Get-AzResource -MockWith {
+ return @{
+ ResourceGroupName = "MyResourceGroup"
+ Name = 'MySentinelWorkspace'
+ ResourceId = "name/part/resourceId/"
+ }
+ }
+
+ Mock -CommandName New-M365DSCSentinelAlertRule -MockWith {
+
+ }
+
+ Mock -CommandName Remove-M365DSCSentinelAlertRule -MockWith {
+
+ }
+
+ # Mock Write-Host to hide output during the tests
+ Mock -CommandName Write-Host -MockWith {
+ }
+ $Script:exportedInstances =$null
+ $Script:ExportMode = $false
+ }
+ # Test contexts
+ Context -Name "The instance should exist but it DOES NOT" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ AlertDetailsOverride = (New-CimInstance -ClassName MSFT_SentinelAlertRuleAlertDetailsOverride -Property @{
+ alertDescriptionFormat = 'This is an example of the alert content'
+ alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '
+ } -ClientOnly)
+ CustomDetails = @(
+ (New-CimInstance -ClassName MSFT_SentinelAlertRuleCustomDetails -Property @{
+ DetailKey = 'Color'
+ DetailValue = 'TenantId'
+ } -ClientOnly)
+ )
+ Description = "Test";
+ DisplayName = "TestDSC1";
+ Enabled = $True;
+ Ensure = "Present";
+ EventGroupingSettings = (New-CimInstance -ClassName MSFT_SentinelAlertRuleEventGroupingSettings -Property @{
+ aggregationKind = 'AlertPerResult'
+ } -ClientOnly)
+ IncidentConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfiguration -Property @{
+ groupingConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration -Property @{
+ lookbackDuration = 'PT5H'
+ matchingMethod = 'Selected'
+ groupByCustomDetails = @('Color')
+ groupByEntities = @('CloudApplication')
+ reopenClosedIncident = $True
+ enabled = $True
+ } -ClientOnly)
+ createIncident = $True
+ } -ClientOnly)
+ Kind = "NRT";
+ Query = "ThreatIntelIndicators";
+ ResourceGroupName = "TBDSentinel";
+ Severity = "Medium";
+ SubscriptionId = "42136a41-5030-4140-aba0-7e6211115d3a";
+ SuppressionDuration = "PT5H";
+ Tactics = @();
+ Techniques = @();
+ WorkspaceName = "SentinelWorkspace";
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-M365DSCSentinelAlertRule -MockWith {
+ return $null
+ }
+ }
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Absent'
+ }
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should create a new instance from the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName New-M365DSCSentinelAlertRule -Exactly 1
+ }
+ }
+
+ Context -Name "The instance exists but it SHOULD NOT" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ AlertDetailsOverride = (New-CimInstance -ClassName MSFT_SentinelAlertRuleAlertDetailsOverride -Property @{
+ alertDescriptionFormat = 'This is an example of the alert content'
+ alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '
+ } -ClientOnly)
+ CustomDetails = @(
+ (New-CimInstance -ClassName MSFT_SentinelAlertRuleCustomDetails -Property @{
+ DetailKey = 'Color'
+ DetailValue = 'TenantId'
+ } -ClientOnly)
+ )
+ Description = "Test";
+ DisplayName = "TestDSC1";
+ Enabled = $True;
+ Ensure = "Absent";
+ EventGroupingSettings = (New-CimInstance -ClassName MSFT_SentinelAlertRuleEventGroupingSettings -Property @{
+ aggregationKind = 'AlertPerResult'
+ } -ClientOnly)
+ IncidentConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfiguration -Property @{
+ groupingConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration -Property @{
+ lookbackDuration = 'PT5H'
+ matchingMethod = 'Selected'
+ groupByCustomDetails = @('Color')
+ groupByEntities = @('CloudApplication')
+ reopenClosedIncident = $True
+ enabled = $True
+ } -ClientOnly)
+ createIncident = $True
+ } -ClientOnly)
+ Kind = "NRT";
+ Query = "ThreatIntelIndicators";
+ ResourceGroupName = "TBDSentinel";
+ Severity = "Medium";
+ SubscriptionId = "42136a41-5030-4140-aba0-7e6211115d3a";
+ SuppressionDuration = "PT5H";
+ Tactics = @();
+ Techniques = @();
+ WorkspaceName = "SentinelWorkspace";
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-M365DSCSentinelAlertRule -MockWith {
+ return @{
+ Kind = 'NRT'
+ name = '12345-12345-12345-12345-12345'
+ properties = @{
+ Query = "ThreatIntelIndicators";
+ Severity = "Medium";
+ SuppressionDuration = "PT5H";
+ Tactics = @();
+ Techniques = @();
+ Description = "Test";
+ DisplayName = "TestDSC1";
+ Enabled = $True;
+ AlertDetailsOverride = @{
+ alertDescriptionFormat = 'This is an example of the alert content'
+ alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '
+ }
+ CustomDetails = @(
+ @{
+ Color = 'TenantId'
+ }
+ )
+ EventGroupingSettings = @{
+ aggregationKind = 'AlertPerResult'
+ }
+ IncidentConfiguration = @{
+ groupingConfiguration = @{
+ lookbackDuration = 'PT5H'
+ matchingMethod = 'Selected'
+ groupByCustomDetails = @('Color')
+ groupByEntities = @('CloudApplication')
+ reopenClosedIncident = $True
+ enabled = $True
+ }
+ createIncident = $True
+ }
+ }
+ }
+ }
+ }
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Present'
+ }
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should remove the instance from the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName Remove-M365DSCSentinelAlertRule -Exactly 1
+ }
+ }
+
+ Context -Name "The instance exists and values are already in the desired state" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ AlertDetailsOverride = (New-CimInstance -ClassName MSFT_SentinelAlertRuleAlertDetailsOverride -Property @{
+ alertDescriptionFormat = 'This is an example of the alert content'
+ alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '
+ } -ClientOnly)
+ CustomDetails = @(
+ (New-CimInstance -ClassName MSFT_SentinelAlertRuleCustomDetails -Property @{
+ DetailKey = 'Color'
+ DetailValue = 'TenantId'
+ } -ClientOnly)
+ )
+ Description = "Test";
+ DisplayName = "TestDSC1";
+ Enabled = $True;
+ Ensure = "Present";
+ EventGroupingSettings = (New-CimInstance -ClassName MSFT_SentinelAlertRuleEventGroupingSettings -Property @{
+ aggregationKind = 'AlertPerResult'
+ } -ClientOnly)
+ IncidentConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfiguration -Property @{
+ groupingConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration -Property @{
+ lookbackDuration = 'PT5H'
+ matchingMethod = 'Selected'
+ groupByCustomDetails = @('Color')
+ groupByEntities = @('CloudApplication')
+ reopenClosedIncident = $True
+ enabled = $True
+ } -ClientOnly)
+ createIncident = $True
+ } -ClientOnly)
+ Kind = "NRT";
+ Query = "ThreatIntelIndicators";
+ ResourceGroupName = "TBDSentinel";
+ Severity = "Medium";
+ SubscriptionId = "42136a41-5030-4140-aba0-7e6211115d3a";
+ SuppressionDuration = "PT5H";
+ Tactics = @();
+ Techniques = @();
+ WorkspaceName = "SentinelWorkspace";
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-M365DSCSentinelAlertRule -MockWith {
+ return @{
+ Kind = 'NRT'
+ name = '12345-12345-12345-12345-12345'
+ properties = @{
+ Query = "ThreatIntelIndicators";
+ Severity = "Medium";
+ SuppressionDuration = "PT5H";
+ Tactics = @();
+ Techniques = @();
+ Description = "Test";
+ DisplayName = "TestDSC1";
+ Enabled = $True;
+ AlertDetailsOverride = @{
+ alertDescriptionFormat = 'This is an example of the alert content'
+ alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '
+ }
+ CustomDetails =
+ [PSCustomObject]@{
+ Color = 'TenantId'
+ }
+ EventGroupingSettings = @{
+ aggregationKind = 'AlertPerResult'
+ }
+ IncidentConfiguration = @{
+ groupingConfiguration = @{
+ lookbackDuration = 'PT5H'
+ matchingMethod = 'Selected'
+ groupByCustomDetails = @('Color')
+ groupByEntities = @('CloudApplication')
+ reopenClosedIncident = $True
+ enabled = $True
+ }
+ createIncident = $True
+ }
+ }
+ }
+ }
+ }
+
+ It 'Should return true from the Test method' {
+ Test-TargetResource @testParams | Should -Be $true
+ }
+ }
+
+ Context -Name "The instance exists and values are NOT in the desired state" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ AlertDetailsOverride = (New-CimInstance -ClassName MSFT_SentinelAlertRuleAlertDetailsOverride -Property @{
+ alertDescriptionFormat = 'This is an example of the alert content'
+ alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '
+ } -ClientOnly)
+ CustomDetails = @(
+ (New-CimInstance -ClassName MSFT_SentinelAlertRuleCustomDetails -Property @{
+ DetailKey = 'Color'
+ DetailValue = 'TenantId'
+ } -ClientOnly)
+ )
+ Description = "Test";
+ DisplayName = "TestDSC1";
+ Enabled = $False; #Drift
+ Ensure = "Present";
+ EventGroupingSettings = (New-CimInstance -ClassName MSFT_SentinelAlertRuleEventGroupingSettings -Property @{
+ aggregationKind = 'AlertPerResult'
+ } -ClientOnly)
+ IncidentConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfiguration -Property @{
+ groupingConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration -Property @{
+ lookbackDuration = 'PT5H'
+ matchingMethod = 'Selected'
+ groupByCustomDetails = @('Color')
+ groupByEntities = @('CloudApplication')
+ reopenClosedIncident = $True
+ enabled = $True
+ } -ClientOnly)
+ createIncident = $True
+ } -ClientOnly)
+ Kind = "NRT";
+ Query = "ThreatIntelIndicators";
+ ResourceGroupName = "TBDSentinel";
+ Severity = "Medium";
+ SubscriptionId = "42136a41-5030-4140-aba0-7e6211115d3a";
+ SuppressionDuration = "PT5H";
+ Tactics = @();
+ Techniques = @();
+ WorkspaceName = "SentinelWorkspace";
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-M365DSCSentinelAlertRule -MockWith {
+ return @{
+ Kind = 'NRT'
+ name = '12345-12345-12345-12345-12345'
+ properties = @{
+ Query = "ThreatIntelIndicators";
+ Severity = "Medium";
+ SuppressionDuration = "PT5H";
+ Tactics = @();
+ Techniques = @();
+ Description = "Test";
+ DisplayName = "TestDSC1";
+ Enabled = $True;
+ AlertDetailsOverride = @{
+ alertDescriptionFormat = 'This is an example of the alert content'
+ alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '
+ }
+ CustomDetails = @(
+ @{
+ Color = 'TenantId'
+ }
+ )
+ EventGroupingSettings = @{
+ aggregationKind = 'AlertPerResult'
+ }
+ IncidentConfiguration = @{
+ groupingConfiguration = @{
+ lookbackDuration = 'PT5H'
+ matchingMethod = 'Selected'
+ groupByCustomDetails = @('Color')
+ groupByEntities = @('CloudApplication')
+ reopenClosedIncident = $True
+ enabled = $True
+ }
+ createIncident = $True
+ }
+ }
+ }
+ }
+ }
+
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Present'
+ }
+
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should call the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName New-M365DSCSentinelAlertRule -Exactly 1
+ }
+ }
+
+ Context -Name 'ReverseDSC Tests' -Fixture {
+ BeforeAll {
+ $Global:CurrentModeIsExport = $true
+ $Global:PartialExportFileName = "$(New-Guid).partial.ps1"
+ $testParams = @{
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-M365DSCSentinelAlertRule -MockWith {
+ return @{
+ Kind = 'NRT'
+ name = '12345-12345-12345-12345-12345'
+ properties = @{
+ Query = "ThreatIntelIndicators";
+ Severity = "Medium";
+ SuppressionDuration = "PT5H";
+ Tactics = @();
+ Techniques = @();
+ Description = "Test";
+ DisplayName = "TestDSC1";
+ Enabled = $True;
+ AlertDetailsOverride = @{
+ alertDescriptionFormat = 'This is an example of the alert content'
+ alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '
+ }
+ CustomDetails = @(
+ @{
+ Color = 'TenantId'
+ }
+ )
+ EventGroupingSettings = @{
+ aggregationKind = 'AlertPerResult'
+ }
+ IncidentConfiguration = @{
+ groupingConfiguration = @{
+ lookbackDuration = 'PT5H'
+ matchingMethod = 'Selected'
+ groupByCustomDetails = @('Color')
+ groupByEntities = @('CloudApplication')
+ reopenClosedIncident = $True
+ enabled = $True
+ }
+ createIncident = $True
+ }
+ }
+ }
+ }
+ }
+ It 'Should Reverse Engineer resource from the Export method' {
+ $result = Export-TargetResource @testParams
+ $result | Should -Not -BeNullOrEmpty
+ }
+ }
+ }
+}
+
+Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope
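Review bot: The "already in the desired state" context is the only one whose Get mock returns `CustomDetails` as a bare `[PSCustomObject]@{ Color = 'TenantId' }`, while the drift, removal and export contexts return `@( @{ Color = 'TenantId' } )`; so the happy path (Test-TargetResource returning $true) is never exercised against the array-of-hashtable shape the other contexts use, and a regression in how that shape is flattened would go unnoticed. Aligning the fixture to one shape, e.g. `CustomDetails = @( @{ Color = 'TenantId' } )`, or adding a second in-desired-state context for the other shape, would close that gap. The drift context also asserts `Should -Invoke -CommandName New-M365DSCSentinelAlertRule -Exactly 1` on the update path; if the resource intentionally upserts through the same helper, a one-line comment above that assertion saying so would stop the next reader from flagging it as a missing Set/Update mock. Separately, `alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '` has an unbalanced brace; it is identical in every fixture so the comparison passes, but it does not look like a valid placeholder.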
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelThreatIntelligenceIndicator.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelThreatIntelligenceIndicator.Tests.ps1
new file mode 100644
index 0000000000..24bc9959c9
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelThreatIntelligenceIndicator.Tests.ps1
@@ -0,0 +1,264 @@
+[CmdletBinding()]
+param(
+)
+$M365DSCTestFolder = Join-Path -Path $PSScriptRoot `
+ -ChildPath '..\..\Unit' `
+ -Resolve
+$CmdletModule = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Microsoft365.psm1' `
+ -Resolve)
+$GenericStubPath = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Generic.psm1' `
+ -Resolve)
+Import-Module -Name (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\UnitTestHelper.psm1' `
+ -Resolve)
+
+$CurrentScriptPath = $PSCommandPath.Split('\')
+$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1]
+$ResourceName = $CurrentScriptName.Split('.')[1]
+$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule `
+ -DscResource $ResourceName -GenericStubModule $GenericStubPath
+
+Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
+ InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock {
+ Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope
+ BeforeAll {
+
+ $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force
+ $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd)
+
+ Mock -CommandName Confirm-M365DSCDependencies -MockWith {
+ }
+
+ Mock -CommandName New-M365DSCConnection -MockWith {
+ return "Credentials"
+ }
+
+ Mock -CommandName Get-AzResource -MockWith {
+ return @{
+ ResourceGroupName = "MyResourceGroup"
+ Name = 'MySentinelWorkspace'
+ ResourceId = "name/part/resourceId/"
+ }
+ }
+
+ Mock -CommandName Remove-M365DSCSentinelThreatIntelligenceIndicator -MockWith {
+ }
+
+ Mock -CommandName New-M365DSCSentinelThreatIntelligenceIndicator -MockWith {
+ }
+
+ Mock -CommandName Set-M365DSCSentinelThreatIntelligenceIndicator -MockWith {
+ }
+
+ # Mock Write-Host to hide output during the tests
+ Mock -CommandName Write-Host -MockWith {
+ }
+ $Script:exportedInstances =$null
+ $Script:ExportMode = $false
+ }
+ # Test contexts
+ Context -Name "The instance should exist but it DOES NOT" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ DisplayName = "MyIndicator";
+ Labels = @("Tag1", "Tag2");
+ Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']";
+ PatternType = "ipv6-addr";
+ ResourceGroupName = "MyResourceGroup";
+ Source = "Microsoft Sentinel";
+ SubscriptionId = "12345-12345-12345-12345-12345";
+ ThreatIntelligenceTags = @();
+ ValidFrom = "2024-10-21T19:03:57.24Z";
+ ValidUntil = "2024-10-21T19:03:57.24Z";
+ WorkspaceName = "SentinelWorkspace";
+ Ensure = 'Present'
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-M365DSCSentinelThreatIntelligenceIndicator -MockWith {
+ return $null
+ }
+ }
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Absent'
+ }
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should create a new instance from the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName New-M365DSCSentinelThreatIntelligenceIndicator -Exactly 1
+ }
+ }
+
+ Context -Name "The instance exists but it SHOULD NOT" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ DisplayName = "MyIndicator";
+ Labels = @("Tag1", "Tag2");
+ Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']";
+ PatternType = "ipv6-addr";
+ ResourceGroupName = "MyResourceGroup";
+ Source = "Microsoft Sentinel";
+ SubscriptionId = "12345-12345-12345-12345-12345";
+ ThreatIntelligenceTags = @();
+ ValidFrom = "2024-10-21T19:03:57.24Z";
+ ValidUntil = "2024-10-21T19:03:57.24Z";
+ WorkspaceName = "SentinelWorkspace";
+ Ensure = 'Absent'
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-M365DSCSentinelThreatIntelligenceIndicator -MockWith {
+ return @{
+ name = '12345-12345-12345-12345-12345'
+ properties = @{
+ displayName = 'MyIndicator'
+ labels = @("Tag1", "Tag2")
+ pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']";
+ patternType = "ipv6-addr";
+ threatIntelligenceTags = @();
+ validFrom = "2024-10-21T19:03:57.24Z";
+ validUntil = "2024-10-21T19:03:57.24Z";
+ }
+ }
+ }
+ }
+
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Present'
+ }
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should remove the instance from the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName Remove-M365DSCSentinelThreatIntelligenceIndicator -Exactly 1
+ }
+ }
+
+ Context -Name "The instance exists and values are already in the desired state" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ DisplayName = "MyIndicator";
+ Labels = @("Tag1", "Tag2");
+ Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']";
+ PatternType = "ipv6-addr";
+ ResourceGroupName = "MyResourceGroup";
+ Source = "Microsoft Sentinel";
+ SubscriptionId = "12345-12345-12345-12345-12345";
+ ThreatIntelligenceTags = @();
+ ValidFrom = "2024-10-21T19:03:57.24Z";
+ ValidUntil = "2024-10-21T19:03:57.24Z";
+ WorkspaceName = "SentinelWorkspace";
+ Ensure = 'Present'
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-M365DSCSentinelThreatIntelligenceIndicator -MockWith {
+ return @{
+ name = '12345-12345-12345-12345-12345'
+ properties = @{
+ displayName = 'MyIndicator'
+ labels = @("Tag1", "Tag2")
+ pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']";
+ patternType = "ipv6-addr";
+ threatIntelligenceTags = @();
+ validFrom = "2024-10-21T19:03:57.24Z";
+ validUntil = "2024-10-21T19:03:57.24Z";
+ source = 'Microsoft Sentinel'
+ }
+ }
+ }
+ }
+
+ It 'Should return true from the Test method' {
+ Test-TargetResource @testParams | Should -Be $true
+ }
+ }
+
+ Context -Name "The instance exists and values are NOT in the desired state" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ DisplayName = "MyIndicator";
+ Labels = @("Tag1", "Tag2");
+ Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']";
+ PatternType = "ipv6-addr";
+ ResourceGroupName = "MyResourceGroup";
+ Source = "Microsoft Sentinel";
+ SubscriptionId = "12345-12345-12345-12345-12345";
+ ThreatIntelligenceTags = @();
+ ValidFrom = "2024-10-21T19:03:57.24Z";
+ ValidUntil = "2024-10-21T19:03:57.24Z";
+ WorkspaceName = "SentinelWorkspace";
+ Ensure = 'Present'
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-M365DSCSentinelThreatIntelligenceIndicator -MockWith {
+ return @{
+ name = '12345-12345-12345-12345-12345'
+ properties = @{
+ displayName = 'MyIndicator'
+ labels = @("Tag1", "Tag2")
+ pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']";
+ patternType = "ipv6-addr";
+ threatIntelligenceTags = @();
+ validFrom = "2024-10-22T19:03:57.24Z"; #Drift
+ validUntil = "2024-10-23T19:03:57.24Z"; #Drift
+ }
+ }
+ }
+ }
+
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Present'
+ }
+
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should call the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName Set-M365DSCSentinelThreatIntelligenceIndicator -Exactly 1
+ }
+ }
+
+ Context -Name 'ReverseDSC Tests' -Fixture {
+ BeforeAll {
+ $Global:CurrentModeIsExport = $true
+ $Global:PartialExportFileName = "$(New-Guid).partial.ps1"
+ $testParams = @{
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-M365DSCSentinelThreatIntelligenceIndicator -MockWith {
+ return @{
+ name = '12345-12345-12345-12345-12345'
+ properties = @{
+ displayName = 'MyIndicator'
+ labels = @("Tag1", "Tag2")
+ pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']";
+ patternType = "ipv6-addr";
+ threatIntelligenceTags = @();
+ validFrom = "2024-10-22T19:03:57.24Z";
+ validUntil = "2024-10-23T19:03:57.24Z";
+ source = 'Microsoft Sentinel'
+ }
+ }
+ }
+ }
+ It 'Should Reverse Engineer resource from the Export method' {
+ $result = Export-TargetResource @testParams
+ $result | Should -Not -BeNullOrEmpty
+ }
+ }
+ }
+}
+
+Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsGroupPolicyAssignment.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsGroupPolicyAssignment.Tests.ps1
index 7942363114..25a45d76f9 100644
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsGroupPolicyAssignment.Tests.ps1
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsGroupPolicyAssignment.Tests.ps1
@@ -38,7 +38,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 Mock -CommandName Find-CsGroup -MockWith {
 return @(
 @{
- Id= '00000000-0000-0000-0000-000000000000'
 Displayname = 'TestGroup'
 }
 )
diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1
index 985abaa28d..f2481bb673 100644
--- a/Tests/Unit/Stubs/Microsoft365.psm1
+++ b/Tests/Unit/Stubs/Microsoft365.psm1
@@ -30,6 +30,7 @@ function Get-MgBetaPolicyAdminConsentRequestPolicy param() } + #region Microsoft.Graph.Beta.Applications function Get-MgBetaApplication {
@@ -2768,6 +2769,19 @@ function Get-Mailbox
 $IncludeEmailAddressDisplayNames
 )
 }
+function Get-MailboxAuditBypassAssociation
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.Object]
+ $Identity,
+
+ [Parameter()]
+ [System.Object]
+ $ResultSize
+ )
+}
 function Get-MailboxAutoReplyConfiguration
 {
 [CmdletBinding()]
@@ -12123,6 +12137,19 @@ function Set-Mailbox
 $MessageTrackingReadStatusEnabled
 )
 }
+function Set-MailboxAuditBypassAssociation
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.Boolean]
+ $AuditBypassEnabled,
+
+ [Parameter()]
+ [System.Object]
+ $Identity
+ )
+}
 function Set-MailboxAutoReplyConfiguration
 {
 [CmdletBinding()]
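Review bot: In the SentinelThreatIntelligenceIndicator "values are NOT in the desired state" context the Get mock omits `source`, which the "already in the desired state" mock returns as `source = 'Microsoft Sentinel'`; if Test-TargetResource compares Source, that context returns $false because of the missing property rather than the `validFrom`/`validUntil` lines marked `#Drift`, so the drift assertion is not isolating what it claims to. Adding `source = 'Microsoft Sentinel'` to that mock (and to the "exists but SHOULD NOT" mock for consistency) leaves the date drift as the only difference. The update path also only asserts `Should -Invoke -CommandName Set-M365DSCSentinelThreatIntelligenceIndicator -Exactly 1`; pairing it with `-Exactly 0` checks for the New- and Remove- helpers would pin that an in-place update is the intended behaviour.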
@@ -17378,6 +17405,10 @@ function New-MgServicePrincipal [PSObject] $DelegatedPermissionClassifications, + [Parameter()] + [System.Collections.Hashtable] + $CustomSecurityAttributes, + [Parameter()] [PSObject] $PasswordCredentials, @@ -18023,6 +18054,10 @@ function Update-MgServicePrincipal [PSObject] $DelegatedPermissionClassifications, + [Parameter()] + [System.Collections.Hashtable] + $CustomSecurityAttributes, + [Parameter()] [PSObject] $PasswordCredentials, @@ -18283,12 +18318,39 @@ function Invoke-MgGraphRequest $Headers ) } -#endregion -#region Microsoft.Graph.Beta.DeviceManagement -function Get-MgBetaDeviceManagement + +function New-MgBetaIdentityCustomAuthenticationExtension { [CmdletBinding()] param( + [Parameter()] + [System.Collections.Hashtable] + $EndpointConfiguration, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $ClientConfiguration, + [Parameter()] [PSObject] $HttpPipelinePrepend, 
@@ -18298,85 +18360,97 @@ function Get-MgBetaDeviceManagement $Proxy, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.Collections.Hashtable] + $BodyParameter, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.String] + $Id, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.Management.Automation.SwitchParameter] + $Confirm, [Parameter()] - [System.String[]] - $Property, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] - [PSObject] - $HttpPipelineAppend, + [System.String] + $ResponseHeadersVariable, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementAssignmentFilter +function Update-MgBetaIdentityCustomAuthenticationExtension { [CmdletBinding()] param( [Parameter()] - [System.String[]] - $Property, + [System.Collections.Hashtable] + $EndpointConfiguration, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, [Parameter()] [PSObject] $InputObject, + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, [Parameter()] - [System.Int32] - $PageSize, + [PSObject] + $ClientConfiguration, [Parameter()] [PSObject] $HttpPipelinePrepend, - [Parameter()] - [System.Int32] - $Skip, - - [Parameter()] - [System.Int32] - $Top, - [Parameter()] [System.String] - $CountVariable, + $CustomAuthenticationExtensionId, [Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.String[]] - $Sort, + [System.Collections.Hashtable] + $BodyParameter, [Parameter()] [System.String] - $DeviceAndAppManagementAssignmentFilterId, + $Id, 
[Parameter()] [System.Management.Automation.SwitchParameter] - $All, - - [Parameter()] - [System.String] - $Filter, + $Confirm, [Parameter()] [System.Management.Automation.PSCredential] @@ -18384,22 +18458,22 @@ function Get-MgBetaDeviceManagementAssignmentFilter [Parameter()] [System.String] - $Search, + $ResponseHeadersVariable, [Parameter()] [System.Management.Automation.SwitchParameter] $Break, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.Collections.IDictionary] + $Headers, [Parameter()] [PSObject] $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementConfigurationPolicy +function Get-MgBetaIdentityCustomAuthenticationExtension { [CmdletBinding()] param( @@ -18427,6 +18501,10 @@ function Get-MgBetaDeviceManagementConfigurationPolicy [System.Int32] $Skip, + [Parameter()] + [System.String] + $CustomAuthenticationExtensionId, + [Parameter()] [System.Int32] $Top, @@ -18459,6 +18537,10 @@ function Get-MgBetaDeviceManagementConfigurationPolicy [System.String] $Search, + [Parameter()] + [System.String] + $ResponseHeadersVariable, + [Parameter()] [System.Management.Automation.SwitchParameter] $Break, 
@@ -18468,30 +18550,123 @@ function Get-MgBetaDeviceManagementConfigurationPolicy $ExpandProperty, [Parameter()] - [System.String] - $DeviceManagementConfigurationPolicyId, + [System.Collections.IDictionary] + $Headers, [Parameter()] [PSObject] $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementConfigurationPolicyAssignment +function Remove-MgBetaIdentityCustomAuthenticationExtension { [CmdletBinding()] param( [Parameter()] - [System.String[]] - $Property, + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.String] + $CustomAuthenticationExtensionId, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, [Parameter()] [PSObject] $InputObject, + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion + +#region Microsoft.Graph.Beta.DeviceManagement +function Get-MgBetaDeviceManagement +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + [Parameter()] [System.String[]] $ExpandProperty, + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function 
Get-MgBetaDeviceManagementAssignmentFilter +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, @@ -18524,6 +18699,10 @@ function Get-MgBetaDeviceManagementConfigurationPolicyAssignment [System.String[]] $Sort, + [Parameter()] + [System.String] + $DeviceAndAppManagementAssignmentFilterId, + [Parameter()] [System.Management.Automation.SwitchParameter] $All, @@ -18536,28 +18715,24 @@ function Get-MgBetaDeviceManagementConfigurationPolicyAssignment [System.Management.Automation.PSCredential] $ProxyCredential, - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, - [Parameter()] [System.String] $Search, [Parameter()] - [System.String] - $DeviceManagementConfigurationPolicyId, + [System.Management.Automation.SwitchParameter] + $Break, [Parameter()] - [System.String] - $DeviceManagementConfigurationPolicyAssignmentId, + [System.String[]] + $ExpandProperty, [Parameter()] [PSObject] $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementConfigurationPolicySetting +function Get-MgBetaDeviceManagementConfigurationPolicy { [CmdletBinding()] param( @@ -18573,10 +18748,6 @@ function Get-MgBetaDeviceManagementConfigurationPolicySetting [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, - [Parameter()] - [System.String] - $DeviceManagementConfigurationSettingId, - [Parameter()] [System.Int32] $PageSize, 
@@ -18617,28 +18788,28 @@ function Get-MgBetaDeviceManagementConfigurationPolicySetting [System.Management.Automation.PSCredential] $ProxyCredential, - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, - [Parameter()] [System.String] $Search, [Parameter()] - [System.String] - $DeviceManagementConfigurationPolicyId, + [System.Management.Automation.SwitchParameter] + $Break, [Parameter()] [System.String[]] $ExpandProperty, + [Parameter()] + [System.String] + $DeviceManagementConfigurationPolicyId, + [Parameter()] [PSObject] $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementConfigurationPolicyTemplate +function Get-MgBetaDeviceManagementConfigurationPolicyAssignment { [CmdletBinding()] param( @@ -18650,6 +18821,10 @@ function Get-MgBetaDeviceManagementConfigurationPolicyTemplate [PSObject] $InputObject, + [Parameter()] + [System.String[]] + $ExpandProperty, + [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, @@ -18695,34 +18870,30 @@ function Get-MgBetaDeviceManagementConfigurationPolicyTemplate $ProxyCredential, [Parameter()] - [System.String] - $Search, + [System.Management.Automation.SwitchParameter] + $Break, [Parameter()] [System.String] - $DeviceManagementConfigurationPolicyTemplateId, + $Search, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, + [System.String] + $DeviceManagementConfigurationPolicyId, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.String] + $DeviceManagementConfigurationPolicyAssignmentId, [Parameter()] [PSObject] $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate +function Get-MgBetaDeviceManagementConfigurationPolicySetting { [CmdletBinding()] param( - [Parameter()] - [System.String] - $DeviceManagementConfigurationSettingTemplateId, - [Parameter()] [System.String[]] $Property, 
@@ -18735,6 +18906,10 @@ function Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, + [Parameter()] + [System.String] + $DeviceManagementConfigurationSettingId, + [Parameter()] [System.Int32] $PageSize, @@ -18776,16 +18951,16 @@ function Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate $ProxyCredential, [Parameter()] - [System.String] - $Search, + [System.Management.Automation.SwitchParameter] + $Break, [Parameter()] [System.String] - $DeviceManagementConfigurationPolicyTemplateId, + $Search, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, + [System.String] + $DeviceManagementConfigurationPolicyId, [Parameter()] [System.String[]] @@ -18796,7 +18971,7 @@ function Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementDeviceCategory +function Get-MgBetaDeviceManagementConfigurationPolicyTemplate { [CmdletBinding()] param( @@ -18804,10 +18979,6 @@ function Get-MgBetaDeviceManagementDeviceCategory [System.String[]] $Property, - [Parameter()] - [System.String] - $DeviceCategoryId, - [Parameter()] [PSObject] $InputObject, @@ -18860,6 +19031,10 @@ function Get-MgBetaDeviceManagementDeviceCategory [System.String] $Search, + [Parameter()] + [System.String] + $DeviceManagementConfigurationPolicyTemplateId, + [Parameter()] [System.Management.Automation.SwitchParameter] $Break, @@ -18873,10 +19048,14 @@ function Get-MgBetaDeviceManagementDeviceCategory $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementDeviceCompliancePolicy +function Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate { [CmdletBinding()] param( + [Parameter()] + [System.String] + $DeviceManagementConfigurationSettingTemplateId, + [Parameter()] [System.String[]] $Property, 
@@ -18933,6 +19112,10 @@ function Get-MgBetaDeviceManagementDeviceCompliancePolicy [System.String] $Search, + [Parameter()] + [System.String] + $DeviceManagementConfigurationPolicyTemplateId, + [Parameter()] [System.Management.Automation.SwitchParameter] $Break, @@ -18943,14 +19126,10 @@ function Get-MgBetaDeviceManagementDeviceCompliancePolicy [Parameter()] [PSObject] - $HttpPipelineAppend, - - [Parameter()] - [System.String] - $DeviceCompliancePolicyId + $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment +function Get-MgBetaDeviceManagementDeviceCategory { [CmdletBinding()] param( @@ -18958,6 +19137,10 @@ function Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment [System.String[]] $Property, + [Parameter()] + [System.String] + $DeviceCategoryId, + [Parameter()] [PSObject] $InputObject, @@ -18987,17 +19170,13 @@ function Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment $CountVariable, [Parameter()] - [System.String] - $DeviceCompliancePolicyAssignmentId, + [System.Uri] + $Proxy, [Parameter()] [System.String[]] $Sort, - [Parameter()] - [System.Uri] - $Proxy, - [Parameter()] [System.Management.Automation.SwitchParameter] $All, @@ -19024,14 +19203,10 @@ function Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment [Parameter()] [PSObject] - $HttpPipelineAppend, - - [Parameter()] - [System.String] - $DeviceCompliancePolicyId + $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementDeviceConfiguration +function Get-MgBetaDeviceManagementDeviceCompliancePolicy { [CmdletBinding()] param( @@ -19055,10 +19230,6 @@ function Get-MgBetaDeviceManagementDeviceConfiguration [PSObject] $HttpPipelinePrepend, - [Parameter()] - [System.String] - $DeviceConfigurationId, - [Parameter()] [System.Int32] $Skip, 
@@ -19105,10 +19276,14 @@ function Get-MgBetaDeviceManagementDeviceConfiguration [Parameter()] [PSObject] - $HttpPipelineAppend + $HttpPipelineAppend, + + [Parameter()] + [System.String] + $DeviceCompliancePolicyId ) } -function Get-MgBetaDeviceManagementDeviceConfigurationAssignment +function Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment { [CmdletBinding()] param( @@ -19132,10 +19307,6 @@ function Get-MgBetaDeviceManagementDeviceConfigurationAssignment [PSObject] $HttpPipelinePrepend, - [Parameter()] - [System.String] - $DeviceConfigurationId, - [Parameter()] [System.Int32] $Skip, @@ -19149,16 +19320,16 @@ function Get-MgBetaDeviceManagementDeviceConfigurationAssignment $CountVariable, [Parameter()] - [System.Uri] - $Proxy, + [System.String] + $DeviceCompliancePolicyAssignmentId, [Parameter()] [System.String[]] $Sort, [Parameter()] - [System.String] - $DeviceConfigurationAssignmentId, + [System.Uri] + $Proxy, [Parameter()] [System.Management.Automation.SwitchParameter] @@ -19186,10 +19357,14 @@ function Get-MgBetaDeviceManagementDeviceConfigurationAssignment [Parameter()] [PSObject] - $HttpPipelineAppend + $HttpPipelineAppend, + + [Parameter()] + [System.String] + $DeviceCompliancePolicyId ) } -function Get-MgBetaDeviceManagementGroupPolicyConfiguration +function Get-MgBetaDeviceManagementDeviceConfiguration { [CmdletBinding()] param( @@ -19213,6 +19388,10 @@ function Get-MgBetaDeviceManagementGroupPolicyConfiguration [PSObject] $HttpPipelinePrepend, + [Parameter()] + [System.String] + $DeviceConfigurationId, + [Parameter()] [System.Int32] $Skip, @@ -19249,10 +19428,6 @@ function Get-MgBetaDeviceManagementGroupPolicyConfiguration [System.String] $Search, - [Parameter()] - [System.String] - $GroupPolicyConfigurationId, - [Parameter()] [System.Management.Automation.SwitchParameter] $Break, 
@@ -19266,7 +19441,7 @@ function Get-MgBetaDeviceManagementGroupPolicyConfiguration $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementGroupPolicyConfigurationAssignment +function Get-MgBetaDeviceManagementDeviceConfigurationAssignment { [CmdletBinding()] param( @@ -19282,10 +19457,6 @@ function Get-MgBetaDeviceManagementGroupPolicyConfigurationAssignment [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, - [Parameter()] - [System.String] - $GroupPolicyConfigurationAssignmentId, - [Parameter()] [System.Int32] $PageSize, @@ -19294,6 +19465,10 @@ function Get-MgBetaDeviceManagementGroupPolicyConfigurationAssignment [PSObject] $HttpPipelinePrepend, + [Parameter()] + [System.String] + $DeviceConfigurationId, + [Parameter()] [System.Int32] $Skip, @@ -19314,6 +19489,10 @@ function Get-MgBetaDeviceManagementGroupPolicyConfigurationAssignment [System.String[]] $Sort, + [Parameter()] + [System.String] + $DeviceConfigurationAssignmentId, + [Parameter()] [System.Management.Automation.SwitchParameter] $All, @@ -19330,10 +19509,6 @@ function Get-MgBetaDeviceManagementGroupPolicyConfigurationAssignment [System.String] $Search, - [Parameter()] - [System.String] - $GroupPolicyConfigurationId, - [Parameter()] [System.Management.Automation.SwitchParameter] $Break, 
@@ -19347,279 +19522,84 @@ function Get-MgBetaDeviceManagementGroupPolicyConfigurationAssignment $HttpPipelineAppend ) } - -function New-MgBetaDeviceManagementDerivedCredential { - - [CmdletBinding()] - param ( - [Parameter()] - [System.String] - $Id, - - [Parameter()] - [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $HelpUrl, - - [Parameter()] - [ValidateSet('intercede', 'entrustData', 'purebred')] - [System.String] - $Issuer, - - [Parameter()] - [ValidateSet('none', 'email', 'companyPortal')] - [System.String] - $NotificationType = 'none' - ) -} - -function Get-MgBetaDeviceManagementDerivedCredential { - [CmdletBinding()] - param ( - [Parameter()] - [System.String] - $DeviceManagementDerivedCredentialSettingsId, - - [Parameter()] - [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $HelpUrl, - - [Parameter()] - [ValidateSet('intercede', 'entrustData', 'purebred')] - [System.String] - $Issuer, - - [Parameter()] - [ValidateSet('none', 'email', 'companyPortal')] - [System.String] - $NotificationType = 'none' - ) -} - -function Remove-MgBetaDeviceManagementDerivedCredential +function Get-MgBetaDeviceManagementGroupPolicyConfiguration { [CmdletBinding()] param( - [Parameter()] - [System.String] - $DeviceManagementDerivedCredentialSettingsId, - - [Parameter()] - [System.Boolean] - $Confirm - ) -} - -function New-MgBetaDeviceAppManagementMobileApp { - [CmdletBinding()] - param ( - [Parameter()] - [System.String] - $DeviceManagementDerivedCredentialSettingsId, - - [Parameter()] - [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.String] - $Developer, - - [Parameter()] - [System.String] - $InformationUrl, - - [Parameter()] - [System.Boolean] - $IsFeatured, - - [Parameter()] - [System.String] - $Notes, - - [Parameter()] - [System.String] - $Owner, - - [Parameter()] - [System.String] - $PrivacyInformationUrl, - - [Parameter()] - [System.String] - $Publisher, - - 
[Parameter()] - [System.String] - [ValidateSet('notPublished', 'processing','published')] - $PublishingState, - - [Parameter()] - [Microsoft.Management.Infrastructure.CimInstance[]] - $Categories, - - [Parameter()] - [Microsoft.Management.Infrastructure.CimInstance[]] - $Assignments, - - [Parameter()] - [Microsoft.Management.Infrastructure.CimInstance[]] - $ChildApps, - [Parameter()] [System.String[]] - $RoleScopeTagIds - ) -} - -function Get-MgBetaDeviceAppManagementMobileApp { - [CmdletBinding()] - param ( - [Parameter()] - [System.String] - $MobileAppId, - - [Parameter()] - [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.String] - $Developer, + $Property, [Parameter()] - [System.String] - $InformationUrl, + [PSObject] + $InputObject, [Parameter()] - [System.Boolean] - $IsFeatured, + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, [Parameter()] - [System.Boolean] - $IgnoreVersionDetection, + [System.Int32] + $PageSize, [Parameter()] - [System.String] - $Notes, + [PSObject] + $HttpPipelinePrepend, [Parameter()] - [System.String] - $Owner, + [System.Int32] + $Skip, [Parameter()] - [System.String] - $PrivacyInformationUrl, + [System.Int32] + $Top, [Parameter()] [System.String] - $Publisher, + $CountVariable, [Parameter()] - [System.String] - [ValidateSet('notPublished', 'processing','published')] - $PublishingState, + [System.Uri] + $Proxy, [Parameter()] [System.String[]] - $RoleScopeTagIds - ) -} -function Update-MgBetaDeviceAppManagementMobileApp { - [CmdletBinding()] - param ( - [Parameter()] - [System.String] - $MobileAppId, - - [Parameter()] - [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.String] - $Developer, - - [Parameter()] - [System.String] - $InformationUrl, - - [Parameter()] - [System.Boolean] - $IsFeatured, + $Sort, [Parameter()] - [System.String] - $Notes, + 
[System.Management.Automation.SwitchParameter] + $All, [Parameter()] [System.String] - $Owner, + $Filter, [Parameter()] - [System.String] - $PrivacyInformationUrl, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [System.String] - $Publisher, + $Search, [Parameter()] [System.String] - [ValidateSet('notPublished', 'processing','published')] - $PublishingState, - - [Parameter()] - [System.Object[]] - $Categories, - - [Parameter()] - [System.Object[]] - $Assignments, - - [Parameter()] - [System.Object[]] - $ChildApps, + $GroupPolicyConfigurationId, [Parameter()] - [System.Object[]] - $RoleScopeTagIds - ) -} + [System.Management.Automation.SwitchParameter] + $Break, -function Remove-MgBetaDeviceAppManagementMobileApp { - [CmdletBinding()] - param ( [Parameter()] - [System.String] - $MobileAppId, + [System.String[]] + $ExpandProperty, [Parameter()] - [System.Boolean] - $Confirm + [PSObject] + $HttpPipelineAppend ) } - -function Get-MgBetaDeviceManagementGroupPolicyConfigurationDefinitionValue +function Get-MgBetaDeviceManagementGroupPolicyConfigurationAssignment { [CmdletBinding()] param( @@ -19635,6 +19615,10 @@ function Get-MgBetaDeviceManagementGroupPolicyConfigurationDefinitionValue [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, + [Parameter()] + [System.String] + $GroupPolicyConfigurationAssignmentId, + [Parameter()] [System.Int32] $PageSize, 
@@ -19643,10 +19627,359 @@ function Get-MgBetaDeviceManagementGroupPolicyConfigurationDefinitionValue [PSObject] $HttpPipelinePrepend, - [Parameter()] - [System.String] - $GroupPolicyDefinitionValueId, - + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $GroupPolicyConfigurationId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} + +function New-MgBetaDeviceManagementDerivedCredential { + + [CmdletBinding()] + param ( + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $HelpUrl, + + [Parameter()] + [ValidateSet('intercede', 'entrustData', 'purebred')] + [System.String] + $Issuer, + + [Parameter()] + [ValidateSet('none', 'email', 'companyPortal')] + [System.String] + $NotificationType = 'none' + ) +} + +function Get-MgBetaDeviceManagementDerivedCredential { + [CmdletBinding()] + param ( + [Parameter()] + [System.String] + $DeviceManagementDerivedCredentialSettingsId, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $HelpUrl, + + [Parameter()] + [ValidateSet('intercede', 'entrustData', 'purebred')] + [System.String] + $Issuer, + + [Parameter()] + [ValidateSet('none', 'email', 'companyPortal')] + [System.String] + $NotificationType = 'none' + ) +} + +function Remove-MgBetaDeviceManagementDerivedCredential +{ + [CmdletBinding()] + param( + 
[Parameter()] + [System.String] + $DeviceManagementDerivedCredentialSettingsId, + + [Parameter()] + [System.Boolean] + $Confirm + ) +} + +function New-MgBetaDeviceAppManagementMobileApp { + [CmdletBinding()] + param ( + [Parameter()] + [System.String] + $DeviceManagementDerivedCredentialSettingsId, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Developer, + + [Parameter()] + [System.String] + $InformationUrl, + + [Parameter()] + [System.Boolean] + $IsFeatured, + + [Parameter()] + [System.String] + $Notes, + + [Parameter()] + [System.String] + $Owner, + + [Parameter()] + [System.String] + $PrivacyInformationUrl, + + [Parameter()] + [System.String] + $Publisher, + + [Parameter()] + [System.String] + [ValidateSet('notPublished', 'processing','published')] + $PublishingState, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ChildApps, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds + ) +} + +function Get-MgBetaDeviceAppManagementMobileApp { + [CmdletBinding()] + param ( + [Parameter()] + [System.String] + $MobileAppId, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Developer, + + [Parameter()] + [System.String] + $InformationUrl, + + [Parameter()] + [System.Boolean] + $IsFeatured, + + [Parameter()] + [System.Boolean] + $IgnoreVersionDetection, + + [Parameter()] + [System.String] + $Notes, + + [Parameter()] + [System.String] + $Owner, + + [Parameter()] + [System.String] + $PrivacyInformationUrl, + + [Parameter()] + [System.String] + $Publisher, + + [Parameter()] + [System.String] + [ValidateSet('notPublished', 'processing','published')] + $PublishingState, + + [Parameter()] + 
[System.String[]] + $RoleScopeTagIds + ) +} +function Update-MgBetaDeviceAppManagementMobileApp { + [CmdletBinding()] + param ( + [Parameter()] + [System.String] + $MobileAppId, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Developer, + + [Parameter()] + [System.String] + $InformationUrl, + + [Parameter()] + [System.Boolean] + $IsFeatured, + + [Parameter()] + [System.String] + $Notes, + + [Parameter()] + [System.String] + $Owner, + + [Parameter()] + [System.String] + $PrivacyInformationUrl, + + [Parameter()] + [System.String] + $Publisher, + + [Parameter()] + [System.String] + [ValidateSet('notPublished', 'processing','published')] + $PublishingState, + + [Parameter()] + [System.Object[]] + $Categories, + + [Parameter()] + [System.Object[]] + $Assignments, + + [Parameter()] + [System.Object[]] + $ChildApps, + + [Parameter()] + [System.Object[]] + $RoleScopeTagIds + ) +} + +function Remove-MgBetaDeviceAppManagementMobileApp { + [CmdletBinding()] + param ( + [Parameter()] + [System.String] + $MobileAppId, + + [Parameter()] + [System.Boolean] + $Confirm + ) +} + +function Get-MgBetaDeviceManagementGroupPolicyConfigurationDefinitionValue +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $GroupPolicyDefinitionValueId, + [Parameter()] [System.Int32] $Skip, @@ -50110,6 +50443,10 @@ function New-MgServicePrincipal [PSObject] $DelegatedPermissionClassifications, + [Parameter()] + [System.Collections.Hashtable] + $CustomSecurityAttributes, + [Parameter()] [PSObject] $PasswordCredentials, 
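Review bot: The re-added `New-MgBetaDeviceAppManagementMobileApp` stub still declares `$DeviceManagementDerivedCredentialSettingsId` as its first parameter, which looks like a copy-paste from the `Remove-MgBetaDeviceManagementDerivedCredential` stub directly above it rather than a parameter of the mobile-app cmdlet; the move in this hunk carries that mismatch onto the new side. A stub whose parameter list diverges from the real cmdlet lets a resource pass a wrong parameter name through the unit tests and only fail against the tenant. I would replace the three lines with `[Parameter()]` / `[System.String]` / `$Id`, matching the sibling `New-MgBetaDeviceManagementDerivedCredential` stub, after confirming against the installed module's parameter set. The same block appears verbatim on the removed side of the `@@ -19347` hunk, so this is pre-existing rather than introduced by the reorder.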
@@ -50755,6 +51092,10 @@ function Update-MgServicePrincipal [PSObject] $DelegatedPermissionClassifications, + [Parameter()] + [System.Collections.Hashtable] + $CustomSecurityAttributes, + [Parameter()] [PSObject] $PasswordCredentials, 
@@ -97621,3 +97962,1069 @@ function Stop-MgBetaIdentityGovernanceAccessReviewDefinition #endregion +function Invoke-PnPSPRestMethod +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Method, + + [Parameter()] + [System.String] + $Url, + + [Parameter()] + [System.Object] + $Content + ) +} + +#region MgBetaIdentityB2XUserFlow +function Get-MgBetaIdentityB2XUserFlow +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaIdentityB2XUserFlow +{ + [CmdletBinding()] + param + ( + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject] + $ApiConnectorConfiguration, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [PSObject[]] + 
$IdentityProviders, + + [Parameter()] + [PSObject[]] + $Languages, + + [Parameter()] + [PSObject[]] + $UserAttributeAssignments, + + [Parameter()] + [PSObject[]] + $UserFlowIdentityProviders, + + [Parameter()] + [System.String] + $UserFlowType, + + [Parameter()] + [System.Single] + $UserFlowTypeVersion, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaIdentityB2XUserFlow +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaIdentityB2XUserFlow +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + 
$BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject] + $ApiConnectorConfiguration, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [PSObject[]] + $IdentityProviders, + + [Parameter()] + [PSObject[]] + $Languages, + + [Parameter()] + [PSObject[]] + $UserAttributeAssignments, + + [Parameter()] + [PSObject[]] + $UserFlowIdentityProviders, + + [Parameter()] + [System.String] + $UserFlowType, + + [Parameter()] + [System.Single] + $UserFlowTypeVersion, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} +#endregion + +#region MgBetaIdentityB2XUserFlowApiConnectorConfiguration +function Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String[]] + $ExpandProperty + ) +} + +function Set-MgBetaIdentityB2XUserFlowPostFederationSignupByRef +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $BodyParameter + ) +} + +function Set-MgBetaIdentityB2XUserFlowPostAttributeCollectionByRef +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $BodyParameter + ) +} +#endregion + +#region MgBetaIdentityB2XUserFlowUserAttributeAssignment +function 
Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String[]] + $ExpandProperty + ) +} + +function New-MgBetaIdentityB2XUserFlowUserAttributeAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $BodyParameter + ) +} + +function Update-MgBetaIdentityB2XUserFlowUserAttributeAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String] + $IdentityUserFlowAttributeAssignmentId, + + [Parameter()] + [PSObject] + $BodyParameter + ) +} + +function Remove-MgBetaIdentityB2XUserFlowUserAttributeAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String] + $IdentityUserFlowAttributeAssignmentId + ) +} + +#endregion + +#region MgBetaIdentityB2XUserFlowIdentityProvider +function Get-MgBetaIdentityB2XUserFlowIdentityProvider +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String[]] + $ExpandProperty + ) +} + +function New-MgBetaIdentityB2XUserFlowIdentityProviderByRef +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $BodyParameter + ) +} + +function Remove-MgBetaIdentityB2XUserFlowIdentityProviderByRef +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String] + $IdentityProviderBaseId + ) +} +#endregion + +function Get-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $IdentityApiConnectorId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, 
+ + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} +#region MgBetaOrganizationCertificateBasedAuthConfiguration +function Get-MgBetaOrganizationCertificateBasedAuthConfiguration +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $CertificateBasedAuthConfigurationId, + + [Parameter()] + [System.String] + $OrganizationId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + 
[Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaOrganizationCertificateBasedAuthConfiguration +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $OrganizationId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $CertificateAuthorities, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaOrganizationCertificateBasedAuthConfiguration +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $CertificateBasedAuthConfigurationId, + + [Parameter()] + [System.String] + $OrganizationId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + 
$HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [System.String] + $IdentityApiConnectorId, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} + +function New-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + 
$HttpPipelinePrepend, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} + +function Remove-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String] + $IdentityApiConnectorId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} + +function Invoke-MgBetaUploadIdentityApiConnectorClientCertificate +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Password, + + [Parameter()] + [System.String] + $IdentityApiConnectorId, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + 
$HttpPipelinePrepend, + + [Parameter()] + [System.String] + $Pkcs12Value, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} + +#endregion diff --git a/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyExternal.md b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyExternal.md new file mode 100644 index 0000000000..275115ee02 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyExternal.md 
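Review bot: The `Update-`, `New-`, `Remove-MgBetaIdentityApiConnector` and `Invoke-MgBetaUploadIdentityApiConnectorClientCertificate` stubs are placed inside `#region MgBetaOrganizationCertificateBasedAuthConfiguration` (its `#endregion` is the last line of the hunk), while `Get-MgBetaIdentityApiConnector` sits outside any region between the B2XUserFlowIdentityProvider `#endregion` and that `#region`; grouping the five ApiConnector stubs in their own `#region MgBetaIdentityApiConnector` block would match the layout the hunk uses for every other cmdlet family. Separately, `Invoke-MgBetaUploadIdentityApiConnectorClientCertificate` takes `$Password` and `$Pkcs12Value` as plain `[System.String]`, which mirrors the Graph cmdlet, but a short comment above the stub such as `# $Password and $Pkcs12Value carry secret material; mocks of this stub should not assert on or emit their values` would keep a later test from writing them into verbose or diagnostic output. The stubs are deliberately bodiless, so there is nothing else in this hunk to verify.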
@@ -0,0 +1,228 @@
+# AADAuthenticationMethodPolicyExternal
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **ExcludeTargets** | Write | MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget[] | Displayname of the groups of users that are excluded from a policy. | |
+| **IncludeTargets** | Write | MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget[] | Displayname of the groups of users that are included from a policy. | |
+| **OpenIdConnectSetting** | Write | MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting | Open ID Connection settings used by this external authentication method. | |
+| **State** | Write | String | The state of the policy. Possible values are: enabled, disabled. | `enabled`, `disabled` |
+| **AppId** | Write | String | The appId for the app registration in Microsoft Entra ID representing the integration with the external provider. | |
+| **DisplayName** | Key | String | The displayName of the authentication policy configuration. Read-only. | |
+| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Id** | Write | String | The object identifier of an Azure AD group. | |
+| **TargetType** | Write | String | The type of the authentication method target. Possible values are: group and unknownFutureValue. | `user`, `group`, `unknownFutureValue` |
+
+### MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Id** | Write | String | The object identifier of an Azure AD group. | |
+| **TargetType** | Write | String | The type of the authentication method target. Possible values are: group and unknownFutureValue. | `user`, `group`, `unknownFutureValue` |
+
+### MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **ClientId** | Write | String | The Microsoft Entra ID's client ID as generated by the provider or admin to identify Microsoft Entra ID. | |
+| **DiscoveryUrl** | Write | String | The host URL of the external identity provider's OIDC discovery endpoint. | |
+
+
+## Description
+
+Azure AD Authentication Method Policy External
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
+
+- **Update**
+
+ - Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
+
+#### Application permissions
+
+- **Read**
+
+ - Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
+
+- **Update**
+
+ - Policy.ReadWrite.AuthenticationMethod, Policy.Read.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo"
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb";
+ DisplayName = "Cisco Duo";
+ Ensure = "Present";
+ ExcludeTargets = @(
+ MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{
+ Id = 'Design'
+ TargetType = 'group'
+ }
+ );
+ IncludeTargets = @(
+ MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{
+ Id = 'Contoso'
+ TargetType = 'group'
+ }
+ );
+ OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{
+ discoveryUrl = 'https://graph.microsoft.com/'
+ clientId = '7698a352-4939-486e-9974-4ea5aff93f74'
+ };
+ State = "disabled";
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ Node localhost
+ {
+ AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo"
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb";
+ DisplayName = "Cisco Duo";
+ Ensure = "Present";
+ ExcludeTargets = @(
+ MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{
+ Id = 'Design'
+ TargetType = 'group'
+ }
+ );
+ IncludeTargets = @(
+ MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{
+ Id = 'Contoso'
+ TargetType = 'group'
+ }
+ );
+ OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{
+ discoveryUrl = 'https://graph.microsoft.com/'
+ clientId = '7698a352-4939-486e-9974-4ea5aff93f74'
+ };
+ State = "disabled";
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ Node localhost
+ {
+ AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo"
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ DisplayName = "Cisco Duo";
+ Ensure = "Absent";
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AADCustomAuthenticationExtension.md b/docs/docs/resources/azure-ad/AADCustomAuthenticationExtension.md
new file mode 100644
index 0000000000..ad3f66cda2
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADCustomAuthenticationExtension.md
@@ -0,0 +1,224 @@
+# AADCustomAuthenticationExtension
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **DisplayName** | Key | String | Display Name of the custom security attribute. Must be unique within an attribute set. Can be up to 32 characters long and include Unicode characters. Can't contain spaces or special characters. Can't be changed later. Case sensitive. | |
+| **Id** | Write | String | Unique identifier of the Attribute Definition. | |
+| **CustomAuthenticationExtensionType** | Write | String | Defines the custom authentication extension type. | |
+| **Description** | Write | String | Description of the custom security attribute. Can be up to 128 characters long and include Unicode characters. Can't contain spaces or special characters. Can be changed later. | |
+| **AuthenticationConfigurationType** | Write | String | Defines the authentication configuration type | |
+| **AuthenticationConfigurationResourceId** | Write | String | Defines the authentication configuration resource id | |
+| **ClientConfigurationTimeoutMilliseconds** | Write | UInt32 | Defines the client configuration timeout in milliseconds | |
+| **ClientConfigurationMaximumRetries** | Write | UInt32 | Defines the client configuration max retries | |
+| **EndpointConfiguration** | Write | MSFT_AADCustomAuthenticationExtensionEndPointConfiguration | Defines the endpoint configuration | |
+| **ClaimsForTokenConfiguration** | Write | MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration[] | Defines the list of claims for token configurations | |
+| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_AADCustomAuthenticationExtensionEndPointConfiguration
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **EndpointType** | Write | String | Defines the type of the endpoint configuration | |
+| **LogicAppWorkflowName** | Write | String | Defines the workflow name for the logic app | |
+| **ResourceGroupName** | Write | String | Defines the resource group name for the logic app | |
+| **SubscriptionId** | Write | String | Defines the subscription id for the logic app | |
+| **TargetUrl** | Write | String | Defines the target url for the http endpoint | |
+
+### MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **ClaimIdInApiResponse** | Write | String | Defines the claim id in api response. | |
+
+
+## Description
+
+Custom authentication extensions define interactions with external systems during a user authentication session.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - CustomSecAttributeDefinition.Read.All
+
+- **Update**
+
+ - CustomSecAttributeDefinition.ReadWrite.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1"
+ {
+ AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013"
+ AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication"
+ ClaimsForTokenConfiguration = @(
+ MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{
+ ClaimIdInApiResponse = 'MyClaim'
+ }
+ MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{
+ ClaimIdInApiResponse = 'My2ndClaim'
+ }
+ )
+ ClientConfigurationMaximumRetries = 1
+ ClientConfigurationTimeoutMilliseconds = 2000
+ CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension"
+ Description = "DSC Testing 1"
+ DisplayName = "DSCTestExtension"
+ EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{
+ EndpointType = '#microsoft.graph.httpRequestEndpoint'
+ TargetUrl = 'https://Microsoft365DSC.com'
+ }
+ Ensure = "Present";
+ Id = "11105949-846e-42a1-a873-f12db8345013"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1"
+ {
+ AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013"
+ AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication"
+ ClaimsForTokenConfiguration = @(
+ MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{
+ ClaimIdInApiResponse = 'MyClaim'
+ }
+ MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{
+ ClaimIdInApiResponse = 'My2ndClaim'
+ }
+ )
+ ClientConfigurationMaximumRetries = 1
+ ClientConfigurationTimeoutMilliseconds = 2000
+ CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension"
+ Description = "DSC Testing 1"
+ DisplayName = "DSCTestExtension"
+ EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{
+ EndpointType = '#microsoft.graph.httpRequestEndpoint'
+ TargetUrl = 'https://Microsoft365DSC.com'
+ }
+ Ensure = "Present";
+ Id = "11105949-846e-42a1-a873-f12db8345013"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1" + { + DisplayName = "DSCTestExtension" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md b/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md index 0c447db556..6cdf6b96b3 100644 --- a/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md +++ b/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md @@ -17,6 +17,7 @@ | **Credential** | Write | PSCredential | Credentials of the workload's Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | | **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | | **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | | **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | @@ -36,11 +37,11 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - None + - CustomSecAttributeDefinition.Read.All - **Update** - - None + - CustomSecAttributeDefinition.ReadWrite.All #### Application permissions 
diff --git a/docs/docs/resources/azure-ad/AADDomain.md b/docs/docs/resources/azure-ad/AADDomain.md index 01a98d0d24..1e11b20532 100644 --- a/docs/docs/resources/azure-ad/AADDomain.md +++ b/docs/docs/resources/azure-ad/AADDomain.md @@ -18,6 +18,7 @@ | **Credential** | Write | PSCredential | Credentials of the workload's Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory application to authenticate with. | | | **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | | **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | | **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | diff --git a/docs/docs/resources/azure-ad/AADIdentityAPIConnector.md b/docs/docs/resources/azure-ad/AADIdentityAPIConnector.md new file mode 100644 index 0000000000..914b4b7df6 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADIdentityAPIConnector.md 
@@ -0,0 +1,185 @@
+# AADIdentityAPIConnector
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **DisplayName** | Required | String | The name of the API connector. | |
+| **TargetUrl** | Write | String | The URL of the API endpoint to call. | |
+| **Id** | Key | String | The unique identifier for an entity. Read-only. | |
+| **Username** | Write | String | The username of the password | |
+| **Password** | Write | PSCredential | The password of certificate/basic auth | |
+| **Certificates** | Write | MSFT_AADIdentityAPIConnectionCertificate[] | List of certificates to be used in the API connector | |
+| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_AADIdentityAPIConnectionCertificate
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Pkcs12Value** | Write | PSCredential | Pkcs12Value of the certificate as a secure string in Base64 encoding | |
+| **Thumbprint** | Write | String | Thumbprint of the certificate in Base64 encoding | |
+| **Password** | Write | PSCredential | Password of the certificate as a secure string | |
+| **IsActive** | Write | Boolean | Tells if the certificate is in use or not | |
+
+
+## Description
+
+Azure AD Identity API Connector
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector'
+ {
+ DisplayName = "NewTestConnector";
+ Id = "RestApi_NewTestConnector";
+ Username = "anexas";
+ Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force));
+ TargetUrl = "https://graph.microsoft.com";
+ Ensure = "Present"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector'
+ {
+ DisplayName = "NewTestConnector";
+ Id = "RestApi_NewTestConnector";
+ Username = "anexas 1"; #drift
+ Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force));
+ TargetUrl = "https://graph.microsoft.com";
+ Ensure = "Present"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector'
+ {
+ DisplayName = "NewTestConnector";
+ Id = "RestApi_NewTestConnector";
+ Username = "anexas";
+ Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force));
+ TargetUrl = "https://graph.microsoft.com";
+ Ensure = "Absent"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AADIdentityB2XUserFlow.md b/docs/docs/resources/azure-ad/AADIdentityB2XUserFlow.md
new file mode 100644
index 0000000000..d0b06feda8
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADIdentityB2XUserFlow.md 
@@ -0,0 +1,283 @@
+# AADIdentityB2XUserFlow
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **ApiConnectorConfiguration** | Write | MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration | Configuration for enabling an API connector for use as part of the self-service sign-up user flow. You can only obtain the value of this object using Get userFlowApiConnectorConfiguration. | |
+| **Id** | Key | String | The unique identifier for an entity. Read-only. | |
+| **IdentityProviders** | Write | StringArray[] | The identity providers included in the user flow. | |
+| **UserAttributeAssignments** | Write | MSFT_MicrosoftGraphuserFlowUserAttributeAssignment[] | The user attribute assignments included in the user flow. | |
+| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_MicrosoftGraphUserFlowApiConnectorConfiguration
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **postFederationSignupConnectorName** | Write | String | The name of the connector used for post federation signup step. | |
+| **postAttributeCollectionConnectorName** | Write | String | The name of the connector used for post attribute collection step. | |
+
+### MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Name** | Write | String | The display name of the property displayed to the end user in the user flow. | |
+| **Value** | Write | String | The value that is set when this item is selected. | |
+| **IsDefault** | Write | Boolean | Used to set the value as the default. | |
+
+### MSFT_MicrosoftGraphuserFlowUserAttributeAssignment
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Id** | Write | String | The unique identifier of identityUserFlowAttributeAssignment. | |
+| **DisplayName** | Write | String | The display name of the identityUserFlowAttribute within a user flow. | |
+| **IsOptional** | Write | Boolean | Determines whether the identityUserFlowAttribute is optional. | |
+| **UserInputType** | Write | String | User Flow Attribute Input Type. | `textBox`, `dateTimeDropdown`, `radioSingleSelect`, `dropdownSingleSelect`, `emailBox`, `checkboxMultiSelect` |
+| **UserAttributeValues** | Write | MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues[] | The list of user attribute values for this assignment. | |
+
+
+## Description
+
+Azure AD Identity B2 X User Flow
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - IdentityUserFlow.Read.All
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - IdentityUserFlow.Read.All
+
+- **Update**
+
+ - None
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow"
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration
+ {
+ postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c'
+ postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca'
+ };
+ Credential = $Credscredential;
+ Ensure = "Present";
+ Id = "B2X_1_TestFlow";
+ IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH");
+ UserAttributeAssignments = @(
+ MSFT_MicrosoftGraphuserFlowUserAttributeAssignment
+ {
+ UserInputType = 'textBox'
+ IsOptional = $True
+ DisplayName = 'Email Address'
+ Id = 'emailReadonly'
+
+ }
+ MSFT_MicrosoftGraphuserFlowUserAttributeAssignment
+ {
+ UserInputType = 'dropdownSingleSelect'
+ IsOptional = $True
+ DisplayName = 'Random'
+ Id = 'city'
+ UserAttributeValues = @(
+ MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues
+ {
+ IsDefault = $True
+ Name = 'S'
+ Value = '2'
+ }
+ MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues
+ {
+ IsDefault = $True
+ Name = 'X'
+ Value = '1'
+ }
+ )
+ }
+ MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{
+ UserInputType = 'textBox'
+ IsOptional = $False
+ DisplayName = 'Piyush1'
+ Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1'
+
+ }
+ );
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow"
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration
+ {
+ postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c'
+ postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca'
+ };
+ Credential = $Credscredential;
+ Ensure = "Present";
+ Id = "B2X_1_TestFlow";
+ IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH");
+ UserAttributeAssignments = @(
+ MSFT_MicrosoftGraphuserFlowUserAttributeAssignment
+ {
+ UserInputType = 'textBox'
+ IsOptional = $True
+ DisplayName = 'Email Address'
+ Id = 'emailReadonly'
+
+ }
+ MSFT_MicrosoftGraphuserFlowUserAttributeAssignment
+ {
+ UserInputType = 'dropdownSingleSelect'
+ IsOptional = $True
+ DisplayName = 'Random'
+ Id = 'city'
+ UserAttributeValues = @(
+ MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues
+ {
+ IsDefault = $True
+ Name = 'S'
+ Value = '2'
+ }
+ MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues
+ {
+ IsDefault = $True
+ Name = 'X'
+ Value = '1'
+ }
+ )
+ }
+ MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{
+ UserInputType = 'textBox'
+ IsOptional = $False
+ DisplayName = 'Piyush1'
+ Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1'
+
+ }
+ );
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow"
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ Id = "B2X_1_TestFlow";
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md b/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md
index 14afcf7a7f..4eb16af7ab 100644
--- a/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md
+++ b/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md
@@ -15,6 +15,7 @@
 | **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
 | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
 | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
 | **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
 | **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
 | **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
diff --git a/docs/docs/resources/azure-ad/AADOrganizationCertificateBasedAuthConfiguration.md b/docs/docs/resources/azure-ad/AADOrganizationCertificateBasedAuthConfiguration.md
new file mode 100644
index 0000000000..7a795004c0
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADOrganizationCertificateBasedAuthConfiguration.md
@@ -0,0 +1,148 @@
+# AADOrganizationCertificateBasedAuthConfiguration
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **CertificateAuthorities** | Write | MSFT_MicrosoftGraphcertificateAuthority[] | Collection of certificate authorities which creates a trusted certificate chain. | |
+| **OrganizationId** | Key | String | The Organization ID. Read-only. | |
+| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_MicrosoftGraphCertificateAuthority
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Certificate** | Write | String | Required. The base64 encoded string representing the public certificate. | |
+| **CertificateRevocationListUrl** | Write | String | The URL of the certificate revocation list. | |
+| **DeltaCertificateRevocationListUrl** | Write | String | The URL contains the list of all revoked certificates since the last time a full certificate revocaton list was created. | |
+| **IsRootAuthority** | Write | Boolean | Required. true if the trusted certificate is a root authority, false if the trusted certificate is an intermediate authority. | |
+
+
+## Description
+
+Azure AD Organization Certificate Based Auth Configuration
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - Organization.Read.All
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - Organization.Read.All
+
+- **Update**
+
+ - None
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ AADOrganizationCertificateBasedAuthConfiguration "AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2"
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ CertificateAuthorities = @(
+ MSFT_MicrosoftGraphcertificateAuthority{
+ IsRootAuthority = $True
+ DeltaCertificateRevocationListUrl = 'pqr.com'
+ Certificate = ''
+ }
+ MSFT_MicrosoftGraphcertificateAuthority{
+ IsRootAuthority = $True
+ CertificateRevocationListUrl = 'xyz.com'
+ DeltaCertificateRevocationListUrl = 'pqr.com'
+ Certificate = ''
+ }
+ );
+ Ensure = "Present";
+ OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af";
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ AADOrganizationCertificateBasedAuthConfiguration "AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2"
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ Ensure = "Absent";
+ OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af";
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AADServicePrincipal.md b/docs/docs/resources/azure-ad/AADServicePrincipal.md
index fc48241314..6e564a95c8 100644
--- a/docs/docs/resources/azure-ad/AADServicePrincipal.md
+++ b/docs/docs/resources/azure-ad/AADServicePrincipal.md
@@ -22,6 +22,7 @@
 | **ServicePrincipalType** | Write | String | The type of the service principal. | |
 | **Tags** | Write | StringArray[] | Tags linked to this service principal.Note that if you intend for this service principal to show up in the All Applications list in the admin portal, you need to set this value to {WindowsAzureActiveDirectoryIntegratedApp} | |
 | **DelegatedPermissionClassifications** | Write | MSFT_AADServicePrincipalDelegatedPermissionClassification[] | The permission classifications for delegated permissions exposed by the app that this service principal represents. | |
+| **CustomSecurityAttributes** | Write | MSFT_AADServicePrincipalAttributeSet[] | The list of custom security attributes attached to this SPN | |
 | **Ensure** | Write | String | Specify if the Azure AD App should exist or not. | `Present`, `Absent` |
 | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
 | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
@@ -49,6 +50,28 @@ | **Classification** | Write | String | Classification of the delegated permission | `low`, `medium`, `high` | | **PermissionName** | Write | String | Name of the permission | | +### MSFT_AADServicePrincipalAttributeValue + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **AttributeName** | Write | String | Name of the Attribute | | +| **StringArrayValue** | Write | StringArray[] | If the attribute has a string array value | | +| **IntArrayValue** | Write | UInt32Array[] | If the attribute has a int array value | | +| **StringValue** | Write | String | If the attribute has a string value | | +| **IntValue** | Write | UInt32 | If the attribute has a int value | | +| **BoolValue** | Write | Boolean | If the attribute has a boolean value | | + +### MSFT_AADServicePrincipalAttributeSet + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **AttributeSetName** | Write | String | Attribute Set Name. | | +| **AttributeValues** | Write | MSFT_AADServicePrincipalAttributeValue[] | List of attribute values. | | + ## Description This resource configures an Azure Active Directory ServicePrincipal. diff --git a/docs/docs/resources/azure-ad/AADSocialIdentityProvider.md b/docs/docs/resources/azure-ad/AADSocialIdentityProvider.md index 2472e76d61..3f219780b6 100644 --- a/docs/docs/resources/azure-ad/AADSocialIdentityProvider.md +++ b/docs/docs/resources/azure-ad/AADSocialIdentityProvider.md @@ -34,11 +34,11 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - None + - IdentityProvider.Read.All - **Update** - - None + - IdentityProvider.ReadWrite.All #### Application permissions diff --git a/docs/docs/resources/exchange/EXOMailboxAuditBypassAssociation.md b/docs/docs/resources/exchange/EXOMailboxAuditBypassAssociation.md new file mode 100644 index 0000000000..cb604b3bed 
--- /dev/null
+++ b/docs/docs/resources/exchange/EXOMailboxAuditBypassAssociation.md
@@ -0,0 +1,73 @@
+# EXOMailboxAuditBypassAssociation
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Identity** | Key | String | The Identity parameter specifies the user account or computer account where you want to view the value of the AuditBypassEnabled property. | |
+| **AuditBypassEnabled** | Write | Boolean | The AuditBypassEnabled parameter specifies whether audit bypass is enabled for the user or computer. | |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+## Description
+
+Use the Set-MailboxAuditBypassAssociation cmdlet to configure mailbox audit logging bypass for user or computer accounts such as service accounts for applications that access mailboxes frequently.
+
+## Permissions
+
+### Exchange
+
+To authenticate with Microsoft Exchange, this resource required the following permissions:
+
+#### Roles
+
+- Compliance Admin, View-Only Configuration, Journaling
+
+#### Role Groups
+
+- Organization Management, Compliance Management, Records Management
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOMailboxAuditBypassAssociation "EXOMailboxAuditBypassAssociation-Test"
+ {
+ AuditBypassEnabled = $True; #Updated Property
+ Identity = "TestMailbox109";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md b/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md
index 0134626168..a2a8e9febb 100644
--- a/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md
+++ b/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md
@@ -70,7 +70,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions
@@ -80,7 +80,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md
index 9736f856f2..7f39e3c94a 100644
--- a/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md
+++ b/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md
@@ -61,7 +61,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -71,7 +71,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md index 25709f754b..1287d250e4 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md @@ -62,7 +62,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -72,7 +72,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md index 2da74fb4a8..6c8c2806ec 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md @@ -65,7 +65,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions 
@@ -75,7 +75,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md b/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md index 8a3356509d..0eef097e57 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md @@ -85,21 +85,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md b/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md index 15667b067a..83653bc0e8 100644 --- a/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md +++ b/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md @@ -124,7 +124,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions 
@@ -134,7 +134,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md b/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md index 31b41d628a..7282b36bb0 100644 --- a/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md @@ -65,21 +65,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppConfigurationDevicePolicy.md b/docs/docs/resources/intune/IntuneAppConfigurationDevicePolicy.md index 319165e8e6..79e0395881 100644 --- a/docs/docs/resources/intune/IntuneAppConfigurationDevicePolicy.md +++ b/docs/docs/resources/intune/IntuneAppConfigurationDevicePolicy.md 
@@ -75,21 +75,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md b/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md index c82c22102d..cea7be67b5 100644 --- a/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md +++ b/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md @@ -59,7 +59,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions @@ -69,7 +69,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md b/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md index d3a1ef135e..2aac0e36e1 100644 --- a/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md +++ b/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md @@ -76,7 +76,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions 
@@ -86,7 +86,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md b/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md index 3f09651531..d35a55f973 100644 --- a/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md +++ b/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md @@ -84,7 +84,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions @@ -94,7 +94,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md b/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md index a45a81497f..9dd1be00fd 100644 --- a/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md @@ -51,7 +51,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -61,7 +61,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples 
diff --git a/docs/docs/resources/intune/IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.md b/docs/docs/resources/intune/IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.md index 205075bc84..b307c64c4a 100644 --- a/docs/docs/resources/intune/IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.md +++ b/docs/docs/resources/intune/IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.md @@ -68,21 +68,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md index f80985d6ae..c3052f5d90 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md @@ -240,7 +240,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -250,7 +250,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples 
diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md index 5077132b8a..674e6e1ce3 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md @@ -183,7 +183,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -193,7 +193,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md index 0ac8a37438..be23f3a17d 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md @@ -192,7 +192,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -202,7 +202,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md index 1dbafd1602..62ed0cb6a2 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md 
+++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md @@ -149,7 +149,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -159,7 +159,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md index 540cb06564..c5213a4659 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md @@ -275,7 +275,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -285,7 +285,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md index b52a7bcd11..108291075d 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md @@ -78,7 +78,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions 
@@ -88,7 +88,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md index b40d25a38c..eea55ebd46 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md @@ -106,7 +106,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -116,7 +116,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md index 37558493b4..1905c60a5e 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md @@ -67,7 +67,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions 
@@ -77,7 +77,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md index 4cb1a2d2a3..0f4534a56e 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md @@ -56,7 +56,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -66,7 +66,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md index 0bf2db5749..00f76e0a2f 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md @@ -112,7 +112,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions 
@@ -122,7 +122,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md index a705947392..c1e6c2166f 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md @@ -64,7 +64,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md index d798e86d27..560d2b0695 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md @@ -62,7 +62,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -72,7 +72,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md index 46db453044..580b09ee95 100644 
--- a/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md @@ -412,7 +412,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -422,7 +422,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.md index 6ec96ea63a..2ae37fd998 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.md @@ -67,21 +67,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.md index b22ae76162..9679aeb85c 100644 
--- a/docs/docs/resources/intune/IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.md @@ -49,21 +49,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.md index 2d9c1e50bd..45082593bf 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.md @@ -60,21 +60,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples 
diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.md index cb9e49e688..34a6e4f5bb 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.md @@ -52,21 +52,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationKioskPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationKioskPolicyWindows10.md index 998029d885..3104bea335 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationKioskPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationKioskPolicyWindows10.md 
@@ -176,21 +176,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.md index 756039e8b5..64eaedfc79 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.md @@ -82,21 +82,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.md index 150c6e599a..d6c299b557 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.md 
+++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.md @@ -77,21 +77,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptMacOS.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptMacOS.md index 00ee60fb40..a4049bc531 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptMacOS.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptMacOS.md 
@@ -52,21 +52,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.md index 0c8d6a404f..00a71444f3 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.md 
@@ -107,21 +107,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceOwner.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceOwner.md index 599a916218..62d2dd381c 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceOwner.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceOwner.md @@ -278,21 +278,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.md index 4052c23262..cc5b36011b 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.md 
+++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.md @@ -58,21 +58,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidWorkProfile.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidWorkProfile.md index 830ea4f2f4..ca514643c2 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidWorkProfile.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidWorkProfile.md @@ -88,21 +88,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyMacOS.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyMacOS.md index 44ac6ea8b4..3c13057576 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyMacOS.md 
+++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyMacOS.md @@ -160,21 +160,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyWindows10.md index 076052931f..2902d595a1 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyWindows10.md @@ -378,21 +378,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyiOS.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyiOS.md index 56ff63330b..cb796d8f23 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyiOS.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyiOS.md 
@@ -335,21 +335,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md index 9f84dbc720..e12a9b17d0 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md @@ -80,21 +80,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.md index f864dc4e88..b17818c54e 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.md 
+++ b/docs/docs/resources/intune/IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.md @@ -53,21 +53,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.md index 443fb8dac9..6c17828e42 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.md @@ -74,21 +74,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.md index 90261573a7..6d4624b074 100644 
--- a/docs/docs/resources/intune/IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.md @@ -48,21 +48,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationVpnPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationVpnPolicyWindows10.md index f677318176..a4a4da3902 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationVpnPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationVpnPolicyWindows10.md @@ -185,21 +185,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples 
diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationWindowsTeamPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationWindowsTeamPolicyWindows10.md index 93cceec8d8..d128159cae 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationWindowsTeamPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationWindowsTeamPolicyWindows10.md @@ -66,21 +66,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationWiredNetworkPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationWiredNetworkPolicyWindows10.md index ab63011a7a..6269122839 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationWiredNetworkPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationWiredNetworkPolicyWindows10.md 
@@ -74,21 +74,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md index 39762924d8..5d5854b665 100644 --- a/docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md @@ -104,21 +104,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceEnrollmentPlatformRestriction.md b/docs/docs/resources/intune/IntuneDeviceEnrollmentPlatformRestriction.md index 30dcaf901c..d262958eee 100644 --- a/docs/docs/resources/intune/IntuneDeviceEnrollmentPlatformRestriction.md +++ b/docs/docs/resources/intune/IntuneDeviceEnrollmentPlatformRestriction.md 
@@ -73,21 +73,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceEnrollmentStatusPageWindows10.md b/docs/docs/resources/intune/IntuneDeviceEnrollmentStatusPageWindows10.md index 231aff3635..9a1c3bb492 100644 --- a/docs/docs/resources/intune/IntuneDeviceEnrollmentStatusPageWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceEnrollmentStatusPageWindows10.md 
@@ -59,21 +59,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementApps.Read.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementApps.Read.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceRemediation.md b/docs/docs/resources/intune/IntuneDeviceRemediation.md index f9763f951e..b68f9395bf 100644 --- a/docs/docs/resources/intune/IntuneDeviceRemediation.md +++ b/docs/docs/resources/intune/IntuneDeviceRemediation.md 
@@ -99,21 +99,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDiskEncryptionMacOS.md b/docs/docs/resources/intune/IntuneDiskEncryptionMacOS.md index f4289f16e9..27a43c72ee 100644 --- a/docs/docs/resources/intune/IntuneDiskEncryptionMacOS.md +++ b/docs/docs/resources/intune/IntuneDiskEncryptionMacOS.md @@ -56,21 +56,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDiskEncryptionWindows10.md b/docs/docs/resources/intune/IntuneDiskEncryptionWindows10.md index b359738f21..30ea1cc6ef 100644 --- a/docs/docs/resources/intune/IntuneDiskEncryptionWindows10.md +++ b/docs/docs/resources/intune/IntuneDiskEncryptionWindows10.md 
@@ -101,21 +101,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyLinux.md b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyLinux.md index dcce4db30c..3e214c55ea 100644 --- a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyLinux.md +++ b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyLinux.md @@ -48,21 +48,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyMacOS.md b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyMacOS.md index d7f9f57a4b..b7440d0972 100644 --- a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyMacOS.md +++ b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyMacOS.md 
@@ -48,21 +48,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md
index 92a2428a6d..7ab1d07c4a 100644
--- a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md
+++ b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md
@@ -49,21 +49,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneExploitProtectionPolicyWindows10SettingCatalog.md b/docs/docs/resources/intune/IntuneExploitProtectionPolicyWindows10SettingCatalog.md
index 17b0440a3d..bc0860cef2 100644
--- a/docs/docs/resources/intune/IntuneExploitProtectionPolicyWindows10SettingCatalog.md
+++ b/docs/docs/resources/intune/IntuneExploitProtectionPolicyWindows10SettingCatalog.md
@@ -52,21 +52,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneFirewallPolicyWindows10.md b/docs/docs/resources/intune/IntuneFirewallPolicyWindows10.md
index f9ad6cee2b..c09a160b70 100644
--- a/docs/docs/resources/intune/IntuneFirewallPolicyWindows10.md
+++ b/docs/docs/resources/intune/IntuneFirewallPolicyWindows10.md
@@ -123,21 +123,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md b/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md
index cdb64c20a7..da90863d02 100644
--- a/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md
+++ b/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md
@@ -14,12 +14,12 @@
 | **Owner** | Write | String | The owner of the app. Inherited from mobileApp. | |
 | **PrivacyInformationUrl** | Write | String | The privacy statement Url. Inherited from mobileApp. | |
 | **Publisher** | Write | String | The publisher of the app. Inherited from mobileApp. | |
-| **PublishingState** | Write | String | The publishing state for the app. The app cannot be assigned unless the app is published. Inherited from mobileApp. | `notPublished`, `processing`, `published` |
 | **BundleId** | Write | String | The bundleId of the app. | |
 | **BuildNumber** | Write | String | The build number of the app. | |
 | **VersionNumber** | Write | String | The version number of the app. | |
 | **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tag IDs for mobile app. | |
 | **IgnoreVersionDetection** | Write | Boolean | Whether to ignore the version of the app or not. | |
+| **InstallAsManaged** | Write | Boolean | Install the app as managed. Requires macOS 11.0. | |
 | **LargeIcon** | Write | MSFT_DeviceManagementMimeContent | The icon for this app. | |
 | **MinimumSupportedOperatingSystem** | Write | MSFT_DeviceManagementMinimumOperatingSystem | The minimum supported operating system to install the app. | |
 | **Categories** | Write | MSFT_DeviceManagementMobileAppCategory[] | The list of categories for this app. | |
@@ -110,21 +110,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples
@@ -234,7 +234,6 @@ Configuration Example
 Owner = "";
 PrivacyInformationUrl = "";
 Publisher = "Contoso";
- PublishingState = "published";
 Assignments = @(
 MSFT_DeviceManagementMobileAppAssignment {
 groupDisplayName = 'All devices'
diff --git a/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md b/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md
index 52bfea559e..ca844c4abd 100644
--- a/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md
+++ b/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md
@@ -104,21 +104,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntunePolicySets.md b/docs/docs/resources/intune/IntunePolicySets.md
index d1bb683e0a..ddc91dc234 100644
--- a/docs/docs/resources/intune/IntunePolicySets.md
+++ b/docs/docs/resources/intune/IntunePolicySets.md
@@ -60,21 +60,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - None + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - None + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneRoleAssignment.md b/docs/docs/resources/intune/IntuneRoleAssignment.md
index ab0133db1c..0ca60f3e19 100644
--- a/docs/docs/resources/intune/IntuneRoleAssignment.md
+++ b/docs/docs/resources/intune/IntuneRoleAssignment.md
@@ -38,21 +38,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementRBAC.Read.All + - Group.Read.All, DeviceManagementRBAC.Read.All - **Update** - - DeviceManagementRBAC.ReadWrite.All + - Group.Read.All, DeviceManagementRBAC.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementRBAC.Read.All + - Group.Read.All, DeviceManagementRBAC.Read.All - **Update** - - DeviceManagementRBAC.ReadWrite.All + - Group.Read.All, DeviceManagementRBAC.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md
index 78a3f1969a..3c60a47ae5 100644
--- a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md
+++ b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md
@@ -499,21 +499,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md
index 439264f0bc..858d62840b 100644
--- a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md
+++ b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md
@@ -67,21 +67,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneSettingCatalogASRRulesPolicyWindows10.md b/docs/docs/resources/intune/IntuneSettingCatalogASRRulesPolicyWindows10.md
index b565f3f12c..90d9ba2ebd 100644
--- a/docs/docs/resources/intune/IntuneSettingCatalogASRRulesPolicyWindows10.md
+++ b/docs/docs/resources/intune/IntuneSettingCatalogASRRulesPolicyWindows10.md
@@ -88,21 +88,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneSettingCatalogCustomPolicyWindows10.md b/docs/docs/resources/intune/IntuneSettingCatalogCustomPolicyWindows10.md
index fb7b396272..9962ba0a3c 100644
--- a/docs/docs/resources/intune/IntuneSettingCatalogCustomPolicyWindows10.md
+++ b/docs/docs/resources/intune/IntuneSettingCatalogCustomPolicyWindows10.md
@@ -137,21 +137,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.md
index 8f3324c65a..7483c4710f 100644
--- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.md
+++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.md
@@ -50,21 +50,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.md
index a2d42ba204..b3861e4351 100644
--- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.md
+++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.md
@@ -57,21 +57,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.md
index 3b93f6cb7f..8fafa7ecab 100644
--- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.md
+++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.md
@@ -50,21 +50,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidForWork.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidForWork.md
index 01e681328d..3eb7f1c1b2 100644
--- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidForWork.md
+++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidForWork.md
@@ -50,21 +50,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidOpenSourceProject.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidOpenSourceProject.md
index ef98411a57..f5c81807de 100644
--- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidOpenSourceProject.md
+++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidOpenSourceProject.md
@@ -52,21 +52,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyIOS.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyIOS.md
index ddcf26325a..241082231f 100644
--- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyIOS.md
+++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyIOS.md
@@ -56,21 +56,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyMacOS.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyMacOS.md
index 57e8731161..d542ae3f65 100644
--- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyMacOS.md
+++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyMacOS.md
@@ -55,21 +55,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyWindows10.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyWindows10.md
index 23ba85724c..f4ed4299f5 100644
--- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyWindows10.md
+++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyWindows10.md
@@ -58,21 +58,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.md b/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.md
index 43d2e26d9f..348408777b 100644
--- a/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.md
+++ b/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.md
@@ -81,21 +81,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADJoined.md b/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADJoined.md
index 526656617c..fee1d8eb6c 100644
--- a/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADJoined.md
+++ b/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADJoined.md
@@ -80,21 +80,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.md b/docs/docs/resources/intune/IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.md
index e581a1dcc1..75f98f153f 100644
--- a/docs/docs/resources/intune/IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.md
+++ b/docs/docs/resources/intune/IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.md
@@ -140,21 +140,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.md b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.md
index edb5abbe42..6b8532fcc2 100644
--- a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.md
+++ b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.md
@@ -50,21 +50,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.md b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.md
index 2c6cec626d..da5c950514 100644
--- a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.md
+++ b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.md
@@ -80,21 +80,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10.md b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10.md
index 413892c638..edeac97ca8 100644
--- a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10.md
+++ b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10.md
@@ -56,21 +56,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.md b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.md
index 46d2e49c70..b12b125578 100644
--- a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.md
+++ b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.md
@@ -91,21 +91,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi
 - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples
diff --git a/docs/docs/resources/security-compliance/SentinelAlertRule.md b/docs/docs/resources/security-compliance/SentinelAlertRule.md
new file mode 100644
index 0000000000..89da026080
--- /dev/null
+++ b/docs/docs/resources/security-compliance/SentinelAlertRule.md
@@ -0,0 +1,361 @@ +# SentinelAlertRule + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | The display name of the indicator | | +| **SubscriptionId** | Write | String | The name of the resource group. The name is case insensitive. | | +| **ResourceGroupName** | Write | String | The name of the resource group. The name is case insensitive. | | +| **WorkspaceName** | Write | String | The name of the workspace. | | +| **Id** | Write | String | The unique id of the indicator. | | +| **Description** | Write | String | The name of the workspace. | | +| **ProductFilter** | Write | String | The alerts' productName on which the cases will be generated | | +| **Enabled** | Write | Boolean | Determines whether this alert rule is enabled or disabled. | | +| **Severity** | Write | String | The severity for alerts created by this alert rule. | | +| **Tactics** | Write | StringArray[] | The tactics of the alert rule | | +| **Techniques** | Write | StringArray[] | The techniques of the alert rule | | +| **SubTechniques** | Write | StringArray[] | The sub-techniques of the alert rule | | +| **Query** | Write | String | The query that creates alerts for this rule. | | +| **QueryFrequency** | Write | String | The frequency (in ISO 8601 duration format) for this alert rule to run. | | +| **QueryPeriod** | Write | String | The period (in ISO 8601 duration format) that this alert rule looks at. | | +| **TriggerOperator** | Write | String | The operation against the threshold that triggers alert rule. | | +| **TriggerThreshold** | Write | UInt32 | The threshold triggers this alert rule. | | +| **SuppressionDuration** | Write | String | The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. | | +| **SuppressionEnabled** | Write | String | Determines whether the suppression for this alert rule is enabled or disabled. 
| | +| **AlertRuleTemplateName** | Write | String | The Name of the alert rule template used to create this rule. | | +| **DisplayNamesExcludeFilter** | Write | StringArray[] | The alerts' displayNames on which the cases will not be generated. | | +| **DisplayNamesFilter** | Write | StringArray[] | The alerts' displayNames on which the cases will be generated. | | +| **SeveritiesFilter** | Write | StringArray[] | The alerts' severities on which the cases will be generated | | +| **EventGroupingSettings** | Write | MSFT_SentinelAlertRuleEventGroupingSettings | The event grouping settings. | | +| **CustomDetails** | Write | MSFT_SentinelAlertRuleCustomDetails[] | Dictionary of string key-value pairs of columns to be attached to the alert | | +| **EntityMappings** | Write | MSFT_SentinelAlertRuleEntityMapping[] | Array of the entity mappings of the alert rule | | +| **AlertDetailsOverride** | Write | MSFT_SentinelAlertRuleAlertDetailsOverride | The alert details override settings | | +| **IncidentConfiguration** | Write | MSFT_SentinelAlertRuleIncidentConfiguration | The settings of the incidents that created from alerts triggered by this analytics rule | | +| **Kind** | Write | String | The kind of the alert rule | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. 
| | + +### MSFT_SentinelAlertRuleEventGroupingSettings + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **aggregationKind** | Write | String | The event grouping aggregation kinds | | + +### MSFT_SentinelAlertRuleCustomDetails + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DetailKey** | Write | String | Key of the custom detail. | | +| **DetailValue** | Write | String | Associated value with the custom detail. | | + +### MSFT_SentinelAlertRuleEntityMapping + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **entityType** | Write | String | Type of entity. | | +| **fieldMappings** | Write | MSFT_SentinelAlertRuleEntityMappingFieldMapping[] | List of field mappings. | | + +### MSFT_SentinelAlertRuleEntityMappingFieldMapping + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **columnName** | Write | String | Name of the column | | +| **identifier** | Write | String | Identifier of the associated field. 
| | + +### MSFT_SentinelAlertRuleAlertDetailsOverride + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **alertDescriptionFormat** | Write | String | The format containing columns name(s) to override the alert description | | +| **alertDisplayNameFormat** | Write | String | The format containing columns name(s) to override the alert name | | +| **alertSeverityColumnName** | Write | String | The column name to take the alert severity from | | +| **alertTacticsColumnName** | Write | String | The column name to take the alert tactics from | | +| **alertDynamicProperties** | Write | MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty[] | List of additional dynamic properties to override | | + +### MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **alertProperty** | Write | String | Dynamic property key. | | +| **alertPropertyValue** | Write | String | Dynamic property value. 
| | + +### MSFT_SentinelAlertRuleIncidentConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **createIncident** | Write | Boolean | Create incidents from alerts triggered by this analytics rule | | +| **groupingConfiguration** | Write | MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration | Set how the alerts that are triggered by this analytics rule, are grouped into incidents | | + +### MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **enabled** | Write | Boolean | Grouping enabled | | +| **groupByAlertDetails** | Write | MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail[] | A list of alert details to group by (when matchingMethod is Selected) | | +| **groupByCustomDetails** | Write | StringArray[] | A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used. | | +| **groupByEntities** | Write | StringArray[] | A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used. | | +| **lookbackDuration** | Write | String | Limit the group to alerts created within the lookback duration (in ISO 8601 duration format) | | +| **matchingMethod** | Write | String | Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty. 
| | +| **reopenClosedIncident** | Write | Boolean | Re-open closed matching incidents | | + +### MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Write | String | Display name of the alert detail. | | +| **Severity** | Write | String | Severity level associated with the alert detail. | | + + +## Description + +Configures alert rules in Azure Sentinel. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + }; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CustomDetails = @( + MSFT_SentinelAlertRuleCustomDetails{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } + ); + Description = "Test"; + DisplayName = "MyNRTRule"; + Enabled = $True; + Ensure = "Present"; + EntityMappings = @( + MSFT_SentinelAlertRuleEntityMapping{ + fieldMappings = @( + MSFT_SentinelAlertRuleEntityMappingFieldMapping{ + identifier = 'AppId' + columnName = 'Id' + } + ) + entityType = 'CloudApplication' + } + ); + IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{ + groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + }; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "ResourceGroupName"; + Severity = "Medium"; + SubscriptionId = "xxxx"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + }; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CustomDetails = @( + MSFT_SentinelAlertRuleCustomDetails{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } + ); + Description = "Test"; + DisplayName = "MyNRTRule"; + Enabled = $True; + Ensure = "Present"; + EntityMappings = @( + MSFT_SentinelAlertRuleEntityMapping{ + fieldMappings = @( + MSFT_SentinelAlertRuleEntityMappingFieldMapping{ + identifier = 'AppId' + columnName = 'Id' + } + ) + entityType = 'CloudApplication' + } + ); + IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{ + groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + }; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "ResourceGroupName"; + Severity = "High"; #Drift + SubscriptionId = "xxxx"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Test"; + DisplayName = "MyNRTRule"; + Ensure = "Absent"; + ResourceGroupName = "ResourceGroupName"; + Severity = "Medium"; + SubscriptionId = "xxxx"; + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + diff --git a/docs/docs/resources/security-compliance/SentinelThreatIntelligenceIndicator.md b/docs/docs/resources/security-compliance/SentinelThreatIntelligenceIndicator.md new file mode 100644 index 0000000000..cfed84166e --- /dev/null +++ b/docs/docs/resources/security-compliance/SentinelThreatIntelligenceIndicator.md 
@@ -0,0 +1,202 @@ +# SentinelThreatIntelligenceIndicator + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | The display name of the indicator | | +| **SubscriptionId** | Write | String | The name of the resource group. The name is case insensitive. | | +| **ResourceGroupName** | Write | String | The name of the resource group. The name is case insensitive. | | +| **WorkspaceName** | Write | String | The name of the workspace. | | +| **Id** | Write | String | The unique id of the indicator. | | +| **Description** | Write | String | The name of the workspace. | | +| **PatternType** | Write | String | Pattern type of a threat intelligence entity | | +| **Pattern** | Write | String | Pattern of a threat intelligence entity | | +| **Revoked** | Write | String | Is threat intelligence entity revoked | | +| **ValidFrom** | Write | String | Valid from | | +| **ValidUntil** | Write | String | Valid until | | +| **Source** | Write | String | Source type. | | +| **Labels** | Write | StringArray[] | Labels of threat intelligence entity | | +| **ThreatIntelligenceTags** | Write | StringArray[] | List of tags | | +| **ThreatTypes** | Write | StringArray[] | Threat types | | +| **KillChainPhases** | Write | StringArray[] | Kill chain phases | | +| **Confidence** | Write | UInt32 | Confidence of threat intelligence entity | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. 
| | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures threat intelligence indicators in Azure Sentinel. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "MyIndicator"; + Ensure = "Present"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + TenantId = $TenantId; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new 
resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "MyIndicator"; + Ensure = "Present"; + Labels = @("Tag1", "Tag2", "Tag3"); #Drift + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + TenantId = $TenantId; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "MyIndicator"; + Ensure = "Absent"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + TenantId = $TenantId; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + diff --git a/docs/docs/resources/sharepoint/SPOTenantSettings.md b/docs/docs/resources/sharepoint/SPOTenantSettings.md index a9527057ce..4baad6486b 100644 --- a/docs/docs/resources/sharepoint/SPOTenantSettings.md +++ b/docs/docs/resources/sharepoint/SPOTenantSettings.md 
@@ -27,6 +27,11 @@ | **SocialBarOnSitePagesDisabled** | Write | Boolean | Disables or enables the Social Bar. It will give users the ability to like a page, see the number of views, likes, and comments on a page, and see the people who have liked a page. | | | **CommentsOnSitePagesDisabled** | Write | Boolean | Set to false to enable a comment section on all site pages, users who have access to the pages can leave comments. Set to true to disable this feature. | | | **EnableAIPIntegration** | Write | Boolean | Boolean indicating if Azure Information Protection (AIP) should be enabled on the tenant. | | +| **ExemptNativeUsersFromTenantLevelRestricedAccessControl** | Write | Boolean | Determines whether or not we need to include external participants in shared channels for SharePoint access restriction. | | +| **AllowSelectSGsInODBListInTenant** | Write | StringArray[] | List of security groups to include in OneDrive access restrictions | | +| **DenySelectSGsInODBListInTenant** | Write | StringArray[] | List of security groups to exclude in OneDrive access restrictions | | +| **DenySelectSecurityGroupsInSPSitesList** | Write | StringArray[] | List of security groups to exclude in SharePoint access restrictions | | +| **AllowSelectSecurityGroupsInSPSitesList** | Write | StringArray[] | List of security groups to include in SharePoint access restrictions. | | | **TenantDefaultTimezone** | Write | String | The default timezone of a tenant for newly created sites. | | | **Ensure** | Write | String | Only accepted value is 'Present'. | `Present`, `Absent` | | **Credential** | Write | PSCredential | Credentials of the account to authenticate with. | |