From 422d565674b4cf212903affe75f346dbf46b143f Mon Sep 17 00:00:00 2001 From: Sandro Lanfranchi Date: Fri, 11 Oct 2024 09:57:45 +0200 Subject: [PATCH 01/98] Fixes #5179 --- .../MSFT_TeamsGroupPolicyAssignment.psm1 | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1 index 4aa4d6a7c2..80e6b269ba 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1 @@ -75,8 +75,12 @@ function Get-TargetResource try { Write-Verbose -Message "Getting Group with Id {$GroupId}" - $Group = Find-CsGroup -SearchQuery $GroupId -ExactMatchOnly $true -ErrorAction SilentlyContinue - + if ($GroupId -match '\b[A-Fa-f0-9]{8}(?:-[A-Fa-f0-9]{4}){3}-[A-Fa-f0-9]{12}\b' -and $GroupId -ne '00000000-0000-0000-0000-000000000000'){ + $Group = Find-CsGroup -SearchQuery $GroupId -ExactMatchOnly $true -ErrorAction SilentlyContinue + } + else { + $GroupId = $null + } if ($null -eq $Group) { Write-Verbose -Message "Could not find Group with Id {$GroupId}, searching with DisplayName {$GroupDisplayName}" From 66d089e16b9796479154e2ce9a71fb819b90a5ca Mon Sep 17 00:00:00 2001 From: Sandro Lanfranchi Date: Fri, 11 Oct 2024 10:05:01 +0200 Subject: [PATCH 02/98] Group is null also with a 0 guid --- .../MSFT_TeamsGroupPolicyAssignment.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1 index 80e6b269ba..ebfd75aaa1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1 @@ -79,7 +79,7 @@ function Get-TargetResource $Group = Find-CsGroup -SearchQuery $GroupId -ExactMatchOnly $true -ErrorAction SilentlyContinue } else { - $GroupId = $null + $Group = $null } if ($null -eq $Group) { From 42c6d0d34892925dc4c04e2bdc11e094b3d7bbb9 Mon Sep 17 00:00:00 2001 From: Sandro Lanfranchi Date: Fri, 11 Oct 2024 10:34:03 +0200 Subject: [PATCH 03/98] fix pester test --- CHANGELOG.md | 2 ++ .../Microsoft365DSC.TeamsGroupPolicyAssignment.Tests.ps1 | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index df501deccd..976a134bd4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -40,6 +40,8 @@ * Migrate to new Settings Catalog cmdlets. * IntuneMobileAppsMacOSLobApp * Initial release +* TeamsGroupPolicyAssignments + * FIXES [#5179](https://github.com/microsoft/Microsoft365DSC/issues/5179) * M365DSCDRGUtil * Fixes an issue for the handling of skipped one-property elements in the Settings Catalog. FIXES [#5086](https://github.com/microsoft/Microsoft365DSC/issues/5086) diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsGroupPolicyAssignment.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsGroupPolicyAssignment.Tests.ps1 index 7942363114..25a45d76f9 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsGroupPolicyAssignment.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsGroupPolicyAssignment.Tests.ps1 @@ -38,7 +38,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Find-CsGroup -MockWith { return @( @{ - Id= '00000000-0000-0000-0000-000000000000' Displayname = 'TestGroup' } ) From eb4d182565b22030f61b7b10b2af044f65558d3a Mon Sep 17 00:00:00 2001 From: Sai Rohit Date: Thu, 17 Oct 2024 10:52:06 +0530 Subject: [PATCH 04/98] added mof and psm1 for Custom authentication extension --- ...MSFT_AADCustomAuthenticationExtension.psm1 | 590 ++++++++++++++++++ ...ADCustomAuthenticationExtension.schema.mof | 37 ++ .../readme.md | 6 + .../settings.json | 32 + 4 files changed, 665 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/settings.json diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 new file mode 100644 index 0000000000..a81c729192 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 @@ -0,0 +1,590 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.onTokenIssuanceStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension' + )] + $CustomAuthenticationExtensionType, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.azureAdTokenAuthentication', + '#microsoft.graph.azureAdPopTokenAuthentication' + )] + $AuthenticationConfigurationType, + + [Parameter()] + [System.String] + $AuthenticationConfigurationResourceId, + + [Parameter()] + [System.Int32] + $ClientConfigurationTimeoutMillisesonds, + + [Parameter()] + [System.Int32] + $ClientConfigurationMaximumRetries, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EndPointConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ClaimsForTokenConfguration, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + # check for export. + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + # check with Id first + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + + # check with display name next. + if ($null -eq $instance) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + } + else + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = Get-MgBetaIdentityCustomAuthenticationExtension --CustomAuthenticationExtensionId $Id ` + -ErrorAction SilentlyContinue + } + if ($null -eq $instance) + { + $instance = Get-MgBetaIdentityCustomAuthenticationExtension -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + DisplayName = $instance.DisplayName + Id = $instance.Id + Description = $instance.Description + } + + if ($instance.AdditionalProperties -ne $null) + { + $results.Add('CustomAuthenticationExtensionType', $instance.AdditionalProperties["@odata.type"]) + } + + if ($instance.AuthenticationConfiguration -ne $null) + { + $results.Add('AuthenticationConfigurationType', $instance.AuthenticationConfiguration["@odata.type"]) + $results.Add('AuthenticationConfigurationResourceId', $instance.AuthenticationConfiguration["resourceId"]) + } + + if ($instance.ClientConfiguration -ne $null) + { + $results.Add('ClientConfigurationTimeoutMilliseconds', $instance.ClientConfiguration.TimeoutInMilliseconds) + $results.Add('ClientConfigurationMaximumRetries', $instance.ClientConfiguration.MaximumRetries) + } + + $endpointConfiguration = @{} + if ($instance.EndPointConfiguration -ne $null -and $instance.EndPointConfiguration.AdditionalProperties -ne $null) + { + $endpointConfiguration.Add("EndpointType", $instance.EndPointConfiguration.AdditionalProperties["@odata.type"]) + + if ($endpointConfiguration["EndpointType"] -eq '#microsoft.graph.httpRequestEndpoint') + { + $endpointConfiguration.Add("TargetUrl", $instance.EndPointConfiguration.AdditionalProperties["targetUrl"]) + } + + if ($endpointConfiguration["EndpointType"] -eq '#microsoft.graph.logicAppTriggerEndpointConfiguration') + { + $endpointConfiguration.Add("SubscriptionId", $instance.EndPointConfiguration.AdditionalProperties["subscriptionId"]) + $endpointConfiguration.Add("ResourceGroupName", $instance.EndPointConfiguration.AdditionalProperties["resourceGroupName"]) + $endpointConfiguration.Add("LogicAppWorkflowName", $instance.EndPointConfiguration.AdditionalProperties["logicAppWorkflowName"]) + } + } + + $claimsForTokenConfguration = @() + if ($instance.AdditionalProperties -ne $null -and $instance.AdditionalProperties["claimsForTokenConfiguration"] -ne $null) + { + foreach ($claim in $instance.AdditionalProperties["claimsForTokenConfiguration"]) + { + $c = @{ + ClaimIdInApiResponse = $claim.claimIdInApiResponse + } + + $claimsForTokenConfguration += $c + } + } + + $results.Add('EndPointConfiguration', $endpointConfiguration) + $results.Add('ClaimsForTokenConfguration', $claimsForTokenConfguration) + + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.onTokenIssuanceStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension' + )] + $CustomAuthenticationExtensionType, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.azureAdTokenAuthentication', + '#microsoft.graph.azureAdPopTokenAuthentication' + )] + $AuthenticationConfigurationType, + + [Parameter()] + [System.String] + $AuthenticationConfigurationResourceId, + + [Parameter()] + [System.Int32] + $ClientConfigurationTimeoutMillisesonds, + + [Parameter()] + [System.Int32] + $ClientConfigurationMaximumRetries, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EndPointConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ClaimsForTokenConfguration, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present' + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $params = @{ + "@odata.type" = $setParameters["CustomAuthenticationExtensionType"] + displayName = $setParameters["DisplayName"] + description = $setParameters["Description"] + endpointConfiguration = @{ + "@odata.type" = $setParameters["EndpointType"] + targetUrl = $setParameters["TargetUrl"] + subscriptionId = $setParameters["SubscriptionId"] + resourceGroupName = $setParameters["ResourceGroupName"] + logicAppWorkflowName = $setParameters["LogicAppWorkflowName"] + } + authenticationConfiguration = @{ + "@odata.type" = $setParameters["AuthenticationConfigurationType"] + resourceId = $setParameters["AuthenticationConfigurationResourceId"] + } + clientConfiguration = @{ + timeoutInMilliseconds = $setParameters["ClientConfigurationTimeoutMilliseconds"] + maximumRetries = $setParameters["ClientConfigurationMaximumRetries"] + } + claimsForTokenConfguration = @() + } + + foreach ($claim in $setParameters["ClaimsForTokenConfguration"]) + { + $c = @{ + "claimIdInApiResponse" = $claim["ClaimIdInApiResponse"] + } + + $params["claimsForTokenConfiguration"] += $c + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + $params.Remove('Id') | Out-Null + Write-Verbose -Message "Creating new Custom authentication extension with display name {$DisplayName}" + New-MgBetaIdentityCustomAuthenticationExtension @params + } + + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating custom authentication extension {$DisplayName}" + $params.Add('CustomAuthenticationExtensionId', $currentInstance.Id) + $params.Remove('Id') | Out-Null + Update-MgBetaIdentityCustomAuthenticationExtension @SetParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing custom authentication extension {$DisplayName}." + Remove-MgBetaIdentityCustomAuthenticationExtension -CustomAuthenticationExtensionId $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.onTokenIssuanceStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension' + )] + $CustomAuthenticationExtensionType, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.azureAdTokenAuthentication', + '#microsoft.graph.azureAdPopTokenAuthentication' + )] + $AuthenticationConfigurationType, + + [Parameter()] + [System.String] + $AuthenticationConfigurationResourceId, + + [Parameter()] + [System.Int32] + $ClientConfigurationTimeoutMillisesonds, + + [Parameter()] + [System.Int32] + $ClientConfigurationMaximumRetries, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EndPointConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ClaimsForTokenConfguration, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present' + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaIdentityCustomAuthenticationExtension -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayNames = $config.DisplayName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.schema.mof new file mode 100644 index 0000000000..4d34f0d3ef --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.schema.mof @@ -0,0 +1,37 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADCustomAuthenticationExtension")] +class MSFT_AADCustomAuthenticationExtension : OMI_BaseResource +{ + [Key, Description("Display Name of the custom security attribute. Must be unique within an attribute set. Can be up to 32 characters long and include Unicode characters. Can't contain spaces or special characters. Can't be changed later. Case sensitive.")] String DisplayName; + [Write, Description("Unique identifier of the Attribute Definition.")] String Id; + [Write, Description("Description of the custom security attribute. Can be up to 128 characters long and include Unicode characters. Can't contain spaces or special characters. Can be changed later. ")] String Description; + [Write, Description("Defines the authentication configuration type")] String AuthenticationConfigurationType; + [Write, Description("Defines the authentication configuration resource id")] String AuthenticationConfigurationResourceId; + [Write, Description("Defines the client configuration timeout in milliseconds")] UInt32 ClientConfigurationTimeoutMullisesonds; + [Write, Description("Defines the client configuration max retries")] UInt32 ClientConfigurationMaximumRetries; + [Write, Description("Defines the endpoint configuration"), EmbeddedInstance("MSFT_AADCustomAuthenticationExtensionEndPointConfiguration")] String EndpointConfiguration; + [Write, Description("Defines the list of claims for token configurations"), EmbeddedInstance("MSFT_AADCustomAuthenticationExtensionEndPointConfiguration")] String ClaimsForTokenConfguration[]; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADCustomAuthenticationExtensionEndPointConfiguration")] +class MSFT_AADCustomAuthenticationExtensionEndPointConfiguration +{ + [Write, Description("Defines the type of the endpoint configuration")] String EndpointType; + [Write, Description("Defines the workflow name for the logic app")] String LogicAppWorkflowName; + [Write, Description("Defines the resource group name for the logic app")] String ResourceGroupName; + [Write, Description("Defines the subscription id for the logic app")] String SubscriptionId; + [Write, Description("Defines the target url for the http endpoint")] String TargetUrl; +} + +[ClassVersion("1.0.0.0"), FriendlyName("AADCustomAuthenticationExtensionClaimForTokenConfguration")] +class MSFT_AADCustomAuthenticationExtensionClaimForTokenConfguration +{ + [Write, Description("Defines the claim id in api response.")] String ClaimIdInApiResponse; +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/readme.md new file mode 100644 index 0000000000..d22077d7e6 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/readme.md @@ -0,0 +1,6 @@ + +# AADCustomAuthenticationExtension + +## Description + +Custom authentication extensions define interactions with external systems during a user authentication session. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/settings.json new file mode 100644 index 0000000000..ae6d5a8707 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/settings.json @@ -0,0 +1,32 @@ +{ + "resourceName": "AADCustomAuthenticationExtension", + "description": "Custom authentication extensions define interactions with external systems during a user authentication session. ", + "roles": { + "read": [ + "Attribute Definition Reader" + ], + "update": [ + "Attribute Definition Administrator" + ] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "CustomSecAttributeDefinition.Read.All" + } + ], + "update": [ + { + "name": "CustomSecAttributeDefinition.ReadWrite.All" + } + ] + } + } + } +} From d759564d226caf698c0d6bdb27e76712c0ca751e Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Thu, 17 Oct 2024 16:35:36 -0400 Subject: [PATCH 05/98] SPOTenantSettings --- CHANGELOG.md | 8 + .../MSFT_SPOTenantSettings.psm1 | 143 +++++++++++++----- .../MSFT_SPOTenantSettings.schema.mof | 7 +- 3 files changed, 123 insertions(+), 35 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c4ed21867f..730764ed80 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* SPOTenantSettings + * Added support for AllowSelectSGsInODBListInTenant, + DenySelectSGsInODBListInTenant, DenySelectSecurityGroupsInSPSitesList, + AllowSelectSecurityGroupsInSPSitesList, + ExemptNativeUsersFromTenantLevelRestricedAccessControl properties. + # 1.24.1016.1 * AADAdminConsentRequestPolicy diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 index 21414fb375..825f563bc6 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 @@ -106,6 +106,26 @@ function Get-TargetResource [System.String] $TenantDefaultTimezone, + [Parameter()] + [System.Boolean] + $ExemptNativeUsersFromTenantLevelRestricedAccessControl, + + [Parameter()] + [System.String[]] + $AllowSelectSGsInODBListInTenant, + + [Parameter()] + [System.String[]] + $DenySelectSGsInODBListInTenant, + + [Parameter()] + [System.String[]] + $DenySelectSecurityGroupsInSPSitesList, + + [Parameter()] + [System.String[]] + $AllowSelectSecurityGroupsInSPSitesList, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] @@ -184,41 +204,56 @@ function Get-TargetResource $MaxCompat = $CompatibilityRange[1] } + # Additional Properties via REST + $parametersToRetrieve = @('ExemptNativeUsersFromTenantLevelRestricedAccessControl', + 'AllowSelectSGsInODBListInTenant', + 'DenySelectSGsInODBListInTenant', + 'DenySelectSecurityGroupsInSPSitesList', + 'AllowSelectSecurityGroupsInSPSitesList') + + $response = Invoke-PnPSPRestMethod -Method Get ` + -Url "$($Global:MSCloudLoginConnectionProfile.PnP.AdminUrl)/_api/SPO.Tenant?`$select=$($parametersToRetrieve -join ',')" + + return @{ - IsSingleInstance = 'Yes' - MinCompatibilityLevel = $MinCompat - MaxCompatibilityLevel = $MaxCompat - SearchResolveExactEmailOrUPN = $SPOTenantSettings.SearchResolveExactEmailOrUPN - OfficeClientADALDisabled = $SPOTenantSettings.OfficeClientADALDisabled - LegacyAuthProtocolsEnabled = $SPOTenantSettings.LegacyAuthProtocolsEnabled - SignInAccelerationDomain = $SPOTenantSettings.SignInAccelerationDomain - UsePersistentCookiesForExplorerView = $SPOTenantSettings.UsePersistentCookiesForExplorerView - #UserVoiceForFeedbackEnabled = $SPOTenantSettings.UserVoiceForFeedbackEnabled - PublicCdnEnabled = $SPOTenantSettings.PublicCdnEnabled - PublicCdnAllowedFileTypes = $SPOTenantSettings.PublicCdnAllowedFileTypes - UseFindPeopleInPeoplePicker = $SPOTenantSettings.UseFindPeopleInPeoplePicker - NotificationsInSharePointEnabled = $SPOTenantSettings.NotificationsInSharePointEnabled - OwnerAnonymousNotification = $SPOTenantSettings.OwnerAnonymousNotification - ApplyAppEnforcedRestrictionsToAdHocRecipients = $SPOTenantSettings.ApplyAppEnforcedRestrictionsToAdHocRecipients - FilePickerExternalImageSearchEnabled = $SPOTenantSettings.FilePickerExternalImageSearchEnabled - HideDefaultThemes = $SPOTenantSettings.HideDefaultThemes - HideSyncButtonOnTeamSite = $SPOTenantSettings.HideSyncButtonOnTeamSite - MarkNewFilesSensitiveByDefault = $SPOTenantSettings.MarkNewFilesSensitiveByDefault - DisabledWebPartIds = [String[]]$SPOTenantSettings.DisabledWebPartIds - SocialBarOnSitePagesDisabled = $SPOTenantSettings.SocialBarOnSitePagesDisabled - CommentsOnSitePagesDisabled = $SPOTenantSettings.CommentsOnSitePagesDisabled - EnableAIPIntegration = $SPOTenantSettings.EnableAIPIntegration - TenantDefaultTimezone = $SPOTenantGraphSettings.TenantDefaultTimeZone - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - ApplicationSecret = $ApplicationSecret - CertificatePassword = $CertificatePassword - CertificatePath = $CertificatePath - CertificateThumbprint = $CertificateThumbprint - Managedidentity = $ManagedIdentity.IsPresent - Ensure = 'Present' - AccessTokens = $AccessTokens + IsSingleInstance = 'Yes' + ExemptNativeUsersFromTenantLevelRestricedAccessControl = $response.ExemptNativeUsersFromTenantLevelRestricedAccessControl + AllowSelectSGsInODBListInTenant = $response.AllowSelectSGsInODBListInTenant + DenySelectSGsInODBListInTenant = $response.DenySelectSGsInODBListInTenant + DenySelectSecurityGroupsInSPSitesList = $response.DenySelectSecurityGroupsInSPSitesList + AllowSelectSecurityGroupsInSPSitesList = $response.AllowSelectSecurityGroupsInSPSitesList + MinCompatibilityLevel = $MinCompat + MaxCompatibilityLevel = $MaxCompat + SearchResolveExactEmailOrUPN = $SPOTenantSettings.SearchResolveExactEmailOrUPN + OfficeClientADALDisabled = $SPOTenantSettings.OfficeClientADALDisabled + LegacyAuthProtocolsEnabled = $SPOTenantSettings.LegacyAuthProtocolsEnabled + SignInAccelerationDomain = $SPOTenantSettings.SignInAccelerationDomain + UsePersistentCookiesForExplorerView = $SPOTenantSettings.UsePersistentCookiesForExplorerView + PublicCdnEnabled = $SPOTenantSettings.PublicCdnEnabled + PublicCdnAllowedFileTypes = $SPOTenantSettings.PublicCdnAllowedFileTypes + UseFindPeopleInPeoplePicker = $SPOTenantSettings.UseFindPeopleInPeoplePicker + NotificationsInSharePointEnabled = $SPOTenantSettings.NotificationsInSharePointEnabled + OwnerAnonymousNotification = $SPOTenantSettings.OwnerAnonymousNotification + ApplyAppEnforcedRestrictionsToAdHocRecipients = $SPOTenantSettings.ApplyAppEnforcedRestrictionsToAdHocRecipients + FilePickerExternalImageSearchEnabled = $SPOTenantSettings.FilePickerExternalImageSearchEnabled + HideDefaultThemes = $SPOTenantSettings.HideDefaultThemes + HideSyncButtonOnTeamSite = $SPOTenantSettings.HideSyncButtonOnTeamSite + MarkNewFilesSensitiveByDefault = $SPOTenantSettings.MarkNewFilesSensitiveByDefault + DisabledWebPartIds = [String[]]$SPOTenantSettings.DisabledWebPartIds + SocialBarOnSitePagesDisabled = $SPOTenantSettings.SocialBarOnSitePagesDisabled + CommentsOnSitePagesDisabled = $SPOTenantSettings.CommentsOnSitePagesDisabled + EnableAIPIntegration = $SPOTenantSettings.EnableAIPIntegration + TenantDefaultTimezone = $SPOTenantGraphSettings.TenantDefaultTimeZone + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificatePassword = $CertificatePassword + CertificatePath = $CertificatePath + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + Ensure = 'Present' + AccessTokens = $AccessTokens } } catch @@ -341,6 +376,26 @@ function Set-TargetResource [System.String] $TenantDefaultTimezone, + [Parameter()] + [System.Boolean] + $ExemptNativeUsersFromTenantLevelRestricedAccessControl, + + [Parameter()] + [System.String[]] + $AllowSelectSGsInODBListInTenant, + + [Parameter()] + [System.String[]] + $DenySelectSGsInODBListInTenant, + + [Parameter()] + [System.String[]] + $DenySelectSecurityGroupsInSPSitesList, + + [Parameter()] + [System.String[]] + $AllowSelectSecurityGroupsInSPSitesList, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] @@ -541,6 +596,26 @@ function Test-TargetResource [System.String] $TenantDefaultTimezone, + [Parameter()] + [System.Boolean] + $ExemptNativeUsersFromTenantLevelRestricedAccessControl, + + [Parameter()] + [System.String[]] + $AllowSelectSGsInODBListInTenant, + + [Parameter()] + [System.String[]] + $DenySelectSGsInODBListInTenant, + + [Parameter()] + [System.String[]] + $DenySelectSecurityGroupsInSPSitesList, + + [Parameter()] + [System.String[]] + $AllowSelectSecurityGroupsInSPSitesList, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof index 45d9efdd69..6c71fd1025 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof @@ -24,7 +24,12 @@ class MSFT_SPOTenantSettings : OMI_BaseResource [Write, Description("Disables or enables the Social Bar. It will give users the ability to like a page, see the number of views, likes, and comments on a page, and see the people who have liked a page.")] boolean SocialBarOnSitePagesDisabled; [Write, Description("Set to false to enable a comment section on all site pages, users who have access to the pages can leave comments. Set to true to disable this feature.")] boolean CommentsOnSitePagesDisabled; [Write, Description("Boolean indicating if Azure Information Protection (AIP) should be enabled on the tenant.")] boolean EnableAIPIntegration; - [Write, Description("The default timezone of a tenant for newly created sites.")] String TenantDefaultTimezone; + [Write, Description("Determines whether or not we need to include external participants in shared channels for SharePoint access restriction.")] Boolean ExemptNativeUsersFromTenantLevelRestricedAccessControl; + [Write, Description("List of security groups to include in OneDrive access restrictions")] String AllowSelectSGsInODBListInTenant[]; + [Write, Description("List of security groups to exclude in OneDrive access restrictions")] String DenySelectSGsInODBListInTenant[]; + [Write, Description("List of security groups to exclude in SharePoint access restrictions")] String DenySelectSecurityGroupsInSPSitesList[]; + [Write, Description("List of security groups to include in SharePoint access restrictions.")] String AllowSelectSecurityGroupsInSPSitesList[]; + [Write, Description("The default timezone of a tenant for newly created sites.")] String TenantDefaultTimezone[]; [Write, Description("Only accepted value is 'Present'."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Credentials of the account to authenticate with."), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; From 81c127043664b4fa4c64d18e61b7a0b3aa6a4889 Mon Sep 17 00:00:00 2001 From: Piyush Dubey Date: Fri, 18 Oct 2024 14:55:08 +0530 Subject: [PATCH 06/98] first commit --- .../MSFT_AADServicePrincipal.psm1 | 248 +++++++++++++++++- .../MSFT_AADServicePrincipal.schema.mof | 17 ++ 2 files changed, 264 insertions(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 index 5640892910..d9f3d1b1e7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 @@ -32,6 +32,10 @@ function Get-TargetResource [System.Boolean] $AppRoleAssignmentRequired, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomSecurityAttributes, + [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $DelegatedPermissionClassifications, @@ -226,6 +230,8 @@ function Get-TargetResource $complexDelegatedPermissionClassifications += $hashtable } + $complexCustomSecurityAttributes = [Array](Get-CustomSecurityAttributes -AppId $AppId) + $result = @{ AppId = $AADServicePrincipal.AppId AppRoleAssignedTo = $AppRoleAssignedToValues @@ -234,6 +240,7 @@ function Get-TargetResource AlternativeNames = $AADServicePrincipal.AlternativeNames AccountEnabled = [boolean]$AADServicePrincipal.AccountEnabled AppRoleAssignmentRequired = $AADServicePrincipal.AppRoleAssignmentRequired + CustomSecurityAttributes = $complexCustomSecurityAttributes DelegatedPermissionClassifications = [Array]$complexDelegatedPermissionClassifications ErrorUrl = $AADServicePrincipal.ErrorUrl Homepage = $AADServicePrincipal.Homepage @@ -304,6 +311,10 @@ function Set-TargetResource [System.Boolean] $AppRoleAssignmentRequired, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomSecurityAttributes, + [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $DelegatedPermissionClassifications, @@ -467,6 +478,39 @@ function Set-TargetResource $currentParameters.Remove('AppRoleAssignedTo') | Out-Null $currentParameters.Remove('Owners') | Out-Null $currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null + + # logic to update the custom security attributes to be cmdlet comsumable + $updatedCustomSecurityAttributes = @{} + foreach ($attributeSet in $currentParameters.CustomSecurityAttributes) { + $attributeSetKey = $attributeSet.AttributeName + + $valuesHashtable = @{} + foreach ($attribute in $attributeSet.AttributeValues) { + $attributeKey = $attribute.AttributeName + $attributeValue + if ($null -ne $attribute.StringArrayValue) { + if ($attribute.StringArrayValue.Count -gt 1) { + $valuesHashtable($attributeKey + '@odata.type', "#Collection(String)") + $attributeValue = $attribute.StringArrayValue + } else { + $attributeValue = $attribute.StringArrayValue[0] + } + } + elseif ($null -ne $attribute.IntArrayValue) { + if ($attribute.IntArrayValue.Count -gt 1) { + $attributeValue = $attribute.IntArrayValue + } else { + $attributeValue = $attribute.IntArrayValue[0] + } + } + elseif ($null -ne $attribute.BoolValue) { + $attributeValue = $attribute.BoolValue + } + $valuesHashtable.Add($attributeKey, $attributeValue) + } + $updatedCustomSecurityAttributes.Add($attributeSetKey, $valuesHashtable) + } + Update-MgServicePrincipal -ServicePrincipalId $currentAADServicePrincipal.ObjectID @currentParameters if ($AppRoleAssignedTo) @@ -642,6 +686,10 @@ function Test-TargetResource [System.Boolean] $AppRoleAssignmentRequired, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomSecurityAttributes, + [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $DelegatedPermissionClassifications, @@ -743,12 +791,14 @@ function Test-TargetResource { $source = $PSBoundParameters.$key $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') { $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) + Write-Host "Key: $key, Cim comparison value: $testResult" if (-not $testResult) { $testTargetResource = $false @@ -843,6 +893,9 @@ function Export-TargetResource -ErrorAction Stop foreach ($AADServicePrincipal in $Script:exportedInstances) { + if($AADServicePrincipal.AppId -ne 'e4763382-ff8d-4c4c-97e1-65e2241986df') { + continue + } if ($null -ne $Global:M365DSCExportResourceInstancesCount) { $Global:M365DSCExportResourceInstancesCount++ @@ -873,6 +926,10 @@ function Export-TargetResource { $Results.DelegatedPermissionClassifications = Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications -PermissionClassifications $Results.DelegatedPermissionClassifications } + if ($Results.CustomSecurityAttributes.Count -gt 0) + { + $Results.CustomSecurityAttributes = Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsString -CustomSecurityAttributes $Results.CustomSecurityAttributes + } $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` @@ -888,6 +945,11 @@ function Export-TargetResource $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` -ParameterName 'DelegatedPermissionClassifications' } + if ($null -ne $Results.CustomSecurityAttributes) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'CustomSecurityAttributes' + } $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName @@ -912,6 +974,129 @@ function Export-TargetResource } } +# Function to create MSFT_AttributeValue +function Create-AttributeValue { + param ( + [string]$AttributeName, + [object]$Value + ) + + $attributeValue = @{ + AttributeName = $AttributeName + StringArrayValue = $null + IntArrayValue = $null + BoolValue = $null + } + + # Handle different types of values + if ($Value -is [string]) { + $attributeValue.StringArrayValue = @($Value) + } + elseif ($Value -is [System.Int32] -or $Value -is [System.Int64]) { + $attributeValue.IntArrayValue = @($Value) + } + elseif ($Value -is [bool]) { + $attributeValue.BoolValue = @($Value) + } + elseif ($Value -is [array]) { + if ($Value[0] -is [string]) { + $attributeValue.StringArrayValue = $Value + } + elseif ($Value[0] -is [System.Int32] -or $Value[0] -is [System.Int64]) { + $attributeValue.IntArrayValue = $Value + } + } + + return $attributeValue +} + + +function Get-CustomSecurityAttributes { + [OutputType([System.Array])] + param ( + [String]$AppId + ) + + $customSecurityAttributes = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$AppId')`?`$select=customSecurityAttributes" -Method Get + $customSecurityAttributes = $customSecurityAttributes.customSecurityAttributes + $newCustomSecurityAttributes = @() + + foreach ($key in $customSecurityAttributes.Keys) { + $attributeSet = @{ + AttributeSetName = $key + AttributeValues = @() + } + + foreach ($attribute in $customSecurityAttributes[$key].Keys) { + # Skip properties that end with '@odata.type' + if ($attribute -like "*@odata.type") { + continue + } + + $value = $customSecurityAttributes[$key][$attribute] + $attributeName = $attribute # Keep the attribute name as it is + + # Create the attribute value and add it to the set + $attributeSet.AttributeValues += Create-AttributeValue -AttributeName $attributeName -Value $value + } + + #Add the attribute set to the final structure + $newCustomSecurityAttributes += $attributeSet + } + + # Display the new structure + return [Array]$newCustomSecurityAttributes +} + +function Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $CustomSecurityAttributes + ) + + $StringContent = "@(`r`n" + foreach ($customSecurityAttribute in $CustomSecurityAttributes) + { + $StringContent += " MSFT_AADServicePrincipalAttributeSet {`r`n" + $StringContent += " AttributeSetName = '" + $customSecurityAttribute.AttributeSetName + "'`r`n" + if ($customSecurityAttribute.AttributeValues.Length -gt 0) + { + $StringContent += " AttributeValues = @(`r`n" + foreach ($attributeValue in $customSecurityAttribute.AttributeValues) + { + $StringContent += " MSFT_AADServicePrincipalAttributeValue {`r`n" + $StringContent += " AttributeName = '" + $attributeValue.AttributeName + "'`r`n" + if ($null -ne $attributeValue.BoolValue){ + $StringContent += " BoolValue = '$" + $attributeValue.BoolValue + "'`r`n" + } + elseif ($null -ne $attributeValue.StringArrayValue){ + $StringContent += " StringArrayValue = @(" + $StringContent += ($attributeValue.StringArrayValue | ForEach-Object { "'$_'" }) -join "," + $StringContent += ")`r`n" + } + elseif ($null -ne $attributeValue.IntArrayValue){ + $StringContent += " IntArrayValue = @(" + $StringContent += $attributeValue.IntArrayValue -join "," + $StringContent += ")`r`n" + } + $StringContent += " }`r`n" + } + $StringContent += " )`r`n" + } + else + { + $StringContent += " AttributeValues = @()`r`n" + } + $StringContent += " }`r`n" + } + $StringContent += ' )' + return $StringContent +} + function Get-M365DSCAzureADServicePrincipalAssignmentAsString { [CmdletBinding()] @@ -956,4 +1141,65 @@ function Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications return $StringContent } -Export-ModuleMember -Function *-TargetResource + + +function Print-Hashtable { + param ( + [Parameter(Mandatory=$true)] + [hashtable]$Hashtable, + [int]$IndentLevel = 0 + ) + + # Helper function to handle arrays and nested objects + function Print-Value { + param ( + [Parameter(Mandatory=$true)] + $Value, + [int]$IndentLevel + ) + + $indent = " " * ($IndentLevel * 4) + + if ($Value -is [hashtable]) { + # Recursively call the Print-Hashtable function for nested hashtables + Print-Hashtable -Hashtable $Value -IndentLevel ($IndentLevel + 1) + } elseif ($Value -is [array]) { + # Handle arrays + Write-Host "${indent}Array:" + for ($i = 0; $i -lt $Value.Count; $i++) { + $item = $Value[$i] + Write-Host "${indent}[$i]:" + if ($item -is [hashtable]) { + Print-Hashtable -Hashtable $item -IndentLevel ($IndentLevel + 1) + } else { + Print-Value -Value $item -IndentLevel ($IndentLevel + 1) + } + } + } else { + # Print simple values (non-hashtable, non-array) + Write-Host "${indent}$Value" + } + } + + # Iterate through each key-value pair in the hashtable + foreach ($key in $Hashtable.Keys) { + $indent = " " * ($IndentLevel * 4) + $value = $Hashtable[$key] + + if ($value -is [hashtable]) { + # Print key and call recursively if value is a nested hashtable + Write-Host "${indent}$key :" + Print-Hashtable -Hashtable $value -IndentLevel ($IndentLevel + 1) + } elseif ($value -is [array]) { + # Print arrays with an index for each element + Write-Host "${indent}$key :" + Print-Value -Value $value -IndentLevel ($IndentLevel + 1) + } else { + # Print key-value pairs for non-complex data types + Write-Host "${indent}$key : $value" + } + } +} + + +Export-ModuleMember -Function * diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof index 717b2e569f..7493435d82 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof @@ -12,6 +12,22 @@ class MSFT_AADServicePrincipalDelegatedPermissionClassification [Write, Description("Name of the permission")] String PermissionName; }; +[ClassVersion("1.0.0")] +class MSFT_AADServicePrincipalAttributeValue +{ + [Write, Description("Name of the Attribute")] String AttributeName; + [Write, Description("If the attribute has a string array value")] String StringArrayValue[]; + [Write, Description("If the attribute has a int array value")] UInt32 IntArrayValue[]; + [Write, Description("If the attribute has a boolean value")] Boolean BoolValue; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADServicePrincipalAttributeSet +{ + [Write, Description("Attribute Set Name.")] String AttributeSetName; + [Write, Description("List of attribute values."), EmbeddedInstance("MSFT_AADServicePrincipalAttributeValue")] String AttributeValues[]; +}; + [ClassVersion("1.0.0.0"), FriendlyName("AADServicePrincipal")] class MSFT_AADServicePrincipal : OMI_BaseResource { @@ -33,6 +49,7 @@ class MSFT_AADServicePrincipal : OMI_BaseResource [Write, Description("The type of the service principal.")] String ServicePrincipalType; [Write, Description("Tags linked to this service principal.Note that if you intend for this service principal to show up in the All Applications list in the admin portal, you need to set this value to {WindowsAzureActiveDirectoryIntegratedApp}")] String Tags[]; [Write, Description("The permission classifications for delegated permissions exposed by the app that this service principal represents."), EmbeddedInstance("MSFT_AADServicePrincipalDelegatedPermissionClassification")] String DelegatedPermissionClassifications[]; + [Write, Description("The list of custom security attributes attached to this SPN"), EmbeddedInstance("MSFT_AADServicePrincipalAttributeSet")] String CustomSecurityAttributes[]; [Write, Description("Specify if the Azure AD App should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; From 4e9afc18b3eddc6b6f681573853ff514417e33db Mon Sep 17 00:00:00 2001 From: Dan Lag Date: Fri, 18 Oct 2024 08:15:55 -0400 Subject: [PATCH 07/98] Added support for ApplicationSecret --- .../MSFT_AADCustomSecurityAttributeDefinition.psm1 | 14 ++++++++++++++ ...AADCustomSecurityAttributeDefinition.schema.mof | 2 +- .../MSFT_AADDomain/MSFT_AADDomain.schema.mof | 2 +- 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.psm1 index e8090ba85e..1e7e5822ab 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.psm1 @@ -57,6 +57,10 @@ function Get-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -132,6 +136,7 @@ function Get-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens @@ -209,6 +214,10 @@ function Set-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -325,6 +334,10 @@ function Test-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -447,6 +460,7 @@ function Export-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.schema.mof index f440bccc52..566b9bfcfb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.schema.mof @@ -10,11 +10,11 @@ class MSFT_AADCustomSecurityAttributeDefinition : OMI_BaseResource [Write, Description("Specifies whether the custom security attribute is active or deactivated. Acceptable values are Available and Deprecated. Can be changed later.")] String Status; [Write, Description("Data type for the custom security attribute values. Supported types are: Boolean, Integer, and String. Can't be changed later.")] String Type; [Write, Description("Indicates whether only predefined values can be assigned to the custom security attribute. If set to false, free-form values are allowed. Can later be changed from true to false, but can't be changed from false to true. If type is set to Boolean, usePreDefinedValuesOnly can't be set to true.")] Boolean UsePreDefinedValuesOnly; - [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; [Write, Description("Access token used for authentication.")] String AccessTokens[]; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof index bef859a557..78960adce0 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof @@ -11,7 +11,7 @@ class MSFT_AADDomain : OMI_BaseResource [Write, Description("Specifies the number of days before a user receives notification that their password expires. If the property isn't set, a default value of 14 days is used.")] UInt32 PasswordNotificationWindowInDays; [Write, Description("Specifies the length of time that a password is valid before it must be changed. If the property isn't set, a default value of 90 days is used.")] UInt32 PasswordValidityPeriodInDays; [Write, Description("The capabilities assigned to the domain. Can include 0, 1 or more of following values: Email, Sharepoint, EmailInternalRelayOnly, OfficeCommunicationsOnline, SharePointDefaultDomain, FullRedelegation, SharePointPublic, OrgIdAuthentication, Yammer, Intune. The values that you can add or remove using the API include: Email, OfficeCommunicationsOnline, Yammer. Not nullable.")] String SupportedServices[]; - + [Write, Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; From 061b5e5bb20dc6b39e6f50b6dd0e32cbedf96b9d Mon Sep 17 00:00:00 2001 From: Dan Lag Date: Fri, 18 Oct 2024 10:43:38 -0400 Subject: [PATCH 08/98] Added support for ApplicationSecret --- .../MSFT_AADDomain/MSFT_AADDomain.psm1 | 14 ++++++++++++++ .../MSFT_AADDomain/MSFT_AADDomain.schema.mof | 2 +- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.psm1 index 6237de9617..eff7ae01fc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.psm1 @@ -61,6 +61,10 @@ function Get-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -114,6 +118,7 @@ function Get-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens @@ -195,6 +200,10 @@ function Set-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -342,6 +351,10 @@ function Test-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -462,6 +475,7 @@ function Export-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof index bef859a557..c2b6cab026 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof @@ -11,11 +11,11 @@ class MSFT_AADDomain : OMI_BaseResource [Write, Description("Specifies the number of days before a user receives notification that their password expires. If the property isn't set, a default value of 14 days is used.")] UInt32 PasswordNotificationWindowInDays; [Write, Description("Specifies the length of time that a password is valid before it must be changed. If the property isn't set, a default value of 90 days is used.")] UInt32 PasswordValidityPeriodInDays; [Write, Description("The capabilities assigned to the domain. Can include 0, 1 or more of following values: Email, Sharepoint, EmailInternalRelayOnly, OfficeCommunicationsOnline, SharePointDefaultDomain, FullRedelegation, SharePointPublic, OrgIdAuthentication, Yammer, Intune. The values that you can add or remove using the API include: Email, OfficeCommunicationsOnline, Yammer. Not nullable.")] String SupportedServices[]; - [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; [Write, Description("Access token used for authentication.")] String AccessTokens[]; From 73b972940c9effd27ed6057ef96e3f2d029e53c7 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Fri, 18 Oct 2024 11:13:39 -0400 Subject: [PATCH 09/98] FIxes --- CHANGELOG.md | 1 + .../MSFT_SPOTenantSettings.psm1 | 61 +++++++++++++++++++ .../MSFT_SPOTenantSettings.schema.mof | 2 +- 3 files changed, 63 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90d5670d6c..36a61c3ce0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ DenySelectSGsInODBListInTenant, DenySelectSecurityGroupsInSPSitesList, AllowSelectSecurityGroupsInSPSitesList, ExemptNativeUsersFromTenantLevelRestricedAccessControl properties. + * TenantDefaultTimezone changed to String instead of Array. # 1.24.1016.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 index 825f563bc6..015cfea04f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 @@ -471,6 +471,11 @@ function Set-TargetResource $CurrentParameters.Remove('ManagedIdentity') | Out-Null $CurrentParameters.Remove('ApplicationSecret') | Out-Null $CurrentParameters.Remove('AccessTokens') | Out-Null + $CurrentParameters.Remove('ExemptNativeUsersFromTenantLevelRestricedAccessControl') | Out-Null + $CurrentParameters.Remove('AllowSelectSGsInODBListInTenant') | Out-Null + $CurrentParameters.Remove('DenySelectSGsInODBListInTenant') | Out-Null + $CurrentParameters.Remove('DenySelectSecurityGroupsInSPSitesList') | Out-Null + $CurrentParameters.Remove('AllowSelectSecurityGroupsInSPSitesList') | Out-Null $CurrentParameters.Remove('TenantDefaultTimezone') | Out-Null # this one is updated separately using Graph if ($CurrentParameters.Keys.Contains('UserVoiceForFeedbackEnabled')) @@ -490,6 +495,62 @@ function Set-TargetResource { $tenantGraph = Update-MgAdminSharepointSetting -TenantDefaultTimezone $TenantDefaultTimezone -ErrorAction Stop } + + # Updating via REST + try + { + $paramsToUpdate = @{} + $needToUpdate = $false + + if (null -ne $ExemptNativeUsersFromTenantLevelRestricedAccessControl) + { + $needToUpdate = $true + $params.Add("ExemptNativeUsersFromTenantLevelRestricedAccessControl", $ExemptNativeUsersFromTenantLevelRestricedAccessControl) + } + + if (null -ne $AllowSelectSGsInODBListInTenant) + { + $needToUpdate = $true + $params.Add("AllowSelectSGsInODBListInTenant", $AllowSelectSGsInODBListInTenant) + } + + if (null -ne $DenySelectSGsInODBListInTenant) + { + $needToUpdate = $true + $params.Add("DenySelectSGsInODBListInTenant", $DenySelectSGsInODBListInTenant) + } + + if (null -ne $DenySelectSecurityGroupsInSPSitesList) + { + $needToUpdate = $true + $params.Add("DenySelectSecurityGroupsInSPSitesList", $DenySelectSecurityGroupsInSPSitesList) + } + + if (null -ne $AllowSelectSecurityGroupsInSPSitesList) + { + $needToUpdate = $true + $params.Add("AllowSelectSecurityGroupsInSPSitesList", $AllowSelectSecurityGroupsInSPSitesList) + } + + if ($needToUpdate) + { + Write-Verbose -Message "Updating properties via REST PATCH call." + Invoke-PnPSPRestMethod -Method PATCH ` + -Url "$($Global:MSCloudLoginConnectionProfile.PnP.AdminUrl)/_api/SPO.Tenant" ` + -Content $paramsToUpdate + } + } + catch + { + if ($_.Exception.Message.Contains("The requested operation is part of an experimental feature that is not supported in the current environment.")) + { + Write-Verbose -Message "Updating via REST: The associated feature is not available in the given tenant." + } + else + { + throw $_ + } + } } function Test-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof index 6c71fd1025..9f9fca89d5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof @@ -29,7 +29,7 @@ class MSFT_SPOTenantSettings : OMI_BaseResource [Write, Description("List of security groups to exclude in OneDrive access restrictions")] String DenySelectSGsInODBListInTenant[]; [Write, Description("List of security groups to exclude in SharePoint access restrictions")] String DenySelectSecurityGroupsInSPSitesList[]; [Write, Description("List of security groups to include in SharePoint access restrictions.")] String AllowSelectSecurityGroupsInSPSitesList[]; - [Write, Description("The default timezone of a tenant for newly created sites.")] String TenantDefaultTimezone[]; + [Write, Description("The default timezone of a tenant for newly created sites.")] String TenantDefaultTimezone; [Write, Description("Only accepted value is 'Present'."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Credentials of the account to authenticate with."), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; From 9be467bca6b287476335a58d7106d7ac5d72c1eb Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Fri, 18 Oct 2024 11:18:05 -0400 Subject: [PATCH 10/98] Update MSFT_SPOTenantSettings.psm1 --- .../MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 index 015cfea04f..bd5d982acf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 @@ -502,31 +502,31 @@ function Set-TargetResource $paramsToUpdate = @{} $needToUpdate = $false - if (null -ne $ExemptNativeUsersFromTenantLevelRestricedAccessControl) + if ($null -ne $ExemptNativeUsersFromTenantLevelRestricedAccessControl) { $needToUpdate = $true $params.Add("ExemptNativeUsersFromTenantLevelRestricedAccessControl", $ExemptNativeUsersFromTenantLevelRestricedAccessControl) } - if (null -ne $AllowSelectSGsInODBListInTenant) + if ($null -ne $AllowSelectSGsInODBListInTenant) { $needToUpdate = $true $params.Add("AllowSelectSGsInODBListInTenant", $AllowSelectSGsInODBListInTenant) } - if (null -ne $DenySelectSGsInODBListInTenant) + if ($null -ne $DenySelectSGsInODBListInTenant) { $needToUpdate = $true $params.Add("DenySelectSGsInODBListInTenant", $DenySelectSGsInODBListInTenant) } - if (null -ne $DenySelectSecurityGroupsInSPSitesList) + if ($null -ne $DenySelectSecurityGroupsInSPSitesList) { $needToUpdate = $true $params.Add("DenySelectSecurityGroupsInSPSitesList", $DenySelectSecurityGroupsInSPSitesList) } - if (null -ne $AllowSelectSecurityGroupsInSPSitesList) + if ($null -ne $AllowSelectSecurityGroupsInSPSitesList) { $needToUpdate = $true $params.Add("AllowSelectSecurityGroupsInSPSitesList", $AllowSelectSecurityGroupsInSPSitesList) From 026016a7fc96cff9531b59107ecb7a9a89ff5cf9 Mon Sep 17 00:00:00 2001 From: Dan Lag Date: Fri, 18 Oct 2024 11:22:48 -0400 Subject: [PATCH 11/98] Added support for ApplicationSecret --- ...SFT_AADIdentityGovernanceLifecycleWorkflow.psm1 | 14 ++++++++++++++ ...DIdentityGovernanceLifecycleWorkflow.schema.mof | 1 + 2 files changed, 15 insertions(+) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.psm1 index 1e3a213421..1995d3719c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.psm1 @@ -49,6 +49,10 @@ function Get-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -112,6 +116,7 @@ function Get-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens @@ -181,6 +186,10 @@ function Set-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -346,6 +355,10 @@ function Test-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -494,6 +507,7 @@ function Export-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.schema.mof index 6af12f51bb..1fd0221206 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.schema.mof @@ -56,6 +56,7 @@ class MSFT_AADIdentityGovernanceLifecycleWorkflow : OMI_BaseResource [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; [Write, Description("Access token used for authentication.")] String AccessTokens[]; From 604c0287ee974d0ec692bc924b72dc4c94a45797 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Fri, 18 Oct 2024 11:23:55 -0400 Subject: [PATCH 12/98] Update MSFT_SPOTenantSettings.psm1 --- .../MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 index bd5d982acf..b52a11dd1a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 @@ -505,31 +505,31 @@ function Set-TargetResource if ($null -ne $ExemptNativeUsersFromTenantLevelRestricedAccessControl) { $needToUpdate = $true - $params.Add("ExemptNativeUsersFromTenantLevelRestricedAccessControl", $ExemptNativeUsersFromTenantLevelRestricedAccessControl) + $paramsToUpdate.Add("ExemptNativeUsersFromTenantLevelRestricedAccessControl", $ExemptNativeUsersFromTenantLevelRestricedAccessControl) } if ($null -ne $AllowSelectSGsInODBListInTenant) { $needToUpdate = $true - $params.Add("AllowSelectSGsInODBListInTenant", $AllowSelectSGsInODBListInTenant) + $paramsToUpdate.Add("AllowSelectSGsInODBListInTenant", $AllowSelectSGsInODBListInTenant) } if ($null -ne $DenySelectSGsInODBListInTenant) { $needToUpdate = $true - $params.Add("DenySelectSGsInODBListInTenant", $DenySelectSGsInODBListInTenant) + $paramsToUpdate.Add("DenySelectSGsInODBListInTenant", $DenySelectSGsInODBListInTenant) } if ($null -ne $DenySelectSecurityGroupsInSPSitesList) { $needToUpdate = $true - $params.Add("DenySelectSecurityGroupsInSPSitesList", $DenySelectSecurityGroupsInSPSitesList) + $paramsToUpdate.Add("DenySelectSecurityGroupsInSPSitesList", $DenySelectSecurityGroupsInSPSitesList) } if ($null -ne $AllowSelectSecurityGroupsInSPSitesList) { $needToUpdate = $true - $params.Add("AllowSelectSecurityGroupsInSPSitesList", $AllowSelectSecurityGroupsInSPSitesList) + $paramsToUpdate.Add("AllowSelectSecurityGroupsInSPSitesList", $AllowSelectSecurityGroupsInSPSitesList) } if ($needToUpdate) From 4f6db793050a2d22f1c17cb5d3665930374116d7 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Fri, 18 Oct 2024 11:45:32 -0400 Subject: [PATCH 13/98] Fixes --- .../Microsoft365DSC.SPOTenantSettings.Tests.ps1 | 4 ++++ Tests/Unit/Stubs/Microsoft365.psm1 | 17 +++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SPOTenantSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SPOTenantSettings.Tests.ps1 index 30eb96c585..de2f686924 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SPOTenantSettings.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SPOTenantSettings.Tests.ps1 @@ -36,6 +36,10 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { return $null } + Mock -CommandName Invoke-PnPSPRestMethod -MockWith { + return $null + } + # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { } diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index 985abaa28d..e522432ec2 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 @@ -97621,3 +97621,20 @@ function Stop-MgBetaIdentityGovernanceAccessReviewDefinition #endregion +function Invoke-PnPSPRestMethod +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Method, + + [Parameter()] + [System.Url] + $Url, + + [Parameter()] + [System.Object] + $Content + ) +} From 25c25805b3a0a18f30ab3cf229c5aa436be4be55 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Fri, 18 Oct 2024 12:00:43 -0400 Subject: [PATCH 14/98] Update Microsoft365.psm1 --- Tests/Unit/Stubs/Microsoft365.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index e522432ec2..cdcf592740 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 @@ -97630,7 +97630,7 @@ function Invoke-PnPSPRestMethod $Method, [Parameter()] - [System.Url] + [System.String] $Url, [Parameter()] From f207a88de30723468c70368a5e15e10dcd0b6d25 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Fri, 18 Oct 2024 16:18:31 +0000 Subject: [PATCH 15/98] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/sharepoint/SPOTenantSettings.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/docs/resources/sharepoint/SPOTenantSettings.md b/docs/docs/resources/sharepoint/SPOTenantSettings.md index a9527057ce..4baad6486b 100644 --- a/docs/docs/resources/sharepoint/SPOTenantSettings.md +++ b/docs/docs/resources/sharepoint/SPOTenantSettings.md @@ -27,6 +27,11 @@ | **SocialBarOnSitePagesDisabled** | Write | Boolean | Disables or enables the Social Bar. It will give users the ability to like a page, see the number of views, likes, and comments on a page, and see the people who have liked a page. | | | **CommentsOnSitePagesDisabled** | Write | Boolean | Set to false to enable a comment section on all site pages, users who have access to the pages can leave comments. Set to true to disable this feature. | | | **EnableAIPIntegration** | Write | Boolean | Boolean indicating if Azure Information Protection (AIP) should be enabled on the tenant. | | +| **ExemptNativeUsersFromTenantLevelRestricedAccessControl** | Write | Boolean | Determines whether or not we need to include external participants in shared channels for SharePoint access restriction. | | +| **AllowSelectSGsInODBListInTenant** | Write | StringArray[] | List of security groups to include in OneDrive access restrictions | | +| **DenySelectSGsInODBListInTenant** | Write | StringArray[] | List of security groups to exclude in OneDrive access restrictions | | +| **DenySelectSecurityGroupsInSPSitesList** | Write | StringArray[] | List of security groups to exclude in SharePoint access restrictions | | +| **AllowSelectSecurityGroupsInSPSitesList** | Write | StringArray[] | List of security groups to include in SharePoint access restrictions. | | | **TenantDefaultTimezone** | Write | String | The default timezone of a tenant for newly created sites. | | | **Ensure** | Write | String | Only accepted value is 'Present'. | `Present`, `Absent` | | **Credential** | Write | PSCredential | Credentials of the account to authenticate with. | | From 75d64ec9c81709db69b7b11babb71ddef92bba26 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Fri, 18 Oct 2024 16:21:48 +0000 Subject: [PATCH 16/98] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 913a83d34b..564dcb1932 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -462,6 +462,11 @@ "Name": "ApplicationId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "TenantId", @@ -50707,6 +50712,31 @@ "Name": "EnableAIPIntegration", "Option": "Write" }, + { + "CIMType": "Boolean", + "Name": "ExemptNativeUsersFromTenantLevelRestricedAccessControl", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AllowSelectSGsInODBListInTenant", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DenySelectSGsInODBListInTenant", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DenySelectSecurityGroupsInSPSitesList", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AllowSelectSecurityGroupsInSPSitesList", + "Option": "Write" + }, { "CIMType": "String", "Name": "TenantDefaultTimezone", From 9291b3a814cf760c2e74333bfeff079e400736b3 Mon Sep 17 00:00:00 2001 From: Piyush Dubey Date: Sat, 19 Oct 2024 21:13:28 +0530 Subject: [PATCH 17/98] added custom Security attribute property --- CHANGELOG.md | 3 +- .../MSFT_AADServicePrincipal.psm1 | 189 ++++++++---------- .../MSFT_AADServicePrincipal.schema.mof | 2 + 3 files changed, 92 insertions(+), 102 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c5eeb43cba..24b6089172 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,7 +25,8 @@ * AADLifecycleWorkflowSettings * Initial release. * AADServicePrincipal - * Adding Delegated Permission Classification Property + * Added Delegated Permission Classification Property + * Added Custom Security Attributes Property * ADOPermissionGroupSettings * Initial release. * EXOATPBuiltInProtectionRule diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 index d9f3d1b1e7..c539a90625 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 @@ -231,6 +231,9 @@ function Get-TargetResource } $complexCustomSecurityAttributes = [Array](Get-CustomSecurityAttributes -AppId $AppId) + if ($null -eq $complexCustomSecurityAttributes) { + $complexCustomSecurityAttributes = @() + } $result = @{ AppId = $AADServicePrincipal.AppId @@ -421,6 +424,13 @@ function Set-TargetResource $currentParameters.Remove('ApplicationSecret') | Out-Null $currentParameters.Remove('AccessTokens') | Out-Null + # update the custom security attributes to be cmdlet comsumable + if ($null -ne $currentParameters.CustomSecurityAttributes -and $currentParameters.CustomSecurityAttributes -gt 0) { + $currentParameters.CustomSecurityAttributes = Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsCmdletHashtable -CustomSecurityAttributes $currentParameters.CustomSecurityAttributes + } else { + $currentParameters.CustomSecurityAttributes = @() + } + # ServicePrincipal should exist but it doesn't if ($Ensure -eq 'Present' -and $currentAADServicePrincipal.Ensure -eq 'Absent') { @@ -479,36 +489,13 @@ function Set-TargetResource $currentParameters.Remove('Owners') | Out-Null $currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null - # logic to update the custom security attributes to be cmdlet comsumable - $updatedCustomSecurityAttributes = @{} - foreach ($attributeSet in $currentParameters.CustomSecurityAttributes) { - $attributeSetKey = $attributeSet.AttributeName - - $valuesHashtable = @{} - foreach ($attribute in $attributeSet.AttributeValues) { - $attributeKey = $attribute.AttributeName - $attributeValue - if ($null -ne $attribute.StringArrayValue) { - if ($attribute.StringArrayValue.Count -gt 1) { - $valuesHashtable($attributeKey + '@odata.type', "#Collection(String)") - $attributeValue = $attribute.StringArrayValue - } else { - $attributeValue = $attribute.StringArrayValue[0] - } - } - elseif ($null -ne $attribute.IntArrayValue) { - if ($attribute.IntArrayValue.Count -gt 1) { - $attributeValue = $attribute.IntArrayValue - } else { - $attributeValue = $attribute.IntArrayValue[0] - } - } - elseif ($null -ne $attribute.BoolValue) { - $attributeValue = $attribute.BoolValue - } - $valuesHashtable.Add($attributeKey, $attributeValue) + #removing the current custom security attributes + if ($currentAADServicePrincipal.CustomSecurityAttributes.Count -gt 0) { + $currentAADServicePrincipal.CustomSecurityAttributes = Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsCmdletHashtable -CustomSecurityAttributes $currentAADServicePrincipal.CustomSecurityAttributes -GetForDelete $true + $CSAParams = @{ + customSecurityAttributes = $currentAADServicePrincipal.CustomSecurityAttributes } - $updatedCustomSecurityAttributes.Add($attributeSetKey, $valuesHashtable) + Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$($currentParameters.AppId)')" -Method Patch -Body $CSAParams } Update-MgServicePrincipal -ServicePrincipalId $currentAADServicePrincipal.ObjectID @currentParameters @@ -798,7 +785,6 @@ function Test-TargetResource -Source ($source) ` -Target ($target) - Write-Host "Key: $key, Cim comparison value: $testResult" if (-not $testResult) { $testTargetResource = $false @@ -885,7 +871,6 @@ function Export-TargetResource try { $i = 1 - Write-Host "`r`n" -NoNewline $Script:ExportMode = $true [array] $Script:exportedInstances = Get-MgServicePrincipal -All:$true ` -Filter $Filter ` @@ -893,7 +878,7 @@ function Export-TargetResource -ErrorAction Stop foreach ($AADServicePrincipal in $Script:exportedInstances) { - if($AADServicePrincipal.AppId -ne 'e4763382-ff8d-4c4c-97e1-65e2241986df') { + if($AADServicePrincipal.AppId -ne '0b750897-174f-4aed-ad21-ab3799c7e404') { continue } if ($null -ne $Global:M365DSCExportResourceInstancesCount) @@ -901,7 +886,6 @@ function Export-TargetResource $Global:M365DSCExportResourceInstancesCount++ } - Write-Host " |---[$i/$($Script:exportedInstances.Count)] $($AADServicePrincipal.DisplayName)" -NoNewline $Params = @{ Credential = $Credential ApplicationId = $ApplicationId @@ -954,7 +938,6 @@ function Export-TargetResource Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName - Write-Host $Global:M365DSCEmojiGreenCheckMark $i++ } } @@ -962,7 +945,6 @@ function Export-TargetResource } catch { - Write-Host $Global:M365DSCEmojiRedX New-M365DSCLogEntry -Message 'Error during Export:' ` -Exception $_ ` @@ -974,6 +956,64 @@ function Export-TargetResource } } +function Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsCmdletHashtable +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $CustomSecurityAttributes, + + [Parameter()] + [System.Boolean] + $GetForDelete = $false + ) + + # logic to update the custom security attributes to be cmdlet comsumable + $updatedCustomSecurityAttributes = @{} + foreach ($attributeSet in $CustomSecurityAttributes) { + $attributeSetKey = $attributeSet.AttributeSetName + + $valuesHashtable = @{} + $valuesHashtable.Add('@odata.type', '#Microsoft.DirectoryServices.CustomSecurityAttributeValue') + foreach ($attribute in $attributeSet.AttributeValues) { + $attributeKey = $attribute.AttributeName + # supply attributeName = $null in the body, if you want to delete this attribute + if ($GetForDelete -eq $true) { + $valuesHashtable.Add($attributeKey, $null) + continue + } + + $odataKey = $attributeKey + '@odata.type' + + if ($null -ne $attribute.StringArrayValue) { + $valuesHashtable.Add($odataKey, "#Collection(String)") + $attributeValue = $attribute.StringArrayValue + } + elseif ($null -ne $attribute.IntArrayValue) { + $valuesHashtable.Add($odataKey, "#Collection(Int32)") + $attributeValue = $attribute.IntArrayValue + } + elseif ($null -ne $attribute.StringValue) { + $valuesHashtable.Add($odataKey, "#String") + $attributeValue = $attribute.StringValue + } + elseif ($null -ne $attribute.IntValue) { + $valuesHashtable.Add($odataKey, "#Int32") + $attributeValue = $attribute.IntValue + } + elseif ($null -ne $attribute.BoolValue) { + $attributeValue = $attribute.BoolValue + } + + $valuesHashtable.Add($attributeKey, $attributeValue) + } + $updatedCustomSecurityAttributes.Add($attributeSetKey, $valuesHashtable) + } + return $updatedCustomSecurityAttributes +} + # Function to create MSFT_AttributeValue function Create-AttributeValue { param ( @@ -985,18 +1025,20 @@ function Create-AttributeValue { AttributeName = $AttributeName StringArrayValue = $null IntArrayValue = $null + StringValue = $null + IntValue = $null BoolValue = $null } # Handle different types of values if ($Value -is [string]) { - $attributeValue.StringArrayValue = @($Value) + $attributeValue.StringValue = $Value } elseif ($Value -is [System.Int32] -or $Value -is [System.Int64]) { - $attributeValue.IntArrayValue = @($Value) + $attributeValue.IntValue = $Value } elseif ($Value -is [bool]) { - $attributeValue.BoolValue = @($Value) + $attributeValue.BoolValue = $Value } elseif ($Value -is [array]) { if ($Value[0] -is [string]) { @@ -1071,7 +1113,13 @@ function Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsString $StringContent += " MSFT_AADServicePrincipalAttributeValue {`r`n" $StringContent += " AttributeName = '" + $attributeValue.AttributeName + "'`r`n" if ($null -ne $attributeValue.BoolValue){ - $StringContent += " BoolValue = '$" + $attributeValue.BoolValue + "'`r`n" + $StringContent += " BoolValue = $" + $attributeValue.BoolValue + "`r`n" + } + elseif ($null -ne $attributeValue.StringValue){ + $StringContent += " StringValue = '" + $attributeValue.StringValue + "'`r`n" + } + elseif ($null -ne $attributeValue.IntValue){ + $StringContent += " IntValue = " + $attributeValue.IntValue + "`r`n" } elseif ($null -ne $attributeValue.StringArrayValue){ $StringContent += " StringArrayValue = @(" @@ -1141,65 +1189,4 @@ function Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications return $StringContent } - - -function Print-Hashtable { - param ( - [Parameter(Mandatory=$true)] - [hashtable]$Hashtable, - [int]$IndentLevel = 0 - ) - - # Helper function to handle arrays and nested objects - function Print-Value { - param ( - [Parameter(Mandatory=$true)] - $Value, - [int]$IndentLevel - ) - - $indent = " " * ($IndentLevel * 4) - - if ($Value -is [hashtable]) { - # Recursively call the Print-Hashtable function for nested hashtables - Print-Hashtable -Hashtable $Value -IndentLevel ($IndentLevel + 1) - } elseif ($Value -is [array]) { - # Handle arrays - Write-Host "${indent}Array:" - for ($i = 0; $i -lt $Value.Count; $i++) { - $item = $Value[$i] - Write-Host "${indent}[$i]:" - if ($item -is [hashtable]) { - Print-Hashtable -Hashtable $item -IndentLevel ($IndentLevel + 1) - } else { - Print-Value -Value $item -IndentLevel ($IndentLevel + 1) - } - } - } else { - # Print simple values (non-hashtable, non-array) - Write-Host "${indent}$Value" - } - } - - # Iterate through each key-value pair in the hashtable - foreach ($key in $Hashtable.Keys) { - $indent = " " * ($IndentLevel * 4) - $value = $Hashtable[$key] - - if ($value -is [hashtable]) { - # Print key and call recursively if value is a nested hashtable - Write-Host "${indent}$key :" - Print-Hashtable -Hashtable $value -IndentLevel ($IndentLevel + 1) - } elseif ($value -is [array]) { - # Print arrays with an index for each element - Write-Host "${indent}$key :" - Print-Value -Value $value -IndentLevel ($IndentLevel + 1) - } else { - # Print key-value pairs for non-complex data types - Write-Host "${indent}$key : $value" - } - } -} - - -Export-ModuleMember -Function * +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof index 7493435d82..3b2c37bc14 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof @@ -18,6 +18,8 @@ class MSFT_AADServicePrincipalAttributeValue [Write, Description("Name of the Attribute")] String AttributeName; [Write, Description("If the attribute has a string array value")] String StringArrayValue[]; [Write, Description("If the attribute has a int array value")] UInt32 IntArrayValue[]; + [Write, Description("If the attribute has a string value")] String StringValue; + [Write, Description("If the attribute has a int value")] UInt32 IntValue; [Write, Description("If the attribute has a boolean value")] Boolean BoolValue; }; From acdfd1a348ea3573595c59af0293a499e1849311 Mon Sep 17 00:00:00 2001 From: Piyush Dubey Date: Sat, 19 Oct 2024 21:17:07 +0530 Subject: [PATCH 18/98] minor --- .../MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 index c539a90625..85a0ee97c7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 @@ -871,6 +871,7 @@ function Export-TargetResource try { $i = 1 + Write-Host "`r`n" -NoNewline $Script:ExportMode = $true [array] $Script:exportedInstances = Get-MgServicePrincipal -All:$true ` -Filter $Filter ` @@ -886,6 +887,7 @@ function Export-TargetResource $Global:M365DSCExportResourceInstancesCount++ } + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $($AADServicePrincipal.DisplayName)" -NoNewline $Params = @{ Credential = $Credential ApplicationId = $ApplicationId @@ -938,6 +940,7 @@ function Export-TargetResource Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName + Write-Host $Global:M365DSCEmojiGreenCheckMark $i++ } } @@ -945,6 +948,7 @@ function Export-TargetResource } catch { + Write-Host $Global:M365DSCEmojiRedX New-M365DSCLogEntry -Message 'Error during Export:' ` -Exception $_ ` From c72dfc484e0cd1b3496ad807104e3679c70304f5 Mon Sep 17 00:00:00 2001 From: Sai Rohit Date: Mon, 21 Oct 2024 16:46:46 +0530 Subject: [PATCH 19/98] Added new resource --- ...MSFT_AADCustomAuthenticationExtension.psm1 | 133 ++++++-- ...ADCustomAuthenticationExtension.schema.mof | 37 +-- .../1-Create.ps1 | 52 +++ .../2-Update.ps1 | 52 +++ .../3-Remove.ps1 | 34 ++ ...AADCustomAuthenticationExtension.Tests.ps1 | 186 +++++++++++ Tests/Unit/Stubs/Microsoft365.psm1 | 299 ++++++++++++++++++ 7 files changed, 742 insertions(+), 51 deletions(-) create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/2-Update.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/3-Remove.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADCustomAuthenticationExtension.Tests.ps1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 index a81c729192..dd6ee5f452 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 @@ -4,6 +4,7 @@ function Get-TargetResource [OutputType([System.Collections.Hashtable])] param ( + [Parameter(Mandatory = $true)] [System.String] $DisplayName, @@ -38,7 +39,7 @@ function Get-TargetResource [Parameter()] [System.Int32] - $ClientConfigurationTimeoutMillisesonds, + $ClientConfigurationTimeoutMilliseconds, [Parameter()] [System.Int32] @@ -50,7 +51,7 @@ function Get-TargetResource [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] - $ClaimsForTokenConfguration, + $ClaimsForTokenConfiguration, [Parameter()] [System.Management.Automation.PSCredential] @@ -79,7 +80,7 @@ function Get-TargetResource [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] - $Ensure = 'Present', + $Ensure = 'Present' ) New-M365DSCConnection -Workload 'MicrosoftGraph' ` @@ -99,6 +100,7 @@ function Get-TargetResource $nullResult = $PSBoundParameters $nullResult.Ensure = 'Absent' + Write-Verbose -Message "Fetching result...." try { # check for export. @@ -120,7 +122,7 @@ function Get-TargetResource { if (-not [System.String]::IsNullOrEmpty($Id)) { - $instance = Get-MgBetaIdentityCustomAuthenticationExtension --CustomAuthenticationExtensionId $Id ` + $instance = Get-MgBetaIdentityCustomAuthenticationExtension -CustomAuthenticationExtensionId $Id ` -ErrorAction SilentlyContinue } if ($null -eq $instance) @@ -134,10 +136,13 @@ function Get-TargetResource return $nullResult } + Write-Verbose "Instance found for the resource. Calculating result...." + $results = @{ DisplayName = $instance.DisplayName Id = $instance.Id Description = $instance.Description + Ensure = 'Present' } if ($instance.AdditionalProperties -ne $null) @@ -157,25 +162,25 @@ function Get-TargetResource $results.Add('ClientConfigurationMaximumRetries', $instance.ClientConfiguration.MaximumRetries) } - $endpointConfiguration = @{} + $endpointConfigurationInstance = @{} if ($instance.EndPointConfiguration -ne $null -and $instance.EndPointConfiguration.AdditionalProperties -ne $null) { - $endpointConfiguration.Add("EndpointType", $instance.EndPointConfiguration.AdditionalProperties["@odata.type"]) + $endpointConfigurationInstance.Add("EndpointType", $instance.EndPointConfiguration.AdditionalProperties["@odata.type"]) - if ($endpointConfiguration["EndpointType"] -eq '#microsoft.graph.httpRequestEndpoint') + if ($endpointConfigurationInstance["EndpointType"] -eq '#microsoft.graph.httpRequestEndpoint') { - $endpointConfiguration.Add("TargetUrl", $instance.EndPointConfiguration.AdditionalProperties["targetUrl"]) + $endpointConfigurationInstance.Add("TargetUrl", $instance.EndPointConfiguration.AdditionalProperties["targetUrl"]) } - if ($endpointConfiguration["EndpointType"] -eq '#microsoft.graph.logicAppTriggerEndpointConfiguration') + if ($endpointConfigurationInstance["EndpointType"] -eq '#microsoft.graph.logicAppTriggerEndpointConfiguration') { - $endpointConfiguration.Add("SubscriptionId", $instance.EndPointConfiguration.AdditionalProperties["subscriptionId"]) - $endpointConfiguration.Add("ResourceGroupName", $instance.EndPointConfiguration.AdditionalProperties["resourceGroupName"]) - $endpointConfiguration.Add("LogicAppWorkflowName", $instance.EndPointConfiguration.AdditionalProperties["logicAppWorkflowName"]) + $endpointConfigurationInstance.Add("SubscriptionId", $instance.EndPointConfiguration.AdditionalProperties["subscriptionId"]) + $endpointConfigurationInstance.Add("ResourceGroupName", $instance.EndPointConfiguration.AdditionalProperties["resourceGroupName"]) + $endpointConfigurationInstance.Add("LogicAppWorkflowName", $instance.EndPointConfiguration.AdditionalProperties["logicAppWorkflowName"]) } } - $claimsForTokenConfguration = @() + $ClaimsForTokenConfigurationInstance = @() if ($instance.AdditionalProperties -ne $null -and $instance.AdditionalProperties["claimsForTokenConfiguration"] -ne $null) { foreach ($claim in $instance.AdditionalProperties["claimsForTokenConfiguration"]) @@ -184,12 +189,12 @@ function Get-TargetResource ClaimIdInApiResponse = $claim.claimIdInApiResponse } - $claimsForTokenConfguration += $c + $ClaimsForTokenConfigurationInstance += $c } } - $results.Add('EndPointConfiguration', $endpointConfiguration) - $results.Add('ClaimsForTokenConfguration', $claimsForTokenConfguration) + $results.Add('EndPointConfiguration', $endpointConfigurationInstance) + $results.Add('ClaimsForTokenConfiguration', $ClaimsForTokenConfigurationInstance) return [System.Collections.Hashtable] $results } @@ -211,6 +216,7 @@ function Set-TargetResource [CmdletBinding()] param ( + [Parameter(Mandatory = $true)] [System.String] $DisplayName, @@ -245,7 +251,7 @@ function Set-TargetResource [Parameter()] [System.Int32] - $ClientConfigurationTimeoutMillisesonds, + $ClientConfigurationTimeoutMilliseconds, [Parameter()] [System.Int32] @@ -257,7 +263,7 @@ function Set-TargetResource [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] - $ClaimsForTokenConfguration, + $ClaimsForTokenConfiguration, [Parameter()] [System.Management.Automation.PSCredential] @@ -323,24 +329,24 @@ function Set-TargetResource timeoutInMilliseconds = $setParameters["ClientConfigurationTimeoutMilliseconds"] maximumRetries = $setParameters["ClientConfigurationMaximumRetries"] } - claimsForTokenConfguration = @() - } - - foreach ($claim in $setParameters["ClaimsForTokenConfguration"]) - { - $c = @{ - "claimIdInApiResponse" = $claim["ClaimIdInApiResponse"] - } - - $params["claimsForTokenConfiguration"] += $c } # CREATE if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { + $params.Add("ClaimsForTokenConfiguration", @()) + foreach ($claim in $setParameters["ClaimsForTokenConfiguration"]) + { + $c = @{ + "claimIdInApiResponse" = $claim["ClaimIdInApiResponse"] + } + + $params["claimsForTokenConfiguration"] += $c + } + $params.Remove('Id') | Out-Null Write-Verbose -Message "Creating new Custom authentication extension with display name {$DisplayName}" - New-MgBetaIdentityCustomAuthenticationExtension @params + New-MgBetaIdentityCustomAuthenticationExtension -BodyParameter $params } # UPDATE @@ -348,8 +354,22 @@ function Set-TargetResource { Write-Verbose -Message "Updating custom authentication extension {$DisplayName}" $params.Add('CustomAuthenticationExtensionId', $currentInstance.Id) + $params.Remove("@odata.type") | Out-Null $params.Remove('Id') | Out-Null - Update-MgBetaIdentityCustomAuthenticationExtension @SetParameters + + $params.Add("AdditionalProperties", @{}) + $params["AdditionalProperties"].Add("ClaimsForTokenConfiguration", @()) + + foreach ($claim in $setParameters["ClaimsForTokenConfiguration"]) + { + $c = @{ + "claimIdInApiResponse" = $claim["ClaimIdInApiResponse"] + } + + $params["AdditionalProperties"]["claimsForTokenConfiguration"] += $c + } + + Update-MgBetaIdentityCustomAuthenticationExtension @params } # REMOVE elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') @@ -365,6 +385,7 @@ function Test-TargetResource [OutputType([System.Boolean])] param ( + [Parameter(Mandatory = $true)] [System.String] $DisplayName, @@ -399,7 +420,7 @@ function Test-TargetResource [Parameter()] [System.Int32] - $ClientConfigurationTimeoutMillisesonds, + $ClientConfigurationTimeoutMilliseconds, [Parameter()] [System.Int32] @@ -411,7 +432,7 @@ function Test-TargetResource [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] - $ClaimsForTokenConfguration, + $ClaimsForTokenConfiguration, [Parameter()] [System.Management.Automation.PSCredential] @@ -458,6 +479,28 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + Write-Verbose "TestResult returned False for $source" + $testTargetResource = $false + } + else { + $ValuesToCheck.Remove($key) | Out-Null + } + } + } + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" @@ -547,7 +590,7 @@ function Export-TargetResource Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline $params = @{ Id = $config.Id - DisplayNames = $config.DisplayName + DisplayName = $config.DisplayName Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId @@ -557,6 +600,18 @@ function Export-TargetResource } $Results = Get-TargetResource @Params + + $endpointConfigurationCimString = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.EndpointConfiguration ` + -CIMInstanceName 'MSFT_AADCustomAuthenticationExtensionEndPointConfiguration' + + $ClaimsForTokenConfigurationCimString = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.ClaimsForTokenConfiguration ` + -CIMInstanceName 'MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration' + + $Results.EndPointConfiguration = $endpointConfigurationCimString + $Results.ClaimsForTokenConfiguration = $ClaimsForTokenConfigurationCimString + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results @@ -565,7 +620,19 @@ function Export-TargetResource -ModulePath $PSScriptRoot ` -Results $Results ` -Credential $Credential + + if ($Results.EndPointConfiguration -ne $null) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "EndPointConfiguration" + } + + if ($Results.ClaimsForTokenConfiguration -ne $null) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "ClaimsForTokenConfiguration" -IsCIMArray $true + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName $i++ diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.schema.mof index 4d34f0d3ef..6382d10037 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.schema.mof @@ -1,15 +1,32 @@ +[ClassVersion("1.0.0.0")] +class MSFT_AADCustomAuthenticationExtensionEndPointConfiguration +{ + [Write, Description("Defines the type of the endpoint configuration")] String EndpointType; + [Write, Description("Defines the workflow name for the logic app")] String LogicAppWorkflowName; + [Write, Description("Defines the resource group name for the logic app")] String ResourceGroupName; + [Write, Description("Defines the subscription id for the logic app")] String SubscriptionId; + [Write, Description("Defines the target url for the http endpoint")] String TargetUrl; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration +{ + [Write, Description("Defines the claim id in api response.")] String ClaimIdInApiResponse; +}; + [ClassVersion("1.0.0.0"), FriendlyName("AADCustomAuthenticationExtension")] class MSFT_AADCustomAuthenticationExtension : OMI_BaseResource { [Key, Description("Display Name of the custom security attribute. Must be unique within an attribute set. Can be up to 32 characters long and include Unicode characters. Can't contain spaces or special characters. Can't be changed later. Case sensitive.")] String DisplayName; [Write, Description("Unique identifier of the Attribute Definition.")] String Id; + [Write, Description("Defines the custom authentication extension type.")] String CustomAuthenticationExtensionType; [Write, Description("Description of the custom security attribute. Can be up to 128 characters long and include Unicode characters. Can't contain spaces or special characters. Can be changed later. ")] String Description; [Write, Description("Defines the authentication configuration type")] String AuthenticationConfigurationType; [Write, Description("Defines the authentication configuration resource id")] String AuthenticationConfigurationResourceId; - [Write, Description("Defines the client configuration timeout in milliseconds")] UInt32 ClientConfigurationTimeoutMullisesonds; + [Write, Description("Defines the client configuration timeout in milliseconds")] UInt32 ClientConfigurationTimeoutMilliseconds; [Write, Description("Defines the client configuration max retries")] UInt32 ClientConfigurationMaximumRetries; [Write, Description("Defines the endpoint configuration"), EmbeddedInstance("MSFT_AADCustomAuthenticationExtensionEndPointConfiguration")] String EndpointConfiguration; - [Write, Description("Defines the list of claims for token configurations"), EmbeddedInstance("MSFT_AADCustomAuthenticationExtensionEndPointConfiguration")] String ClaimsForTokenConfguration[]; + [Write, Description("Defines the list of claims for token configurations"), EmbeddedInstance("MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration")] String ClaimsForTokenConfiguration[]; [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; @@ -19,19 +36,3 @@ class MSFT_AADCustomAuthenticationExtension : OMI_BaseResource [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; [Write, Description("Access token used for authentication.")] String AccessTokens[]; }; - -[ClassVersion("1.0.0.0"), FriendlyName("AADCustomAuthenticationExtensionEndPointConfiguration")] -class MSFT_AADCustomAuthenticationExtensionEndPointConfiguration -{ - [Write, Description("Defines the type of the endpoint configuration")] String EndpointType; - [Write, Description("Defines the workflow name for the logic app")] String LogicAppWorkflowName; - [Write, Description("Defines the resource group name for the logic app")] String ResourceGroupName; - [Write, Description("Defines the subscription id for the logic app")] String SubscriptionId; - [Write, Description("Defines the target url for the http endpoint")] String TargetUrl; -} - -[ClassVersion("1.0.0.0"), FriendlyName("AADCustomAuthenticationExtensionClaimForTokenConfguration")] -class MSFT_AADCustomAuthenticationExtensionClaimForTokenConfguration -{ - [Write, Description("Defines the claim id in api response.")] String ClaimIdInApiResponse; -} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/1-Create.ps1 new file mode 100644 index 0000000000..7091be751f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/1-Create.ps1 @@ -0,0 +1,52 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1" + { + AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013" + AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication" + ClaimsForTokenConfiguration = @( + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'MyClaim' + } + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'My2ndClaim' + } + ) + ClientConfigurationMaximumRetries = 1 + ClientConfigurationTimeoutMilliseconds = 2000 + CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension" + Description = "DSC Testing 1" + DisplayName = "DSCTestExtension" + EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{ + EndpointType = '#microsoft.graph.httpRequestEndpoint' + TargetUrl = 'https://Microsoft365DSC.com' + } + Ensure = "Present"; + Id = "11105949-846e-42a1-a873-f12db8345013" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/2-Update.ps1 new file mode 100644 index 0000000000..7091be751f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/2-Update.ps1 @@ -0,0 +1,52 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1" + { + AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013" + AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication" + ClaimsForTokenConfiguration = @( + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'MyClaim' + } + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'My2ndClaim' + } + ) + ClientConfigurationMaximumRetries = 1 + ClientConfigurationTimeoutMilliseconds = 2000 + CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension" + Description = "DSC Testing 1" + DisplayName = "DSCTestExtension" + EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{ + EndpointType = '#microsoft.graph.httpRequestEndpoint' + TargetUrl = 'https://Microsoft365DSC.com' + } + Ensure = "Present"; + Id = "11105949-846e-42a1-a873-f12db8345013" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/3-Remove.ps1 new file mode 100644 index 0000000000..1b48def3ec --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/3-Remove.ps1 @@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1" + { + DisplayName = "DSCTestExtension" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADCustomAuthenticationExtension.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADCustomAuthenticationExtension.Tests.ps1 new file mode 100644 index 0000000000..828ee261ff --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADCustomAuthenticationExtension.Tests.ps1 @@ -0,0 +1,186 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADCustomAuthenticationExtension" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaIdentityCustomAuthenticationExtension -MockWith { + } + + Mock -CommandName New-MgBetaIdentityCustomAuthenticationExtension -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityCustomAuthenticationExtension -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $False + } + + # Test Contexts + Context -Name "The AADCustomAuthenticationExtension should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "testcustomextension" + Description = "test description" + Ensure = "Present" + Credential = $Credential + } + + Mock -CommandName Get-MgBetaIdentityCustomAuthenticationExtension -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityCustomAuthenticationExtension -Exactly 1 + } + } + + Context -Name 'The AADCustomAuthenticationExtension exists but it should not' -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "testcustomextension" + Description = "test description" + Ensure = "Absent" + Credential = $Credential + CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension" + AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication" + AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/a5352e69-55c0-4160-b4b5-03d034d842f" + ClientConfigurationTimeoutMilliseconds = 2000 + ClientConfigurationMaximumRetries = 1 + Id = "1f0c894f-d068-4f9c-af71-81d602569ad1" + ClaimsForTokenConfiguration = @() + } + + Mock -CommandName Get-MgBetaIdentityCustomAuthenticationExtension -MockWith { + $customextension = New-Object PSCustomObject + $customextension | Add-Member -MemberType NoteProperty -Name DisplayName -Value "testcustomextension" + $customextension | Add-Member -MemberType NoteProperty -Name Description -Value "test description" + $customextension | Add-Member -MemberType NoteProperty -Name Id -Value "1f0c894f-d068-4f9c-af71-81d602569ad1" + + return $customextension + } + } + + It 'Should return values from the get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + Should -Invoke -CommandName 'Get-MgBetaIdentityCustomAuthenticationExtension' -Exactly 1 + } + + It 'Should return false from the test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the app from the set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'Remove-MgBetaIdentityCustomAuthenticationExtension' -Exactly 1 + } + } + + Context -Name 'The AADCustomAuthenticationExtension exists and values are in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "testcustomextension" + Description = "test description" + Ensure = "Present" + Id = "1f0c894f-d068-4f9c-af71-81d602569ad1" + } + + Mock -CommandName Get-MgBetaIdentityCustomAuthenticationExtension -MockWith { + $customextension = New-Object PSCustomObject + $customextension | Add-Member -MemberType NoteProperty -Name DisplayName -Value "testcustomextension" + $customextension | Add-Member -MemberType NoteProperty -Name Description -Value "test description" + $customextension | Add-Member -MemberType NoteProperty -Name Id -Value "1f0c894f-d068-4f9c-af71-81d602569ad1" + + return $customextension + } + } + + It 'Should return values from the get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + Should -Invoke -CommandName 'Get-MgBetaIdentityCustomAuthenticationExtension' -Exactly 1 + } + + It 'Should return false from the test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name 'The AADCustomAuthenticationExtension exists and values are not in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "testcustomextension" + Description = "test description modified" + Ensure = "Present" + Id = "1f0c894f-d068-4f9c-af71-81d602569ad1" + } + + Mock -CommandName Get-MgBetaIdentityCustomAuthenticationExtension -MockWith { + $customextension = New-Object PSCustomObject + $customextension | Add-Member -MemberType NoteProperty -Name DisplayName -Value "testcustomextension" + $customextension | Add-Member -MemberType NoteProperty -Name Description -Value "test description" + $customextension | Add-Member -MemberType NoteProperty -Name Id -Value "1f0c894f-d068-4f9c-af71-81d602569ad1" + + return $customextension + } + } + + It 'Should return values from the get method' { + Get-TargetResource @testParams + Should -Invoke -CommandName 'Get-MgBetaIdentityCustomAuthenticationExtension' -Exactly 1 + } + + It 'Should return false from the test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'Update-MgBetaIdentityCustomAuthenticationExtension' -Exactly 1 + } + } + } +} diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index 816dc46565..7120b986b2 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 @@ -30,6 +30,7 @@ function Get-MgBetaPolicyAdminConsentRequestPolicy param() } + #region Microsoft.Graph.Beta.Applications function Get-MgBetaApplication { @@ -18283,7 +18284,305 @@ function Invoke-MgGraphRequest $Headers ) } + +function New-MgBetaIdentityCustomAuthenticationExtension +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Collections.Hashtable] + $EndpointConfiguration, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $ClientConfiguration, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Collections.Hashtable] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Update-MgBetaIdentityCustomAuthenticationExtension +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Collections.Hashtable] + $EndpointConfiguration, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $ClientConfiguration, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $CustomAuthenticationExtensionId, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Collections.Hashtable] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaIdentityCustomAuthenticationExtension +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String] + $CustomAuthenticationExtensionId, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Remove-MgBetaIdentityCustomAuthenticationExtension +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.String] + $CustomAuthenticationExtensionId, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} #endregion + #region Microsoft.Graph.Beta.DeviceManagement function Get-MgBetaDeviceManagement { From bfca5ba34af49b4774972ec2006258a8f111770e Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Mon, 21 Oct 2024 12:30:18 +0100 Subject: [PATCH 20/98] Fix permissions in settings.json --- CHANGELOG.md | 6 ++++++ .../settings.json | 12 +++++++++-- .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 12 +++++++++++ .../settings.json | 6 ++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 12 +++++++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 3 +++ .../settings.json | 6 ++++++ .../settings.json | 6 ++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../MSFT_IntunePolicySets/settings.json | 20 +++++++++++++++++-- .../MSFT_IntuneRoleAssignment/settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ .../settings.json | 12 +++++++++++ 85 files changed, 877 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 756b3e9f19..dd2fc36998 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,8 +4,14 @@ * AADAccessReviewDefinition * Initial release. +* AADCustomSecurityAttributeDefinition + * Fixed missing permissions in settings.json * AADIdentityGovernanceProgram * Initial release. +* AADSocialIdentityProvider + * Fixed missing permissions in settings.json +* Intune workload + * Fixed missing permissions in settings.json * SPOTenantSettings * Added support for AllowSelectSGsInODBListInTenant, DenySelectSGsInODBListInTenant, DenySelectSecurityGroupsInSPSitesList, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/settings.json index 9381adbf42..a35e974098 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/settings.json @@ -12,8 +12,16 @@ "permissions": { "graph": { "delegated": { - "read": [], - "update": [] + "read": [ + { + "name": "CustomSecAttributeDefinition.Read.All" + } + ], + "update": [ + { + "name": "CustomSecAttributeDefinition.ReadWrite.All" + } + ] }, "application": { "read": [ diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/settings.json index 18de6335a5..858c10b94f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/settings.json @@ -13,8 +13,14 @@ "graph": { "delegated": { "read": [ + { + "name": "IdentityProvider.Read.All" + } ], "update": [ + { + "name": "IdentityProvider.ReadWrite.All" + } ] }, "application": { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json index 0250bfc33a..e3c1d8a2ee 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json index 7f3c9f6cc3..8e0c3442a4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json index d6aeda8c71..1c2a8b1d80 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json index 1d0cdf0573..7fb501a21b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/settings.json index a20915a6b7..7e45256fd1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json index 307c2f8403..0489d61a43 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json index fe0c097e79..6f8ca8d487 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/settings.json index 9e60b9ada3..57be974d43 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json index e5bfa4dcaf..b6d0af3e02 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json index 10e50f1081..315a58a821 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json index 270c79777d..ec5cecf736 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json index 0bd2d39195..de96e82e6e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/settings.json index 5f0f5f1c8b..6057c5b021 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json index 6ce0bedcec..568542e5bc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json index d32693cec5..83fe077865 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json index ab503e6e12..2a02222c6a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json index bd59e189c5..d426ac83cb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json index 876c98b3c1..f99b98df4a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json index 4f70de0036..d08714575d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json index 4636671998..88bde5e09c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json index 59369d197b..1309114462 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json index 1ec45e354d..a9710165fc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json index ad18510898..7bee7e4a38 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json index 2ebe5a545e..7f3828149e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json @@ -28,6 +28,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json index 7f59aea637..a9514693a2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json index eb9da4aa9e..3acddb9169 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/settings.json index 0ff407f836..9e4b185543 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/settings.json index 876ce379ca..98abdb2c2b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/settings.json index d5d83f0b7f..d30f15580a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/settings.json index 7853f50eb7..7bc21f184f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/settings.json index 66190b15e9..4b9ef1bb53 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/settings.json index f08c5923b0..5b45219916 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/settings.json index c592a86cab..a89fd6923c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/settings.json index 2923dc7038..2e66e44c69 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, @@ -13,6 +16,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" }, @@ -23,6 +29,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, @@ -31,6 +40,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" }, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/settings.json index 8851545142..b01c36ed5d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/settings.json index d3a3c44787..d101037f68 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/settings.json index ea7bf4e312..e6117602b1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/settings.json index 1c86cfd292..bc1a6d1b7f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/settings.json index 9113736e64..99867d0c33 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/settings.json index 13e3014ede..25310db748 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/settings.json index 81fb935ab5..2ecb0e308d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/settings.json index d7181b6d6d..85b689c6d5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/settings.json index 854402cc59..8812b2ccd2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/settings.json index 5b10130496..db1d9e82e6 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/settings.json index e65c087644..052b0d3143 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/settings.json index d9683c421c..68a260efb4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/settings.json index bc61bbaa65..e5bc5b667d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/settings.json index e2fa434298..905ce1cdc7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json index 750c8444e2..942c440c54 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/settings.json index 14d53ad6c0..ce6301407a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/settings.json index 0c1c8f9933..9ad80f0947 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, @@ -16,6 +19,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" }, @@ -29,6 +35,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, @@ -40,6 +49,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" }, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/settings.json index 1b08179b72..d2f13930e3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/settings.json @@ -5,11 +5,17 @@ "graph": { "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, @@ -20,11 +26,17 @@ }, "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/settings.json index cacdc9cd53..404582571b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionWindows10/settings.json index 861f452495..c0b019f8fb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionWindows10/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyLinux/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyLinux/settings.json index 84a108a641..33f7eaeed0 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyLinux/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyLinux/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyMacOS/settings.json index e948d6df87..73dac608fe 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyMacOS/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/settings.json index 204badf15c..252f77a1aa 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/settings.json index babe2f5775..a859ae39a8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneFirewallPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneFirewallPolicyWindows10/settings.json index 74e36b3081..293b222bff 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneFirewallPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneFirewallPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } ], "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,11 +23,17 @@ }, "application": { "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } ], "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/settings.json index 3e70ad560b..38c9bf4cd7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json index a9bd04b5fa..16e9c3c07d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/settings.json index d554d6a3d1..4439bab90a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/settings.json @@ -5,22 +5,38 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ - + { + "name": "Group.Read.All" + }, + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } ] }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ - + { + "name": "Group.Read.All" + }, + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } ] } } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/settings.json index d0b58f2960..3e0874d1bf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementRBAC.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementRBAC.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementRBAC.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementRBAC.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json index 4bda1f09ca..0906af650b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json index 67b62b373e..25e6e71739 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json @@ -5,11 +5,17 @@ "graph": { "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/settings.json index b13be8da58..8545fd14cb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/settings.json index dcbdf86350..c29e518ded 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/settings.json index 29a31d1028..d97cec5ff2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/settings.json index 18c0618cda..73fbade06c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/settings.json index 4267d74c45..3418a6b113 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/settings.json index 74ae1c2be6..d9b467444e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/settings.json index 9b9968c82c..5584392a17 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/settings.json index e229470448..f4bc5e9e20 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/settings.json index e2103fd3aa..f83e95e9c8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/settings.json index c7365f3655..2ba6389c60 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/settings.json index 47581b03eb..c742e7a27c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/settings.json index 4139c67ca6..b6286b0fe9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/settings.json index 6becde2ab8..46a9440921 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/settings.json index ceffeec248..57c4bcc23a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/settings.json index ba73714015..40740285ca 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10/settings.json index 26b6907b55..836f8affe2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/settings.json index 918161498c..5eeb656602 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } From 2de919a53b85f1f8d6d268363eb73bce6e08a410 Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Mon, 21 Oct 2024 17:36:34 +0530 Subject: [PATCH 21/98] initial commit --- .../MSFT_AADIdentityAPIConnector.psm1 | 566 ++++++++++++++++++ .../MSFT_AADIdentityAPIConnector.schema.mof | 18 + .../MSFT_AADIdentityAPIConnector/readme.md | 6 + .../settings.json | 25 + ...ft365DSC.AADIdentityAPIConnector.Tests.ps1 | 317 ++++++++++ Tests/Unit/Stubs/Microsoft365.psm1 | 287 +++++++++ 6 files changed, 1219 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/settings.json create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 new file mode 100644 index 0000000000..1c6c4bc75d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 @@ -0,0 +1,566 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Username, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Password, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Pkcs12Value, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaIdentityAPIConnector -IdentityApiConnectorId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Identity A P I Connector with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaIdentityAPIConnector ` + -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue | Where-Object ` + -FilterScript { + $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.IdentityApiConnector" + } + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Identity API Connector with DisplayName {$DisplayName}." + return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Azure AD Identity API Connector with Id {$Id} and DisplayName {$DisplayName} was found" + + #region resource generator code + $complexAuthenticationConfiguration = @{} + + if($null -ne $getValue.AuthenticationConfiguration.AdditionalProperties.password) { + $securePassword = ConvertTo-SecureString $getValue.AuthenticationConfiguration.AdditionalProperties.password -AsPlainText -Force + + $Password = New-Object System.Management.Automation.PSCredential ('Password', $securePassword) + } + + if($null -ne $getValue.AuthenticationConfiguration.AdditionalProperties.pkcs12Value) { + $securePassword = ConvertTo-SecureString $getValue.AuthenticationConfiguration.AdditionalProperties.pkcs12Value -AsPlainText -Force + + $pkcs12Value = New-Object System.Management.Automation.PSCredential ('pkcs12Value', $securePassword) + } + #endregion + + $results = @{ + #region resource generator code + DisplayName = $getValue.DisplayName + TargetUrl = $getValue.TargetUrl + Id = $getValue.Id + Username = $getValue.AuthenticationConfiguration.AdditionalProperties.username + Password = $Password + Pkcs12Value = $pkcs12Value + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Username, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Password, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Pkcs12Value, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Azure AD Identity API Connector with DisplayName {$DisplayName}" + + $createParameters = ([Hashtable]$BoundParameters).Clone() + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + $createParameters.Remove('Id') | Out-Null + + $createParameters.Remove('Password') | Out-Null + $createParameters.Remove('Pkcs12Value') | Out-Null + + $createParameters.Add("AuthenticationConfiguration", @{ + '@odata.type' = "microsoft.graph.basicAuthentication" + "password" = $Password.GetNetworkCredential().Password + "username" = $Username + }) + + $createParameters.Add("@odata.type", "#microsoft.graph.IdentityApiConnector") + $policy = New-MgBetaIdentityAPIConnector -BodyParameter $createParameters + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Identity API Connector with Id {$($currentInstance.Id)}" + + $updateParameters = ([Hashtable]$BoundParameters).Clone() + $updateParameters = Rename-M365DSCCimInstanceParameter -Properties $updateParameters + + $updateParameters.Remove('Id') | Out-Null + + $updateParameters.Remove('Password') | Out-Null + $updateParameters.Remove('Pkcs12Value') | Out-Null + + $updateParameters.Add("AuthenticationConfiguration", @{ + '@odata.type' = "microsoft.graph.basicAuthentication" + "password" = $Password.GetNetworkCredential().Password + "username" = $Username + }) + + $UpdateParameters.Add("@odata.type", "#microsoft.graph.IdentityApiConnector") + Update-MgBetaIdentityAPIConnector ` + -IdentityApiConnectorId $currentInstance.Id ` + -BodyParameter $UpdateParameters + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Azure AD Identity API Connector with Id {$($currentInstance.Id)}" + Remove-MgBetaIdentityAPIConnector -IdentityApiConnectorId $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Username, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Password, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Pkcs12Value, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Identity A P I Connector with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck.Remove('Password') | Out-Null + $ValuesToCheck.Remove('Pkcs12Value') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaIdentityAPIConnector ` + -Filter $Filter ` + -All ` + -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results.Password = "New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString ((New-Guid).ToString()) -AsPlainText -Force));" + + $Results.Pkcs12Value = "New-Object System.Management.Automation.PSCredential('Pkcs12Value', (ConvertTo-SecureString ((New-Guid).ToString()) -AsPlainText -Force));" + + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Pkcs12Value' + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Password' + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof new file mode 100644 index 0000000000..7c359ad403 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof @@ -0,0 +1,18 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADIdentityAPIConnector")] +class MSFT_AADIdentityAPIConnector : OMI_BaseResource +{ + [Required, Description("The name of the API connector.")] String DisplayName; + [Write, Description("The URL of the API endpoint to call.")] String TargetUrl; + [Key, Description("The unique identifier for an entity. Read-only.")] String Id; + [Write, Description("The username of the password")] String Username; + [Write, Description("The password of certificate/basic auth"), EmbeddedInstance("MSFT_Credential")] String Password; + [Write, Description("The Pkcs12Value of the certificate"), EmbeddedInstance("MSFT_Credential")] String Pkcs12Value; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/readme.md new file mode 100644 index 0000000000..cfafce7110 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/readme.md @@ -0,0 +1,6 @@ + +# AADIdentityAPIConnector + +## Description + +Azure AD Identity API Connector diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/settings.json new file mode 100644 index 0000000000..327fd87153 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/settings.json @@ -0,0 +1,25 @@ +{ + "resourceName": "AADIdentityAPIConnector", + "description": "This resource configures an Azure AD Identity A P I Connector.", + "permissions": { + "graph": { + "delegated": { + "read": [ + + ], + "update": [ + + ] + }, + "application": { + "read": [ + + ], + "update": [ + + ] + } + } +} + +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 new file mode 100644 index 0000000000..18e4a5281a --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 @@ -0,0 +1,317 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADIdentityAPIConnector" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaIdentityAPIConnector -MockWith { + } + + Mock -CommandName New-MgBetaIdentityAPIConnector -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityAPIConnector -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADIdentityAPIConnector should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + AuthenticationConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphapiAuthenticationConfigurationBase -Property @{ + Password = "FakeStringValue" + Pkcs12Value = "FakeStringValue" + CertificateList = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphpkcs12CertificateInformation -Property @{ + IsActive = $True + NotAfter = $True + Thumbprint = "FakeStringValue" + NotBefore = $True + } -ClientOnly) + ) + Username = "FakeStringValue" + odataType = "#microsoft.graph.basicAuthentication" + } -ClientOnly) + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + TargetUrl = "FakeStringValue" + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityAPIConnector -Exactly 1 + } + } + + Context -Name "The AADIdentityAPIConnector exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + AuthenticationConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphapiAuthenticationConfigurationBase -Property @{ + Password = "FakeStringValue" + Pkcs12Value = "FakeStringValue" + CertificateList = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphpkcs12CertificateInformation -Property @{ + IsActive = $True + NotAfter = $True + Thumbprint = "FakeStringValue" + NotBefore = $True + } -ClientOnly) + ) + Username = "FakeStringValue" + odataType = "#microsoft.graph.basicAuthentication" + } -ClientOnly) + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + TargetUrl = "FakeStringValue" + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.IdentityApiConnector" + } + AuthenticationConfiguration = @{ + '@odata.type' = "#microsoft.graph.basicAuthentication" + Pkcs12Value = "FakeStringValue" + Password = "FakeStringValue" + Username = "FakeStringValue" + CertificateList = @( + @{ + IsActive = $True + NotAfter = $True + Thumbprint = "FakeStringValue" + NotBefore = $True + } + ) + } + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + TargetUrl = "FakeStringValue" + + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaIdentityAPIConnector -Exactly 1 + } + } + Context -Name "The AADIdentityAPIConnector Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AuthenticationConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphapiAuthenticationConfigurationBase -Property @{ + Password = "FakeStringValue" + Pkcs12Value = "FakeStringValue" + CertificateList = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphpkcs12CertificateInformation -Property @{ + IsActive = $True + NotAfter = $True + Thumbprint = "FakeStringValue" + NotBefore = $True + } -ClientOnly) + ) + Username = "FakeStringValue" + odataType = "#microsoft.graph.basicAuthentication" + } -ClientOnly) + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + TargetUrl = "FakeStringValue" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.IdentityApiConnector" + } + AuthenticationConfiguration = @{ + '@odata.type' = "#microsoft.graph.basicAuthentication" + Pkcs12Value = "FakeStringValue" + Password = "FakeStringValue" + Username = "FakeStringValue" + CertificateList = @( + @{ + IsActive = $True + NotAfter = $True + Thumbprint = "FakeStringValue" + NotBefore = $True + } + ) + } + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + TargetUrl = "FakeStringValue" + + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADIdentityAPIConnector exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AuthenticationConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphapiAuthenticationConfigurationBase -Property @{ + Password = "FakeStringValue" + Pkcs12Value = "FakeStringValue" + CertificateList = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphpkcs12CertificateInformation -Property @{ + IsActive = $True + NotAfter = $True + Thumbprint = "FakeStringValue" + NotBefore = $True + } -ClientOnly) + ) + Username = "FakeStringValue" + odataType = "#microsoft.graph.basicAuthentication" + } -ClientOnly) + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + TargetUrl = "FakeStringValue" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return @{ + AuthenticationConfiguration = @{ + '@odata.type' = "#microsoft.graph.basicAuthentication" + Pkcs12Value = "FakeStringValue" + Password = "FakeStringValue" + Username = "FakeStringValue" + CertificateList = @( + @{ + Thumbprint = "FakeStringValue" + } + ) + } + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + TargetUrl = "FakeStringValue" + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaIdentityAPIConnector -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.IdentityApiConnector" + } + AuthenticationConfiguration = @{ + '@odata.type' = "#microsoft.graph.basicAuthentication" + Pkcs12Value = "FakeStringValue" + Password = "FakeStringValue" + Username = "FakeStringValue" + CertificateList = @( + @{ + IsActive = $True + NotAfter = $True + Thumbprint = "FakeStringValue" + NotBefore = $True + } + ) + } + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + TargetUrl = "FakeStringValue" + + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index cdcf592740..f44a1bebb7 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 @@ -97638,3 +97638,290 @@ function Invoke-PnPSPRestMethod $Content ) } +#region MgBetaIdentityAPIConnector +function Get-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $IdentityApiConnectorId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param + ( + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $IdentityApiConnectorId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $IdentityApiConnectorId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +#endregion + From 7a1568241f712499b32256018d77ff4148a9d61a Mon Sep 17 00:00:00 2001 From: "Arpita Mohapatra (from Dev Box)" Date: Mon, 21 Oct 2024 18:46:42 +0530 Subject: [PATCH 22/98] intial changes --- ...MSFT_EXOMailboxAuditBypassAssociation.psm1 | 343 ++++++++++++++++++ ...XOMailboxAuditBypassAssociation.schema.mof | 13 + .../readme.md | 5 + .../settings.json | 35 ++ .../2-Update.ps1 | 34 ++ ...EXOMailboxAuditBypassAssociation.Tests.ps1 | 162 +++++++++ Tests/Unit/Stubs/Microsoft365.psm1 | 26 ++ 7 files changed, 618 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/Resources/EXOMailboxAuditBypassAssociation/2-Update.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxAuditBypassAssociation.Tests.ps1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.psm1 new file mode 100644 index 0000000000..b38f64321c --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.psm1 @@ -0,0 +1,343 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.Boolean] + $AuditBypassEnabled, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Identity -eq $Identity} + } + else + { + $instance = Get-MailboxAuditBypassAssociation -Identity $Identity -ErrorAction Stop + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Identity = [System.String]$Identity + AuditBypassEnabled = [System.Boolean]$instance.AuditBypassEnabled + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.Boolean] + $AuditBypassEnabled, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + Set-MailboxAuditBypassAssociation @SetParameters +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.Boolean] + $AuditBypassEnabled, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters + + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MailboxAuditBypassAssociation -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + $displayedKey = $config.Identity + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Identity = $config.Identity + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.schema.mof new file mode 100644 index 0000000000..59381b5ba7 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.schema.mof @@ -0,0 +1,13 @@ +[ClassVersion("1.0.0.0"), FriendlyName("EXOMailboxAuditBypassAssociation")] +class MSFT_EXOMailboxAuditBypassAssociation : OMI_BaseResource +{ + [Key, Description("The Identity parameter specifies the user account or computer account where you want to view the value of the AuditBypassEnabled property.")] String Identity; + [Write, Description("The AuditBypassEnabled parameter specifies whether audit bypass is enabled for the user or computer.")] Boolean AuditBypassEnabled; + [Write, Description("Specifies if this instance should exist."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/readme.md new file mode 100644 index 0000000000..092c6a9914 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/readme.md @@ -0,0 +1,5 @@ +# EXOMailboxAuditBypassAssociation + +## Description + +Use the Set-MailboxAuditBypassAssociation cmdlet to configure mailbox audit logging bypass for user or computer accounts such as service accounts for applications that access mailboxes frequently. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json new file mode 100644 index 0000000000..cbacd227bb --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json @@ -0,0 +1,35 @@ +{ + "resourceName": "EXOJournalRule", + "description": "", + "roles": { + "read": [ + "Global Reader" + ], + "update": [ + "Exchange Administrator" + ] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + }, + "exchange": { + "requiredroles": [ + "Compliance Admin", + "View-Only Configuration", + "Journaling" + ], + "requiredrolegroups": [ + "Organization Management", + "Compliance Management" + ] + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxAuditBypassAssociation/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxAuditBypassAssociation/2-Update.ps1 new file mode 100644 index 0000000000..0d7c78206c --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxAuditBypassAssociation/2-Update.ps1 @@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOMailboxAuditBypassAssociation "EXOMailboxAuditBypassAssociation-Test" + { + AuditBypassEnabled = $True; #Updated Property + Credential = $Credscredential; + Ensure = "Present"; + Identity = "TestMailbox109"; + } + } +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxAuditBypassAssociation.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxAuditBypassAssociation.Tests.ps1 new file mode 100644 index 0000000000..882ae49894 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxAuditBypassAssociation.Tests.ps1 @@ -0,0 +1,162 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Set-MailboxAuditBypassAssociation -MockWith { + return $null + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + + Context -Name 'Settings are not in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + AuditBypassEnabled = $False; + Credential = $Credscredential; + Ensure = "Present"; + Identity = "TestMailbox109"; + } + + Mock -CommandName Get-MailboxAuditBypassAssociation -MockWith { + return @{ + AuditBypassEnabled = $True; #Drift + Credential = $Credscredential; + Ensure = "Present"; + Identity = "TestMailbox109"; + } + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-MailboxAuditBypassAssociation -Exactly 1 + } + + It 'Should return Present from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + } + + Context -Name 'Settings are already in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + AuditBypassEnabled = $False; + Credential = $Credscredential; + Ensure = "Present"; + Identity = "TestMailbox109"; + } + + Mock -CommandName Get-MailboxAuditBypassAssociation -MockWith { + return @{ + AuditBypassEnabled = $False; + Credential = $Credscredential; + Ensure = "Present"; + Identity = "TestMailbox109"; + } + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + + It 'Should return Present from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + } + + Context -Name "User doesn't exist" -Fixture { + BeforeAll { + $testParams = @{ + AuditBypassEnabled = $False; + Credential = $Credscredential; + Ensure = "Present"; + Identity = "TestMailbox109"; + } + + Mock -CommandName Get-MailboxAuditBypassAssociation -MockWith { + return $null + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should return Absent from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + } + + + + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MailboxAuditBypassAssociation -MockWith { + return @{ + AuditBypassEnabled = $False; + Credential = $Credscredential; + Ensure = "Present"; + Identity = "TestMailbox109"; + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index cdcf592740..2578db280b 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 @@ -2768,6 +2768,19 @@ function Get-Mailbox $IncludeEmailAddressDisplayNames ) } +function Get-MailboxAuditBypassAssociation +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Object] + $ResultSize + ) +} function Get-MailboxAutoReplyConfiguration { [CmdletBinding()] @@ -12123,6 +12136,19 @@ function Set-Mailbox $MessageTrackingReadStatusEnabled ) } +function Set-MailboxAuditBypassAssociation +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Boolean] + $AuditBypassEnabled, + + [Parameter()] + [System.Object] + $Identity + ) +} function Set-MailboxAutoReplyConfiguration { [CmdletBinding()] From 2cdb527742c05cbe661ecffa417739d12c25b4cd Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 21 Oct 2024 13:38:17 +0000 Subject: [PATCH 23/98] Updated Resources and Cmdlet documentation pages --- .../azure-ad/AADCustomSecurityAttributeDefinition.md | 4 ++-- docs/docs/resources/azure-ad/AADSocialIdentityProvider.md | 4 ++-- .../resources/intune/IntuneASRRulesPolicyWindows10.md | 4 ++-- ...tProtectionLocalAdministratorPasswordSolutionPolicy.md | 4 ++-- ...tuneAccountProtectionLocalUserGroupMembershipPolicy.md | 4 ++-- .../resources/intune/IntuneAccountProtectionPolicy.md | 4 ++-- .../intune/IntuneAccountProtectionPolicyWindows10.md | 8 ++++---- .../IntuneAntivirusPolicyWindows10SettingCatalog.md | 4 ++-- .../intune/IntuneAppAndBrowserIsolationPolicyWindows10.md | 8 ++++---- .../intune/IntuneAppConfigurationDevicePolicy.md | 8 ++++---- .../docs/resources/intune/IntuneAppConfigurationPolicy.md | 4 ++-- .../resources/intune/IntuneAppProtectionPolicyAndroid.md | 4 ++-- .../docs/resources/intune/IntuneAppProtectionPolicyiOS.md | 4 ++-- .../intune/IntuneApplicationControlPolicyWindows10.md | 4 ++-- ...ckSurfaceReductionRulesPolicyWindows10ConfigManager.md | 8 ++++---- .../intune/IntuneDeviceCompliancePolicyAndroid.md | 4 ++-- .../IntuneDeviceCompliancePolicyAndroidDeviceOwner.md | 4 ++-- .../IntuneDeviceCompliancePolicyAndroidWorkProfile.md | 4 ++-- .../resources/intune/IntuneDeviceCompliancePolicyMacOS.md | 4 ++-- .../intune/IntuneDeviceCompliancePolicyWindows10.md | 4 ++-- .../resources/intune/IntuneDeviceCompliancePolicyiOs.md | 4 ++-- ...eConfigurationAdministrativeTemplatePolicyWindows10.md | 4 ++-- .../IntuneDeviceConfigurationCustomPolicyWindows10.md | 4 ++-- ...urationDefenderForEndpointOnboardingPolicyWindows10.md | 4 ++-- ...iceConfigurationDeliveryOptimizationPolicyWindows10.md | 4 ++-- .../IntuneDeviceConfigurationDomainJoinPolicyWindows10.md | 2 +- ...ntuneDeviceConfigurationEmailProfilePolicyWindows10.md | 4 ++-- ...eviceConfigurationEndpointProtectionPolicyWindows10.md | 4 ++-- ...DeviceConfigurationFirmwareInterfacePolicyWindows10.md | 8 ++++---- ...urationHealthMonitoringConfigurationPolicyWindows10.md | 8 ++++---- ...eviceConfigurationIdentityProtectionPolicyWindows10.md | 8 ++++---- ...eConfigurationImportedPfxCertificatePolicyWindows10.md | 8 ++++---- .../IntuneDeviceConfigurationKioskPolicyWindows10.md | 8 ++++---- ...neDeviceConfigurationNetworkBoundaryPolicyWindows10.md | 8 ++++---- ...neDeviceConfigurationPkcsCertificatePolicyWindows10.md | 8 ++++---- .../IntuneDeviceConfigurationPlatformScriptMacOS.md | 8 ++++---- ...DeviceConfigurationPolicyAndroidDeviceAdministrator.md | 8 ++++---- .../IntuneDeviceConfigurationPolicyAndroidDeviceOwner.md | 8 ++++---- ...neDeviceConfigurationPolicyAndroidOpenSourceProject.md | 8 ++++---- .../IntuneDeviceConfigurationPolicyAndroidWorkProfile.md | 8 ++++---- .../intune/IntuneDeviceConfigurationPolicyMacOS.md | 8 ++++---- .../intune/IntuneDeviceConfigurationPolicyWindows10.md | 8 ++++---- .../intune/IntuneDeviceConfigurationPolicyiOS.md | 8 ++++---- ...neDeviceConfigurationScepCertificatePolicyWindows10.md | 8 ++++---- ...eDeviceConfigurationSecureAssessmentPolicyWindows10.md | 8 ++++---- ...DeviceConfigurationSharedMultiDevicePolicyWindows10.md | 8 ++++---- ...eviceConfigurationTrustedCertificatePolicyWindows10.md | 8 ++++---- .../intune/IntuneDeviceConfigurationVpnPolicyWindows10.md | 8 ++++---- ...IntuneDeviceConfigurationWindowsTeamPolicyWindows10.md | 8 ++++---- ...ntuneDeviceConfigurationWiredNetworkPolicyWindows10.md | 8 ++++---- .../intune/IntuneDeviceControlPolicyWindows10.md | 8 ++++---- .../intune/IntuneDeviceEnrollmentPlatformRestriction.md | 8 ++++---- .../intune/IntuneDeviceEnrollmentStatusPageWindows10.md | 8 ++++---- docs/docs/resources/intune/IntuneDeviceRemediation.md | 8 ++++---- docs/docs/resources/intune/IntuneDiskEncryptionMacOS.md | 8 ++++---- .../resources/intune/IntuneDiskEncryptionWindows10.md | 8 ++++---- .../IntuneEndpointDetectionAndResponsePolicyLinux.md | 8 ++++---- .../IntuneEndpointDetectionAndResponsePolicyMacOS.md | 8 ++++---- .../IntuneEndpointDetectionAndResponsePolicyWindows10.md | 8 ++++---- ...ntuneExploitProtectionPolicyWindows10SettingCatalog.md | 8 ++++---- .../resources/intune/IntuneFirewallPolicyWindows10.md | 8 ++++---- docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md | 8 ++++---- .../intune/IntuneMobileAppsWindowsOfficeSuiteApp.md | 8 ++++---- docs/docs/resources/intune/IntunePolicySets.md | 8 ++++---- docs/docs/resources/intune/IntuneRoleAssignment.md | 8 ++++---- ...IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md | 8 ++++---- .../intune/IntuneSecurityBaselineMicrosoftEdge.md | 8 ++++---- .../intune/IntuneSettingCatalogASRRulesPolicyWindows10.md | 8 ++++---- .../intune/IntuneSettingCatalogCustomPolicyWindows10.md | 8 ++++---- ...neWifiConfigurationPolicyAndroidDeviceAdministrator.md | 8 ++++---- ...WifiConfigurationPolicyAndroidEnterpriseDeviceOwner.md | 8 ++++---- ...WifiConfigurationPolicyAndroidEnterpriseWorkProfile.md | 8 ++++---- .../intune/IntuneWifiConfigurationPolicyAndroidForWork.md | 8 ++++---- ...tuneWifiConfigurationPolicyAndroidOpenSourceProject.md | 8 ++++---- .../resources/intune/IntuneWifiConfigurationPolicyIOS.md | 8 ++++---- .../intune/IntuneWifiConfigurationPolicyMacOS.md | 8 ++++---- .../intune/IntuneWifiConfigurationPolicyWindows10.md | 8 ++++---- ...indowsAutopilotDeploymentProfileAzureADHybridJoined.md | 8 ++++---- ...ntuneWindowsAutopilotDeploymentProfileAzureADJoined.md | 8 ++++---- ...dowsInformationProtectionPolicyWindows10MdmEnrolled.md | 8 ++++---- ...indowsUpdateForBusinessDriverUpdateProfileWindows10.md | 8 ++++---- ...ndowsUpdateForBusinessFeatureUpdateProfileWindows10.md | 8 ++++---- ...ndowsUpdateForBusinessQualityUpdateProfileWindows10.md | 8 ++++---- ...eWindowsUpdateForBusinessRingUpdateProfileWindows10.md | 8 ++++---- 84 files changed, 287 insertions(+), 287 deletions(-) diff --git a/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md b/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md index 0c447db556..8a4d9f3576 100644 --- a/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md +++ b/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md @@ -36,11 +36,11 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - None + - CustomSecAttributeDefinition.Read.All - **Update** - - None + - CustomSecAttributeDefinition.ReadWrite.All #### Application permissions diff --git a/docs/docs/resources/azure-ad/AADSocialIdentityProvider.md b/docs/docs/resources/azure-ad/AADSocialIdentityProvider.md index 2472e76d61..3f219780b6 100644 --- a/docs/docs/resources/azure-ad/AADSocialIdentityProvider.md +++ b/docs/docs/resources/azure-ad/AADSocialIdentityProvider.md @@ -34,11 +34,11 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - None + - IdentityProvider.Read.All - **Update** - - None + - IdentityProvider.ReadWrite.All #### Application permissions diff --git a/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md b/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md index 0134626168..a2a8e9febb 100644 --- a/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md @@ -70,7 +70,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -80,7 +80,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md index 9736f856f2..7f39e3c94a 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md @@ -61,7 +61,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -71,7 +71,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md index 25709f754b..1287d250e4 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md @@ -62,7 +62,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -72,7 +72,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md index 2da74fb4a8..6c8c2806ec 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md @@ -65,7 +65,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -75,7 +75,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md b/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md index 8a3356509d..0eef097e57 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md @@ -85,21 +85,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md b/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md index 15667b067a..83653bc0e8 100644 --- a/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md +++ b/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md @@ -124,7 +124,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -134,7 +134,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md b/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md index 31b41d628a..7282b36bb0 100644 --- a/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md @@ -65,21 +65,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppConfigurationDevicePolicy.md b/docs/docs/resources/intune/IntuneAppConfigurationDevicePolicy.md index 319165e8e6..79e0395881 100644 --- a/docs/docs/resources/intune/IntuneAppConfigurationDevicePolicy.md +++ b/docs/docs/resources/intune/IntuneAppConfigurationDevicePolicy.md @@ -75,21 +75,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md b/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md index c82c22102d..cea7be67b5 100644 --- a/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md +++ b/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md @@ -59,7 +59,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions @@ -69,7 +69,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md b/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md index d3a1ef135e..2aac0e36e1 100644 --- a/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md +++ b/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md @@ -76,7 +76,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions @@ -86,7 +86,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md b/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md index 3f09651531..d35a55f973 100644 --- a/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md +++ b/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md @@ -84,7 +84,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions @@ -94,7 +94,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md b/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md index a45a81497f..9dd1be00fd 100644 --- a/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md @@ -51,7 +51,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -61,7 +61,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.md b/docs/docs/resources/intune/IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.md index 205075bc84..b307c64c4a 100644 --- a/docs/docs/resources/intune/IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.md +++ b/docs/docs/resources/intune/IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.md @@ -68,21 +68,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md index f80985d6ae..c3052f5d90 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md @@ -240,7 +240,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -250,7 +250,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md index 5077132b8a..674e6e1ce3 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md @@ -183,7 +183,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -193,7 +193,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md index 0ac8a37438..be23f3a17d 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md @@ -192,7 +192,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -202,7 +202,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md index 1dbafd1602..62ed0cb6a2 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md @@ -149,7 +149,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -159,7 +159,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md index 540cb06564..c5213a4659 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md @@ -275,7 +275,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -285,7 +285,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md index b52a7bcd11..108291075d 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md @@ -78,7 +78,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -88,7 +88,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md index b40d25a38c..eea55ebd46 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md @@ -106,7 +106,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -116,7 +116,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md index 37558493b4..1905c60a5e 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md @@ -67,7 +67,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -77,7 +77,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md index 4cb1a2d2a3..0f4534a56e 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md @@ -56,7 +56,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -66,7 +66,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md index 0bf2db5749..00f76e0a2f 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md @@ -112,7 +112,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -122,7 +122,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md index a705947392..c1e6c2166f 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md @@ -64,7 +64,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md index d798e86d27..560d2b0695 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md @@ -62,7 +62,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -72,7 +72,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md index 46db453044..580b09ee95 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md @@ -412,7 +412,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -422,7 +422,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.md index 6ec96ea63a..2ae37fd998 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.md @@ -67,21 +67,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.md index b22ae76162..9679aeb85c 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.md @@ -49,21 +49,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.md index 2d9c1e50bd..45082593bf 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.md @@ -60,21 +60,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.md index cb9e49e688..34a6e4f5bb 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.md @@ -52,21 +52,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationKioskPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationKioskPolicyWindows10.md index 998029d885..3104bea335 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationKioskPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationKioskPolicyWindows10.md @@ -176,21 +176,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.md index 756039e8b5..64eaedfc79 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.md @@ -82,21 +82,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.md index 150c6e599a..d6c299b557 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.md @@ -77,21 +77,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptMacOS.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptMacOS.md index 00ee60fb40..a4049bc531 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptMacOS.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptMacOS.md @@ -52,21 +52,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.md index 0c8d6a404f..00a71444f3 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.md @@ -107,21 +107,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceOwner.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceOwner.md index 599a916218..62d2dd381c 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceOwner.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceOwner.md @@ -278,21 +278,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.md index 4052c23262..cc5b36011b 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.md @@ -58,21 +58,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidWorkProfile.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidWorkProfile.md index 830ea4f2f4..ca514643c2 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidWorkProfile.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidWorkProfile.md @@ -88,21 +88,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyMacOS.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyMacOS.md index 44ac6ea8b4..3c13057576 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyMacOS.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyMacOS.md @@ -160,21 +160,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyWindows10.md index 076052931f..2902d595a1 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyWindows10.md @@ -378,21 +378,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyiOS.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyiOS.md index 56ff63330b..cb796d8f23 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyiOS.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyiOS.md @@ -335,21 +335,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md index 9f84dbc720..e12a9b17d0 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md @@ -80,21 +80,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.md index f864dc4e88..b17818c54e 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.md @@ -53,21 +53,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.md index 443fb8dac9..6c17828e42 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.md @@ -74,21 +74,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.md index 90261573a7..6d4624b074 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.md @@ -48,21 +48,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationVpnPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationVpnPolicyWindows10.md index f677318176..a4a4da3902 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationVpnPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationVpnPolicyWindows10.md @@ -185,21 +185,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationWindowsTeamPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationWindowsTeamPolicyWindows10.md index 93cceec8d8..d128159cae 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationWindowsTeamPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationWindowsTeamPolicyWindows10.md @@ -66,21 +66,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationWiredNetworkPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationWiredNetworkPolicyWindows10.md index ab63011a7a..6269122839 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationWiredNetworkPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationWiredNetworkPolicyWindows10.md @@ -74,21 +74,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md index 39762924d8..5d5854b665 100644 --- a/docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md @@ -104,21 +104,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceEnrollmentPlatformRestriction.md b/docs/docs/resources/intune/IntuneDeviceEnrollmentPlatformRestriction.md index 30dcaf901c..d262958eee 100644 --- a/docs/docs/resources/intune/IntuneDeviceEnrollmentPlatformRestriction.md +++ b/docs/docs/resources/intune/IntuneDeviceEnrollmentPlatformRestriction.md @@ -73,21 +73,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceEnrollmentStatusPageWindows10.md b/docs/docs/resources/intune/IntuneDeviceEnrollmentStatusPageWindows10.md index 231aff3635..9a1c3bb492 100644 --- a/docs/docs/resources/intune/IntuneDeviceEnrollmentStatusPageWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceEnrollmentStatusPageWindows10.md @@ -59,21 +59,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementApps.Read.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementApps.Read.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceRemediation.md b/docs/docs/resources/intune/IntuneDeviceRemediation.md index f9763f951e..b68f9395bf 100644 --- a/docs/docs/resources/intune/IntuneDeviceRemediation.md +++ b/docs/docs/resources/intune/IntuneDeviceRemediation.md @@ -99,21 +99,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDiskEncryptionMacOS.md b/docs/docs/resources/intune/IntuneDiskEncryptionMacOS.md index f4289f16e9..27a43c72ee 100644 --- a/docs/docs/resources/intune/IntuneDiskEncryptionMacOS.md +++ b/docs/docs/resources/intune/IntuneDiskEncryptionMacOS.md @@ -56,21 +56,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDiskEncryptionWindows10.md b/docs/docs/resources/intune/IntuneDiskEncryptionWindows10.md index b359738f21..30ea1cc6ef 100644 --- a/docs/docs/resources/intune/IntuneDiskEncryptionWindows10.md +++ b/docs/docs/resources/intune/IntuneDiskEncryptionWindows10.md @@ -101,21 +101,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyLinux.md b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyLinux.md index dcce4db30c..3e214c55ea 100644 --- a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyLinux.md +++ b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyLinux.md @@ -48,21 +48,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyMacOS.md b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyMacOS.md index d7f9f57a4b..b7440d0972 100644 --- a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyMacOS.md +++ b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyMacOS.md @@ -48,21 +48,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md index 92a2428a6d..7ab1d07c4a 100644 --- a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md @@ -49,21 +49,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneExploitProtectionPolicyWindows10SettingCatalog.md b/docs/docs/resources/intune/IntuneExploitProtectionPolicyWindows10SettingCatalog.md index 17b0440a3d..bc0860cef2 100644 --- a/docs/docs/resources/intune/IntuneExploitProtectionPolicyWindows10SettingCatalog.md +++ b/docs/docs/resources/intune/IntuneExploitProtectionPolicyWindows10SettingCatalog.md @@ -52,21 +52,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneFirewallPolicyWindows10.md b/docs/docs/resources/intune/IntuneFirewallPolicyWindows10.md index f9ad6cee2b..c09a160b70 100644 --- a/docs/docs/resources/intune/IntuneFirewallPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneFirewallPolicyWindows10.md @@ -123,21 +123,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md b/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md index cdb64c20a7..2d7d5b3efe 100644 --- a/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md +++ b/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md @@ -110,21 +110,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md b/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md index 52bfea559e..ca844c4abd 100644 --- a/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md +++ b/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md @@ -104,21 +104,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntunePolicySets.md b/docs/docs/resources/intune/IntunePolicySets.md index d1bb683e0a..ddc91dc234 100644 --- a/docs/docs/resources/intune/IntunePolicySets.md +++ b/docs/docs/resources/intune/IntunePolicySets.md @@ -60,21 +60,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - None + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - None + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneRoleAssignment.md b/docs/docs/resources/intune/IntuneRoleAssignment.md index ab0133db1c..0ca60f3e19 100644 --- a/docs/docs/resources/intune/IntuneRoleAssignment.md +++ b/docs/docs/resources/intune/IntuneRoleAssignment.md @@ -38,21 +38,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementRBAC.Read.All + - Group.Read.All, DeviceManagementRBAC.Read.All - **Update** - - DeviceManagementRBAC.ReadWrite.All + - Group.Read.All, DeviceManagementRBAC.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementRBAC.Read.All + - Group.Read.All, DeviceManagementRBAC.Read.All - **Update** - - DeviceManagementRBAC.ReadWrite.All + - Group.Read.All, DeviceManagementRBAC.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md index 78a3f1969a..3c60a47ae5 100644 --- a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md +++ b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md @@ -499,21 +499,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md index 439264f0bc..858d62840b 100644 --- a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md +++ b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md @@ -67,21 +67,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneSettingCatalogASRRulesPolicyWindows10.md b/docs/docs/resources/intune/IntuneSettingCatalogASRRulesPolicyWindows10.md index b565f3f12c..90d9ba2ebd 100644 --- a/docs/docs/resources/intune/IntuneSettingCatalogASRRulesPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneSettingCatalogASRRulesPolicyWindows10.md @@ -88,21 +88,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneSettingCatalogCustomPolicyWindows10.md b/docs/docs/resources/intune/IntuneSettingCatalogCustomPolicyWindows10.md index fb7b396272..9962ba0a3c 100644 --- a/docs/docs/resources/intune/IntuneSettingCatalogCustomPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneSettingCatalogCustomPolicyWindows10.md @@ -137,21 +137,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.md index 8f3324c65a..7483c4710f 100644 --- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.md @@ -50,21 +50,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.md index a2d42ba204..b3861e4351 100644 --- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.md @@ -57,21 +57,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.md index 3b93f6cb7f..8fafa7ecab 100644 --- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.md @@ -50,21 +50,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidForWork.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidForWork.md index 01e681328d..3eb7f1c1b2 100644 --- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidForWork.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidForWork.md @@ -50,21 +50,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidOpenSourceProject.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidOpenSourceProject.md index ef98411a57..f5c81807de 100644 --- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidOpenSourceProject.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidOpenSourceProject.md @@ -52,21 +52,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyIOS.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyIOS.md index ddcf26325a..241082231f 100644 --- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyIOS.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyIOS.md @@ -56,21 +56,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyMacOS.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyMacOS.md index 57e8731161..d542ae3f65 100644 --- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyMacOS.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyMacOS.md @@ -55,21 +55,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyWindows10.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyWindows10.md index 23ba85724c..f4ed4299f5 100644 --- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyWindows10.md @@ -58,21 +58,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.md b/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.md index 43d2e26d9f..348408777b 100644 --- a/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.md +++ b/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.md @@ -81,21 +81,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADJoined.md b/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADJoined.md index 526656617c..fee1d8eb6c 100644 --- a/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADJoined.md +++ b/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADJoined.md @@ -80,21 +80,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.md b/docs/docs/resources/intune/IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.md index e581a1dcc1..75f98f153f 100644 --- a/docs/docs/resources/intune/IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.md +++ b/docs/docs/resources/intune/IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.md @@ -140,21 +140,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.md b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.md index edb5abbe42..6b8532fcc2 100644 --- a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.md +++ b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.md @@ -50,21 +50,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.md b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.md index 2c6cec626d..da5c950514 100644 --- a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.md +++ b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.md @@ -80,21 +80,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10.md b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10.md index 413892c638..edeac97ca8 100644 --- a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10.md +++ b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10.md @@ -56,21 +56,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.md b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.md index 46d2e49c70..b12b125578 100644 --- a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.md +++ b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.md @@ -91,21 +91,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples From de3e556570001f42e75a47699e0a92ea96304af4 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 21 Oct 2024 13:40:12 +0000 Subject: [PATCH 24/98] Updated Resources and Cmdlet documentation pages --- .../resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md b/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md index 14afcf7a7f..4eb16af7ab 100644 --- a/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md +++ b/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md @@ -15,6 +15,7 @@ | **Credential** | Write | PSCredential | Credentials of the workload's Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | | **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | | **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | | **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | From e5099fe8bd5e8ce080bb99e377bc557e2651c709 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 21 Oct 2024 13:40:32 +0000 Subject: [PATCH 25/98] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/azure-ad/AADDomain.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/docs/resources/azure-ad/AADDomain.md b/docs/docs/resources/azure-ad/AADDomain.md index 01a98d0d24..1e11b20532 100644 --- a/docs/docs/resources/azure-ad/AADDomain.md +++ b/docs/docs/resources/azure-ad/AADDomain.md @@ -18,6 +18,7 @@ | **Credential** | Write | PSCredential | Credentials of the workload's Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory application to authenticate with. | | | **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | | **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | | **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | From 5538c1d2e28825c913e5558137e67ee2b5b0dd02 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 21 Oct 2024 13:43:49 +0000 Subject: [PATCH 26/98] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 564dcb1932..543d8fb404 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -5472,6 +5472,11 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", From e03bf7ed63080352acfef4de92ee37569214efbd Mon Sep 17 00:00:00 2001 From: "Ritik Mittal (from Dev Box)" Date: Mon, 21 Oct 2024 19:27:17 +0530 Subject: [PATCH 27/98] Added AADIdentityB2XUserFlow resource --- .../MSFT_AADIdentityB2XUserFlow.psm1 | 719 ++++++++++++++++++ .../MSFT_AADIdentityB2XUserFlow.schema.mof | 41 + .../MSFT_AADIdentityB2XUserFlow/readme.md | 6 + .../MSFT_AADIdentityB2XUserFlow/settings.json | 29 + .../AADIdentityB2XUserFlow/1-Create.ps1 | 79 ++ .../AADIdentityB2XUserFlow/2-Update.ps1 | 79 ++ .../AADIdentityB2XUserFlow/3-Remove.ps1 | 33 + ...oft365DSC.AADIdentityB2XUserFlow.Tests.ps1 | 502 ++++++++++++ Tests/Unit/Stubs/Microsoft365.psm1 | 566 ++++++++++++++ 9 files changed, 2054 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/2-Update.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/3-Remove.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityB2XUserFlow.Tests.ps1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 new file mode 100644 index 0000000000..41be1d79fe --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 @@ -0,0 +1,719 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ApiConnectorConfiguration, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String[]] + $IdentityProviders, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UserAttributeAssignments, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaIdentityB2XUserFlow -B2XIdentityUserFlowId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Identity B2 X User Flow with Id {$Id}" + return $nullResult + } + #endregion + + $Id = $getValue.Id + Write-Verbose -Message "An Azure AD Identity B2 X User Flow with Id {$Id} was found" + + #region Get ApiConnectorConfiguration + $connectorConfiguration = Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration -B2xIdentityUserFlowId $Id -ExpandProperty "postFederationSignup,postAttributeCollection" + + $complexApiConnectorConfiguration = @{ + postFederationSignupConnectorName = Get-ConnectorName($connectorConfiguration.PostFederationSignup.DisplayName) + postAttributeCollectionConnectorName = Get-ConnectorName($connectorConfiguration.PostAttributeCollection.DisplayName) + } + #endregion + + #region Get IdentityProviders + $getIdentityProviders = Get-MgBetaIdentityB2XUserFlowIdentityProvider -B2XIdentityUserFlowId $Id | Select-Object Id + if ($getIdentityProviders.Count -eq 0) + { + $getIdentityProviders = @() + } + #endregion + + $complexUserAttributeAssignments = @() + $getUserAttributeAssignments = Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2XIdentityUserFlowId $Id -ExpandProperty UserAttribute + foreach ($getUserAttributeAssignment in $getUserAttributeAssignments) + { + $getuserAttributeValues = @() + foreach ($getUserAttributeAssignmentAttributeValue in $getUserAttributeAssignment.UserAttributeValues) + { + $getuserAttributeValues += @{ + Name = $getUserAttributeAssignmentAttributeValue.Name + Value = $getUserAttributeAssignmentAttributeValue.Value + IsDefault = $getUserAttributeAssignmentAttributeValue.IsDefault + } + } + $complexUserAttributeAssignments += @{ + Id = $getUserAttributeAssignment.Id + DisplayName = $getUserAttributeAssignment.DisplayName + IsOptional = $getUserAttributeAssignment.IsOptional + UserInputType = $getUserAttributeAssignment.UserInputType + UserAttributeValues = $getuserAttributeValues + } + } + + $results = @{ + #region resource generator code + ApiConnectorConfiguration = $complexApiConnectorConfiguration + Id = $getValue.Id + IdentityProviders = $getIdentityProviders + UserAttributeAssignments = $complexUserAttributeAssignments + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ApiConnectorConfiguration, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String[]] + $IdentityProviders, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UserAttributeAssignments, + + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Azure AD Identity B2 X User Flow with Id {$Id}" + + #region Create ApiConnectorConfiguration object + $newApiConnectorConfiguration = @{} + if (-not [string]::IsNullOrEmpty($ApiConnectorConfiguration.postFederationSignupConnectorName)) + { + $getConnector = Get-MgBetaIdentityApiConnector -Filter "DisplayName eq '$($ApiConnectorConfiguration.postFederationSignupConnectorName)'" + $newApiConnectorConfiguration['PostFederationSignup'] = @{ + 'Id' = $getConnector.Id + } + } + + if (-not [string]::IsNullOrEmpty($ApiConnectorConfiguration.postAttributeCollectionConnectorName)) + { + $getConnector = Get-MgBetaIdentityApiConnector -Filter "DisplayName eq '$($ApiConnectorConfiguration.postAttributeCollectionConnectorName)'" + $newApiConnectorConfiguration['PostAttributeCollection'] = @{ + 'Id' = $getConnector.Id + } + } + #endregion + + $params = @{ + id = $Id + userFlowType = "signUpOrSignIn" + userFlowTypeVersion = 1 + apiConnectorConfiguration = $newApiConnectorConfiguration + } + + $newObj = New-MgBetaIdentityB2XUserFlow -BodyParameter $params + + #region Add IdentityProvider objects to the newly created object + foreach ($provider in $IdentityProviders) + { + $params = @{ + "@odata.id" = "https://graph.microsoft.com/beta/identityProviders/$($provider)" + } + + Write-Verbose -Message "Adding the Identity Provider with Id {$provider} to the newly created Azure AD Identity B2X User Flow with Id {$($newObj.Id)}" + + New-MgBetaIdentityB2XUserFlowIdentityProviderByRef -B2XIdentityUserFlowId $newObj.Id -BodyParameter $params + } + #endregion + + #region Add UserAtrributeAssignments to the newly created object + $currentAttributes = Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2XIdentityUserFlowId $newObj.Id | Select-Object -ExpandProperty Id + $attributesToAdd = $UserAttributeAssignments | Where-Object {$_.Id -notin $currentAttributes} + + foreach ($userAttributeAssignment in $attributesToAdd) + { + $params = @{ + displayName = $userAttributeAssignment.DisplayName + isOptional = $userAttributeAssignment.IsOptional + userInputType = $userAttributeAssignment.UserInputType + userAttributeValues = @() + userAttribute = @{ + id = $userAttributeAssignment.Id + } + } + + foreach ($userAttributeValue in $userAttributeAssignment.UserAttributeValues) + { + $params['userAttributeValues'] += @{ + "Name" = $userAttributeValue.Name + "Value" = $userAttributeValue.Value + "IsDefault" = $userAttributeValue.IsDefault + } + } + + Write-Verbose -Message "Adding the User Attribute Assignment with Id {$($userAttributeAssignment.Id)} to the newly created Azure AD Identity B2X User Flow with Id {$($newObj.Id)}" + + New-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2XIdentityUserFlowId $newObj.Id -BodyParameter $params + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + #region Update ApiConnectorConfiguration object + if (-not [string]::IsNullOrEmpty($ApiConnectorConfiguration.postFederationSignupConnectorName)) + { + $getConnector = Get-MgBetaIdentityApiConnector -Filter "DisplayName eq '$($ApiConnectorConfiguration.postFederationSignupConnectorName)'" + $params = @{ + "@odata.id" = "https://graph.microsoft.com/beta/identity/apiConnectors/$($getConnector.Id)" + } + + Write-Verbose -Message "Updating the Post Federation Signup connector for Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + Set-MgBetaIdentityB2XUserFlowPostFederationSignupByRef -B2xIdentityUserFlowId $currentInstance.Id -BodyParameter $params + } + + if (-not [string]::IsNullOrEmpty($ApiConnectorConfiguration.postAttributeCollectionConnectorName)) + { + $getConnector = Get-MgBetaIdentityApiConnector -Filter "DisplayName eq '$($ApiConnectorConfiguration.postAttributeCollectionConnectorName)'" + $params = @{ + "@odata.id" = "https://graph.microsoft.com/beta/identity/apiConnectors/$($getConnector.Id)" + } + + Write-Verbose -Message "Updating the Post Attribute Collection connector for Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + Set-MgBetaIdentityB2XUserFlowPostAttributeCollectionByRef -B2xIdentityUserFlowId $currentInstance.Id -BodyParameter $params + } + #endregion + + #region Add or Remove Identity Providers on the current instance + $providersToAdd = $IdentityProviders | Where-Object {$_ -notin $currentInstance.IdentityProviders} + foreach ($provider in $providersToAdd) + { + $params = @{ + "@odata.id" = "https://graph.microsoft.com/beta/identityProviders/$($provider)" + } + + Write-Verbose -Message "Adding the Identity Provider with Id {$provider} to the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + New-MgBetaIdentityB2XUserFlowIdentityProviderByRef -B2XIdentityUserFlowId $currentInstance.Id -BodyParameter $params + } + + $providersToRemove = $currentInstance.IdentityProviders | Where-Object {$_ -notin $IdentityProviders} + foreach ($provider in $providersToRemove) + { + Write-Verbose -Message "Removing the Identity Provider with Id {$provider} from the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + Remove-MgBetaIdentityB2XUserFlowIdentityProviderByRef -B2XIdentityUserFlowId $currentInstance.Id -IdentityProviderBaseId $provider + } + #endregion + + #region Add, remove or update User Attribute Assignments on the current instance + $attributesToRemove = $currentInstance.UserAttributeAssignments | Where-Object {$_.Id -notin $UserAttributeAssignments.Id} + + #Remove + foreach ($userAttributeAssignment in $attributesToRemove) + { + Write-Verbose -Message "Removing the User Attribute Assignment with Id {$($userAttributeAssignment.Id)} from the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + Remove-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2XIdentityUserFlowId $currentInstance.Id -IdentityUserFlowAttributeAssignmentId $userAttributeAssignment.Id + } + + #Add/Update + foreach ($userAttributeAssignment in $UserAttributeAssignments) + { + $params = @{ + displayName = $userAttributeAssignment.DisplayName + isOptional = $userAttributeAssignment.IsOptional + userInputType = $userAttributeAssignment.UserInputType + userAttributeValues = @() + } + + foreach ($userAttributeValue in $userAttributeAssignment.UserAttributeValues) + { + $params['userAttributeValues'] += @{ + "Name" = $userAttributeValue.Name + "Value" = $userAttributeValue.Value + "IsDefault" = $userAttributeValue.IsDefault + } + } + + if ($userAttributeAssignment.Id -notin $currentInstance.UserAttributeAssignments.Id) + { + $params["userAttribute"] = @{ + id = $userAttributeAssignment.Id + } + + Write-Verbose -Message "Adding the User Attribute Assignment with Id {$($userAttributeAssignment.Id)} to the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + New-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2XIdentityUserFlowId $currentInstance.Id -BodyParameter $params + } + else + { + Write-Verbose -Message "Updating the User Attribute Assignment with Id {$($userAttributeAssignment.Id)} in the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + Update-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2xIdentityUserFlowId $currentInstance.Id -IdentityUserFlowAttributeAssignmentId $userAttributeAssignment.Id -BodyParameter $params + } + } + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Azure AD Identity B2 X User Flow with Id {$($currentInstance.Id)}" + Remove-MgBetaIdentityB2XUserFlow -B2XIdentityUserFlowId $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ApiConnectorConfiguration, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String[]] + $IdentityProviders, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UserAttributeAssignments, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Identity B2 X User Flow with Id {$Id}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($ValuesToCheck.Count -gt 0 -and $testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaIdentityB2XUserFlow ` + -Filter $Filter ` + -All ` + -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.ApiConnectorConfiguration) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.ApiConnectorConfiguration ` + -CIMInstanceName 'MicrosoftGraphuserFlowApiConnectorConfiguration' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.ApiConnectorConfiguration = $complexTypeStringResult + } + else + { + $Results.Remove('ApiConnectorConfiguration') | Out-Null + } + } + + if ($null -ne $Results.UserAttributeAssignments) + { + $complexMapping = @( + @{ + Name = 'UserAttributeValues' + CimInstanceName = 'MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.UserAttributeAssignments ` + -CIMInstanceName 'MicrosoftGraphuserFlowUserAttributeAssignment' ` + -ComplexTypeMapping $complexMapping + + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.UserAttributeAssignments = $complexTypeStringResult + } + else + { + $Results.Remove('UserAttributeAssignments') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.ApiConnectorConfiguration) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "ApiConnectorConfiguration" -IsCIMArray:$False + } + if ($Results.UserAttributeAssignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "UserAttributeAssignments" -IsCIMArray:$True + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-ConnectorName($connectorName) { + if ($null -ne $connectorName) { + return $connectorName + } else { + return "" + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.schema.mof new file mode 100644 index 0000000000..4ea315f134 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.schema.mof @@ -0,0 +1,41 @@ +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphUserFlowApiConnectorConfiguration +{ + [Write, Description("The name of the connector used for post federation signup step.")] String postFederationSignupConnectorName; + [Write, Description("The name of the connector used for post attribute collection step.")] String postAttributeCollectionConnectorName; +}; + +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues +{ + [Write, Description("The display name of the property displayed to the end user in the user flow.")] String Name; + [Write, Description("The value that is set when this item is selected.")] String Value; + [Write, Description("Used to set the value as the default.")] Boolean IsDefault; +}; + +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphuserFlowUserAttributeAssignment +{ + [Write, Description("The unique identifier of identityUserFlowAttributeAssignment.")] String Id; + [Write, Description("The display name of the identityUserFlowAttribute within a user flow.")] String DisplayName; + [Write, Description("Determines whether the identityUserFlowAttribute is optional.")] Boolean IsOptional; + [Write, Description("User Flow Attribute Input Type."), ValueMap{"textBox","dateTimeDropdown","radioSingleSelect","dropdownSingleSelect","emailBox","checkboxMultiSelect"}, Values{"textBox","dateTimeDropdown","radioSingleSelect","dropdownSingleSelect","emailBox","checkboxMultiSelect"}] String UserInputType; + [Write, Description("The list of user attribute values for this assignment."), EmbeddedInstance("MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues")] String UserAttributeValues[]; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADIdentityB2XUserFlow")] +class MSFT_AADIdentityB2XUserFlow : OMI_BaseResource +{ + [Write, Description("Configuration for enabling an API connector for use as part of the self-service sign-up user flow. You can only obtain the value of this object using Get userFlowApiConnectorConfiguration."), EmbeddedInstance("MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration")] String ApiConnectorConfiguration; + [Key, Description("The unique identifier for an entity. Read-only.")] String Id; + [Write, Description("The identity providers included in the user flow.")] String IdentityProviders[]; + [Write, Description("The user attribute assignments included in the user flow."), EmbeddedInstance("MSFT_MicrosoftGraphuserFlowUserAttributeAssignment")] String UserAttributeAssignments[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/readme.md new file mode 100644 index 0000000000..c81de81f9b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/readme.md @@ -0,0 +1,6 @@ + +# AADIdentityB2XUserFlow + +## Description + +Azure AD Identity B2 X User Flow diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/settings.json new file mode 100644 index 0000000000..d6df4d957a --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/settings.json @@ -0,0 +1,29 @@ +{ + "resourceName": "AADIdentityB2XUserFlow", + "description": "This resource configures an Azure AD Identity B2 X User Flow.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "IdentityUserFlow.Read.All" + } + ], + "update": [ + + ] + }, + "application": { + "read": [ + { + "name": "IdentityUserFlow.Read.All" + } + ], + "update": [ + + ] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/1-Create.ps1 new file mode 100644 index 0000000000..643146f6ca --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/1-Create.ps1 @@ -0,0 +1,79 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorId = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorId = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + } + ); + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/2-Update.ps1 new file mode 100644 index 0000000000..643146f6ca --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/2-Update.ps1 @@ -0,0 +1,79 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorId = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorId = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + } + ); + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/3-Remove.ps1 new file mode 100644 index 0000000000..295893f499 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/3-Remove.ps1 @@ -0,0 +1,33 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Id = "B2X_1_TestFlow"; + } + } +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityB2XUserFlow.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityB2XUserFlow.Tests.ps1 new file mode 100644 index 0000000000..b0dd2cbd56 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityB2XUserFlow.Tests.ps1 @@ -0,0 +1,502 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADIdentityB2XUserFlow" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaIdentityB2XUserFlow -MockWith { + } + + Mock -CommandName New-MgBetaIdentityB2XUserFlow -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityB2XUserFlow -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityB2XUserFlowIdentityProviderByRef -MockWith { + } + + Mock -CommandName New-MgBetaIdentityB2XUserFlowIdentityProviderByRef -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + } + + Mock -CommandName Update-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + } + + Mock -CommandName New-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + } + + Mock -CommandName Set-MgBetaIdentityB2XUserFlowPostAttributeCollectionByRef -MockWith { + } + + Mock -CommandName Set-MgBetaIdentityB2XUserFlowPostFederationSignupByRef -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADIdentityB2XUserFlow should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + ApiConnectorConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration -Property @{ + postAttributeCollectionConnectorName = 'FakeConnector1' + postFederationSignupConnectorName = 'FakeConnector2' + } -ClientOnly) + Id = "FakeStringValue" + IdentityProviders = @("Provider1", "Provider2") + UserAttributeAssignments = @((New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + IsDefault = $True + Name = 'S' + Value = '2' + } -ClientOnly + ) + } -ClientOnly)) + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlow -MockWith { + return $null + } + + Mock -CommandName Get-MgBetaIdentityApiConnector -MockWith { + return $null + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityB2XUserFlow -Exactly 1 + Should -Invoke -CommandName Get-MgBetaIdentityApiConnector -Exactly 2 + Should -Invoke -CommandName New-MgBetaIdentityB2XUserFlowIdentityProviderByRef -Exactly 2 + Should -Invoke -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -Exactly 1 + Should -Invoke -CommandName New-MgBetaIdentityB2XUserFlowUserAttributeAssignment -Exactly 1 + } + } + + Context -Name "The AADIdentityB2XUserFlow exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + ApiConnectorConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration -Property @{ + postAttributeCollectionConnectorName = 'FakeConnector1' + postFederationSignupConnectorName = 'FakeConnector2' + } -ClientOnly) + Id = "FakeStringValue" + IdentityProviders = @("Provider1", "Provider2") + UserAttributeAssignments = @((New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + IsDefault = $True + Name = 'S' + Value = '2' + } -ClientOnly + ) + } -ClientOnly)) + Ensure = "Absent" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlow -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowIdentityProvider -MockWith { + return @( + @{ + id = "Provider1" + }, + @{ + id = "Provider2" + } + ) + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration -MockWith { + return @{ + PostFederationSignup = [PSCustomObject]@{ + DisplayName = "FakeConnector2" + } + PostAttributeCollection = [PSCustomObject]@{ + DisplayName = "FakeConnector1" + } + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + return @( + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + } + ) + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaIdentityB2XUserFlow -Exactly 1 + } + } + Context -Name "The AADIdentityB2XUserFlow Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ApiConnectorConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration -Property @{ + postAttributeCollectionConnectorName = 'FakeConnector1' + postFederationSignupConnectorName = 'FakeConnector2' + } -ClientOnly) + Id = "FakeStringValue" + IdentityProviders = @("Provider1", "Provider2") + UserAttributeAssignments = @((New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + IsDefault = $True + Name = 'S' + Value = '2' + } -ClientOnly + ) + } -ClientOnly)) + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlow -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowIdentityProvider -MockWith { + return @( + @{ + id = "Provider1" + }, + @{ + id = "Provider2" + } + ) + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration -MockWith { + return @{ + PostFederationSignup = [PSCustomObject]@{ + DisplayName = "FakeConnector2" + } + PostAttributeCollection = [PSCustomObject]@{ + DisplayName = "FakeConnector1" + } + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + return @( + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + } + ) + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADIdentityB2XUserFlow exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ApiConnectorConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration -Property @{ + postAttributeCollectionConnectorName = 'FakeConnector1' + postFederationSignupConnectorName = 'FakeConnector2' + } -ClientOnly) + Id = "FakeStringValue" + IdentityProviders = @("Provider1", "Provider2") + UserAttributeAssignments = @((New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + IsDefault = $True + Name = 'Z' + Value = '2' + } -ClientOnly + ) + } -ClientOnly), + (New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Surname' + Id = 'surname' + UserAttributeValues = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + IsDefault = $True + Name = 'S' + Value = '2' + } -ClientOnly + ) + } -ClientOnly)) + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlow -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityApiConnector -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowIdentityProvider -MockWith { + return @( + @{ + id = "Provider3" + }, + @{ + id = "Provider2" + } + ) + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration -MockWith { + return @{ + PostFederationSignup = [PSCustomObject]@{ + DisplayName = "FakeConnector2" + } + PostAttributeCollection = [PSCustomObject]@{ + DisplayName = "FakeConnector1" + } + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + return @( + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + }, + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'City' + Id = 'city' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + } + ) + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityB2XUserFlowIdentityProviderByRef -Exactly 1 + Should -Invoke -CommandName Remove-MgBetaIdentityB2XUserFlowIdentityProviderByRef -Exactly 1 + Should -Invoke -CommandName Set-MgBetaIdentityB2XUserFlowPostFederationSignupByRef -Exactly 1 + Should -Invoke -CommandName Set-MgBetaIdentityB2XUserFlowPostAttributeCollectionByRef -Exactly 1 + Should -Invoke -CommandName New-MgBetaIdentityB2XUserFlowUserAttributeAssignment -Exactly 1 + Should -Invoke -CommandName Update-MgBetaIdentityB2XUserFlowUserAttributeAssignment -Exactly 1 + Should -Invoke -CommandName Remove-MgBetaIdentityB2XUserFlowUserAttributeAssignment -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlow -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityApiConnector -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowIdentityProvider -MockWith { + return @( + @{ + id = "Provider3" + }, + @{ + id = "Provider2" + } + ) + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration -MockWith { + return @{ + PostFederationSignup = [PSCustomObject]@{ + DisplayName = "FakeConnector2" + } + PostAttributeCollection = [PSCustomObject]@{ + DisplayName = "FakeConnector1" + } + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + return @( + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + }, + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'City' + Id = 'city' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + } + ) + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index cdcf592740..7d0f828598 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 @@ -97638,3 +97638,569 @@ function Invoke-PnPSPRestMethod $Content ) } + +#region MgBetaIdentityB2XUserFlow +function Get-MgBetaIdentityB2XUserFlow +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaIdentityB2XUserFlow +{ + [CmdletBinding()] + param + ( + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject] + $ApiConnectorConfiguration, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [PSObject[]] + $IdentityProviders, + + [Parameter()] + [PSObject[]] + $Languages, + + [Parameter()] + [PSObject[]] + $UserAttributeAssignments, + + [Parameter()] + [PSObject[]] + $UserFlowIdentityProviders, + + [Parameter()] + [System.String] + $UserFlowType, + + [Parameter()] + [System.Single] + $UserFlowTypeVersion, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaIdentityB2XUserFlow +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaIdentityB2XUserFlow +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject] + $ApiConnectorConfiguration, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [PSObject[]] + $IdentityProviders, + + [Parameter()] + [PSObject[]] + $Languages, + + [Parameter()] + [PSObject[]] + $UserAttributeAssignments, + + [Parameter()] + [PSObject[]] + $UserFlowIdentityProviders, + + [Parameter()] + [System.String] + $UserFlowType, + + [Parameter()] + [System.Single] + $UserFlowTypeVersion, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} +#endregion + +#region MgBetaIdentityB2XUserFlowApiConnectorConfiguration +function Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String[]] + $ExpandProperty + ) +} + +function Set-MgBetaIdentityB2XUserFlowPostFederationSignupByRef +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $BodyParameter + ) +} + +function Set-MgBetaIdentityB2XUserFlowPostAttributeCollectionByRef +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $BodyParameter + ) +} +#endregion + +#region MgBetaIdentityB2XUserFlowUserAttributeAssignment +function Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String[]] + $ExpandProperty + ) +} + +function New-MgBetaIdentityB2XUserFlowUserAttributeAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $BodyParameter + ) +} + +function Update-MgBetaIdentityB2XUserFlowUserAttributeAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String] + $IdentityUserFlowAttributeAssignmentId, + + [Parameter()] + [PSObject] + $BodyParameter + ) +} + +function Remove-MgBetaIdentityB2XUserFlowUserAttributeAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String] + $IdentityUserFlowAttributeAssignmentId + ) +} + +#endregion + +#region MgBetaIdentityB2XUserFlowIdentityProvider +function Get-MgBetaIdentityB2XUserFlowIdentityProvider +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String[]] + $ExpandProperty + ) +} + +function New-MgBetaIdentityB2XUserFlowIdentityProviderByRef +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $BodyParameter + ) +} + +function Remove-MgBetaIdentityB2XUserFlowIdentityProviderByRef +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String] + $IdentityProviderBaseId + ) +} +#endregion + +function Get-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $IdentityApiConnectorId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} From 7f456e0f4552ec0b1af0d970ced876a69389a2b4 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 21 Oct 2024 13:58:46 +0000 Subject: [PATCH 28/98] Updated {Create} AAD Integration Tests --- .../M365DSCIntegration.AAD.Create.Tests.ps1 | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index 1b8db2b05d..4f7852e57e 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 @@ -451,6 +451,59 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityB2XUserFlow 'AADIdentityB2XUserFlow-B2X_1_TestFlow' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorId = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorId = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + } + ); + } AADIdentityGovernanceLifecycleWorkflow 'AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version' { Category = "joiner"; From 23fd99282dd9ed298cad70386432e8448c415bbe Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 21 Oct 2024 13:59:01 +0000 Subject: [PATCH 29/98] Updated Resources and Cmdlet documentation pages --- .../resources/azure-ad/AADCustomSecurityAttributeDefinition.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md b/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md index 8a4d9f3576..6cdf6b96b3 100644 --- a/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md +++ b/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md @@ -17,6 +17,7 @@ | **Credential** | Write | PSCredential | Credentials of the workload's Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | | **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | | **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | | **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | From 66fbddd3e987d5790912ef2e4a17d8f8cdaa6484 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 21 Oct 2024 13:59:10 +0000 Subject: [PATCH 30/98] Updated {Update} AAD Integration Tests --- .../M365DSCIntegration.AAD.Update.Tests.ps1 | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 index 01fcfd4435..e0ae304574 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 @@ -952,6 +952,59 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityB2XUserFlow 'AADIdentityB2XUserFlow-B2X_1_TestFlow' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorId = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorId = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + } + ); + } AADIdentityGovernanceLifecycleWorkflow 'AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version' { Category = "joiner"; From e60fa55fd0c2c13f7761e2d16ce763039510fe18 Mon Sep 17 00:00:00 2001 From: "Ritik Mittal (from Dev Box)" Date: Mon, 21 Oct 2024 19:29:23 +0530 Subject: [PATCH 31/98] Added Changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ee03c9e3d..f55af8027f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,8 @@ * Initial release. * AADCustomSecurityAttributeDefinition * Fixed missing permissions in settings.json +* AADIdentityB2XUserFlow + * Initial release. * AADIdentityGovernanceProgram * Initial release. * AADSocialIdentityProvider From 648d8959f09436e3ae979c1964660b2533b265a4 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 21 Oct 2024 13:59:28 +0000 Subject: [PATCH 32/98] Updated {Update} AAD Integration Tests --- .../M365DSCIntegration.AAD.Remove.Tests.ps1 | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 index 8c9f5796a0..501de97c48 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 @@ -296,6 +296,13 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityB2XUserFlow 'AADIdentityB2XUserFlow-B2X_1_TestFlow' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Id = "B2X_1_TestFlow"; + } AADIdentityGovernanceLifecycleWorkflow 'AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version' { Category = "joiner"; From 1c4a030afeaedc519db2160f2c7338cf23878bf8 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 21 Oct 2024 14:02:36 +0000 Subject: [PATCH 33/98] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 130 ++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 564dcb1932..69e8d4b070 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -5299,6 +5299,136 @@ } ] }, + { + "ClassName": "MSFT_MicrosoftGraphUserFlowApiConnectorConfiguration", + "Parameters": [ + { + "CIMType": "String", + "Name": "postFederationSignupConnectorName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "postAttributeCollectionConnectorName", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Value", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsDefault", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphuserFlowUserAttributeAssignment", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsOptional", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "UserInputType", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues[]", + "Name": "UserAttributeValues", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADIdentityB2XUserFlow", + "Parameters": [ + { + "CIMType": "MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration", + "Name": "ApiConnectorConfiguration", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "IdentityProviders", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphuserFlowUserAttributeAssignment[]", + "Name": "UserAttributeAssignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_IdentityGovernanceScope", "Parameters": [ From cadab7687b79c28d88d150d2e301381e3bea8929 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 21 Oct 2024 14:04:00 +0000 Subject: [PATCH 34/98] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 543d8fb404..1bbc69b421 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -3572,6 +3572,11 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", @@ -3762,6 +3767,11 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", From 375503862a18a5a581bbb00f1fb088c87ae6bed8 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 21 Oct 2024 14:13:39 +0000 Subject: [PATCH 35/98] Updated Resources and Cmdlet documentation pages --- .../azure-ad/AADIdentityB2XUserFlow.md | 283 ++++++++++++++++++ 1 file changed, 283 insertions(+) create mode 100644 docs/docs/resources/azure-ad/AADIdentityB2XUserFlow.md diff --git a/docs/docs/resources/azure-ad/AADIdentityB2XUserFlow.md b/docs/docs/resources/azure-ad/AADIdentityB2XUserFlow.md new file mode 100644 index 0000000000..193a1d29f9 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADIdentityB2XUserFlow.md @@ -0,0 +1,283 @@ +# AADIdentityB2XUserFlow + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **ApiConnectorConfiguration** | Write | MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration | Configuration for enabling an API connector for use as part of the self-service sign-up user flow. You can only obtain the value of this object using Get userFlowApiConnectorConfiguration. | | +| **Id** | Key | String | The unique identifier for an entity. Read-only. | | +| **IdentityProviders** | Write | StringArray[] | The identity providers included in the user flow. | | +| **UserAttributeAssignments** | Write | MSFT_MicrosoftGraphuserFlowUserAttributeAssignment[] | The user attribute assignments included in the user flow. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_MicrosoftGraphUserFlowApiConnectorConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **postFederationSignupConnectorName** | Write | String | The name of the connector used for post federation signup step. | | +| **postAttributeCollectionConnectorName** | Write | String | The name of the connector used for post attribute collection step. | | + +### MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Write | String | The display name of the property displayed to the end user in the user flow. | | +| **Value** | Write | String | The value that is set when this item is selected. | | +| **IsDefault** | Write | Boolean | Used to set the value as the default. | | + +### MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Write | String | The unique identifier of identityUserFlowAttributeAssignment. | | +| **DisplayName** | Write | String | The display name of the identityUserFlowAttribute within a user flow. | | +| **IsOptional** | Write | Boolean | Determines whether the identityUserFlowAttribute is optional. | | +| **UserInputType** | Write | String | User Flow Attribute Input Type. | `textBox`, `dateTimeDropdown`, `radioSingleSelect`, `dropdownSingleSelect`, `emailBox`, `checkboxMultiSelect` | +| **UserAttributeValues** | Write | MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues[] | The list of user attribute values for this assignment. | | + + +## Description + +Azure AD Identity B2 X User Flow + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - IdentityUserFlow.Read.All + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - IdentityUserFlow.Read.All + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorId = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorId = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + } + ); + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorId = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorId = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + } + ); + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Id = "B2X_1_TestFlow"; + } + } +} +``` + From 3be4b1587c3d484ff37c40ed39e15f9a8ec0a5f9 Mon Sep 17 00:00:00 2001 From: "Arpita Mohapatra (from Dev Box)" Date: Mon, 21 Oct 2024 22:35:35 +0530 Subject: [PATCH 36/98] put proper resource name in settings.json --- .../MSFT_EXOMailboxAuditBypassAssociation/settings.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json index cbacd227bb..35a9d6c51d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json @@ -1,5 +1,5 @@ { - "resourceName": "EXOJournalRule", + "resourceName": "EXOMailboxAuditBypassAssociation", "description": "", "roles": { "read": [ From 5d41c816ead07d8a2a64698a6ba4bc9b47f90a02 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 21 Oct 2024 15:05:08 -0400 Subject: [PATCH 37/98] Updated --- CHANGELOG.md | 6 ++++++ Modules/Microsoft365DSC/Dependencies/Manifest.psd1 | 8 ++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ee03c9e3d..1738593e7e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,12 @@ * M365DSCDRGUtil * Fixes an issue where non-unique properties were not combined properly with their respective parent setting. +* DEPENDENCIES + * Updated ExchangeOnlineManagement to version 3.6.0. + * Updated Microsoft.Graph to version 2.24.0. + * Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.199. + * Updated MSCloudLoginAssistant to version 1.1.27 + * Updated MicrosoftTeams to version 6.6.0. # 1.24.1016.1 diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 index 7fd6bbe7fe..c9f78cc37b 100644 --- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 +++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 @@ -26,7 +26,7 @@ }, @{ ModuleName = 'ExchangeOnlineManagement' - RequiredVersion = '3.4.0' + RequiredVersion = '3.6.0' }, @{ ModuleName = 'Microsoft.Graph.Applications' @@ -114,15 +114,15 @@ }, @{ ModuleName = 'Microsoft.PowerApps.Administration.PowerShell' - RequiredVersion = '2.0.191' + RequiredVersion = '2.0.199' }, @{ ModuleName = 'MicrosoftTeams' - RequiredVersion = '6.5.0' + RequiredVersion = '6.6.0' }, @{ ModuleName = "MSCloudLoginAssistant" - RequiredVersion = "1.1.25" + RequiredVersion = "1.1.27" }, @{ ModuleName = 'PnP.PowerShell' From c4ee0dae32f177351fa4f614b359b905ba5d3abf Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 21 Oct 2024 17:22:15 -0400 Subject: [PATCH 38/98] Fixes to examples --- .../Examples/Resources/AADIdentityB2XUserFlow/1-Create.ps1 | 4 ++-- .../Examples/Resources/AADIdentityB2XUserFlow/2-Update.ps1 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/1-Create.ps1 index 643146f6ca..ca33cc25d7 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/1-Create.ps1 @@ -29,8 +29,8 @@ Configuration Example CertificateThumbprint = $CertificateThumbprint ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration { - postAttributeCollectionConnectorId = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' - postFederationSignupConnectorId = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' }; Credential = $Credscredential; Ensure = "Present"; diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/2-Update.ps1 index 643146f6ca..ca33cc25d7 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/2-Update.ps1 @@ -29,8 +29,8 @@ Configuration Example CertificateThumbprint = $CertificateThumbprint ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration { - postAttributeCollectionConnectorId = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' - postFederationSignupConnectorId = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' }; Credential = $Credscredential; Ensure = "Present"; From 433c7390ef396d0e2afab8213c8c313e6dbae2a5 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 21 Oct 2024 18:31:57 -0400 Subject: [PATCH 39/98] Fixes Unit Tests --- .../MSFT_AADIdentityB2XUserFlow.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 index 41be1d79fe..c6dac92a02 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 @@ -101,7 +101,7 @@ function Get-TargetResource #endregion #region Get IdentityProviders - $getIdentityProviders = Get-MgBetaIdentityB2XUserFlowIdentityProvider -B2XIdentityUserFlowId $Id | Select-Object Id + $getIdentityProviders = (Get-MgBetaIdentityB2XUserFlowIdentityProvider -B2XIdentityUserFlowId $Id).id if ($getIdentityProviders.Count -eq 0) { $getIdentityProviders = @() From 8429b4963379b1f07e726dacdbc8fea359ccc8bf Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 21 Oct 2024 22:47:22 +0000 Subject: [PATCH 40/98] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/azure-ad/AADIdentityB2XUserFlow.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/docs/resources/azure-ad/AADIdentityB2XUserFlow.md b/docs/docs/resources/azure-ad/AADIdentityB2XUserFlow.md index 193a1d29f9..d0b06feda8 100644 --- a/docs/docs/resources/azure-ad/AADIdentityB2XUserFlow.md +++ b/docs/docs/resources/azure-ad/AADIdentityB2XUserFlow.md @@ -113,8 +113,8 @@ Configuration Example CertificateThumbprint = $CertificateThumbprint ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration { - postAttributeCollectionConnectorId = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' - postFederationSignupConnectorId = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' }; Credential = $Credscredential; Ensure = "Present"; @@ -195,8 +195,8 @@ Configuration Example CertificateThumbprint = $CertificateThumbprint ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration { - postAttributeCollectionConnectorId = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' - postFederationSignupConnectorId = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' }; Credential = $Credscredential; Ensure = "Present"; From 0f4eb1c85def1a7ae6d34a671eef73869fa5bb1d Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 21 Oct 2024 22:47:31 +0000 Subject: [PATCH 41/98] Updated {Create} AAD Integration Tests --- .../Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index 4f7852e57e..2cd1184f98 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 @@ -458,8 +458,8 @@ CertificateThumbprint = $CertificateThumbprint ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration { - postAttributeCollectionConnectorId = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' - postFederationSignupConnectorId = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' }; Credential = $Credscredential; Ensure = "Present"; From a8155a36170e481ca318c9f5d98a377fb1fdd034 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 21 Oct 2024 22:47:54 +0000 Subject: [PATCH 42/98] Updated {Update} AAD Integration Tests --- .../Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 index e0ae304574..dd03f57077 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 @@ -959,8 +959,8 @@ CertificateThumbprint = $CertificateThumbprint ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration { - postAttributeCollectionConnectorId = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' - postFederationSignupConnectorId = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' }; Credential = $Credscredential; Ensure = "Present"; From 113ce98c372fae7c5c9adebe3c2812d129433e30 Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Tue, 22 Oct 2024 10:29:17 +0530 Subject: [PATCH 43/98] Making changes for certificates --- .../MSFT_AADIdentityAPIConnector.psm1 | 54 ++++++++++++++----- .../MSFT_AADIdentityAPIConnector.schema.mof | 11 +++- 2 files changed, 51 insertions(+), 14 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 index 1c6c4bc75d..60f6d95ac3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 @@ -26,8 +26,8 @@ function Get-TargetResource $Password, [Parameter()] - [System.Management.Automation.PSCredential] - $Pkcs12Value, + [Microsoft.Management.Infrastructure.CimInstance[]] + $Certificates, #endregion @@ -121,10 +121,19 @@ function Get-TargetResource $Password = New-Object System.Management.Automation.PSCredential ('Password', $securePassword) } - if($null -ne $getValue.AuthenticationConfiguration.AdditionalProperties.pkcs12Value) { - $securePassword = ConvertTo-SecureString $getValue.AuthenticationConfiguration.AdditionalProperties.pkcs12Value -AsPlainText -Force - $pkcs12Value = New-Object System.Management.Automation.PSCredential ('pkcs12Value', $securePassword) + $complexCertificates = @() + foreach ($currentCertificate in $getValue.AuthenticationConfiguration.AdditionalProperties.certificateList) + { + $myCertificate= @{} + $myCertificate.Add('Pkcs12Value', "Please insert a valid Pkcs12Value") + $myCertificate.Add('Thumbprint', $currentCertificate.thumbprint) + $myCertificate.Add('IsActive', $currentCertificate.isActive) + + if ($myCertificate.values.Where({$null -ne $_}).Count -gt 0) + { + $complexCertificates += $myCertificate + } } #endregion @@ -135,7 +144,7 @@ function Get-TargetResource Id = $getValue.Id Username = $getValue.AuthenticationConfiguration.AdditionalProperties.username Password = $Password - Pkcs12Value = $pkcs12Value + Certificates = $complexCertificates Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId @@ -187,8 +196,8 @@ function Set-TargetResource $Password, [Parameter()] - [System.Management.Automation.PSCredential] - $Pkcs12Value, + [Microsoft.Management.Infrastructure.CimInstance[]] + $Certificates, #endregion @@ -321,8 +330,8 @@ function Test-TargetResource $Password, [Parameter()] - [System.Management.Automation.PSCredential] - $Pkcs12Value, + [Microsoft.Management.Infrastructure.CimInstance[]] + $Certificates, #endregion @@ -526,11 +535,25 @@ function Export-TargetResource $Results = Get-TargetResource @Params $Results.Password = "New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString ((New-Guid).ToString()) -AsPlainText -Force));" - $Results.Pkcs12Value = "New-Object System.Management.Automation.PSCredential('Pkcs12Value', (ConvertTo-SecureString ((New-Guid).ToString()) -AsPlainText -Force));" - $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results + + if ($null -ne $Results.Certificates) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.Certificates` + -CIMInstanceName 'AADIdentityAPIConnectionCertificate' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.Certificates = $complexTypeStringResult + } + else + { + $Results.Remove('Certificates') | Out-Null + } + } + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` @@ -538,9 +561,14 @@ function Export-TargetResource -Credential $Credential - $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Pkcs12Value' $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Password' + + if ($Results.Certificates) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Certificates" -IsCIMArray:$True + } + $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof index 7c359ad403..8407b6ae24 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof @@ -1,3 +1,12 @@ +[ClassVersion("1.0.0")] +class MSFT_AADIdentityAPIConnectionCertificate +{ + [Write, Description("")] String Pkcs12Value; + [Write, Description("")] String Thumbprint; + [Write, Description("")] Boolean IsActive; +}; + + [ClassVersion("1.0.0.0"), FriendlyName("AADIdentityAPIConnector")] class MSFT_AADIdentityAPIConnector : OMI_BaseResource { @@ -6,7 +15,7 @@ class MSFT_AADIdentityAPIConnector : OMI_BaseResource [Key, Description("The unique identifier for an entity. Read-only.")] String Id; [Write, Description("The username of the password")] String Username; [Write, Description("The password of certificate/basic auth"), EmbeddedInstance("MSFT_Credential")] String Password; - [Write, Description("The Pkcs12Value of the certificate"), EmbeddedInstance("MSFT_Credential")] String Pkcs12Value; + [Write, Description(""), EmbeddedInstance("MSFT_AADIdentityAPIConnectionCertificate")] String Certificates[]; [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; From c213db26a2c6663bb3d79c382e6651bbcb9f6f21 Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Tue, 22 Oct 2024 10:54:30 +0530 Subject: [PATCH 44/98] temp --- .../MSFT_AADIdentityAPIConnector.psm1 | 83 +++++++++++-------- 1 file changed, 48 insertions(+), 35 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 index 60f6d95ac3..bf311e9b62 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 @@ -251,54 +251,67 @@ function Set-TargetResource $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + # If the certificates array is not empty, then we need to create a new instance of New-MgBetaAADIdentityAPIConnector - if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') - { - Write-Verbose -Message "Creating an Azure AD Identity API Connector with DisplayName {$DisplayName}" + $needToUpdateCertificates = $false + if($null -ne $Certificates -and $Certificates.Count -gt 0) { + $needToUpdateCertificates = $true + } - $createParameters = ([Hashtable]$BoundParameters).Clone() - $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters - $createParameters.Remove('Id') | Out-Null + if($needToUpdateCertificates -eq $false) { + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Azure AD Identity API Connector with DisplayName {$DisplayName}" - $createParameters.Remove('Password') | Out-Null - $createParameters.Remove('Pkcs12Value') | Out-Null + $createParameters = ([Hashtable]$BoundParameters).Clone() + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + $createParameters.Remove('Id') | Out-Null - $createParameters.Add("AuthenticationConfiguration", @{ - '@odata.type' = "microsoft.graph.basicAuthentication" - "password" = $Password.GetNetworkCredential().Password - "username" = $Username - }) + $createParameters.Remove('Password') | Out-Null + $createParameters.Remove('Pkcs12Value') | Out-Null - $createParameters.Add("@odata.type", "#microsoft.graph.IdentityApiConnector") - $policy = New-MgBetaIdentityAPIConnector -BodyParameter $createParameters - } - elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') - { - Write-Verbose -Message "Updating the Azure AD Identity API Connector with Id {$($currentInstance.Id)}" + if($username -ne $null) { + $createParameters.Add("AuthenticationConfiguration", @{ + '@odata.type' = "microsoft.graph.basicAuthentication" + "password" = $Password.GetNetworkCredential().Password + "username" = $Username + }) + } - $updateParameters = ([Hashtable]$BoundParameters).Clone() - $updateParameters = Rename-M365DSCCimInstanceParameter -Properties $updateParameters + $createParameters.Add("@odata.type", "#microsoft.graph.IdentityApiConnector") + $policy = New-MgBetaIdentityAPIConnector -BodyParameter $createParameters + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Identity API Connector with Id {$($currentInstance.Id)}" + + $updateParameters = ([Hashtable]$BoundParameters).Clone() + $updateParameters = Rename-M365DSCCimInstanceParameter -Properties $updateParameters - $updateParameters.Remove('Id') | Out-Null + $updateParameters.Remove('Id') | Out-Null - $updateParameters.Remove('Password') | Out-Null - $updateParameters.Remove('Pkcs12Value') | Out-Null + $updateParameters.Remove('Password') | Out-Null + $updateParameters.Remove('Pkcs12Value') | Out-Null - $updateParameters.Add("AuthenticationConfiguration", @{ - '@odata.type' = "microsoft.graph.basicAuthentication" - "password" = $Password.GetNetworkCredential().Password - "username" = $Username - }) + $updateParameters.Add("AuthenticationConfiguration", @{ + '@odata.type' = "microsoft.graph.basicAuthentication" + "password" = $Password.GetNetworkCredential().Password + "username" = $Username + }) - $UpdateParameters.Add("@odata.type", "#microsoft.graph.IdentityApiConnector") - Update-MgBetaIdentityAPIConnector ` + $UpdateParameters.Add("@odata.type", "#microsoft.graph.IdentityApiConnector") + Update-MgBetaIdentityAPIConnector ` -IdentityApiConnectorId $currentInstance.Id ` -BodyParameter $UpdateParameters + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Azure AD Identity API Connector with Id {$($currentInstance.Id)}" + Remove-MgBetaIdentityAPIConnector -IdentityApiConnectorId $currentInstance.Id + } } - elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') - { - Write-Verbose -Message "Removing the Azure AD Identity API Connector with Id {$($currentInstance.Id)}" - Remove-MgBetaIdentityAPIConnector -IdentityApiConnectorId $currentInstance.Id + else { + Remove-MgBetaIdentityAPIConnector -IdentityApiConnectorId $currentInstance.Id } } From 3b813b219873b9d756d72f9a40c812f531ce251d Mon Sep 17 00:00:00 2001 From: "Ritik Mittal (from Dev Box)" Date: Tue, 22 Oct 2024 13:33:23 +0530 Subject: [PATCH 45/98] Added AADAuthenticationMethodPolicyExternal resource --- ...AADAuthenticationMethodPolicyExternal.psm1 | 678 ++++++++++++++++++ ...henticationMethodPolicyExternal.schema.mof | 39 + .../readme.md | 6 + .../settings.json | 52 ++ .../1-Create.ps1 | 52 ++ .../2-Update.ps1 | 52 ++ .../3-Remove.ps1 | 34 + ...thenticationMethodPolicyExternal.Tests.ps1 | 365 ++++++++++ 8 files changed, 1278 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/2-Update.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/3-Remove.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthenticationMethodPolicyExternal.Tests.ps1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.psm1 new file mode 100644 index 0000000000..18533817f8 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.psm1 @@ -0,0 +1,678 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ExcludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $IncludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OpenIdConnectSetting, + + [Parameter()] + [ValidateSet('enabled', 'disabled')] + [System.String] + $State, + + [Parameter()] + [System.String] + $AppId, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + + if (-Not [string]::IsNullOrEmpty($DisplayName)) + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $getValue = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + else + { + $response = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/" + $getValue = $response.authenticationMethodConfigurations | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + } + + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Authentication Method Policy External with DisplayName {$DisplayName}" + return $nullResult + } + + Write-Verbose -Message "An Azure AD Authentication Method Policy External with displayName {$DisplayName} was found." + + #region resource generator code + $complexExcludeTargets = @() + foreach ($currentExcludeTargets in $getValue.excludeTargets) + { + $myExcludeTargets = @{} + if ($currentExcludeTargets.id -ne 'all_users'){ + $myExcludeTargetsDisplayName = get-MgGroup -GroupId $currentExcludeTargets.id + $myExcludeTargets.Add('Id', $myExcludeTargetsDisplayName.DisplayName) + } + else{ + $myExcludeTargets.Add('Id', $currentExcludeTargets.id) + } + if ($null -ne $currentExcludeTargets.targetType) + { + $myExcludeTargets.Add('TargetType', $currentExcludeTargets.targetType.toString()) + } + if ($myExcludeTargets.values.Where({ $null -ne $_ }).count -gt 0) + { + $complexExcludeTargets += $myExcludeTargets + } + } + #endregion + + $complexincludeTargets = @() + foreach ($currentincludeTargets in $getValue.includeTargets) + { + $myincludeTargets = @{} + if ($currentIncludeTargets.id -ne 'all_users'){ + $myIncludeTargetsDisplayName = get-MgGroup -GroupId $currentIncludeTargets.id + $myIncludeTargets.Add('Id', $myIncludeTargetsDisplayName.DisplayName) + } + else{ + $myIncludeTargets.Add('Id', $currentIncludeTargets.id) + } + if ($null -ne $currentincludeTargets.targetType) + { + $myincludeTargets.Add('TargetType', $currentincludeTargets.targetType.toString()) + } + if ($myincludeTargets.values.Where({ $null -ne $_ }).count -gt 0) + { + $complexincludeTargets += $myincludeTargets + } + } + + $complexOpenIdConnectSetting = @{ + clientId = $getValue.OpenIdConnectSetting.ClientId + discoveryUrl = $getValue.OpenIdConnectSetting.DiscoveryUrl + } + + #region resource generator code + $enumState = $null + if ($null -ne $getValue.State) + { + $enumState = $getValue.State.ToString() + } + #endregion + + $results = @{ + #region resource generator code + ExcludeTargets = $complexExcludeTargets + IncludeTargets = $complexincludeTargets + OpenIdConnectSetting = $complexOpenIdConnectSetting + State = $enumState + AppId = $getValue.appId + DisplayName = $getValue.displayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + #endregion + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ExcludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $IncludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OpenIdConnectSetting, + + [Parameter()] + [ValidateSet('enabled', 'disabled')] + [System.String] + $State, + + [Parameter()] + [System.String] + $AppId, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + $params = ([Hashtable]$BoundParameters).clone() + $params = Rename-M365DSCCimInstanceParameter -Properties $params + + $params = Get-UpdatedTargetProperty($params) + + $params.Add('@odata.type', '#microsoft.graph.externalAuthenticationMethodConfiguration') + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating the Azure AD Authentication Method Policy External with name {$DisplayName}" + + $newobj = New-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -BodyParameter $params + + Write-Verbose -Message "Creating the Azure AD Authentication Method Policy External with name {$($newObj.displayName)}" + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Authentication Method Policy External with name {$($currentInstance.displayName)}" + + $response = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/" + $getValue = $response.authenticationMethodConfigurations | Where-Object -FilterScript {$_.displayName -eq $currentInstance.displayName} + + $params.Remove('displayName') | Out-Null + + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration ` + -AuthenticationMethodConfigurationId $getValue.Id ` + -BodyParameter $params + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Azure AD Authentication Method Policy External with Id {$($currentInstance.displayName)}" + + $response = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/" + $getValue = $response.authenticationMethodConfigurations | Where-Object -FilterScript {$_.displayName -eq $currentInstance.displayName} + + Remove-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId $getValue.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ExcludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $IncludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OpenIdConnectSetting, + + [Parameter()] + [ValidateSet('enabled', 'disabled')] + [System.String] + $State, + + [Parameter()] + [System.String] + $AppId, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Authentication Method Policy External with Name {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source + + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + $desiredType = "#microsoft.graph.externalAuthenticationMethodConfiguration" + $getPolicy = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/" + $getValue = $getPolicy.AuthenticationMethodConfigurations | Where-Object -FilterScript {$_.'@odata.type' -eq $desiredType} + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.displayName + + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $config.displayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.ExcludeTargets) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.ExcludeTargets ` + -CIMInstanceName 'AADAuthenticationMethodPolicyExternalExcludeTarget' + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.ExcludeTargets = $complexTypeStringResult + } + else + { + $Results.Remove('ExcludeTargets') | Out-Null + } + } + + if ($null -ne $Results.IncludeTargets) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.IncludeTargets ` + -CIMInstanceName 'AADAuthenticationMethodPolicyExternalIncludeTarget' + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.IncludeTargets = $complexTypeStringResult + } + else + { + $Results.Remove('IncludeTargets') | Out-Null + } + } + + if ($null -ne $Results.OpenIdConnectSetting) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.OpenIdConnectSetting ` + -CIMInstanceName 'AADAuthenticationMethodPolicyExternalOpenIdConnectSetting' + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.OpenIdConnectSetting = $complexTypeStringResult + } + else + { + $Results.Remove('OpenIdConnectSetting') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.ExcludeTargets) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ExcludeTargets' -IsCIMArray:$True + } + if ($Results.IncludeTargets) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'IncludeTargets' -IsCIMArray:$True + } + if ($Results.OpenIdConnectSetting) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'OpenIdConnectSetting' -IsCIMArray:$False + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-UpdatedTargetProperty +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter()] + [System.Collections.Hashtable] + $params + ) + + $keys = (([Hashtable]$params).clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $params.$key -and $params.$key.getType().Name -like '*cimInstance*') + { + $params.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $params.$key + } + if ($key -eq 'IncludeTargets') + { + $i = 0 + foreach ($entry in $params.$key){ + if ($entry.id -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$|all_users') + { + $Filter = "Displayname eq '$($entry.id)'" | Out-String + $params.$key[$i].foreach('id',(Get-MgGroup -Filter $Filter).id.ToString()) + } + $i++ + } + } + if ($key -eq 'ExcludeTargets') + { + $i = 0 + foreach ($entry in $params.$key){ + if ($entry.id -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$|all_users') + { + $Filter = "Displayname eq '$($entry.id)'" | Out-String + $params.$key[$i].foreach('id',(Get-MgGroup -Filter $Filter).id.ToString()) + } + $i++ + } + } + } + + return $params +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.schema.mof new file mode 100644 index 0000000000..00077c4287 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.schema.mof @@ -0,0 +1,39 @@ +[ClassVersion("1.0.0")] +class MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget +{ + [Write, Description("The object identifier of an Azure AD group.")] String Id; + [Write, Description("The type of the authentication method target. Possible values are: group and unknownFutureValue."), ValueMap{"user","group","unknownFutureValue"}, Values{"user","group","unknownFutureValue"}] String TargetType; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget +{ + [Write, Description("The object identifier of an Azure AD group.")] String Id; + [Write, Description("The type of the authentication method target. Possible values are: group and unknownFutureValue."), ValueMap{"user","group","unknownFutureValue"}, Values{"user","group","unknownFutureValue"}] String TargetType; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting +{ + [Write, Description("The Microsoft Entra ID's client ID as generated by the provider or admin to identify Microsoft Entra ID.")] String ClientId; + [Write, Description("The host URL of the external identity provider's OIDC discovery endpoint.")] String DiscoveryUrl; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADAuthenticationMethodPolicyExternal")] +class MSFT_AADAuthenticationMethodPolicyExternal : OMI_BaseResource +{ + [Write, Description("Displayname of the groups of users that are excluded from a policy."), EmbeddedInstance("MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget")] String ExcludeTargets[]; + [Write, Description("Displayname of the groups of users that are included from a policy."), EmbeddedInstance("MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget")] String IncludeTargets[]; + [Write, Description("Open ID Connection settings used by this external authentication method."), EmbeddedInstance("MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting")] String OpenIdConnectSetting; + [Write, Description("The state of the policy. Possible values are: enabled, disabled."), ValueMap{"enabled","disabled"}, Values{"enabled","disabled"}] String State; + [Write, Description("The appId for the app registration in Microsoft Entra ID representing the integration with the external provider.")] String AppId; + [Key, Description("The displayName of the authentication policy configuration. Read-only.")] String DisplayName; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/readme.md new file mode 100644 index 0000000000..7dfd5268e3 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/readme.md @@ -0,0 +1,6 @@ + +# AADAuthenticationMethodPolicyExternal + +## Description + +Azure AD Authentication Method Policy External diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/settings.json new file mode 100644 index 0000000000..8257c0365e --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/settings.json @@ -0,0 +1,52 @@ +{ + "resourceName": "AADAuthenticationMethodPolicyExternal", + "description": "This resource configures an Azure AD Authentication Method Policy External.", + "roles": { + "read": [ + "Security Reader" + ], + "update": [ + "Authentication Policy Administrator" + ] + }, + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "Policy.ReadWrite.AuthenticationMethod" + }, + { + "name": "Policy.Read.All" + } + ], + "update": [ + { + "name": "Policy.ReadWrite.AuthenticationMethod" + }, + { + "name": "Policy.Read.All" + } + ] + }, + "application": { + "read": [ + { + "name": "Policy.ReadWrite.AuthenticationMethod" + }, + { + "name": "Policy.Read.All" + } + ], + "update": [ + { + "name": "Policy.ReadWrite.AuthenticationMethod" + }, + { + "name": "Policy.Read.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/1-Create.ps1 new file mode 100644 index 0000000000..37d14becd2 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/1-Create.ps1 @@ -0,0 +1,52 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb"; + DisplayName = "Cisco Duo"; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{ + Id = 'Design' + TargetType = 'group' + } + ); + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{ + Id = 'Contoso' + TargetType = 'group' + } + ); + OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '7698a352-4939-486e-9974-4ea5aff93f74' + }; + State = "disabled"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/2-Update.ps1 new file mode 100644 index 0000000000..d74c1bc156 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/2-Update.ps1 @@ -0,0 +1,52 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + Node localhost + { + AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb"; + DisplayName = "Cisco Duo"; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{ + Id = 'Design' + TargetType = 'group' + } + ); + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{ + Id = 'Contoso' + TargetType = 'group' + } + ); + OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '7698a352-4939-486e-9974-4ea5aff93f74' + }; + State = "disabled"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/3-Remove.ps1 new file mode 100644 index 0000000000..baa1dcf897 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/3-Remove.ps1 @@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + Node localhost + { + AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DisplayName = "Cisco Duo"; + Ensure = "Absent"; + } + } +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthenticationMethodPolicyExternal.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthenticationMethodPolicyExternal.Tests.ps1 new file mode 100644 index 0000000000..ec4f10ace8 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthenticationMethodPolicyExternal.Tests.ps1 @@ -0,0 +1,365 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADAuthenticationMethodPolicyExternal" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -MockWith { + } + + Mock -CommandName Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -MockWith { + } + + Mock -CommandName Remove-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADAuthenticationMethodPolicyExternal should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + ExcludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFTAADAuthenticationMethodPolicyExternalExcludeTarget -Property @{ + TargetType = "group" + Id = "Fakegroup" + } -ClientOnly) + ) + IncludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget -Property @{ + TargetType = 'group' + Id = 'Fakegroup' + } -ClientOnly) + ) + OpenIdConnectSetting = (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting -Property @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } -ClientOnly); + DisplayName = "ExternalOath" + State = "enabled" + Ensure = "Present" + AppId = "00000000-0000-0000-0000-000000000002" + Credential = $Credential; + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -Exactly 1 + } + } + + Context -Name "The AADAuthenticationMethodPolicyExternal exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + ExcludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFTAADAuthenticationMethodPolicyExternalExcludeTarget -Property @{ + TargetType = "group" + Id = "Fakegroup" + } -ClientOnly) + ) + IncludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget -Property @{ + TargetType = 'group' + Id = 'Fakegroup' + } -ClientOnly) + ) + OpenIdConnectSetting = (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting -Property @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } -ClientOnly); + DisplayName = "ExternalOath" + State = "enabled" + Ensure = "Absent" + AppId = "00000000-0000-0000-0000-000000000002" + Credential = $Credential; + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + authenticationMethodConfigurations = @{ + IncludeTargets = @( + @{ + TargetType = 'group' + Id = 'Fakegroup' + } + ) + ExcludeTargets = @( + @{ + TargetType = "group" + Id = "00000000-0000-0000-0000-000000000000" + } + ) + OpenIdConnectSetting = @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } + DisplayName = "ExternalOath" + AppId = "00000000-0000-0000-0000-000000000002" + State = "enabled" + '@odata.type' = "#microsoft.graph.externalAuthenticationMethodConfiguration" + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -Exactly 1 + } + } + Context -Name "The AADAuthenticationMethodPolicyExternal Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ExcludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFTAADAuthenticationMethodPolicyExternalExcludeTarget -Property @{ + TargetType = "group" + Id = "Fakegroup" + } -ClientOnly) + ) + IncludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget -Property @{ + TargetType = 'group' + Id = 'Fakegroup' + } -ClientOnly) + ) + OpenIdConnectSetting = (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting -Property @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } -ClientOnly); + DisplayName = "ExternalOath" + State = "enabled" + Ensure = "Present" + AppId = "00000000-0000-0000-0000-000000000002" + Credential = $Credential; + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + authenticationMethodConfigurations = @{ + IncludeTargets = @( + @{ + TargetType = 'group' + Id = 'Fakegroup' + } + ) + ExcludeTargets = @( + @{ + TargetType = "group" + Id = "00000000-0000-0000-0000-000000000000" + } + ) + OpenIdConnectSetting = @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } + DisplayName = "ExternalOath" + AppId = "00000000-0000-0000-0000-000000000002" + State = "enabled" + '@odata.type' = "#microsoft.graph.externalAuthenticationMethodConfiguration" + } + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADAuthenticationMethodPolicyExternal exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ExcludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFTAADAuthenticationMethodPolicyExternalExcludeTarget -Property @{ + TargetType = "group" + Id = "Fakegroup" + } -ClientOnly) + ) + IncludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget -Property @{ + TargetType = 'group' + Id = 'Fakegroup' + } -ClientOnly) + ) + OpenIdConnectSetting = (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting -Property @{ + discoveryUrl = 'https://microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } -ClientOnly); + DisplayName = "ExternalOath" + State = "enabled" + Ensure = "Present" + AppId = "00000000-0000-0000-0000-000000000003" + Credential = $Credential; + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + authenticationMethodConfigurations = @{ + IncludeTargets = @( + @{ + TargetType = 'group' + Id = 'Fakegroup' + } + ) + ExcludeTargets = @( + @{ + TargetType = "group" + Id = "00000000-0000-0000-0000-000000000000" + } + ) + OpenIdConnectSetting = @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } + DisplayName = "ExternalOath" + AppId = "00000000-0000-0000-0000-000000000002" + State = "enabled" + '@odata.type' = "#microsoft.graph.externalAuthenticationMethodConfiguration" + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + authenticationMethodConfigurations = @{ + IncludeTargets = @( + @{ + TargetType = 'group' + Id = 'Fakegroup' + } + ) + ExcludeTargets = @( + @{ + TargetType = "group" + Id = "00000000-0000-0000-0000-000000000000" + } + ) + OpenIdConnectSetting = @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } + DisplayName = "ExternalOath" + AppId = "00000000-0000-0000-0000-000000000002" + State = "enabled" + '@odata.type' = "#microsoft.graph.externalAuthenticationMethodConfiguration" + } + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope From 2e5dd690f6885febec22637e5785d80df07c2167 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 08:04:36 +0000 Subject: [PATCH 46/98] Updated {Create} AAD Integration Tests --- .../M365DSCIntegration.AAD.Create.Tests.ps1 | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index 4f7852e57e..18b143b38f 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 @@ -209,6 +209,32 @@ Id = "c3"; IsAvailable = $True; } + AADAuthenticationMethodPolicyExternal 'AADAuthenticationMethodPolicyExternal-Cisco Duo' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb"; + DisplayName = "Cisco Duo"; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{ + Id = 'Design' + TargetType = 'group' + } + ); + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{ + Id = 'Contoso' + TargetType = 'group' + } + ); + OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '7698a352-4939-486e-9974-4ea5aff93f74' + }; + State = "disabled"; + } AADAuthenticationStrengthPolicy 'AADAuthenticationStrengthPolicy-Example' { AllowedCombinations = @("windowsHelloForBusiness","fido2","x509CertificateMultiFactor","deviceBasedPush"); From e38de23c9146d5c57f2689007af7e82a824c106f Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 08:05:00 +0000 Subject: [PATCH 47/98] Updated {Update} AAD Integration Tests --- .../M365DSCIntegration.AAD.Update.Tests.ps1 | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 index e0ae304574..d0217fa731 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 @@ -357,6 +357,32 @@ ); State = "enabled"; # Updated Property } + AADAuthenticationMethodPolicyExternal 'AADAuthenticationMethodPolicyExternal-Cisco Duo' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb"; + DisplayName = "Cisco Duo"; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{ + Id = 'Design' + TargetType = 'group' + } + ); + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{ + Id = 'Contoso' + TargetType = 'group' + } + ); + OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '7698a352-4939-486e-9974-4ea5aff93f74' + }; + State = "disabled"; + } AADAuthenticationMethodPolicyFido2 'AADAuthenticationMethodPolicyFido2-Fido2' { ApplicationId = $ApplicationId From 7df2bfd52e89aba1fcbc0ca8f63314399d87edf6 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 08:05:18 +0000 Subject: [PATCH 48/98] Updated {Update} AAD Integration Tests --- .../M365DSCIntegration.AAD.Remove.Tests.ps1 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 index 501de97c48..202ca07b45 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 @@ -88,6 +88,14 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADAuthenticationMethodPolicyExternal 'AADAuthenticationMethodPolicyExternal-Cisco Duo' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DisplayName = "Cisco Duo"; + Ensure = "Absent"; + } AADAuthenticationMethodPolicyFido2 'AADAuthenticationMethodPolicyFido2-Fido2' { Ensure = "Absent"; From ccd354865e72afe6f2c6736e6c29b551a251ea9b Mon Sep 17 00:00:00 2001 From: "Ritik Mittal (from Dev Box)" Date: Tue, 22 Oct 2024 13:35:32 +0530 Subject: [PATCH 49/98] Added changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f55af8027f..0a4a3d013e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ * AADAccessReviewDefinition * Initial release. +* AADAuthenticationMethodPolicyExternal + * Initial release. * AADCustomSecurityAttributeDefinition * Fixed missing permissions in settings.json * AADIdentityB2XUserFlow From d52254b5f548459206fa6c02c562fc64a8447a95 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 08:07:04 +0000 Subject: [PATCH 50/98] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 120 ++++++++++++++++++ 1 file changed, 120 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index f90e5d8058..2ba602200b 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -1844,6 +1844,126 @@ } ] }, + { + "ClassName": "MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TargetType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TargetType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting", + "Parameters": [ + { + "CIMType": "String", + "Name": "ClientId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DiscoveryUrl", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADAuthenticationMethodPolicyExternal", + "Parameters": [ + { + "CIMType": "MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget[]", + "Name": "ExcludeTargets", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget[]", + "Name": "IncludeTargets", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting", + "Name": "OpenIdConnectSetting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "State", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AppId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_MicrosoftGraphFido2KeyRestrictions", "Parameters": [ From d2908a1c4ba6f0e01202e957f25a4768883dd59c Mon Sep 17 00:00:00 2001 From: Sai Rohit Date: Tue, 22 Oct 2024 13:39:37 +0530 Subject: [PATCH 51/98] Fixed Set cases. --- ...MSFT_AADCustomAuthenticationExtension.psm1 | 46 ++++++++++++------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 index dd6ee5f452..8cb16f56e8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 @@ -311,19 +311,15 @@ function Set-TargetResource $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters $params = @{ - "@odata.type" = $setParameters["CustomAuthenticationExtensionType"] - displayName = $setParameters["DisplayName"] - description = $setParameters["Description"] + "@odata.type" = $setParameters.CustomAuthenticationExtensionType + displayName = $setParameters.DisplayName + description = $setParameters.Description endpointConfiguration = @{ - "@odata.type" = $setParameters["EndpointType"] - targetUrl = $setParameters["TargetUrl"] - subscriptionId = $setParameters["SubscriptionId"] - resourceGroupName = $setParameters["ResourceGroupName"] - logicAppWorkflowName = $setParameters["LogicAppWorkflowName"] + "@odata.type" = $setParameters.EndPointConfiguration.EndpointType } authenticationConfiguration = @{ - "@odata.type" = $setParameters["AuthenticationConfigurationType"] - resourceId = $setParameters["AuthenticationConfigurationResourceId"] + "@odata.type" = $setParameters.AuthenticationConfigurationType + resourceId = $setParameters.AuthenticationConfigurationResourceId } clientConfiguration = @{ timeoutInMilliseconds = $setParameters["ClientConfigurationTimeoutMilliseconds"] @@ -331,21 +327,37 @@ function Set-TargetResource } } + if ($params.endpointConfiguration["@odata.type"] -eq "#microsoft.graph.httpRequestEndpoint") + { + Write-Verbose -Message "{$setParameters.EndPointConfiguration.TargetUrl}" + $params.endpointConfiguration["targetUrl"] = $setParameters.EndPointConfiguration.TargetUrl + } + + if ($params.endpointConfiguration["@odata.type"] -eq "#microsoft.graph.logicAppTriggerEndpointConfiguration") + { + $params.endpointConfiguration["subscriptionId"] = $setParameters.EndPointConfiguration["SubscriptionId"] + $params.endpointConfiguration["resourceGroupName"] = $setParameters.EndPointConfiguration["ResourceGroupName"] + $params.endpointConfiguration["logicAppWorkflowName"] = $setParameters.EndPointConfiguration["LogicAppWorkflowName"] + } + # CREATE if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { - $params.Add("ClaimsForTokenConfiguration", @()) - foreach ($claim in $setParameters["ClaimsForTokenConfiguration"]) + $params.Add("claimsForTokenConfiguration", @()) + foreach ($claim in $setParameters.claimsForTokenConfiguration) { + $val = $claim.claimIdInApiResponse + Write-Verbose -Message "{$val}" $c = @{ - "claimIdInApiResponse" = $claim["ClaimIdInApiResponse"] + "claimIdInApiResponse" = $claim.claimIdInApiResponse } - $params["claimsForTokenConfiguration"] += $c + $params.claimsForTokenConfiguration += $c } $params.Remove('Id') | Out-Null - Write-Verbose -Message "Creating new Custom authentication extension with display name {$DisplayName}" + $type = $params["@odata.type"] + Write-Verbose -Message "Creating new Custom authentication extension with display name {$DisplayName} and type {$type}" New-MgBetaIdentityCustomAuthenticationExtension -BodyParameter $params } @@ -354,7 +366,6 @@ function Set-TargetResource { Write-Verbose -Message "Updating custom authentication extension {$DisplayName}" $params.Add('CustomAuthenticationExtensionId', $currentInstance.Id) - $params.Remove("@odata.type") | Out-Null $params.Remove('Id') | Out-Null $params.Add("AdditionalProperties", @{}) @@ -369,7 +380,8 @@ function Set-TargetResource $params["AdditionalProperties"]["claimsForTokenConfiguration"] += $c } - Update-MgBetaIdentityCustomAuthenticationExtension @params + Write-Verbose -Message "{$params['@odata.type']}" + Update-MgBetaIdentityCustomAuthenticationExtension -CustomAuthenticationExtensionId $Id -BodyParameter $params } # REMOVE elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') From e597b00376cf47615c6ceb812e243e6e39176e1c Mon Sep 17 00:00:00 2001 From: Sai Rohit Date: Tue, 22 Oct 2024 14:13:37 +0530 Subject: [PATCH 52/98] Added change log --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9879a4382a..cac51ab204 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ * Initial release. * AADConnectorGroupApplicationProxy * Initial release. +* AADCustomAuthenticationExtension + * Initial release. * AADCustomSecurityAttributeDefinition * Initial release. * AADDeviceRegistrationPolicy From d4aa20d86537a434b2e4babf5dbb8de29331db7c Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Tue, 22 Oct 2024 15:19:07 +0530 Subject: [PATCH 53/98] added logic to upload certificates --- .../MSFT_AADIdentityAPIConnector.psm1 | 85 ++++++++++++++++++- .../MSFT_AADIdentityAPIConnector.schema.mof | 1 + 2 files changed, 85 insertions(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 index bf311e9b62..8218e0f355 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 @@ -128,6 +128,7 @@ function Get-TargetResource $myCertificate= @{} $myCertificate.Add('Pkcs12Value', "Please insert a valid Pkcs12Value") $myCertificate.Add('Thumbprint', $currentCertificate.thumbprint) + $myCertificate.Add('Password', "Please insert a valid Password for the certificate") $myCertificate.Add('IsActive', $currentCertificate.isActive) if ($myCertificate.values.Where({$null -ne $_}).Count -gt 0) @@ -311,7 +312,90 @@ function Set-TargetResource } } else { + + # Remove the existing instance if already present + if($currentInstance.Ensure -ne 'Absent') { + Write-Verbose -Message "Removing the Azure AD Identity API Connector with Id {$($currentInstance.Id)}" Remove-MgBetaIdentityAPIConnector -IdentityApiConnectorId $currentInstance.Id + } + + # Create a new instance with the certificates + Write-Verbose -Message "Creating an Azure AD Identity API Connector with DisplayName {$DisplayName}" + + $createParameters = ([Hashtable]$BoundParameters).Clone() + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + $createParameters.Remove('Id') | Out-Null + + $createParameters.Remove('Password') | Out-Null + $createParameters.Remove('Pkcs12Value') | Out-Null + + # Get the active and inactive certificates + $activeCertificates = @() + $inactiveCertificates = @() + foreach ($currentCertificate in $Certificates) + { + $myCertificate = @{} + $myCertificate.Add('Pkcs12Value', $currentCertificate.Pkcs12Value) + $myCertificate.Add('Password', $currentCertificate.Password) + + if($currentCertificate.IsActive -eq $true) { + $activeCertificates += $myCertificate + } + else { + $inactiveCertificates += $myCertificate + } + } + + # Only one certificate can be active + if($activeCertificates.Count -ne 1) { + Write-Error "There should be one active certificate" + throw + } + + if($inactiveCertificates.Count -eq 0) { + $createParameters.Add("AuthenticationConfiguration", @{ + '@odata.type' = "microsoft.graph.pkcs12Certificate" + "password" = $activeCertificates[0].Password + "pkcs12Value" = $activeCertificates[0].Pkcs12Value + }) + $activeCertificates = $activeCertificates[1..$activeCertificates.Count] + } + else { + $createParameters.Add("AuthenticationConfiguration", @{ + '@odata.type' = "microsoft.graph.pkcs12Certificate" + "password" = $inactiveCertificates[0].Password + "pkcs12Value" = $inactiveCertificates[0].Pkcs12Value + }) + # remove the first element from the inactive certificates + $inactiveCertificates = $inactiveCertificates[1..$inactiveCertificates.Count] + } + + $createParameters.Add("@odata.type", "#microsoft.graph.IdentityApiConnector") + $policy = New-MgBetaIdentityAPIConnector -BodyParameter $createParameters + + + # Upload the inactive certificates + foreach ($currentCertificate in $inactiveCertificates) + { + $params = @{ + pkcs12Value = $currentCertificate.Pkcs12Value + password = $currentCertificate.Password + } + + Invoke-MgBetaUploadIdentityApiConnectorClientCertificate -IdentityApiConnectorId $policy.Id -BodyParameter $params + } + + # Upload active certificate + foreach ($currentCertificate in $activeCertificates) + { + $params = @{ + pkcs12Value = $currentCertificate.Pkcs12Value + password = $currentCertificate.Password + } + + Invoke-MgBetaUploadIdentityApiConnectorClientCertificate -IdentityApiConnectorId $policy.Id -BodyParameter $params + } + } } @@ -428,7 +512,6 @@ function Test-TargetResource $ValuesToCheck.Remove('Id') | Out-Null $ValuesToCheck.Remove('Password') | Out-Null - $ValuesToCheck.Remove('Pkcs12Value') | Out-Null $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof index 8407b6ae24..32f16ddc5e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof @@ -3,6 +3,7 @@ class MSFT_AADIdentityAPIConnectionCertificate { [Write, Description("")] String Pkcs12Value; [Write, Description("")] String Thumbprint; + [Write, Description("")] String Password; [Write, Description("")] Boolean IsActive; }; From 838ad8adfbd91b816127d81f934a24259529537b Mon Sep 17 00:00:00 2001 From: "Ritik Mittal (from Dev Box)" Date: Tue, 22 Oct 2024 16:29:46 +0530 Subject: [PATCH 54/98] Added AADOrganizationCertificateBasedAuthConfiguration resource --- ...tionCertificateBasedAuthConfiguration.psm1 | 483 ++++++++++++++++++ ...rtificateBasedAuthConfiguration.schema.mof | 23 + .../readme.md | 6 + .../settings.json | 29 ++ ...ertificateBasedAuthConfiguration.Tests.ps1 | 263 ++++++++++ Tests/Unit/Stubs/Microsoft365.psm1 | 220 ++++++++ 6 files changed, 1024 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/settings.json create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOrganizationCertificateBasedAuthConfiguration.Tests.ps1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.psm1 new file mode 100644 index 0000000000..1c2b3c7ad7 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.psm1 @@ -0,0 +1,483 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CertificateAuthorities, + + [Parameter()] + [System.String] + $OrganizationId, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + + # This GUID is ALWAYS fixed as per the documentation. + $CertificateBasedAuthConfigurationId = "29728ade-6ae4-4ee9-9103-412912537da5" + $getValue = Get-MgBetaOrganizationCertificateBasedAuthConfiguration ` + -CertificateBasedAuthConfigurationId $CertificateBasedAuthConfigurationId ` + -OrganizationId $OrganizationId -ErrorAction SilentlyContinue + + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Organization Certificate Based Auth Configuration with Id {$Id}." + return $nullResult + } + + $Id = $getValue.Id + Write-Verbose -Message "An Azure AD Organization Certificate Based Auth Configuration with Id {$Id} was found" + + #region resource generator code + $complexCertificateAuthorities = @() + foreach ($currentCertificateAuthorities in $getValue.certificateAuthorities) + { + $myCertificateAuthorities = @{} + $myCertificateAuthorities.Add('Certificate', [convert]::ToBase64String($currentCertificateAuthorities.certificate)) + $myCertificateAuthorities.Add('CertificateRevocationListUrl', $currentCertificateAuthorities.certificateRevocationListUrl) + $myCertificateAuthorities.Add('DeltaCertificateRevocationListUrl', $currentCertificateAuthorities.deltaCertificateRevocationListUrl) + $myCertificateAuthorities.Add('IsRootAuthority', $currentCertificateAuthorities.isRootAuthority) + if ($myCertificateAuthorities.values.Where({$null -ne $_}).Count -gt 0) + { + $complexCertificateAuthorities += $myCertificateAuthorities + } + } + #endregion + + $results = @{ + #region resource generator code + CertificateAuthorities = $complexCertificateAuthorities + OrganizationId = $OrganizationId + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CertificateAuthorities, + + [Parameter()] + [System.String] + $OrganizationId, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # This GUID is ALWAYS fixed as per the documentation. + $CertificateBasedAuthConfigurationId = "29728ade-6ae4-4ee9-9103-412912537da5" + + # Delete the old configuration + Write-Verbose -Message "Removing the current Azure AD Organization Certificate Based Auth Configuration." + + Remove-MgBetaOrganizationCertificateBasedAuthConfiguration ` + -CertificateBasedAuthConfigurationId $CertificateBasedAuthConfigurationId ` + -OrganizationId $OrganizationId + + if ($Ensure -eq 'Present') + { + Write-Verbose -Message "Creating an Azure AD Organization Certificate Based Auth Configuration with Id {$CertificateBasedAuthConfigurationId}" + + $createParameters = ([Hashtable]$BoundParameters).Clone() + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + $createParameters.Remove('Id') | Out-Null + + $keys = (([Hashtable]$createParameters).Clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $createParameters.$key -and $createParameters.$key.GetType().Name -like '*CimInstance*') + { + $createParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $createParameters.$key + } + } + + $policy = New-MgBetaOrganizationCertificateBasedAuthConfiguration -OrganizationId $OrganizationId -BodyParameter $createParameters + Write-Host "Policy: $policy" + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CertificateAuthorities, + + [Parameter()] + [System.String] + $OrganizationId, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + # This GUID is ALWAYS fixed as per the documentation. + $CertificateBasedAuthConfigurationId = "29728ade-6ae4-4ee9-9103-412912537da5" + + Write-Verbose -Message "Testing configuration of the Azure AD Organization Certificate Based Auth Configuration with Id {$CertificateBasedAuthConfigurationId}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + # This GUID is ALWAYS fixed as per the documentation. + $CertificateBasedAuthConfigurationId = "29728ade-6ae4-4ee9-9103-412912537da5" + $getValue = Get-MgBetaOrganization + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = "CertificateBasedAuthConfigurations for $($getValue.DisplayName)" + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Ensure = 'Present' + OrganizationId = $getValue.Id + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.CertificateAuthorities) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.CertificateAuthorities ` + -CIMInstanceName 'MicrosoftGraphcertificateAuthority' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.CertificateAuthorities = $complexTypeStringResult + } + else + { + $Results.Remove('CertificateAuthorities') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.CertificateAuthorities) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "CertificateAuthorities" -IsCIMArray:$True + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.schema.mof new file mode 100644 index 0000000000..5da0783e97 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.schema.mof @@ -0,0 +1,23 @@ +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphCertificateAuthority +{ + [Write, Description("Required. The base64 encoded string representing the public certificate.")] String Certificate; + [Write, Description("The URL of the certificate revocation list.")] String CertificateRevocationListUrl; + [Write, Description("The URL contains the list of all revoked certificates since the last time a full certificate revocaton list was created.")] String DeltaCertificateRevocationListUrl; + [Write, Description("Required. true if the trusted certificate is a root authority, false if the trusted certificate is an intermediate authority.")] Boolean IsRootAuthority; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADOrganizationCertificateBasedAuthConfiguration")] +class MSFT_AADOrganizationCertificateBasedAuthConfiguration : OMI_BaseResource +{ + [Write, Description("Collection of certificate authorities which creates a trusted certificate chain."), EmbeddedInstance("MSFT_MicrosoftGraphcertificateAuthority")] String CertificateAuthorities[]; + [Write, Description("The Organization ID. Read-only.")] String OrganizationId; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/readme.md new file mode 100644 index 0000000000..9f7447d1d9 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/readme.md @@ -0,0 +1,6 @@ + +# AADOrganizationCertificateBasedAuthConfiguration + +## Description + +Azure AD Organization Certificate Based Auth Configuration diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/settings.json new file mode 100644 index 0000000000..df50b61fde --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/settings.json @@ -0,0 +1,29 @@ +{ + "resourceName": "AADOrganizationCertificateBasedAuthConfiguration", + "description": "This resource configures an Azure AD Organization Certificate Based Auth Configuration.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "Organization.Read.All" + } + ], + "update": [ + + ] + }, + "application": { + "read": [ + { + "name": "Organization.Read.All" + } + ], + "update": [ + + ] + } + } +} + +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOrganizationCertificateBasedAuthConfiguration.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOrganizationCertificateBasedAuthConfiguration.Tests.ps1 new file mode 100644 index 0000000000..412fec15c4 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOrganizationCertificateBasedAuthConfiguration.Tests.ps1 @@ -0,0 +1,263 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADOrganizationCertificateBasedAuthConfiguration" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Set-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + } + + Mock -CommandName New-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + } + + Mock -CommandName Remove-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADOrganizationCertificateBasedAuthConfiguration should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + CertificateAuthorities = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + } -ClientOnly) + ) + Id = "FakeStringValue" + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaOrganizationCertificateBasedAuthConfiguration -Exactly 1 + } + } + + Context -Name "The AADOrganizationCertificateBasedAuthConfiguration exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + CertificateAuthorities = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + } -ClientOnly) + ) + Id = "FakeStringValue" + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.CertificateBasedAuthConfiguration" + } + CertificateAuthorities = @( + @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + } + ) + Id = "FakeStringValue" + + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaOrganizationCertificateBasedAuthConfiguration -Exactly 1 + } + } + Context -Name "The AADOrganizationCertificateBasedAuthConfiguration Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + CertificateAuthorities = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + } -ClientOnly) + ) + Id = "FakeStringValue" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.CertificateBasedAuthConfiguration" + } + CertificateAuthorities = @( + @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + } + ) + Id = "FakeStringValue" + + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADOrganizationCertificateBasedAuthConfiguration exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + CertificateAuthorities = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + } -ClientOnly) + ) + Id = "FakeStringValue" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + return @{ + CertificateAuthorities = @( + @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "FakeStringValue" + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + } + ) + Id = "FakeStringValue" + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-MgBetaOrganizationCertificateBasedAuthConfiguration -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.CertificateBasedAuthConfiguration" + } + CertificateAuthorities = @( + @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + } + ) + Id = "FakeStringValue" + + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index 7d0f828598..285653c1ff 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 @@ -98204,3 +98204,223 @@ function Get-MgBetaIdentityApiConnector $CountVariable ) } +#region MgBetaOrganizationCertificateBasedAuthConfiguration +function Get-MgBetaOrganizationCertificateBasedAuthConfiguration +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $CertificateBasedAuthConfigurationId, + + [Parameter()] + [System.String] + $OrganizationId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaOrganizationCertificateBasedAuthConfiguration +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $OrganizationId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $CertificateAuthorities, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaOrganizationCertificateBasedAuthConfiguration +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $CertificateBasedAuthConfigurationId, + + [Parameter()] + [System.String] + $OrganizationId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +#endregion + From d239edb117fa83ef32ff0779888321e2b31bc7c0 Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Tue, 22 Oct 2024 17:22:16 +0530 Subject: [PATCH 55/98] Added MSFT_Credentials in password and pkcs12Value --- .../MSFT_AADIdentityAPIConnector.psm1 | 14 ++++---------- .../MSFT_AADIdentityAPIConnector.schema.mof | 4 ++-- 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 index 8218e0f355..60116d209c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 @@ -97,10 +97,7 @@ function Get-TargetResource { $getValue = Get-MgBetaIdentityAPIConnector ` -Filter "DisplayName eq '$DisplayName'" ` - -ErrorAction SilentlyContinue | Where-Object ` - -FilterScript { - $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.IdentityApiConnector" - } + -ErrorAction SilentlyContinue } } #endregion @@ -335,8 +332,8 @@ function Set-TargetResource foreach ($currentCertificate in $Certificates) { $myCertificate = @{} - $myCertificate.Add('Pkcs12Value', $currentCertificate.Pkcs12Value) - $myCertificate.Add('Password', $currentCertificate.Password) + $myCertificate.Add('Pkcs12Value', ($currentCertificate.Pkcs12Value).Password) + $myCertificate.Add('Password', ($currentCertificate.Password).Password) if($currentCertificate.IsActive -eq $true) { $activeCertificates += $myCertificate @@ -629,7 +626,7 @@ function Export-TargetResource } $Results = Get-TargetResource @Params - $Results.Password = "New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString ((New-Guid).ToString()) -AsPlainText -Force));" + $Results.Password = "Please insert a valid Password" $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results @@ -657,9 +654,6 @@ function Export-TargetResource -Credential $Credential - $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Password' - - if ($Results.Certificates) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Certificates" -IsCIMArray:$True diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof index 32f16ddc5e..9d7db64611 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof @@ -1,9 +1,9 @@ [ClassVersion("1.0.0")] class MSFT_AADIdentityAPIConnectionCertificate { - [Write, Description("")] String Pkcs12Value; + [Write, Description(""), EmbeddedInstance("MSFT_Credential")] String Pkcs12Value; [Write, Description("")] String Thumbprint; - [Write, Description("")] String Password; + [Write, Description(""), EmbeddedInstance("MSFT_Credential")] String Password; [Write, Description("")] Boolean IsActive; }; From 9e1ab02ecdf3d6cefd7ec502a278493618222926 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 12:18:02 +0000 Subject: [PATCH 56/98] Updated Resources and Cmdlet documentation pages --- .../AADAuthenticationMethodPolicyExternal.md | 228 ++++++++++++++++++ 1 file changed, 228 insertions(+) create mode 100644 docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyExternal.md diff --git a/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyExternal.md b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyExternal.md new file mode 100644 index 0000000000..275115ee02 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyExternal.md @@ -0,0 +1,228 @@ +# AADAuthenticationMethodPolicyExternal + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **ExcludeTargets** | Write | MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget[] | Displayname of the groups of users that are excluded from a policy. | | +| **IncludeTargets** | Write | MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget[] | Displayname of the groups of users that are included from a policy. | | +| **OpenIdConnectSetting** | Write | MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting | Open ID Connection settings used by this external authentication method. | | +| **State** | Write | String | The state of the policy. Possible values are: enabled, disabled. | `enabled`, `disabled` | +| **AppId** | Write | String | The appId for the app registration in Microsoft Entra ID representing the integration with the external provider. | | +| **DisplayName** | Key | String | The displayName of the authentication policy configuration. Read-only. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Write | String | The object identifier of an Azure AD group. | | +| **TargetType** | Write | String | The type of the authentication method target. Possible values are: group and unknownFutureValue. | `user`, `group`, `unknownFutureValue` | + +### MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Write | String | The object identifier of an Azure AD group. | | +| **TargetType** | Write | String | The type of the authentication method target. Possible values are: group and unknownFutureValue. | `user`, `group`, `unknownFutureValue` | + +### MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **ClientId** | Write | String | The Microsoft Entra ID's client ID as generated by the provider or admin to identify Microsoft Entra ID. | | +| **DiscoveryUrl** | Write | String | The host URL of the external identity provider's OIDC discovery endpoint. | | + + +## Description + +Azure AD Authentication Method Policy External + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - Policy.ReadWrite.AuthenticationMethod, Policy.Read.All + +- **Update** + + - Policy.ReadWrite.AuthenticationMethod, Policy.Read.All + +#### Application permissions + +- **Read** + + - Policy.ReadWrite.AuthenticationMethod, Policy.Read.All + +- **Update** + + - Policy.ReadWrite.AuthenticationMethod, Policy.Read.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb"; + DisplayName = "Cisco Duo"; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{ + Id = 'Design' + TargetType = 'group' + } + ); + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{ + Id = 'Contoso' + TargetType = 'group' + } + ); + OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '7698a352-4939-486e-9974-4ea5aff93f74' + }; + State = "disabled"; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + Node localhost + { + AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb"; + DisplayName = "Cisco Duo"; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{ + Id = 'Design' + TargetType = 'group' + } + ); + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{ + Id = 'Contoso' + TargetType = 'group' + } + ); + OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '7698a352-4939-486e-9974-4ea5aff93f74' + }; + State = "disabled"; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + Node localhost + { + AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DisplayName = "Cisco Duo"; + Ensure = "Absent"; + } + } +} +``` + From 448a25a56c2a748958cefc204a3a1dad5407d35f Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Tue, 22 Oct 2024 08:25:53 -0400 Subject: [PATCH 57/98] SentinelThreatIntelligenceIndicator - Initial Release --- CHANGELOG.md | 2 + ...T_SentinelThreatIntelligenceIndicator.psm1 | 853 ++++++++++++++++++ ...inelThreatIntelligenceIndicator.schema.mof | 29 + .../readme.md | 6 + .../settings.json | 20 + .../1-Create.ps1 | 43 + .../2-Update.ps1 | 43 + .../3-Remove.ps1 | 43 + ...tinelThreatIntelligenceIndicator.Tests.ps1 | 264 ++++++ 9 files changed, 1303 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/2-Update.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/3-Remove.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelThreatIntelligenceIndicator.Tests.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 046e476c01..a2977d81b9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ * Fixed missing permissions in settings.json * Intune workload * Fixed missing permissions in settings.json +* SentinelThreatIntelligenceIndicator + * Initial release. * SPOTenantSettings * Added support for AllowSelectSGsInODBListInTenant, DenySelectSGsInODBListInTenant, DenySelectSecurityGroupsInSPSitesList, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.psm1 new file mode 100644 index 0000000000..5f7e93dfba --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.psm1 @@ -0,0 +1,853 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $PatternType, + + [Parameter()] + [System.String] + $Pattern, + + [Parameter()] + [System.Boolean] + $Revoked, + + [Parameter()] + [System.String] + $ValidFrom, + + [Parameter()] + [System.String] + $ValidUntil, + + [Parameter()] + [System.String] + $Source, + + [Parameter()] + [System.String[]] + $Labels, + + [Parameter()] + [System.String[]] + $ThreatIntelligenceTags, + + [Parameter()] + [System.String[]] + $ThreatTypes, + + [Parameter()] + [System.String[]] + $KillChainPhases, + + [Parameter()] + [System.UInt32] + $Confidence, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + if ([System.String]::IsNullOrEmpty($TenantId) -and -not $null -eq $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + try + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Retrieving indicator by id {$Id}" + $instance = Get-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Id $Id + } + if ($null -eq $instance) + { + Write-Verbose -Message "Retrieving indicator by DisplayName {$DisplayName}" + $instances = Get-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId + $instance = $instances | Where-Object -FilterScript {$_.properties.displayName -eq $DisplayName} + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + DisplayName = $instance.properties.displayName + SubscriptionId = $SubscriptionId + ResourceGroupName = $ResourceGroupName + WorkspaceName = $WorkspaceName + Id = $instance.name + Description = $instance.properties.description + PatternType = $instance.properties.patternType + Pattern = $instance.properties.pattern + Revoked = $instance.properties.revoked + ValidFrom = $instance.properties.validFrom + ValidUntil = $instance.properties.validUntil + Labels = $instance.properties.labels + ThreatIntelligenceTags = $instance.properties.threatIntelligenceTags + ThreatTypes = $instance.properties.threatTypes + KillChainPhases = $instance.properties.KillChainPhases.phaseName + Confidence = $instance.properties.confidence + Source = $instance.properties.source + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $PatternType, + + [Parameter()] + [System.String] + $Pattern, + + [Parameter()] + [System.Boolean] + $Revoked, + + [Parameter()] + [System.String] + $ValidFrom, + + [Parameter()] + [System.String] + $ValidUntil, + + [Parameter()] + [System.String] + $Source, + + [Parameter()] + [System.String[]] + $Labels, + + [Parameter()] + [System.String[]] + $ThreatIntelligenceTags, + + [Parameter()] + [System.String[]] + $ThreatTypes, + + [Parameter()] + [System.String[]] + $KillChainPhases, + + [Parameter()] + [System.UInt32] + $Confidence, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $instanceParameters = @{ + kind = 'indicator' + properties = @{ + confidence = $Confidence + description = $Description + displayName = $DisplayName + labels = $Labels + pattern = $Pattern + patternType = $patternType + revoked = $revoked + source = $Source + threatIntelligenceTags = $ThreatIntelligenceTags + threatTypes = $ThreatTypes + validFrom = $ValidFrom + validUntil = $ValidUntil + } + } + + if ($null -ne $KillChainPhases) + { + $values = @() + foreach ($phase in $KillChainPhases) + { + $values += @{ + killChainName = 'lockheed-martin-cyber-kill-chain' + phaseName = $phase.phaseName + } + } + $instanceParameters.properties.Add('KillChainPhases', $values) + } + + + if ([System.String]::IsNullOrEmpty($TenantId) -and -not $null -eq $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating a new indicator {$DisplayName}" + New-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Body $instanceParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating indicator {$DisplayName}" + Set-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Body $instanceParameters ` + -Id $currentInstance.Id + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing indicator {$DisplayName}" + Remove-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Id $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $PatternType, + + [Parameter()] + [System.String] + $Pattern, + + [Parameter()] + [System.Boolean] + $Revoked, + + [Parameter()] + [System.String] + $ValidFrom, + + [Parameter()] + [System.String] + $ValidUntil, + + [Parameter()] + [System.String] + $Source, + + [Parameter()] + [System.String[]] + $Labels, + + [Parameter()] + [System.String[]] + $ThreatIntelligenceTags, + + [Parameter()] + [System.String[]] + $ThreatTypes, + + [Parameter()] + [System.String[]] + $KillChainPhases, + + [Parameter()] + [System.UInt32] + $Confidence, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + $workspaces = Get-AzResource -ResourceType 'Microsoft.OperationalInsights/workspaces' + $Script:exportedInstances = @() + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + if ([System.String]::IsNullOrEmpty($TenantId) -and $null -ne $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + foreach ($workspace in $workspaces) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + Write-Host " |---[$i/$($workspaces.Length)] $($workspace.Name)" -NoNewline + $subscriptionId = $workspace.ResourceId.Split('/')[2] + $resourceGroupName = $workspace.ResourceGroupName + $workspaceName = $workspace.Name + + $indicators = Get-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $subscriptionId ` + -ResourceGroupName $resourceGroupName ` + -WorkspaceName $workspaceName ` + -TenantId $TenantId + + $j = 1 + if ($currentWatchLists.Length -eq 0 ) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + foreach ($indicator in $indicators) + { + $displayedKey = $indicator.properties.DisplayName + Write-Host " |---[$j/$($indicators.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $indicator.properties.displayName + Id = $indicator.name + SubscriptionId = $subscriptionId + ResourceGroupName = $resourceGroupName + WorkspaceName = $workspaceName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $j++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-M365DSCSentinelThreatIntelligenceIndicator +{ + [CmdletBinding()] + [OutputType([Array])] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $Id + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/$($Id)?api-version=2024-03-01" + $response = Invoke-AzRest -Uri $uri -Method 'GET' + $result = ConvertFrom-Json $response.Content + return $result + } + else + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2024-03-01" + $response = Invoke-AzRest -Uri $uri -Method 'GET' + $result = ConvertFrom-Json $response.Content + return $result.value + } + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function New-M365DSCSentinelThreatIntelligenceIndicator +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter()] + [System.Collections.Hashtable] + $Body + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator?api-version=2024-03-01" + $payload = ConvertTo-Json $Body -Depth 10 -Compress + $response = Invoke-AzRest -Uri $uri -Method 'POST' -Payload $payload + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function Set-M365DSCSentinelThreatIntelligenceIndicator +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.Collections.Hashtable] + $Body + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/$($Id)?api-version=2024-03-01" + $payload = ConvertTo-Json $Body -Depth 10 -Compress + $response = Invoke-AzRest -Uri $uri -Method 'PUT' -Payload $payload + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function Remove-M365DSCSentinelThreatIntelligenceIndicator +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $Id + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/$($Id)?api-version=2024-03-01" + $response = Invoke-AzRest -Uri $uri -Method 'DELETE' + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.schema.mof new file mode 100644 index 0000000000..8dd7b86807 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.schema.mof @@ -0,0 +1,29 @@ +[ClassVersion("1.0.0.0"), FriendlyName("SentinelThreatIntelligenceIndicator")] +class MSFT_SentinelThreatIntelligenceIndicator : OMI_BaseResource +{ + [Key, Description("The display name of the indicator")] String DisplayName; + [Write, Description("The name of the resource group. The name is case insensitive.")] String SubscriptionId; + [Write, Description("The name of the resource group. The name is case insensitive.")] String ResourceGroupName; + [Write, Description("The name of the workspace.")] String WorkspaceName; + [Write, Description("The unique id of the indicator.")] String Id; + [Write, Description("The name of the workspace.")] String Description; + [Write, Description("Pattern type of a threat intelligence entity")] String PatternType; + [Write, Description("Pattern of a threat intelligence entity")] String Pattern; + [Write, Description("Is threat intelligence entity revoked")] String Revoked; + [Write, Description("Valid from")] String ValidFrom; + [Write, Description("Valid until")] String ValidUntil; + [Write, Description("Source type.")] String Source; + [Write, Description("Labels of threat intelligence entity")] String Labels[]; + [Write, Description("List of tags")] String ThreatIntelligenceTags[]; + [Write, Description("Threat types")] String ThreatTypes[]; + [Write, Description("Kill chain phases")] String KillChainPhases[]; + [Write, Description("Confidence of threat intelligence entity")] UInt32 Confidence; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/readme.md new file mode 100644 index 0000000000..1d4a233d39 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/readme.md @@ -0,0 +1,6 @@ + +# SentinelThreatIntelligenceIndicator + +## Description + +Configures threat intelligence indicators in Azure Sentinel. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/settings.json new file mode 100644 index 0000000000..87040bf176 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/settings.json @@ -0,0 +1,20 @@ +{ + "resourceName": "SentinelThreatIntelligenceIndicator", + "description": "Configures threat intelligence indicators in Azure Sentinel.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/1-Create.ps1 new file mode 100644 index 0000000000..8af0d7f657 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/1-Create.ps1 @@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "MyIndicator"; + Ensure = "Present"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + TenantId = $TenantId; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/2-Update.ps1 new file mode 100644 index 0000000000..91919b455d --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/2-Update.ps1 @@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "MyIndicator"; + Ensure = "Present"; + Labels = @("Tag1", "Tag2", "Tag3"); #Drift + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + TenantId = $TenantId; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/3-Remove.ps1 new file mode 100644 index 0000000000..e2cbe36a01 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/3-Remove.ps1 @@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "MyIndicator"; + Ensure = "Absent"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + TenantId = $TenantId; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + } + } +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelThreatIntelligenceIndicator.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelThreatIntelligenceIndicator.Tests.ps1 new file mode 100644 index 0000000000..24bc9959c9 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelThreatIntelligenceIndicator.Tests.ps1 @@ -0,0 +1,264 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-AzResource -MockWith { + return @{ + ResourceGroupName = "MyResourceGroup" + Name = 'MySentinelWorkspace' + ResourceId = "name/part/resourceId/" + } + } + + Mock -CommandName Remove-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + } + + Mock -CommandName New-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + } + + Mock -CommandName Set-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "MyIndicator"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-M365DSCSentinelThreatIntelligenceIndicator -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "MyIndicator"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + return @{ + name = '12345-12345-12345-12345-12345' + properties = @{ + displayName = 'MyIndicator' + labels = @("Tag1", "Tag2") + pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + patternType = "ipv6-addr"; + threatIntelligenceTags = @(); + validFrom = "2024-10-21T19:03:57.24Z"; + validUntil = "2024-10-21T19:03:57.24Z"; + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-M365DSCSentinelThreatIntelligenceIndicator -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "MyIndicator"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + return @{ + name = '12345-12345-12345-12345-12345' + properties = @{ + displayName = 'MyIndicator' + labels = @("Tag1", "Tag2") + pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + patternType = "ipv6-addr"; + threatIntelligenceTags = @(); + validFrom = "2024-10-21T19:03:57.24Z"; + validUntil = "2024-10-21T19:03:57.24Z"; + source = 'Microsoft Sentinel' + } + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "MyIndicator"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + return @{ + name = '12345-12345-12345-12345-12345' + properties = @{ + displayName = 'MyIndicator' + labels = @("Tag1", "Tag2") + pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + patternType = "ipv6-addr"; + threatIntelligenceTags = @(); + validFrom = "2024-10-22T19:03:57.24Z"; #Drift + validUntil = "2024-10-23T19:03:57.24Z"; #Drift + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-M365DSCSentinelThreatIntelligenceIndicator -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + return @{ + name = '12345-12345-12345-12345-12345' + properties = @{ + displayName = 'MyIndicator' + labels = @("Tag1", "Tag2") + pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + patternType = "ipv6-addr"; + threatIntelligenceTags = @(); + validFrom = "2024-10-22T19:03:57.24Z"; + validUntil = "2024-10-23T19:03:57.24Z"; + source = 'Microsoft Sentinel' + } + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope From 0e27725bbf6ad7682a417d2f3957303661bd2602 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 12:32:33 +0000 Subject: [PATCH 58/98] Updated Resources and Cmdlet documentation pages --- .../AADCustomAuthenticationExtension.md | 224 ++++++++++++++++++ 1 file changed, 224 insertions(+) create mode 100644 docs/docs/resources/azure-ad/AADCustomAuthenticationExtension.md diff --git a/docs/docs/resources/azure-ad/AADCustomAuthenticationExtension.md b/docs/docs/resources/azure-ad/AADCustomAuthenticationExtension.md new file mode 100644 index 0000000000..ad3f66cda2 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADCustomAuthenticationExtension.md @@ -0,0 +1,224 @@ +# AADCustomAuthenticationExtension + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | Display Name of the custom security attribute. Must be unique within an attribute set. Can be up to 32 characters long and include Unicode characters. Can't contain spaces or special characters. Can't be changed later. Case sensitive. | | +| **Id** | Write | String | Unique identifier of the Attribute Definition. | | +| **CustomAuthenticationExtensionType** | Write | String | Defines the custom authentication extension type. | | +| **Description** | Write | String | Description of the custom security attribute. Can be up to 128 characters long and include Unicode characters. Can't contain spaces or special characters. Can be changed later. | | +| **AuthenticationConfigurationType** | Write | String | Defines the authentication configuration type | | +| **AuthenticationConfigurationResourceId** | Write | String | Defines the authentication configuration resource id | | +| **ClientConfigurationTimeoutMilliseconds** | Write | UInt32 | Defines the client configuration timeout in milliseconds | | +| **ClientConfigurationMaximumRetries** | Write | UInt32 | Defines the client configuration max retries | | +| **EndpointConfiguration** | Write | MSFT_AADCustomAuthenticationExtensionEndPointConfiguration | Defines the endpoint configuration | | +| **ClaimsForTokenConfiguration** | Write | MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration[] | Defines the list of claims for token configurations | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_AADCustomAuthenticationExtensionEndPointConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **EndpointType** | Write | String | Defines the type of the endpoint configuration | | +| **LogicAppWorkflowName** | Write | String | Defines the workflow name for the logic app | | +| **ResourceGroupName** | Write | String | Defines the resource group name for the logic app | | +| **SubscriptionId** | Write | String | Defines the subscription id for the logic app | | +| **TargetUrl** | Write | String | Defines the target url for the http endpoint | | + +### MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **ClaimIdInApiResponse** | Write | String | Defines the claim id in api response. | | + + +## Description + +Custom authentication extensions define interactions with external systems during a user authentication session. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - CustomSecAttributeDefinition.Read.All + +- **Update** + + - CustomSecAttributeDefinition.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1" + { + AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013" + AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication" + ClaimsForTokenConfiguration = @( + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'MyClaim' + } + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'My2ndClaim' + } + ) + ClientConfigurationMaximumRetries = 1 + ClientConfigurationTimeoutMilliseconds = 2000 + CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension" + Description = "DSC Testing 1" + DisplayName = "DSCTestExtension" + EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{ + EndpointType = '#microsoft.graph.httpRequestEndpoint' + TargetUrl = 'https://Microsoft365DSC.com' + } + Ensure = "Present"; + Id = "11105949-846e-42a1-a873-f12db8345013" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1" + { + AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013" + AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication" + ClaimsForTokenConfiguration = @( + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'MyClaim' + } + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'My2ndClaim' + } + ) + ClientConfigurationMaximumRetries = 1 + ClientConfigurationTimeoutMilliseconds = 2000 + CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension" + Description = "DSC Testing 1" + DisplayName = "DSCTestExtension" + EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{ + EndpointType = '#microsoft.graph.httpRequestEndpoint' + TargetUrl = 'https://Microsoft365DSC.com' + } + Ensure = "Present"; + Id = "11105949-846e-42a1-a873-f12db8345013" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1" + { + DisplayName = "DSCTestExtension" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + From 84ec4cfacbd2067f85c8634c0240f8cae2197ed9 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 12:32:45 +0000 Subject: [PATCH 59/98] Updated {Create} AAD Integration Tests --- .../M365DSCIntegration.AAD.Create.Tests.ps1 | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index 16e33b31eb..f235c8d684 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 @@ -308,6 +308,33 @@ CertificateThumbprint = $CertificateThumbprint Ensure = "Present"; } + AADCustomAuthenticationExtension 'AADCustomAuthenticationExtension1' + { + AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013" + AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication" + ClaimsForTokenConfiguration = @( + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'MyClaim' + } + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'My2ndClaim' + } + ) + ClientConfigurationMaximumRetries = 1 + ClientConfigurationTimeoutMilliseconds = 2000 + CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension" + Description = "DSC Testing 1" + DisplayName = "DSCTestExtension" + EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{ + EndpointType = '#microsoft.graph.httpRequestEndpoint' + TargetUrl = 'https://Microsoft365DSC.com' + } + Ensure = "Present"; + Id = "11105949-846e-42a1-a873-f12db8345013" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADCustomSecurityAttributeDefinition 'AADCustomSecurityAttributeDefinition-ShoeSize' { ApplicationId = $ApplicationId; From 2f7c89db397e34b8c04f9fc5f5220285ac357927 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 12:33:08 +0000 Subject: [PATCH 60/98] Updated {Update} AAD Integration Tests --- .../M365DSCIntegration.AAD.Update.Tests.ps1 | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 index a1e12c46fe..c02ddde277 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 @@ -758,6 +758,33 @@ CertificateThumbprint = $CertificateThumbprint Ensure = "Present"; } + AADCustomAuthenticationExtension 'AADCustomAuthenticationExtension1' + { + AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013" + AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication" + ClaimsForTokenConfiguration = @( + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'MyClaim' + } + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'My2ndClaim' + } + ) + ClientConfigurationMaximumRetries = 1 + ClientConfigurationTimeoutMilliseconds = 2000 + CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension" + Description = "DSC Testing 1" + DisplayName = "DSCTestExtension" + EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{ + EndpointType = '#microsoft.graph.httpRequestEndpoint' + TargetUrl = 'https://Microsoft365DSC.com' + } + Ensure = "Present"; + Id = "11105949-846e-42a1-a873-f12db8345013" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADCustomSecurityAttributeDefinition 'AADCustomSecurityAttributeDefinition-ShoeSize' { ApplicationId = $ApplicationId; From 3ae315cea7088e8d7423950dc56273696b9d1e14 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 12:33:26 +0000 Subject: [PATCH 61/98] Updated {Update} AAD Integration Tests --- .../M365DSCIntegration.AAD.Remove.Tests.ps1 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 index 202ca07b45..690edff880 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 @@ -185,6 +185,14 @@ Ensure = "Absent"; PartnerTenantId = "12345-12345-12345-12345-12345"; } + AADCustomAuthenticationExtension 'AADCustomAuthenticationExtension1' + { + DisplayName = "DSCTestExtension" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADCustomSecurityAttributeDefinition 'AADCustomSecurityAttributeDefinition-ShoeSize' { ApplicationId = $ApplicationId; From 43d48d48ae6f4a3822a6ece7f9a96332059f74aa Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 12:35:47 +0000 Subject: [PATCH 62/98] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 130 ++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 2ba602200b..18c78000da 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -3624,6 +3624,136 @@ } ] }, + { + "ClassName": "MSFT_AADCustomAuthenticationExtensionEndPointConfiguration", + "Parameters": [ + { + "CIMType": "String", + "Name": "EndpointType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "LogicAppWorkflowName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ResourceGroupName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SubscriptionId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TargetUrl", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration", + "Parameters": [ + { + "CIMType": "String", + "Name": "ClaimIdInApiResponse", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADCustomAuthenticationExtension", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CustomAuthenticationExtensionType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AuthenticationConfigurationType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AuthenticationConfigurationResourceId", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "ClientConfigurationTimeoutMilliseconds", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "ClientConfigurationMaximumRetries", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADCustomAuthenticationExtensionEndPointConfiguration", + "Name": "EndpointConfiguration", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration[]", + "Name": "ClaimsForTokenConfiguration", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_AADCustomSecurityAttributeDefinition", "Parameters": [ From 077961fbaf908cf20f73a960873c239f408140cd Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 13:04:36 +0000 Subject: [PATCH 63/98] Updated Resources and Cmdlet documentation pages --- .../SentinelThreatIntelligenceIndicator.md | 202 ++++++++++++++++++ 1 file changed, 202 insertions(+) create mode 100644 docs/docs/resources/security-compliance/SentinelThreatIntelligenceIndicator.md diff --git a/docs/docs/resources/security-compliance/SentinelThreatIntelligenceIndicator.md b/docs/docs/resources/security-compliance/SentinelThreatIntelligenceIndicator.md new file mode 100644 index 0000000000..cfed84166e --- /dev/null +++ b/docs/docs/resources/security-compliance/SentinelThreatIntelligenceIndicator.md @@ -0,0 +1,202 @@ +# SentinelThreatIntelligenceIndicator + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | The display name of the indicator | | +| **SubscriptionId** | Write | String | The name of the resource group. The name is case insensitive. | | +| **ResourceGroupName** | Write | String | The name of the resource group. The name is case insensitive. | | +| **WorkspaceName** | Write | String | The name of the workspace. | | +| **Id** | Write | String | The unique id of the indicator. | | +| **Description** | Write | String | The name of the workspace. | | +| **PatternType** | Write | String | Pattern type of a threat intelligence entity | | +| **Pattern** | Write | String | Pattern of a threat intelligence entity | | +| **Revoked** | Write | String | Is threat intelligence entity revoked | | +| **ValidFrom** | Write | String | Valid from | | +| **ValidUntil** | Write | String | Valid until | | +| **Source** | Write | String | Source type. | | +| **Labels** | Write | StringArray[] | Labels of threat intelligence entity | | +| **ThreatIntelligenceTags** | Write | StringArray[] | List of tags | | +| **ThreatTypes** | Write | StringArray[] | Threat types | | +| **KillChainPhases** | Write | StringArray[] | Kill chain phases | | +| **Confidence** | Write | UInt32 | Confidence of threat intelligence entity | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures threat intelligence indicators in Azure Sentinel. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "MyIndicator"; + Ensure = "Present"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + TenantId = $TenantId; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "MyIndicator"; + Ensure = "Present"; + Labels = @("Tag1", "Tag2", "Tag3"); #Drift + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + TenantId = $TenantId; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "MyIndicator"; + Ensure = "Absent"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + TenantId = $TenantId; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + From 76cbfa8d2be39fbe6cef5cd5e69f75d84b077a17 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 13:07:48 +0000 Subject: [PATCH 64/98] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 125 ++++++++++++++++++ 1 file changed, 125 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 18c78000da..46ca96b08d 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -49134,6 +49134,131 @@ } ] }, + { + "ClassName": "MSFT_SentinelThreatIntelligenceIndicator", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "SubscriptionId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ResourceGroupName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WorkspaceName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PatternType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Pattern", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Revoked", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ValidFrom", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ValidUntil", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Source", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Labels", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ThreatIntelligenceTags", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ThreatTypes", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "KillChainPhases", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "Confidence", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_SentinelWatchlist", "Parameters": [ From bd1e51692abe7d0da397398b2337c92ff46c1d2b Mon Sep 17 00:00:00 2001 From: "Ritik Mittal (from Dev Box)" Date: Tue, 22 Oct 2024 18:39:56 +0530 Subject: [PATCH 65/98] More changes --- ...tionCertificateBasedAuthConfiguration.psm1 | 27 +++++---- ...rtificateBasedAuthConfiguration.schema.mof | 2 +- .../1-Create.ps1 | 47 +++++++++++++++ .../3-Remove.ps1 | 34 +++++++++++ ...ertificateBasedAuthConfiguration.Tests.ps1 | 60 +++++++++++-------- 5 files changed, 130 insertions(+), 40 deletions(-) create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/3-Remove.ps1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.psm1 index 1c2b3c7ad7..47b7da56f4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.psm1 @@ -92,7 +92,7 @@ function Get-TargetResource foreach ($currentCertificateAuthorities in $getValue.certificateAuthorities) { $myCertificateAuthorities = @{} - $myCertificateAuthorities.Add('Certificate', [convert]::ToBase64String($currentCertificateAuthorities.certificate)) + $myCertificateAuthorities.Add('Certificate', [System.Convert]::ToBase64String($currentCertificateAuthorities.certificate)) $myCertificateAuthorities.Add('CertificateRevocationListUrl', $currentCertificateAuthorities.certificateRevocationListUrl) $myCertificateAuthorities.Add('DeltaCertificateRevocationListUrl', $currentCertificateAuthorities.deltaCertificateRevocationListUrl) $myCertificateAuthorities.Add('IsRootAuthority', $currentCertificateAuthorities.isRootAuthority) @@ -201,10 +201,7 @@ function Set-TargetResource # Delete the old configuration Write-Verbose -Message "Removing the current Azure AD Organization Certificate Based Auth Configuration." - - Remove-MgBetaOrganizationCertificateBasedAuthConfiguration ` - -CertificateBasedAuthConfigurationId $CertificateBasedAuthConfigurationId ` - -OrganizationId $OrganizationId + Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/organization/$OrganizationId/certificateBasedAuthConfiguration/$CertificateBasedAuthConfigurationId" -Method DELETE if ($Ensure -eq 'Present') { @@ -212,19 +209,23 @@ function Set-TargetResource $createParameters = ([Hashtable]$BoundParameters).Clone() $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters - $createParameters.Remove('Id') | Out-Null + $createParameters.Remove('OrganizationId') | Out-Null - $keys = (([Hashtable]$createParameters).Clone()).Keys - foreach ($key in $keys) + $createCertAuthorities = @() + foreach ($CertificateAuthority in $CertificateAuthorities) { - if ($null -ne $createParameters.$key -and $createParameters.$key.GetType().Name -like '*CimInstance*') - { - $createParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $createParameters.$key + $createCertAuthorities += @{ + certificate = $CertificateAuthority.Certificate + certificateRevocationListUrl = $CertificateAuthority.CertificateRevocationListUrl + deltaCertificateRevocationListUrl = $CertificateAuthority.DeltaCertificateRevocationListUrl + isRootAuthority = $CertificateAuthority.IsRootAuthority } } + $params = @{ + certificateAuthorities = $createCertAuthorities + } - $policy = New-MgBetaOrganizationCertificateBasedAuthConfiguration -OrganizationId $OrganizationId -BodyParameter $createParameters - Write-Host "Policy: $policy" + $policy = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/organization/$OrganizationId/certificateBasedAuthConfiguration/" -Method POST -Body $params } } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.schema.mof index 5da0783e97..1331883aea 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.schema.mof @@ -11,7 +11,7 @@ class MSFT_MicrosoftGraphCertificateAuthority class MSFT_AADOrganizationCertificateBasedAuthConfiguration : OMI_BaseResource { [Write, Description("Collection of certificate authorities which creates a trusted certificate chain."), EmbeddedInstance("MSFT_MicrosoftGraphcertificateAuthority")] String CertificateAuthorities[]; - [Write, Description("The Organization ID. Read-only.")] String OrganizationId; + [Key, Description("The Organization ID. Read-only.")] String OrganizationId; [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/1-Create.ps1 new file mode 100644 index 0000000000..b2b618aa5c --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/1-Create.ps1 @@ -0,0 +1,47 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADOrganizationCertificateBasedAuthConfiguration "AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + CertificateAuthorities = @( + MSFT_MicrosoftGraphcertificateAuthority{ + IsRootAuthority = $True + DeltaCertificateRevocationListUrl = 'pqr.com' + Certificate = '' + } + MSFT_MicrosoftGraphcertificateAuthority{ + IsRootAuthority = $True + CertificateRevocationListUrl = 'xyz.com' + DeltaCertificateRevocationListUrl = 'pqr.com' + Certificate = '' + } + ); + Ensure = "Present"; + OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/3-Remove.ps1 new file mode 100644 index 0000000000..46030224d5 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/3-Remove.ps1 @@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADOrganizationCertificateBasedAuthConfiguration "AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Absent"; + OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + } + } +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOrganizationCertificateBasedAuthConfiguration.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOrganizationCertificateBasedAuthConfiguration.Tests.ps1 index 412fec15c4..0f0800c5a8 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOrganizationCertificateBasedAuthConfiguration.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOrganizationCertificateBasedAuthConfiguration.Tests.ps1 @@ -33,13 +33,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Remove-PSSession -MockWith { } - Mock -CommandName Set-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { - } - - Mock -CommandName New-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { - } - - Mock -CommandName Remove-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return $null } Mock -CommandName New-M365DSCConnection -MockWith { @@ -58,14 +53,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ CertificateAuthorities = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ - IssuerSki = "FakeStringValue" DeltaCertificateRevocationListUrl = "FakeStringValue" IsRootAuthority = $True CertificateRevocationListUrl = "FakeStringValue" - Issuer = "FakeStringValue" + Certificate = "VGVzdA==" # "Test" } -ClientOnly) ) - Id = "FakeStringValue" + OrganizationId = "FakeStringValue" Ensure = "Present" Credential = $Credential; } @@ -82,7 +76,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } It 'Should Create the group from the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName New-MgBetaOrganizationCertificateBasedAuthConfiguration -Exactly 1 + Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'POST' } -Exactly 1 } } @@ -91,15 +85,14 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ CertificateAuthorities = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ - IssuerSki = "FakeStringValue" DeltaCertificateRevocationListUrl = "FakeStringValue" IsRootAuthority = $True CertificateRevocationListUrl = "FakeStringValue" - Issuer = "FakeStringValue" + Certificate = "VGVzdA==" # "Test" } -ClientOnly) ) - Id = "FakeStringValue" - Ensure = 'Absent' + OrganizationId = "FakeStringValue" + Ensure = "Absent" Credential = $Credential; } @@ -115,6 +108,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { IsRootAuthority = $True CertificateRevocationListUrl = "FakeStringValue" Issuer = "FakeStringValue" + Certificate = [byte[]] @(84, 101, 115, 116) # "Test" } ) Id = "FakeStringValue" @@ -133,7 +127,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should Remove the group from the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName Remove-MgBetaOrganizationCertificateBasedAuthConfiguration -Exactly 1 + Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'DELETE' } -Exactly 1 } } Context -Name "The AADOrganizationCertificateBasedAuthConfiguration Exists and Values are already in the desired state" -Fixture { @@ -141,14 +135,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ CertificateAuthorities = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ - IssuerSki = "FakeStringValue" DeltaCertificateRevocationListUrl = "FakeStringValue" IsRootAuthority = $True CertificateRevocationListUrl = "FakeStringValue" - Issuer = "FakeStringValue" + Certificate = "VGVzdA==" # "Test" } -ClientOnly) ) - Id = "FakeStringValue" + OrganizationId = "FakeStringValue" Ensure = 'Present' Credential = $Credential; } @@ -165,6 +158,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { IsRootAuthority = $True CertificateRevocationListUrl = "FakeStringValue" Issuer = "FakeStringValue" + Certificate = [byte[]] @(84, 101, 115, 116) # "Test" } ) Id = "FakeStringValue" @@ -184,29 +178,34 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ CertificateAuthorities = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ - IssuerSki = "FakeStringValue" DeltaCertificateRevocationListUrl = "FakeStringValue" IsRootAuthority = $True CertificateRevocationListUrl = "FakeStringValue" - Issuer = "FakeStringValue" + Certificate = "VGVzdA==" # "Test" } -ClientOnly) ) - Id = "FakeStringValue" + OrganizationId = "FakeStringValue" Ensure = 'Present' Credential = $Credential; } Mock -CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.CertificateBasedAuthConfiguration" + } CertificateAuthorities = @( @{ IssuerSki = "FakeStringValue" - DeltaCertificateRevocationListUrl = "FakeStringValue" + DeltaCertificateRevocationListUrl = "NewFakeStringValue" + IsRootAuthority = $False CertificateRevocationListUrl = "FakeStringValue" Issuer = "FakeStringValue" + Certificate = [byte[]] @(84, 101, 115, 116) # "Test" } ) Id = "FakeStringValue" + } } } @@ -221,7 +220,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should call the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName Set-MgBetaOrganizationCertificateBasedAuthConfiguration -Exactly 1 + Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'DELETE' } -Exactly 1 + Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'POST' } -Exactly 1 } } @@ -241,16 +241,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { CertificateAuthorities = @( @{ IssuerSki = "FakeStringValue" - DeltaCertificateRevocationListUrl = "FakeStringValue" - IsRootAuthority = $True + DeltaCertificateRevocationListUrl = "NewFakeStringValue" + IsRootAuthority = $False CertificateRevocationListUrl = "FakeStringValue" Issuer = "FakeStringValue" + Certificate = [byte[]] @(84, 101, 115, 116) # "Test" } ) Id = "FakeStringValue" } } + + Mock -CommandName Get-MgBetaOrganization -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } } It 'Should Reverse Engineer resource from the Export method' { $result = Export-TargetResource @testParams From f2528c2f68198599a760fd55936ab1ccb278cadc Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 13:11:16 +0000 Subject: [PATCH 66/98] Updated {Create} AAD Integration Tests --- .../M365DSCIntegration.AAD.Create.Tests.ps1 | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index 2cd1184f98..1b56b9fe65 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 @@ -565,6 +565,27 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADOrganizationCertificateBasedAuthConfiguration 'AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + CertificateAuthorities = @( + MSFT_MicrosoftGraphcertificateAuthority{ + IsRootAuthority = $True + DeltaCertificateRevocationListUrl = 'pqr.com' + Certificate = '' + } + MSFT_MicrosoftGraphcertificateAuthority{ + IsRootAuthority = $True + CertificateRevocationListUrl = 'xyz.com' + DeltaCertificateRevocationListUrl = 'pqr.com' + Certificate = '' + } + ); + Ensure = "Present"; + OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + } AADRoleDefinition 'AADRoleDefinition1' { DisplayName = "DSCRole1" From a2e0ecd7a3dd1488ec07977b023f1925ab2ee4e4 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 13:11:55 +0000 Subject: [PATCH 67/98] Updated {Update} AAD Integration Tests --- .../M365DSCIntegration.AAD.Remove.Tests.ps1 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 index 501de97c48..9737a591f2 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 @@ -360,6 +360,14 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADOrganizationCertificateBasedAuthConfiguration 'AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Absent"; + OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + } AADRoleDefinition 'AADRoleDefinition1' { IsEnabled = $true From b4141ef59009986898dae9a2512d9e941f273b09 Mon Sep 17 00:00:00 2001 From: "Ritik Mittal (from Dev Box)" Date: Tue, 22 Oct 2024 18:42:33 +0530 Subject: [PATCH 68/98] Changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 046e476c01..95a81240b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,8 @@ * Initial release. * AADIdentityGovernanceProgram * Initial release. +* AADOrganizationCertificateBasedAuthConfiguration + * Initial release. * AADSocialIdentityProvider * Fixed missing permissions in settings.json * Intune workload From d15afcf462e6e6ab431e4ed7c9111900383c6842 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 13:14:42 +0000 Subject: [PATCH 69/98] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 80 +++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index f90e5d8058..703b9b8560 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -5834,6 +5834,86 @@ } ] }, + { + "ClassName": "MSFT_MicrosoftGraphCertificateAuthority", + "Parameters": [ + { + "CIMType": "String", + "Name": "Certificate", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateRevocationListUrl", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeltaCertificateRevocationListUrl", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsRootAuthority", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADOrganizationCertificateBasedAuthConfiguration", + "Parameters": [ + { + "CIMType": "MSFT_MicrosoftGraphcertificateAuthority[]", + "Name": "CertificateAuthorities", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OrganizationId", + "Option": "Key" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_AADPasswordRuleSettings", "Parameters": [ From 76532319a04f059ca357aff4e4f374e2b5b2f375 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 22 Oct 2024 14:12:26 +0000 Subject: [PATCH 70/98] Updated Resources and Cmdlet documentation pages --- ...zationCertificateBasedAuthConfiguration.md | 148 ++++++++++++++++++ 1 file changed, 148 insertions(+) create mode 100644 docs/docs/resources/azure-ad/AADOrganizationCertificateBasedAuthConfiguration.md diff --git a/docs/docs/resources/azure-ad/AADOrganizationCertificateBasedAuthConfiguration.md b/docs/docs/resources/azure-ad/AADOrganizationCertificateBasedAuthConfiguration.md new file mode 100644 index 0000000000..7a795004c0 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADOrganizationCertificateBasedAuthConfiguration.md @@ -0,0 +1,148 @@ +# AADOrganizationCertificateBasedAuthConfiguration + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **CertificateAuthorities** | Write | MSFT_MicrosoftGraphcertificateAuthority[] | Collection of certificate authorities which creates a trusted certificate chain. | | +| **OrganizationId** | Key | String | The Organization ID. Read-only. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_MicrosoftGraphCertificateAuthority + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Certificate** | Write | String | Required. The base64 encoded string representing the public certificate. | | +| **CertificateRevocationListUrl** | Write | String | The URL of the certificate revocation list. | | +| **DeltaCertificateRevocationListUrl** | Write | String | The URL contains the list of all revoked certificates since the last time a full certificate revocaton list was created. | | +| **IsRootAuthority** | Write | Boolean | Required. true if the trusted certificate is a root authority, false if the trusted certificate is an intermediate authority. | | + + +## Description + +Azure AD Organization Certificate Based Auth Configuration + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - Organization.Read.All + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - Organization.Read.All + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADOrganizationCertificateBasedAuthConfiguration "AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + CertificateAuthorities = @( + MSFT_MicrosoftGraphcertificateAuthority{ + IsRootAuthority = $True + DeltaCertificateRevocationListUrl = 'pqr.com' + Certificate = '' + } + MSFT_MicrosoftGraphcertificateAuthority{ + IsRootAuthority = $True + CertificateRevocationListUrl = 'xyz.com' + DeltaCertificateRevocationListUrl = 'pqr.com' + Certificate = '' + } + ); + Ensure = "Present"; + OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADOrganizationCertificateBasedAuthConfiguration "AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Absent"; + OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + } + } +} +``` + From 48efcff2752562b398cccffe1416670c90972b77 Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Tue, 22 Oct 2024 20:00:54 +0530 Subject: [PATCH 71/98] Fixed Test Target Resource --- .../MSFT_AADIdentityAPIConnector.psm1 | 60 +++++++++++++++++-- 1 file changed, 54 insertions(+), 6 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 index 60116d209c..04f48ad77f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 @@ -494,16 +494,64 @@ function Test-TargetResource $target = $CurrentValues.$key if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') { - $testResult = Compare-M365DSCComplexObject ` - -Source ($source) ` - -Target ($target) + + # create a list of thumbprints from the source list + $sourceThumbprints = @() + foreach ($item in $source) + { + $myCertificate = @{} + $myCertificate.Add('Thumbprint', $item.Thumbprint) + $myCertificate.Add('IsActive', $item.IsActive) + $sourceThumbprints += $myCertificate + } + + # create a list of thumbprints from the target list + $targetThumbprints = @() + foreach ($item in $target) + { + $myCertificate = @{} + $myCertificate.Add('Thumbprint', $item.Thumbprint) + $myCertificate.Add('IsActive', $item.IsActive) + $targetThumbprints += $myCertificate + } + # sort the lists + $sourceThumbprints = $sourceThumbprints | Sort-Object -Property { $_.Thumbprint } + $targetThumbprints = $targetThumbprints | Sort-Object -Property { $_.Thumbprint } + + # print the list in verbose logs + foreach ($item in $sourceThumbprints) + { + Write-Verbose -Message "Source Thumbprints: $(Convert-M365DscHashtableToString -Hashtable $item)" + } - if (-not $testResult) + foreach ($item in $targetThumbprints) { - break + Write-Verbose -Message "Target Thumbprints: $(Convert-M365DscHashtableToString -Hashtable $item)" + } + + # check if the lists are identical + $compareResult = $true + if ($sourceThumbprints.Count -ne $targetThumbprints.Count) + { + $compareResult = $false + } + else + { + for ($i = 0; $i -lt $sourceThumbprints.Count; $i++) + { + if ($sourceThumbprints[$i].Thumbprint -ne $targetThumbprints[$i].Thumbprint) + { + $compareResult = $false + Write-Verbose -Message "Thumbprint mismatch: $($sourceThumbprints[$i].Thumbprint) - $($targetThumbprints[$i].Thumbprint)" + break + } + } } - $ValuesToCheck.Remove($key) | Out-Null + if($compareResult -eq $true) + { + $ValuesToCheck.Remove($key) | Out-Null + } } } From 940d185e3dbf6973ad5f62588e2dbabbbba75647 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Tue, 22 Oct 2024 11:22:43 -0400 Subject: [PATCH 72/98] SentinelAlertRule - Initial Release --- .../MSFT_SentinelAlertRule.psm1 | 642 ++++++++++++++++++ .../MSFT_SentinelAlertRule.schema.mof | 109 +++ .../MSFT_SentinelAlertRule/readme.md | 6 + .../MSFT_SentinelAlertRule/settings.json | 32 + .../Resources/SentinelAlertRule/1-Create.ps1 | 26 + .../Resources/SentinelAlertRule/2-Update.ps1 | 26 + .../Resources/SentinelAlertRule/3-Remove.ps1 | 26 + ...icrosoft365DSC.SentinelAlertRule.Tests.ps1 | 178 +++++ 8 files changed, 1045 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/2-Update.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/3-Remove.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelAlertRule.Tests.ps1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.psm1 new file mode 100644 index 0000000000..947211cb19 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.psm1 @@ -0,0 +1,642 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ([System.String]::IsNullOrEmpty($TenantId) -and -not $null -eq $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = Get-M365DSCSentinelAlertRule -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Id $Id + } + if ($null -eq $instance) + { + $instances = Get-M365DSCSentinelAlertRule -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId + $instance = $instances | Where-Object -FilterScript {$_.properties.displayName -eq $DisplayName} + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + ProductFilter = $instance.properties.ProductFilter + Enabled = $instance.properties.Enabled + Severity = $instance.properties.Severity + Tactics = $instance.properties.Tactics + Techniques = $instance.properties.Techniques + Query = $instance.properties.Query + QueryFrequency = $instance.properties.QueryFrequency + QueryPeriod = $instance.properties.QueryPeriod + TriggerOperator = $instance.properties.TriggerOperator + TriggerThreshold = $instance.properties.TriggerThreshold + SuppressionDuration = $instance.properties.SuppressionDuration + SuppresionEnabled = $instance.properties.SuppresionEnabled + AlertRuleTemplateName = $instance.properties.AlertRuleTemplateName + DisplayNamesExcludeFilter = $instance.properties.DisplayNamesExcludeFilter + DisplayNamesFilter = $instance.properties.DisplayNamesFilter + SeveritiesFilter = $instance.properties.SeveritiesFilter + DisplayName = $instance.properties.displayName + SubscriptionId = $SubscriptionId + ResourceGroupName = $ResourceGroupName + WorkspaceName = $WorkspaceName + Id = $instance.name + Description = $instance.properties.description + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + ##TODO - Replace the PrimaryKey + [Parameter(Mandatory = $true)] + [System.String] + $PrimaryKey, + + ##TODO - Add the list of Parameters + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + ##TODO - Replace by the New cmdlet for the resource + New-Cmdlet @SetParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + ##TODO - Replace by the Update/Set cmdlet for the resource + Set-cmdlet @SetParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + ##TODO - Replace by the Remove cmdlet for the resource + Remove-cmdlet @SetParameters + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + ##TODO - Replace the PrimaryKey + [Parameter(Mandatory = $true)] + [System.String] + $PrimaryKey, + + ##TODO - Add the list of Parameters + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + $workspaces = Get-AzResource -ResourceType 'Microsoft.OperationalInsights/workspaces' + $Script:exportedInstances = @() + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + if ([System.String]::IsNullOrEmpty($TenantId) -and $null -ne $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + foreach ($workspace in $workspaces) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + Write-Host " |---[$i/$($workspaces.Length)] $($workspace.Name)" -NoNewline + $subscriptionId = $workspace.ResourceId.Split('/')[2] + $resourceGroupName = $workspace.ResourceGroupName + $workspaceName = $workspace.Name + + $rules = Get-M365DSCSentinelAlertRule -SubscriptionId $subscriptionId ` + -ResourceGroupName $resourceGroupName ` + -WorkspaceName $workspaceName ` + -TenantId $TenantId + + $j = 1 + if ($currentWatchLists.Length -eq 0 ) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + foreach ($rule in $rules) + { + $displayedKey = $rule.properties.DisplayName + Write-Host " |---[$j/$($rules.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $indruleicator.properties.displayName + Id = $rule.name + SubscriptionId = $subscriptionId + ResourceGroupName = $resourceGroupName + WorkspaceName = $workspaceName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $j++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-M365DSCSentinelAlertRule +{ + [CmdletBinding()] + [OutputType([Array])] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $Id + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertrules/$($Id)?api-version=2023-12-01-preview" + $response = Invoke-AzRest -Uri $uri -Method 'GET' + $result = ConvertFrom-Json $response.Content + return $result + } + else + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertrules?api-version=2023-12-01-preview" + $response = Invoke-AzRest -Uri $uri -Method 'GET' + $result = ConvertFrom-Json $response.Content + return $result.value + } + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function New-M365DSCSentinelThreatIntelligenceIndicator +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter()] + [System.Collections.Hashtable] + $Body + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertrules/$((New-GUID).ToString())?api-version=2023-12-01-preview" + $payload = ConvertTo-Json $Body -Depth 10 -Compress + $response = Invoke-AzRest -Uri $uri -Method 'PUT' -Payload $payload + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function Set-M365DSCSentinelThreatIntelligenceIndicator +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.Collections.Hashtable] + $Body + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/$($Id)?api-version=2024-03-01" + $payload = ConvertTo-Json $Body -Depth 10 -Compress + $response = Invoke-AzRest -Uri $uri -Method 'PUT' -Payload $payload + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function Remove-M365DSCSentinelThreatIntelligenceIndicator +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $Id + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/$($Id)?api-version=2024-03-01" + $response = Invoke-AzRest -Uri $uri -Method 'DELETE' + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof new file mode 100644 index 0000000000..30c37ecf58 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof @@ -0,0 +1,109 @@ +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleEventGroupSettings +{ + [Write, Description("")] String aggregationKind; +}; + +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleCustomDetails +{ + [Write, Description("")] String DetailKey; + [Write, Description("")] String DetailValue; +}; + +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleEntityMapping +{ + [Write, Description("")] String entityType; + [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleEntityMappingFieldMapping")] String fieldMappings[]; +}; + +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleEntityMappingFieldMapping +{ + [Write, Description("")] String columnName; + [Write, Description("")] String identifier; +}; + +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleAlertDetailsOverride +{ + [Write, Description("")] String alertDescriptionFormat; + [Write, Description("")] String alertDisplayNameFormat; + [Write, Description("")] String alertColumnName; + [Write, Description("")] String alertTacticsColumnName; + [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty")] String alertDynamicProperties; +}; + +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty +{ + [Write, Description("")] String alertProperty; + [Write, Description("")] String alertPropertyValue; +}; + +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleIncidentConfiguration +{ + [Write, Description("")] Boolean createIncident; + [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration")] String groupingConfiguration; +}; + +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration +{ + [Write, Description("")] Boolean enabled; + [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail")] groupByAlertDetails[]; + [Write, Description("")] String groupByCustomDetails[]; + [Write, Description("")] String groupByEntities[]; + [Write, Description("")] String lookbackDuration; + [Write, Description("")] String matchingMethod; + [Write, Description("")] Boolean reopenClosedIncident; +}; + +[ClassVersion("1.0.0")] +class MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail +{ + [Write, Description("")] String DisplayName; + [Write, Description("")] String Severity; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("ResourceName")] +class MSFT_ResourceName : OMI_BaseResource +{ + [Key, Description("The display name of the indicator")] String DisplayName; + [Write, Description("The name of the resource group. The name is case insensitive.")] String SubscriptionId; + [Write, Description("The name of the resource group. The name is case insensitive.")] String ResourceGroupName; + [Write, Description("The name of the workspace.")] String WorkspaceName; + [Write, Description("The unique id of the indicator.")] String Id; + [Write, Description("The name of the workspace.")] String Description; + [Write, Description("")] String ProductFilter; + [Write, Description("")] Boolean Enabled; + [Write, Description("")] String Severity; + [Write, Description("")] String Tactics[]; + [Write, Description("")] String Techniques[]; + [Write, Description("")] String Query; + [Write, Description("")] String QueryFrequency; + [Write, Description("")] String QueryPeriod; + [Write, Description("")] String TriggerOperator; + [Write, Description("")] UInt32 TriggerThreshold; + [Write, Description("")] String SuppressionDuration; + [Write, Description("")] String SuppresionEnabled; + [Write, Description("")] String AlertRuleTemplateName; + [Write, Description("")] String DisplayNamesExcludeFilter[]; + [Write, Description("")] String DisplayNamesFilter[]; + [Write, Description("")] String SeveritiesFilter[]; + [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleEventGroupSettings")] String EventGroupSettings; + [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleCustomDetails")] String CustomDetails; + [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleEntityMapping")] String EntityMappings[]; + [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleAlertDetailsOverride")] String AlertDetailsOverride; + [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfiguration")] String IncidentConfiguration; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/readme.md new file mode 100644 index 0000000000..32e0e7fb27 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/readme.md @@ -0,0 +1,6 @@ + +# ResourceName + +## Description + +##TODO - Provide a short description of what the resource is set to configure. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/settings.json new file mode 100644 index 0000000000..edf14b05e4 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/settings.json @@ -0,0 +1,32 @@ +{ + "resourceName": "ResourceName", + "description": "Description of what the resource is about.", + "roles": { + "read": [ + "Role" + ], + "update": [ + "Role" + ] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "Permission for Monitoring and Export" + } + ], + "update": [ + { + "name": "Permission for deploying" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/1-Create.ps1 new file mode 100644 index 0000000000..b516274848 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/1-Create.ps1 @@ -0,0 +1,26 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/2-Update.ps1 new file mode 100644 index 0000000000..b516274848 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/2-Update.ps1 @@ -0,0 +1,26 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/3-Remove.ps1 new file mode 100644 index 0000000000..b516274848 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/3-Remove.ps1 @@ -0,0 +1,26 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + + } +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelAlertRule.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelAlertRule.Tests.ps1 new file mode 100644 index 0000000000..780e0f343d --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelAlertRule.Tests.ps1 @@ -0,0 +1,178 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + ##TODO - Mock any Remove/Set/New cmdlets + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + ##TODO - Add Parameters + Ensure = 'Present' + Credential = $Credential; + } + + ##TODO - Mock the Get-Cmdlet to return $null + Mock -CommandName Get-Cmdlet -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + ##TODO - Replace the New-Cmdlet by the appropriate one + Set-TargetResource @testParams + Should -Invoke -CommandName New-Cmdlet -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + ##TODO - Add Parameters + Ensure = 'Absent' + Credential = $Credential; + } + + ##TODO - Mock the Get-Cmdlet to return an instance + Mock -CommandName Get-Cmdlet -MockWith { + return @{ + + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + ##TODO - Replace the Remove-Cmdlet by the appropriate one + Should -Invoke -CommandName Remove-Cmdlet -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ##TODO - Add Parameters + Ensure = 'Present' + Credential = $Credential; + } + + ##TODO - Mock the Get-Cmdlet to return the desired values + Mock -CommandName Get-Cmdlet -MockWith { + return @{ + + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ##TODO - Add Parameters + Ensure = 'Present' + Credential = $Credential; + } + + ##TODO - Mock the Get-Cmdlet to return a drift + Mock -CommandName Get-Cmdlet -MockWith { + return @{ + + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + ##TODO - Replace the Update-Cmdlet by the appropriate one + Should -Invoke -CommandName Update-Cmdlet -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + ##TODO - Mock the Get-Cmdlet to return an instance + Mock -CommandName Get-Cmdlet -MockWith { + return @{ + + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope From a6fab102a5b3d9525c94ef255ebbf22b412436dd Mon Sep 17 00:00:00 2001 From: Fabien Tschanz Date: Tue, 22 Oct 2024 23:17:02 +0200 Subject: [PATCH 73/98] Add Intune Group.Read.All permissions to generated permissions --- ResourceGenerator/M365DSCResourceGenerator.psm1 | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/ResourceGenerator/M365DSCResourceGenerator.psm1 b/ResourceGenerator/M365DSCResourceGenerator.psm1 index 932f7012a2..9cd5544639 100644 --- a/ResourceGenerator/M365DSCResourceGenerator.psm1 +++ b/ResourceGenerator/M365DSCResourceGenerator.psm1 @@ -967,7 +967,15 @@ class MSFT_DeviceManagementConfigurationPolicyAssignments -Workload $Workload ` -CmdLetNoun $CmdLetNoun ` -ApiVersion $ApiVersion ` - -UpdateVerb $updateVerb).permissions | ConvertTo-Json -Depth 20 + -UpdateVerb $updateVerb).permissions + if ($ResourceName -like "Intune*") + { + $resourcePermissions.application.read += @{ name = 'Group.Read.All' } + $resourcePermissions.application.update += @{ name = 'Group.Read.All' } + $resourcePermissions.delegated.read += @{ name = 'Group.Read.All' } + $resourcePermissions.delegated.update += @{ name = 'Group.Read.All' } + } + $resourcePermissions = $resourcePermissions | ConvertTo-Json -Depth 20 $resourcePermissions = ' ' + $resourcePermissions Write-TokenReplacement -Token '' -Value $ResourceName -FilePath $settingsFilePath Write-TokenReplacement -Token '' -Value $resourceDescription -FilePath $settingsFilePath From 47b1372de3a6ed932ff0f0598cca27cc5dbeec8b Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Tue, 22 Oct 2024 23:01:40 -0400 Subject: [PATCH 74/98] Ready for Review --- CHANGELOG.md | 2 + .../MSFT_SentinelAlertRule.psm1 | 889 ++++++++++++++++-- .../MSFT_SentinelAlertRule.schema.mof | 18 +- .../MSFT_SentinelAlertRule/readme.md | 4 +- .../MSFT_SentinelAlertRule/settings.json | 24 +- .../Dependencies/Manifest.psd1 | 42 +- .../Resources/SentinelAlertRule/1-Create.ps1 | 51 +- .../Resources/SentinelAlertRule/2-Update.ps1 | 51 +- .../Resources/SentinelAlertRule/3-Remove.ps1 | 14 +- ...icrosoft365DSC.SentinelAlertRule.Tests.ps1 | 347 ++++++- 10 files changed, 1286 insertions(+), 156 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c94a634efc..da4bf910c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,8 @@ * Fixed missing permissions in settings.json * Intune workload * Fixed missing permissions in settings.json +* SentinelAlertRule + * Initial release. * SentinelThreatIntelligenceIndicator * Initial release. * SPOTenantSettings diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.psm1 index 947211cb19..77911ab204 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.psm1 @@ -28,6 +28,98 @@ function Get-TargetResource [System.String] $Description, + [Parameter()] + [System.String] + $ProductFilter, + + [Parameter()] + [System.Boolean] + $Enabled, + + [Parameter()] + [System.String] + $Severity, + + [Parameter()] + [System.String[]] + $Tactics, + + [Parameter()] + [System.String[]] + $Techniques, + + [Parameter()] + [System.String[]] + $SubTechniques, + + [Parameter()] + [System.String] + $Query, + + [Parameter()] + [System.String] + $QueryFrequency, + + [Parameter()] + [System.String] + $QueryPeriod, + + [Parameter()] + [System.String] + $TriggerOperator, + + [Parameter()] + [System.UInt32] + $TriggerThreshold, + + [Parameter()] + [System.String] + $SuppressionDuration, + + [Parameter()] + [System.String] + $SuppressionEnabled, + + [Parameter()] + [System.String] + $AlertRuleTemplateName, + + [Parameter()] + [System.String[]] + $DisplayNamesExcludeFilter, + + [Parameter()] + [System.String[]] + $DisplayNamesFilter, + + [Parameter()] + [System.String[]] + $SeveritiesFilter, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EventGroupingSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomDetails, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $EntityMappings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AlertDetailsOverride, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $IncidentConfiguration, + + [Parameter()] + [System.String] + $Kind, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] @@ -103,28 +195,119 @@ function Get-TargetResource return $nullResult } + # EventGroupingSettings + $EventGroupingValueSettingsValue = $null + if ($null -ne $instance.properties.eventGroupingSettings) + { + $EventGroupingValueSettingsValue = @{ + aggregationKind = $instance.properties.eventGroupingSettings.aggregationKind + } + } + + # CustomDetails + $CustomDetailsValue = @() + if ($null -ne $instance.properties.customDetails) + { + $detailAsHash = @{} + $instance.properties.customDetails.psobject.properties | foreach { $detailAsHash[$_.Name] = $_.Value } + foreach ($key in $detailAsHash.Keys) + { + $CustomDetailsValue += @{ + DetailKey = $key + DetailValue = $detailAsHash.$key + } + } + } + + #EntityMappings + $EntityMappingsValue = @() + if ($null -ne $instance.properties.entityMappings) + { + foreach ($mapping in $instance.properties.entityMappings) + { + $entity = @{ + entityType = $mapping.entityType + fieldMappings = @() + } + + foreach ($fieldMapping in $mapping.fieldMappings) + { + $entity.fieldMappings += @{ + identifier = $fieldMapping.identifier + columnName = $fieldMapping.columnName + } + } + + $EntityMappingsValue += $entity + } + } + + #AlertDetailsOverride + if ($null -ne $instance.properties.alertDetailsOverride) + { + $info = $instance.properties.alertDetailsOverride + $AlertDetailsOverrideValue = @{ + alertDisplayNameFormat = $info.alertDisplayNameFormat + alertDescriptionFormat = $info.alertDescriptionFormat + alertDynamicProperties = @() + } + + foreach ($propertyEntry in $info.alertDynamicProperties) + { + $AlertDetailsOverrideValue.alertDynamicProperties += @{ + alertProperty = $propertyEntry.alertProperty + alertPropertyValue = $propertyEntry.value + } + } + } + + #IncidentConfiguration + if ($null -ne $instance.properties.incidentConfiguration) + { + $info = $instance.properties.incidentConfiguration + $IncidentConfigurationValue = @{ + createIncident = [Boolean]::Parse($info.createIncident.ToString()) + groupingConfiguration = @{ + enabled = $info.groupingConfiguration.enabled + reopenClosedIncident = $info.groupingConfiguration.reopenClosedIncident + lookbackDuration = $info.groupingConfiguration.lookbackDuration + matchingMethod = $info.groupingConfiguration.matchingMethod + groupByEntities = $info.groupingConfiguration.groupByEntities + groupByAlertDetails = $info.groupingConfiguration.groupByAlertDetails + groupByCustomDetails = $info.groupingConfiguration.groupByCustomDetails + } + } + } + $results = @{ ProductFilter = $instance.properties.ProductFilter Enabled = $instance.properties.Enabled Severity = $instance.properties.Severity Tactics = $instance.properties.Tactics Techniques = $instance.properties.Techniques + SubTechniques = $instance.properties.SubTechniques Query = $instance.properties.Query QueryFrequency = $instance.properties.QueryFrequency QueryPeriod = $instance.properties.QueryPeriod TriggerOperator = $instance.properties.TriggerOperator TriggerThreshold = $instance.properties.TriggerThreshold SuppressionDuration = $instance.properties.SuppressionDuration - SuppresionEnabled = $instance.properties.SuppresionEnabled + SuppressionEnabled = $instance.properties.SuppressionEnabled AlertRuleTemplateName = $instance.properties.AlertRuleTemplateName DisplayNamesExcludeFilter = $instance.properties.DisplayNamesExcludeFilter DisplayNamesFilter = $instance.properties.DisplayNamesFilter SeveritiesFilter = $instance.properties.SeveritiesFilter DisplayName = $instance.properties.displayName + EventGroupingSettings = $EventGroupingValueSettingsValue + CustomDetails = $CustomDetailsValue + EntityMappings = $EntityMappingsValue + AlertDetailsOverride = $AlertDetailsOverrideValue + IncidentConfiguration = $IncidentConfigurationValue SubscriptionId = $SubscriptionId ResourceGroupName = $ResourceGroupName WorkspaceName = $WorkspaceName Id = $instance.name + Kind = $instance.kind Description = $instance.properties.description Ensure = 'Present' Credential = $Credential @@ -154,12 +337,121 @@ function Set-TargetResource [CmdletBinding()] param ( - ##TODO - Replace the PrimaryKey [Parameter(Mandatory = $true)] [System.String] - $PrimaryKey, + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $ProductFilter, + + [Parameter()] + [System.Boolean] + $Enabled, + + [Parameter()] + [System.String] + $Severity, + + [Parameter()] + [System.String[]] + $Tactics, + + [Parameter()] + [System.String[]] + $Techniques, + + [Parameter()] + [System.String[]] + $SubTechniques, + + [Parameter()] + [System.String] + $Query, - ##TODO - Add the list of Parameters + [Parameter()] + [System.String] + $QueryFrequency, + + [Parameter()] + [System.String] + $QueryPeriod, + + [Parameter()] + [System.String] + $TriggerOperator, + + [Parameter()] + [System.UInt32] + $TriggerThreshold, + + [Parameter()] + [System.String] + $SuppressionDuration, + + [Parameter()] + [System.String] + $SuppressionEnabled, + + [Parameter()] + [System.String] + $AlertRuleTemplateName, + + [Parameter()] + [System.String[]] + $DisplayNamesExcludeFilter, + + [Parameter()] + [System.String[]] + $DisplayNamesFilter, + + [Parameter()] + [System.String[]] + $SeveritiesFilter, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EventGroupingSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomDetails, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $EntityMappings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AlertDetailsOverride, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $IncidentConfiguration, + + [Parameter()] + [System.String] + $Kind, [Parameter()] [ValidateSet('Present', 'Absent')] @@ -205,25 +497,222 @@ function Set-TargetResource $currentInstance = Get-TargetResource @PSBoundParameters - $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + if ([System.String]::IsNullOrEmpty($TenantId) -and -not $null -eq $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + + $instance = @{} + if ($Kind -eq 'Fusion') + { + $instance = @{ + kind = $Kind + properties = @{ + alertRuleTemplateName = $AlertRuleTemplateName + enabled = $Enabled + } + } + } + elseif ($Kind -eq 'MicrosoftSecurityIncidentCreation') + { + $instance = @{ + kind = $Kind + properties = @{ + displayName = $DisplayName + description = $Description + productFilter = $ProductFilter + displayNamesExcludeFilter = $DisplayNamesExcludeFilter + displayNamesFilter = $DisplayNamesFilter + enabled = $Enabled + severitiesFilter = $AlertSeverity + } + } + } + elseif ($Kind -eq 'Scheduled') + { + $instance = @{ + kind = $Kind + properties = @{ + displayName = $DisplayName + enabled = $Enabled + description = $Description + query = $Query + queryFrequency = $QueryFrequency + queryPeriod = $QueryPeriod + severity = $Severity + suppressionDuration = $SuppressionDuration + suppressionEnabled = $SuppressionEnabled + triggerOperator = $TriggerOperator + triggerThreshold = $TriggerThreshold + eventGroupingSettings = @{ + aggregationKind = $EventGroupingSettings.aggregationKind + } + customDetails = @{} + alertDetailsOverride = @{ + alertDisplayNameFormat = $AlertDetailsOverride.alertDisplayNameFormat + alertDescriptionFormat = $AlertDetailsOverride.alertDescriptionFormat + alertDynamicProperties = @() + } + entityMappings = @() + incidentConfiguration = @{ + createIncident = $IncidentConfiguration.createIncident + groupingConfiguration = @{ + enabled = $IncidentConfiguration.groupingConfiguration.enabled + reopenClosedIncident = $IncidentConfiguration.groupingConfiguration.reopenClosedIncident + lookbackDuration = $IncidentConfiguration.groupingConfiguration.lookbackDuration + matchingMethod = $IncidentConfiguration.groupingConfiguration.matchingMethod + groupByEntities = $IncidentConfiguration.groupingConfiguration.groupByEntities + groupByAlertDetails = $IncidentConfiguration.groupingConfiguration.groupByAlertDetails + groupByCustomDetails = $IncidentConfiguration.groupingConfiguration.groupByCustomDetails + } + } + productFilter = $ProductFilter + displayNamesExcludeFilter = $DisplayNamesExcludeFilter + displayNamesFilter = $DisplayNamesFilter + severitiesFilter = $AlertSeverity + } + } + + foreach ($entity in $EntityMappings) + { + $entry = @{ + entityType = $entity.entityType + fieldMappings = @() + } + + foreach ($field in $entity.fieldMappings) + { + $entry.fieldMappings += @{ + identifier = $field.identifier + columnName = $field.columnName + } + } + + $instance.properties.entityMappings += $entry + } + + foreach ($detail in $CustomDetails) + { + $instance.properties.customDetails.Add($detail.DetailKey, $detail.DetailValue) + } + + foreach ($dynamicProp in $AlertDetailsOverride.alertDynamicProperties) + { + $instance.properties.alertDetailsOverride.alertDynamicProperties += @{ + alertProperty = $dynamicProp.alertProperty + value = $dynamicProp.alertPropertyValue + } + } + } + elseif ($Kind -eq 'NRT') + { + $instance = @{ + kind = $Kind + properties = @{ + displayName = $DisplayName + enabled = $Enabled + description = $Description + query = $Query + severity = $Severity + suppressionDuration = $SuppressionDuration + suppressionEnabled = $SuppressionEnabled + eventGroupingSettings = @{ + aggregationKind = $EventGroupingSettings.aggregationKind + } + alertDetailsOverride = @{ + alertDisplayNameFormat = $AlertDetailsOverride.alertDisplayNameFormat + alertDescriptionFormat = $AlertDetailsOverride.alertDescriptionFormat + alertDynamicProperties = @() + } + entityMappings = @() + customDetails = @{} + incidentConfiguration = @{ + createIncident = $IncidentConfiguration.createIncident + groupingConfiguration = @{ + enabled = $IncidentConfiguration.groupingConfiguration.enabled + reopenClosedIncident = $IncidentConfiguration.groupingConfiguration.reopenClosedIncident + lookbackDuration = $IncidentConfiguration.groupingConfiguration.lookbackDuration + matchingMethod = $IncidentConfiguration.groupingConfiguration.matchingMethod + groupByEntities = $IncidentConfiguration.groupingConfiguration.groupByEntities + groupByAlertDetails = $IncidentConfiguration.groupingConfiguration.groupByAlertDetails + groupByCustomDetails = $IncidentConfiguration.groupingConfiguration.groupByCustomDetails + } + } + techniques = $Techniques + subTechniques = $SubTechniques + tactics = $Tactics + } + } + + if ($null -eq $EntityMappings -or $EntityMappings.Length -eq 0) + { + $instance.properties.Remove('entityMappings') | Out-Null + } + else + { + foreach ($entity in $EntityMappings) + { + $entry = @{ + entityType = $entity.entityType + fieldMappings = @() + } + + foreach ($field in $entity.fieldMappings) + { + $entry.fieldMappings += @{ + identifier = $field.identifier + columnName = $field.columnName + } + } + + $instance.properties.entityMappings += $entry + } + } + + foreach ($detail in $CustomDetails) + { + $instance.properties.customDetails.Add($detail.DetailKey, $detail.DetailValue) + } + + foreach ($dynamicProp in $AlertDetailsOverride.alertDynamicProperties) + { + $instance.properties.alertDetailsOverride.alertDynamicProperties += @{ + alertProperty = $dynamicProp.alertProperty + value = $dynamicProp.alertPropertyValue + } + } + } # CREATE if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { - ##TODO - Replace by the New cmdlet for the resource - New-Cmdlet @SetParameters + Write-Verbose -Message "Creating new Alert Rule {$DisplayName}" + New-M365DSCSentinelAlertRule -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Body $instance } # UPDATE - elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + elseif($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { - ##TODO - Replace by the Update/Set cmdlet for the resource - Set-cmdlet @SetParameters + Write-Verbose -Message "Updating Alert Rule {$DisplayName}" + New-M365DSCSentinelAlertRule -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Body $instance ` + -Id $currentInstance.Id } # REMOVE elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { - ##TODO - Replace by the Remove cmdlet for the resource - Remove-cmdlet @SetParameters + Write-Verbose -Message "Removing Alert Rule {$DisplayName}" + Remove-M365DSCSentinelAlertRule -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Id $currentInstance.Id } } @@ -233,12 +722,121 @@ function Test-TargetResource [OutputType([System.Boolean])] param ( - ##TODO - Replace the PrimaryKey [Parameter(Mandatory = $true)] [System.String] - $PrimaryKey, + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $ProductFilter, + + [Parameter()] + [System.Boolean] + $Enabled, + + [Parameter()] + [System.String] + $Severity, + + [Parameter()] + [System.String[]] + $Tactics, + + [Parameter()] + [System.String[]] + $Techniques, + + [Parameter()] + [System.String[]] + $SubTechniques, + + [Parameter()] + [System.String] + $Query, + + [Parameter()] + [System.String] + $QueryFrequency, + + [Parameter()] + [System.String] + $QueryPeriod, + + [Parameter()] + [System.String] + $TriggerOperator, + + [Parameter()] + [System.UInt32] + $TriggerThreshold, + + [Parameter()] + [System.String] + $SuppressionDuration, + + [Parameter()] + [System.String] + $SuppressionEnabled, + + [Parameter()] + [System.String] + $AlertRuleTemplateName, - ##TODO - Add the list of Parameters + [Parameter()] + [System.String[]] + $DisplayNamesExcludeFilter, + + [Parameter()] + [System.String[]] + $DisplayNamesFilter, + + [Parameter()] + [System.String[]] + $SeveritiesFilter, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EventGroupingSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomDetails, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $EntityMappings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AlertDetailsOverride, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $IncidentConfiguration, + + [Parameter()] + [System.String] + $Kind, [Parameter()] [ValidateSet('Present', 'Absent')] @@ -288,10 +886,33 @@ function Test-TargetResource Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" - $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } Write-Verbose -Message "Test-TargetResource returned $testResult" @@ -400,7 +1021,7 @@ function Export-TargetResource $displayedKey = $rule.properties.DisplayName Write-Host " |---[$j/$($rules.Count)] $displayedKey" -NoNewline $params = @{ - DisplayName = $indruleicator.properties.displayName + DisplayName = $rule.properties.displayName Id = $rule.name SubscriptionId = $subscriptionId ResourceGroupName = $resourceGroupName @@ -417,11 +1038,173 @@ function Export-TargetResource $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results + if ( $null -ne $Results.EventGroupingSettings) + { + $complexMapping = @( + @{ + Name = 'EventGroupingSettings' + CimInstanceName = 'SentinelAlertRuleEventGroupingSettings' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.EventGroupingSettings ` + -CIMInstanceName 'SentinelAlertRuleEventGroupingSettings' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.EventGroupingSettings = $complexTypeStringResult + } + else + { + $Results.Remove('EventGroupingSettings') | Out-Null + } + } + + if ($null -ne $Results.CustomDetails) + { + $complexMapping = @( + @{ + Name = 'CustomDetails' + CimInstanceName = 'SentinelAlertRuleCustomDetails' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.CustomDetails ` + -CIMInstanceName 'SentinelAlertRuleCustomDetails' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.CustomDetails = $complexTypeStringResult + } + else + { + $Results.Remove('CustomDetails') | Out-Null + } + } + + if ( $null -ne $Results.EntityMappings) + { + $complexMapping = @( + @{ + Name = 'EntityMappings' + CimInstanceName = 'SentinelAlertRuleEntityMapping' + IsRequired = $False + }, + @{ + Name = 'fieldMappings' + CimInstanceName = 'SentinelAlertRuleEntityMappingFieldMapping' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.EntityMappings ` + -CIMInstanceName 'SentinelAlertRuleEntityMapping' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.EntityMappings = $complexTypeStringResult + } + else + { + $Results.Remove('EntityMappings') | Out-Null + } + } + + if ($null -ne $Results.AlertDetailsOverride) + { + $complexMapping = @( + @{ + Name = 'AlertDetailsOverride' + CimInstanceName = 'SentinelAlertRuleAlertDetailsOverride' + IsRequired = $False + }, + @{ + Name = 'alertDynamicProperties' + CimInstanceName = 'SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.AlertDetailsOverride ` + -CIMInstanceName 'SentinelAlertRuleAlertDetailsOverride' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.AlertDetailsOverride = $complexTypeStringResult + } + else + { + $Results.Remove('AlertDetailsOverride') | Out-Null + } + } + + if ($null -ne $Results.IncidentConfiguration) + { + $complexMapping = @( + @{ + Name = 'IncidentConfiguration' + CimInstanceName = 'SentinelAlertRuleIncidentConfiguration' + IsRequired = $False + }, + @{ + Name = 'groupingConfiguration' + CimInstanceName = 'SentinelAlertRuleIncidentConfigurationGroupingConfiguration' + IsRequired = $False + } + @{ + Name = 'groupByAlertDetails' + CimInstanceName = 'SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.IncidentConfiguration ` + -CIMInstanceName 'SentinelAlertRuleIncidentConfiguration' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.IncidentConfiguration = $complexTypeStringResult + } + else + { + $Results.Remove('IncidentConfiguration') | Out-Null + } + } + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` -Results $Results ` -Credential $Credential + + if ($Results.EventGroupingSettings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'EventGroupingSettings' -IsCIMArray:$False + } + if ($Results.CustomDetails) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'CustomDetails' -IsCIMArray:$False + } + if ($Results.EntityMappings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'EntityMappings' -IsCIMArray:$True + } + if ($Results.AlertDetailsOverride) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'AlertDetailsOverride' -IsCIMArray:$True + } + if ($Results.IncidentConfiguration) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'IncidentConfiguration' -IsCIMArray:$True + } + $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName @@ -501,7 +1284,7 @@ function Get-M365DSCSentinelAlertRule } } -function New-M365DSCSentinelThreatIntelligenceIndicator +function New-M365DSCSentinelAlertRule { [CmdletBinding()] param( @@ -523,56 +1306,11 @@ function New-M365DSCSentinelThreatIntelligenceIndicator [Parameter()] [System.Collections.Hashtable] - $Body - ) + $Body, - try - { - $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId - $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" - - $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertrules/$((New-GUID).ToString())?api-version=2023-12-01-preview" - $payload = ConvertTo-Json $Body -Depth 10 -Compress - $response = Invoke-AzRest -Uri $uri -Method 'PUT' -Payload $payload - } - catch - { - Write-Verbose -Message $_ - New-M365DSCLogEntry -Message 'Error retrieving data:' ` - -Exception $_ ` - -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $TenantId - throw $_ - } -} - -function Set-M365DSCSentinelThreatIntelligenceIndicator -{ - [CmdletBinding()] - param( [Parameter()] [System.String] - $SubscriptionId, - - [Parameter()] - [System.String] - $ResourceGroupName, - - [Parameter()] - [System.String] - $WorkspaceName, - - [Parameter(Mandatory = $true)] - [System.String] - $TenantId, - - [Parameter(Mandatory = $true)] - [System.String] - $Id, - - [Parameter()] - [System.Collections.Hashtable] - $Body + $Id ) try @@ -580,9 +1318,18 @@ function Set-M365DSCSentinelThreatIntelligenceIndicator $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" - $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/$($Id)?api-version=2024-03-01" + if ($null -eq $Id) + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertrules/$((New-GUID).ToString())?api-version=2024-04-01-preview" + } + else + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertrules/$($Id)?api-version=2024-04-01-preview" + } $payload = ConvertTo-Json $Body -Depth 10 -Compress + Write-Verbose -Message "Creating new rule against URL:`r`n$($uri)`r`nWith payload:`r`n$payload" $response = Invoke-AzRest -Uri $uri -Method 'PUT' -Payload $payload + Write-Verbose -Message $response.Content } catch { @@ -595,7 +1342,7 @@ function Set-M365DSCSentinelThreatIntelligenceIndicator } } -function Remove-M365DSCSentinelThreatIntelligenceIndicator +function Remove-M365DSCSentinelAlertRule { [CmdletBinding()] param( @@ -625,7 +1372,7 @@ function Remove-M365DSCSentinelThreatIntelligenceIndicator $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" - $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/$($Id)?api-version=2024-03-01" + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertRules/$($Id)?api-version=2024-04-01-preview" $response = Invoke-AzRest -Uri $uri -Method 'DELETE' } catch diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof index 30c37ecf58..3762c576f8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof @@ -1,5 +1,5 @@ [ClassVersion("1.0.0")] -class MSFT_SentinelAlertRuleEventGroupSettings +class MSFT_SentinelAlertRuleEventGroupingSettings { [Write, Description("")] String aggregationKind; }; @@ -32,7 +32,7 @@ class MSFT_SentinelAlertRuleAlertDetailsOverride [Write, Description("")] String alertDisplayNameFormat; [Write, Description("")] String alertColumnName; [Write, Description("")] String alertTacticsColumnName; - [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty")] String alertDynamicProperties; + [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty")] String alertDynamicProperties[]; }; [ClassVersion("1.0.0")] @@ -53,7 +53,7 @@ class MSFT_SentinelAlertRuleIncidentConfiguration class MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration { [Write, Description("")] Boolean enabled; - [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail")] groupByAlertDetails[]; + [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail")] String groupByAlertDetails[]; [Write, Description("")] String groupByCustomDetails[]; [Write, Description("")] String groupByEntities[]; [Write, Description("")] String lookbackDuration; @@ -68,8 +68,8 @@ class MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetai [Write, Description("")] String Severity; }; -[ClassVersion("1.0.0.0"), FriendlyName("ResourceName")] -class MSFT_ResourceName : OMI_BaseResource +[ClassVersion("1.0.0.0"), FriendlyName("SentinelAlertRule")] +class MSFT_SentinelAlertRule : OMI_BaseResource { [Key, Description("The display name of the indicator")] String DisplayName; [Write, Description("The name of the resource group. The name is case insensitive.")] String SubscriptionId; @@ -82,22 +82,24 @@ class MSFT_ResourceName : OMI_BaseResource [Write, Description("")] String Severity; [Write, Description("")] String Tactics[]; [Write, Description("")] String Techniques[]; + [Write, Description("")] String SubTechniques[]; [Write, Description("")] String Query; [Write, Description("")] String QueryFrequency; [Write, Description("")] String QueryPeriod; [Write, Description("")] String TriggerOperator; [Write, Description("")] UInt32 TriggerThreshold; [Write, Description("")] String SuppressionDuration; - [Write, Description("")] String SuppresionEnabled; + [Write, Description("")] String SuppressionEnabled; [Write, Description("")] String AlertRuleTemplateName; [Write, Description("")] String DisplayNamesExcludeFilter[]; [Write, Description("")] String DisplayNamesFilter[]; [Write, Description("")] String SeveritiesFilter[]; - [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleEventGroupSettings")] String EventGroupSettings; - [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleCustomDetails")] String CustomDetails; + [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleEventGroupingSettings")] String EventGroupingSettings; + [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleCustomDetails")] String CustomDetails[]; [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleEntityMapping")] String EntityMappings[]; [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleAlertDetailsOverride")] String AlertDetailsOverride; [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfiguration")] String IncidentConfiguration; + [Write, Description("")] String Kind; [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/readme.md index 32e0e7fb27..2bdf6ede04 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/readme.md @@ -1,6 +1,6 @@ -# ResourceName +# SentinelAlertRule ## Description -##TODO - Provide a short description of what the resource is set to configure. +Configures alert rules in Azure Sentinel. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/settings.json index edf14b05e4..d01973dfcf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/settings.json @@ -1,13 +1,9 @@ { - "resourceName": "ResourceName", - "description": "Description of what the resource is about.", + "resourceName": "SentinelAlertRule", + "description": "Configures alert rules in Azure Sentinel.", "roles": { - "read": [ - "Role" - ], - "update": [ - "Role" - ] + "read": [], + "update": [] }, "permissions": { "graph": { @@ -16,16 +12,8 @@ "update": [] }, "application": { - "read": [ - { - "name": "Permission for Monitoring and Export" - } - ], - "update": [ - { - "name": "Permission for deploying" - } - ] + "read": [], + "update": [] } } } diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 index c9f78cc37b..bfb5342628 100644 --- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 +++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 @@ -30,87 +30,87 @@ }, @{ ModuleName = 'Microsoft.Graph.Applications' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Applications' - Requiredversion = '2.23.0' + Requiredversion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Authentication' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Devices.CorporateManagement' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement.Administration' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement.Enrollment' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.DirectoryManagement' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.Governance' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.SignIns' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Reports' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Search' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Teams' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.DeviceManagement.Administration' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DirectoryObjects' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Groups' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Groups' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Planner' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Sites' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Users' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Users.Actions' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.PowerApps.Administration.PowerShell' diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/1-Create.ps1 index b516274848..48bcd14ca7 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/1-Create.ps1 @@ -21,6 +21,55 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + }; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CustomDetails = @( + MSFT_SentinelAlertRuleCustomDetails{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } + ); + Description = "Test"; + DisplayName = "MyNRTRule"; + Enabled = $True; + Ensure = "Present"; + EntityMappings = @( + MSFT_SentinelAlertRuleEntityMapping{ + fieldMappings = @( + MSFT_SentinelAlertRuleEntityMappingFieldMapping{ + identifier = 'AppId' + columnName = 'Id' + } + ) + entityType = 'CloudApplication' + } + ); + IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{ + groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + }; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "ResourceGroupName"; + Severity = "Medium"; + SubscriptionId = "xxxx"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } } } diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/2-Update.ps1 index b516274848..f2ce0ff25e 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/2-Update.ps1 @@ -21,6 +21,55 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + }; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CustomDetails = @( + MSFT_SentinelAlertRuleCustomDetails{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } + ); + Description = "Test"; + DisplayName = "MyNRTRule"; + Enabled = $True; + Ensure = "Present"; + EntityMappings = @( + MSFT_SentinelAlertRuleEntityMapping{ + fieldMappings = @( + MSFT_SentinelAlertRuleEntityMappingFieldMapping{ + identifier = 'AppId' + columnName = 'Id' + } + ) + entityType = 'CloudApplication' + } + ); + IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{ + groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + }; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "ResourceGroupName"; + Severity = "High"; #Drift + SubscriptionId = "xxxx"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } } } diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/3-Remove.ps1 index b516274848..9d40a7633d 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/3-Remove.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/3-Remove.ps1 @@ -21,6 +21,18 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Test"; + DisplayName = "MyNRTRule"; + Ensure = "Absent"; + ResourceGroupName = "ResourceGroupName"; + Severity = "Medium"; + SubscriptionId = "xxxx"; + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelAlertRule.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelAlertRule.Tests.ps1 index 780e0f343d..90786e49f9 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelAlertRule.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelAlertRule.Tests.ps1 @@ -35,7 +35,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { return "Credentials" } - ##TODO - Mock any Remove/Set/New cmdlets + Mock -CommandName Get-AzResource -MockWith { + return @{ + ResourceGroupName = "MyResourceGroup" + Name = 'MySentinelWorkspace' + ResourceId = "name/part/resourceId/" + } + } + + Mock -CommandName New-M365DSCSentinelAlertRule -MockWith { + + } + + Mock -CommandName Remove-M365DSCSentinelAlertRule -MockWith { + + } # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { @@ -47,13 +61,47 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name "The instance should exist but it DOES NOT" -Fixture { BeforeAll { $testParams = @{ - ##TODO - Add Parameters - Ensure = 'Present' - Credential = $Credential; + AlertDetailsOverride = (New-CimInstance -ClassName MSFT_SentinelAlertRuleAlertDetailsOverride -Property @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + } -ClientOnly) + CustomDetails = @( + (New-CimInstance -ClassName MSFT_SentinelAlertRuleCustomDetails -Property @{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } -ClientOnly) + ) + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $True; + Ensure = "Present"; + EventGroupingSettings = (New-CimInstance -ClassName MSFT_SentinelAlertRuleEventGroupingSettings -Property @{ + aggregationKind = 'AlertPerResult' + } -ClientOnly) + IncidentConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfiguration -Property @{ + groupingConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration -Property @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } -ClientOnly) + createIncident = $True + } -ClientOnly) + Kind = "NRT"; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "TBDSentinel"; + Severity = "Medium"; + SubscriptionId = "42136a41-5030-4140-aba0-7e6211115d3a"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + WorkspaceName = "SentinelWorkspace"; + Credential = $Credential; } - ##TODO - Mock the Get-Cmdlet to return $null - Mock -CommandName Get-Cmdlet -MockWith { + Mock -CommandName Get-M365DSCSentinelAlertRule -MockWith { return $null } } @@ -65,24 +113,91 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } It 'Should create a new instance from the Set method' { - ##TODO - Replace the New-Cmdlet by the appropriate one Set-TargetResource @testParams - Should -Invoke -CommandName New-Cmdlet -Exactly 1 + Should -Invoke -CommandName New-M365DSCSentinelAlertRule -Exactly 1 } } Context -Name "The instance exists but it SHOULD NOT" -Fixture { BeforeAll { $testParams = @{ - ##TODO - Add Parameters - Ensure = 'Absent' - Credential = $Credential; + AlertDetailsOverride = (New-CimInstance -ClassName MSFT_SentinelAlertRuleAlertDetailsOverride -Property @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + } -ClientOnly) + CustomDetails = @( + (New-CimInstance -ClassName MSFT_SentinelAlertRuleCustomDetails -Property @{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } -ClientOnly) + ) + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $True; + Ensure = "Absent"; + EventGroupingSettings = (New-CimInstance -ClassName MSFT_SentinelAlertRuleEventGroupingSettings -Property @{ + aggregationKind = 'AlertPerResult' + } -ClientOnly) + IncidentConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfiguration -Property @{ + groupingConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration -Property @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } -ClientOnly) + createIncident = $True + } -ClientOnly) + Kind = "NRT"; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "TBDSentinel"; + Severity = "Medium"; + SubscriptionId = "42136a41-5030-4140-aba0-7e6211115d3a"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + WorkspaceName = "SentinelWorkspace"; + Credential = $Credential; } - ##TODO - Mock the Get-Cmdlet to return an instance - Mock -CommandName Get-Cmdlet -MockWith { + Mock -CommandName Get-M365DSCSentinelAlertRule -MockWith { return @{ - + Kind = 'NRT' + name = '12345-12345-12345-12345-12345' + properties = @{ + Query = "ThreatIntelIndicators"; + Severity = "Medium"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $True; + AlertDetailsOverride = @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + } + CustomDetails = @( + @{ + Color = 'TenantId' + } + ) + EventGroupingSettings = @{ + aggregationKind = 'AlertPerResult' + } + IncidentConfiguration = @{ + groupingConfiguration = @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + } + } } } } @@ -95,23 +210,89 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should remove the instance from the Set method' { Set-TargetResource @testParams - ##TODO - Replace the Remove-Cmdlet by the appropriate one - Should -Invoke -CommandName Remove-Cmdlet -Exactly 1 + Should -Invoke -CommandName Remove-M365DSCSentinelAlertRule -Exactly 1 } } Context -Name "The instance exists and values are already in the desired state" -Fixture { BeforeAll { $testParams = @{ - ##TODO - Add Parameters - Ensure = 'Present' - Credential = $Credential; + AlertDetailsOverride = (New-CimInstance -ClassName MSFT_SentinelAlertRuleAlertDetailsOverride -Property @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + } -ClientOnly) + CustomDetails = @( + (New-CimInstance -ClassName MSFT_SentinelAlertRuleCustomDetails -Property @{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } -ClientOnly) + ) + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $True; + Ensure = "Present"; + EventGroupingSettings = (New-CimInstance -ClassName MSFT_SentinelAlertRuleEventGroupingSettings -Property @{ + aggregationKind = 'AlertPerResult' + } -ClientOnly) + IncidentConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfiguration -Property @{ + groupingConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration -Property @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } -ClientOnly) + createIncident = $True + } -ClientOnly) + Kind = "NRT"; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "TBDSentinel"; + Severity = "Medium"; + SubscriptionId = "42136a41-5030-4140-aba0-7e6211115d3a"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + WorkspaceName = "SentinelWorkspace"; + Credential = $Credential; } - ##TODO - Mock the Get-Cmdlet to return the desired values - Mock -CommandName Get-Cmdlet -MockWith { + Mock -CommandName Get-M365DSCSentinelAlertRule -MockWith { return @{ - + Kind = 'NRT' + name = '12345-12345-12345-12345-12345' + properties = @{ + Query = "ThreatIntelIndicators"; + Severity = "Medium"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $True; + AlertDetailsOverride = @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + } + CustomDetails = + [PSCustomObject]@{ + Color = 'TenantId' + } + EventGroupingSettings = @{ + aggregationKind = 'AlertPerResult' + } + IncidentConfiguration = @{ + groupingConfiguration = @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + } + } } } } @@ -124,15 +305,83 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name "The instance exists and values are NOT in the desired state" -Fixture { BeforeAll { $testParams = @{ - ##TODO - Add Parameters - Ensure = 'Present' - Credential = $Credential; + AlertDetailsOverride = (New-CimInstance -ClassName MSFT_SentinelAlertRuleAlertDetailsOverride -Property @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + } -ClientOnly) + CustomDetails = @( + (New-CimInstance -ClassName MSFT_SentinelAlertRuleCustomDetails -Property @{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } -ClientOnly) + ) + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $False; #Drift + Ensure = "Present"; + EventGroupingSettings = (New-CimInstance -ClassName MSFT_SentinelAlertRuleEventGroupingSettings -Property @{ + aggregationKind = 'AlertPerResult' + } -ClientOnly) + IncidentConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfiguration -Property @{ + groupingConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration -Property @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } -ClientOnly) + createIncident = $True + } -ClientOnly) + Kind = "NRT"; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "TBDSentinel"; + Severity = "Medium"; + SubscriptionId = "42136a41-5030-4140-aba0-7e6211115d3a"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + WorkspaceName = "SentinelWorkspace"; + Credential = $Credential; } - ##TODO - Mock the Get-Cmdlet to return a drift - Mock -CommandName Get-Cmdlet -MockWith { + Mock -CommandName Get-M365DSCSentinelAlertRule -MockWith { return @{ - + Kind = 'NRT' + name = '12345-12345-12345-12345-12345' + properties = @{ + Query = "ThreatIntelIndicators"; + Severity = "Medium"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $True; + AlertDetailsOverride = @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + } + CustomDetails = @( + @{ + Color = 'TenantId' + } + ) + EventGroupingSettings = @{ + aggregationKind = 'AlertPerResult' + } + IncidentConfiguration = @{ + groupingConfiguration = @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + } + } } } } @@ -147,8 +396,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should call the Set method' { Set-TargetResource @testParams - ##TODO - Replace the Update-Cmdlet by the appropriate one - Should -Invoke -CommandName Update-Cmdlet -Exactly 1 + Should -Invoke -CommandName New-M365DSCSentinelAlertRule -Exactly 1 } } @@ -160,10 +408,43 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Credential = $Credential; } - ##TODO - Mock the Get-Cmdlet to return an instance - Mock -CommandName Get-Cmdlet -MockWith { + Mock -CommandName Get-M365DSCSentinelAlertRule -MockWith { return @{ - + Kind = 'NRT' + name = '12345-12345-12345-12345-12345' + properties = @{ + Query = "ThreatIntelIndicators"; + Severity = "Medium"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $True; + AlertDetailsOverride = @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + } + CustomDetails = @( + @{ + Color = 'TenantId' + } + ) + EventGroupingSettings = @{ + aggregationKind = 'AlertPerResult' + } + IncidentConfiguration = @{ + groupingConfiguration = @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + } + } } } } From e6a170f947e06dd416fe81d1a0f2713cf1a50cac Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Tue, 22 Oct 2024 23:26:12 -0400 Subject: [PATCH 75/98] Fixes --- .../MSFT_SentinelAlertRule.schema.mof | 96 +++++++++---------- 1 file changed, 48 insertions(+), 48 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof index 3762c576f8..e7fa79a05e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof @@ -1,71 +1,71 @@ [ClassVersion("1.0.0")] class MSFT_SentinelAlertRuleEventGroupingSettings { - [Write, Description("")] String aggregationKind; + [Write, Description("The event grouping aggregation kinds")] String aggregationKind; }; [ClassVersion("1.0.0")] class MSFT_SentinelAlertRuleCustomDetails { - [Write, Description("")] String DetailKey; - [Write, Description("")] String DetailValue; + [Write, Description("Key of the custom detail.")] String DetailKey; + [Write, Description("Associated value with the custom detail.")] String DetailValue; }; [ClassVersion("1.0.0")] class MSFT_SentinelAlertRuleEntityMapping { - [Write, Description("")] String entityType; - [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleEntityMappingFieldMapping")] String fieldMappings[]; + [Write, Description("Type of entity.")] String entityType; + [Write, Description("List of field mappings."), EmbeddedInstance("MSFT_SentinelAlertRuleEntityMappingFieldMapping")] String fieldMappings[]; }; [ClassVersion("1.0.0")] class MSFT_SentinelAlertRuleEntityMappingFieldMapping { - [Write, Description("")] String columnName; - [Write, Description("")] String identifier; + [Write, Description("Name of the column")] String columnName; + [Write, Description("Identifier of the associated field.")] String identifier; }; [ClassVersion("1.0.0")] class MSFT_SentinelAlertRuleAlertDetailsOverride { - [Write, Description("")] String alertDescriptionFormat; - [Write, Description("")] String alertDisplayNameFormat; - [Write, Description("")] String alertColumnName; - [Write, Description("")] String alertTacticsColumnName; - [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty")] String alertDynamicProperties[]; + [Write, Description("The format containing columns name(s) to override the alert description")] String alertDescriptionFormat; + [Write, Description("The format containing columns name(s) to override the alert name")] String alertDisplayNameFormat; + [Write, Description("The column name to take the alert severity from")] String alertSeverityColumnName; + [Write, Description("The column name to take the alert tactics from")] String alertTacticsColumnName; + [Write, Description("List of additional dynamic properties to override"), EmbeddedInstance("MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty")] String alertDynamicProperties[]; }; [ClassVersion("1.0.0")] class MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty { - [Write, Description("")] String alertProperty; - [Write, Description("")] String alertPropertyValue; + [Write, Description("Dynamic property key.")] String alertProperty; + [Write, Description("Dynamic property value.")] String alertPropertyValue; }; [ClassVersion("1.0.0")] class MSFT_SentinelAlertRuleIncidentConfiguration { - [Write, Description("")] Boolean createIncident; - [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration")] String groupingConfiguration; + [Write, Description("Create incidents from alerts triggered by this analytics rule")] Boolean createIncident; + [Write, Description("Set how the alerts that are triggered by this analytics rule, are grouped into incidents"), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration")] String groupingConfiguration; }; [ClassVersion("1.0.0")] class MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration { - [Write, Description("")] Boolean enabled; - [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail")] String groupByAlertDetails[]; - [Write, Description("")] String groupByCustomDetails[]; - [Write, Description("")] String groupByEntities[]; - [Write, Description("")] String lookbackDuration; - [Write, Description("")] String matchingMethod; - [Write, Description("")] Boolean reopenClosedIncident; + [Write, Description("Grouping enabled")] Boolean enabled; + [Write, Description("A list of alert details to group by (when matchingMethod is Selected)"), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail")] String groupByAlertDetails[]; + [Write, Description("A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.")] String groupByCustomDetails[]; + [Write, Description("A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.")] String groupByEntities[]; + [Write, Description("Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)")] String lookbackDuration; + [Write, Description("Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.")] String matchingMethod; + [Write, Description("Re-open closed matching incidents")] Boolean reopenClosedIncident; }; [ClassVersion("1.0.0")] class MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail { - [Write, Description("")] String DisplayName; - [Write, Description("")] String Severity; + [Write, Description("Display name of the alert detail.")] String DisplayName; + [Write, Description("Severity level associated with the alert detail.")] String Severity; }; [ClassVersion("1.0.0.0"), FriendlyName("SentinelAlertRule")] @@ -77,29 +77,29 @@ class MSFT_SentinelAlertRule : OMI_BaseResource [Write, Description("The name of the workspace.")] String WorkspaceName; [Write, Description("The unique id of the indicator.")] String Id; [Write, Description("The name of the workspace.")] String Description; - [Write, Description("")] String ProductFilter; - [Write, Description("")] Boolean Enabled; - [Write, Description("")] String Severity; - [Write, Description("")] String Tactics[]; - [Write, Description("")] String Techniques[]; - [Write, Description("")] String SubTechniques[]; - [Write, Description("")] String Query; - [Write, Description("")] String QueryFrequency; - [Write, Description("")] String QueryPeriod; - [Write, Description("")] String TriggerOperator; - [Write, Description("")] UInt32 TriggerThreshold; - [Write, Description("")] String SuppressionDuration; - [Write, Description("")] String SuppressionEnabled; - [Write, Description("")] String AlertRuleTemplateName; - [Write, Description("")] String DisplayNamesExcludeFilter[]; - [Write, Description("")] String DisplayNamesFilter[]; - [Write, Description("")] String SeveritiesFilter[]; - [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleEventGroupingSettings")] String EventGroupingSettings; - [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleCustomDetails")] String CustomDetails[]; - [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleEntityMapping")] String EntityMappings[]; - [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleAlertDetailsOverride")] String AlertDetailsOverride; - [Write, Description(""), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfiguration")] String IncidentConfiguration; - [Write, Description("")] String Kind; + [Write, Description("The alerts' productName on which the cases will be generated")] String ProductFilter; + [Write, Description("Determines whether this alert rule is enabled or disabled.")] Boolean Enabled; + [Write, Description("The severity for alerts created by this alert rule.")] String Severity; + [Write, Description("The tactics of the alert rule")] String Tactics[]; + [Write, Description("The techniques of the alert rule")] String Techniques[]; + [Write, Description("The sub-techniques of the alert rule")] String SubTechniques[]; + [Write, Description("The query that creates alerts for this rule.")] String Query; + [Write, Description("The frequency (in ISO 8601 duration format) for this alert rule to run.")] String QueryFrequency; + [Write, Description("The period (in ISO 8601 duration format) that this alert rule looks at.")] String QueryPeriod; + [Write, Description("The operation against the threshold that triggers alert rule.")] String TriggerOperator; + [Write, Description("The threshold triggers this alert rule.")] UInt32 TriggerThreshold; + [Write, Description("The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.")] String SuppressionDuration; + [Write, Description("Determines whether the suppression for this alert rule is enabled or disabled.")] String SuppressionEnabled; + [Write, Description("The Name of the alert rule template used to create this rule.")] String AlertRuleTemplateName; + [Write, Description("The alerts' displayNames on which the cases will not be generated.")] String DisplayNamesExcludeFilter[]; + [Write, Description("The alerts' displayNames on which the cases will be generated.")] String DisplayNamesFilter[]; + [Write, Description("The alerts' severities on which the cases will be generated")] String SeveritiesFilter[]; + [Write, Description("The event grouping settings."), EmbeddedInstance("MSFT_SentinelAlertRuleEventGroupingSettings")] String EventGroupingSettings; + [Write, Description("Dictionary of string key-value pairs of columns to be attached to the alert"), EmbeddedInstance("MSFT_SentinelAlertRuleCustomDetails")] String CustomDetails[]; + [Write, Description("Array of the entity mappings of the alert rule"), EmbeddedInstance("MSFT_SentinelAlertRuleEntityMapping")] String EntityMappings[]; + [Write, Description("The alert details override settings"), EmbeddedInstance("MSFT_SentinelAlertRuleAlertDetailsOverride")] String AlertDetailsOverride; + [Write, Description("The settings of the incidents that created from alerts triggered by this analytics rule"), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfiguration")] String IncidentConfiguration; + [Write, Description("The kind of the alert rule")] String Kind; [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; From 5b067bc4f1c7070fcb501304e14f08d5d1577e1b Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 23 Oct 2024 03:43:38 +0000 Subject: [PATCH 76/98] Updated Resources and Cmdlet documentation pages --- .../security-compliance/SentinelAlertRule.md | 361 ++++++++++++++++++ 1 file changed, 361 insertions(+) create mode 100644 docs/docs/resources/security-compliance/SentinelAlertRule.md diff --git a/docs/docs/resources/security-compliance/SentinelAlertRule.md b/docs/docs/resources/security-compliance/SentinelAlertRule.md new file mode 100644 index 0000000000..89da026080 --- /dev/null +++ b/docs/docs/resources/security-compliance/SentinelAlertRule.md @@ -0,0 +1,361 @@ +# SentinelAlertRule + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | The display name of the indicator | | +| **SubscriptionId** | Write | String | The name of the resource group. The name is case insensitive. | | +| **ResourceGroupName** | Write | String | The name of the resource group. The name is case insensitive. | | +| **WorkspaceName** | Write | String | The name of the workspace. | | +| **Id** | Write | String | The unique id of the indicator. | | +| **Description** | Write | String | The name of the workspace. | | +| **ProductFilter** | Write | String | The alerts' productName on which the cases will be generated | | +| **Enabled** | Write | Boolean | Determines whether this alert rule is enabled or disabled. | | +| **Severity** | Write | String | The severity for alerts created by this alert rule. | | +| **Tactics** | Write | StringArray[] | The tactics of the alert rule | | +| **Techniques** | Write | StringArray[] | The techniques of the alert rule | | +| **SubTechniques** | Write | StringArray[] | The sub-techniques of the alert rule | | +| **Query** | Write | String | The query that creates alerts for this rule. | | +| **QueryFrequency** | Write | String | The frequency (in ISO 8601 duration format) for this alert rule to run. | | +| **QueryPeriod** | Write | String | The period (in ISO 8601 duration format) that this alert rule looks at. | | +| **TriggerOperator** | Write | String | The operation against the threshold that triggers alert rule. | | +| **TriggerThreshold** | Write | UInt32 | The threshold triggers this alert rule. | | +| **SuppressionDuration** | Write | String | The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. | | +| **SuppressionEnabled** | Write | String | Determines whether the suppression for this alert rule is enabled or disabled. | | +| **AlertRuleTemplateName** | Write | String | The Name of the alert rule template used to create this rule. | | +| **DisplayNamesExcludeFilter** | Write | StringArray[] | The alerts' displayNames on which the cases will not be generated. | | +| **DisplayNamesFilter** | Write | StringArray[] | The alerts' displayNames on which the cases will be generated. | | +| **SeveritiesFilter** | Write | StringArray[] | The alerts' severities on which the cases will be generated | | +| **EventGroupingSettings** | Write | MSFT_SentinelAlertRuleEventGroupingSettings | The event grouping settings. | | +| **CustomDetails** | Write | MSFT_SentinelAlertRuleCustomDetails[] | Dictionary of string key-value pairs of columns to be attached to the alert | | +| **EntityMappings** | Write | MSFT_SentinelAlertRuleEntityMapping[] | Array of the entity mappings of the alert rule | | +| **AlertDetailsOverride** | Write | MSFT_SentinelAlertRuleAlertDetailsOverride | The alert details override settings | | +| **IncidentConfiguration** | Write | MSFT_SentinelAlertRuleIncidentConfiguration | The settings of the incidents that created from alerts triggered by this analytics rule | | +| **Kind** | Write | String | The kind of the alert rule | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_SentinelAlertRuleEventGroupingSettings + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **aggregationKind** | Write | String | The event grouping aggregation kinds | | + +### MSFT_SentinelAlertRuleCustomDetails + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DetailKey** | Write | String | Key of the custom detail. | | +| **DetailValue** | Write | String | Associated value with the custom detail. | | + +### MSFT_SentinelAlertRuleEntityMapping + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **entityType** | Write | String | Type of entity. | | +| **fieldMappings** | Write | MSFT_SentinelAlertRuleEntityMappingFieldMapping[] | List of field mappings. | | + +### MSFT_SentinelAlertRuleEntityMappingFieldMapping + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **columnName** | Write | String | Name of the column | | +| **identifier** | Write | String | Identifier of the associated field. | | + +### MSFT_SentinelAlertRuleAlertDetailsOverride + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **alertDescriptionFormat** | Write | String | The format containing columns name(s) to override the alert description | | +| **alertDisplayNameFormat** | Write | String | The format containing columns name(s) to override the alert name | | +| **alertSeverityColumnName** | Write | String | The column name to take the alert severity from | | +| **alertTacticsColumnName** | Write | String | The column name to take the alert tactics from | | +| **alertDynamicProperties** | Write | MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty[] | List of additional dynamic properties to override | | + +### MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **alertProperty** | Write | String | Dynamic property key. | | +| **alertPropertyValue** | Write | String | Dynamic property value. | | + +### MSFT_SentinelAlertRuleIncidentConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **createIncident** | Write | Boolean | Create incidents from alerts triggered by this analytics rule | | +| **groupingConfiguration** | Write | MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration | Set how the alerts that are triggered by this analytics rule, are grouped into incidents | | + +### MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **enabled** | Write | Boolean | Grouping enabled | | +| **groupByAlertDetails** | Write | MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail[] | A list of alert details to group by (when matchingMethod is Selected) | | +| **groupByCustomDetails** | Write | StringArray[] | A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used. | | +| **groupByEntities** | Write | StringArray[] | A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used. | | +| **lookbackDuration** | Write | String | Limit the group to alerts created within the lookback duration (in ISO 8601 duration format) | | +| **matchingMethod** | Write | String | Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty. | | +| **reopenClosedIncident** | Write | Boolean | Re-open closed matching incidents | | + +### MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Write | String | Display name of the alert detail. | | +| **Severity** | Write | String | Severity level associated with the alert detail. | | + + +## Description + +Configures alert rules in Azure Sentinel. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + }; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CustomDetails = @( + MSFT_SentinelAlertRuleCustomDetails{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } + ); + Description = "Test"; + DisplayName = "MyNRTRule"; + Enabled = $True; + Ensure = "Present"; + EntityMappings = @( + MSFT_SentinelAlertRuleEntityMapping{ + fieldMappings = @( + MSFT_SentinelAlertRuleEntityMappingFieldMapping{ + identifier = 'AppId' + columnName = 'Id' + } + ) + entityType = 'CloudApplication' + } + ); + IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{ + groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + }; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "ResourceGroupName"; + Severity = "Medium"; + SubscriptionId = "xxxx"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + }; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CustomDetails = @( + MSFT_SentinelAlertRuleCustomDetails{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } + ); + Description = "Test"; + DisplayName = "MyNRTRule"; + Enabled = $True; + Ensure = "Present"; + EntityMappings = @( + MSFT_SentinelAlertRuleEntityMapping{ + fieldMappings = @( + MSFT_SentinelAlertRuleEntityMappingFieldMapping{ + identifier = 'AppId' + columnName = 'Id' + } + ) + entityType = 'CloudApplication' + } + ); + IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{ + groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + }; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "ResourceGroupName"; + Severity = "High"; #Drift + SubscriptionId = "xxxx"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Test"; + DisplayName = "MyNRTRule"; + Ensure = "Absent"; + ResourceGroupName = "ResourceGroupName"; + Severity = "Medium"; + SubscriptionId = "xxxx"; + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + From a50ebc607be92bc28407a5f79642b940e5bbe11f Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 23 Oct 2024 03:48:55 +0000 Subject: [PATCH 77/98] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 355 ++++++++++++++++++ 1 file changed, 355 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 8e7cea3329..33d014f36c 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -49144,6 +49144,361 @@ } ] }, + { + "ClassName": "MSFT_SentinelAlertRuleEventGroupingSettings", + "Parameters": [ + { + "CIMType": "String", + "Name": "aggregationKind", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleCustomDetails", + "Parameters": [ + { + "CIMType": "String", + "Name": "DetailKey", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DetailValue", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleEntityMapping", + "Parameters": [ + { + "CIMType": "String", + "Name": "entityType", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleEntityMappingFieldMapping[]", + "Name": "fieldMappings", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleEntityMappingFieldMapping", + "Parameters": [ + { + "CIMType": "String", + "Name": "columnName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "identifier", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleAlertDetailsOverride", + "Parameters": [ + { + "CIMType": "String", + "Name": "alertDescriptionFormat", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "alertDisplayNameFormat", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "alertSeverityColumnName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "alertTacticsColumnName", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty[]", + "Name": "alertDynamicProperties", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty", + "Parameters": [ + { + "CIMType": "String", + "Name": "alertProperty", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "alertPropertyValue", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleIncidentConfiguration", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "createIncident", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration", + "Name": "groupingConfiguration", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "enabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail[]", + "Name": "groupByAlertDetails", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "groupByCustomDetails", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "groupByEntities", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "lookbackDuration", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "matchingMethod", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "reopenClosedIncident", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Severity", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRule", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "SubscriptionId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ResourceGroupName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WorkspaceName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ProductFilter", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Enabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Severity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Tactics", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Techniques", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SubTechniques", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Query", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "QueryFrequency", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "QueryPeriod", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TriggerOperator", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "TriggerThreshold", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SuppressionDuration", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SuppressionEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AlertRuleTemplateName", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DisplayNamesExcludeFilter", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DisplayNamesFilter", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SeveritiesFilter", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleEventGroupingSettings", + "Name": "EventGroupingSettings", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleCustomDetails[]", + "Name": "CustomDetails", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleEntityMapping[]", + "Name": "EntityMappings", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleAlertDetailsOverride", + "Name": "AlertDetailsOverride", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleIncidentConfiguration", + "Name": "IncidentConfiguration", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Kind", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_SentinelSetting", "Parameters": [ From ab76a26424d7b77598b701d06d167a80e00123b8 Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Wed, 23 Oct 2024 11:55:16 +0530 Subject: [PATCH 78/98] Added UTs --- .../MSFT_AADIdentityAPIConnector.schema.mof | 10 +- ...ft365DSC.AADIdentityAPIConnector.Tests.ps1 | 225 +++++++----------- 2 files changed, 88 insertions(+), 147 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof index 9d7db64611..447b39d00d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof @@ -1,10 +1,10 @@ [ClassVersion("1.0.0")] class MSFT_AADIdentityAPIConnectionCertificate { - [Write, Description(""), EmbeddedInstance("MSFT_Credential")] String Pkcs12Value; - [Write, Description("")] String Thumbprint; - [Write, Description(""), EmbeddedInstance("MSFT_Credential")] String Password; - [Write, Description("")] Boolean IsActive; + [Write, Description("Pkcs12Value of the certificate as a secure string in Base64 encoding"), EmbeddedInstance("MSFT_Credential")] String Pkcs12Value; + [Write, Description("Thumbprint of the certificate in Base64 encoding")] String Thumbprint; + [Write, Description("Password of the certificate as a secure string"), EmbeddedInstance("MSFT_Credential")] String Password; + [Write, Description("Tells if the certificate is in use or not")] Boolean IsActive; }; @@ -16,7 +16,7 @@ class MSFT_AADIdentityAPIConnector : OMI_BaseResource [Key, Description("The unique identifier for an entity. Read-only.")] String Id; [Write, Description("The username of the password")] String Username; [Write, Description("The password of certificate/basic auth"), EmbeddedInstance("MSFT_Credential")] String Password; - [Write, Description(""), EmbeddedInstance("MSFT_AADIdentityAPIConnectionCertificate")] String Certificates[]; + [Write, Description("List of certificates to be used in the API connector"), EmbeddedInstance("MSFT_AADIdentityAPIConnectionCertificate")] String Certificates[]; [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 index 18e4a5281a..8fcde7f64b 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 @@ -55,26 +55,28 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { # Test contexts Context -Name "The AADIdentityAPIConnector should exist but it DOES NOT" -Fixture { BeforeAll { + $testParams = @{ - AuthenticationConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphapiAuthenticationConfigurationBase -Property @{ - Password = "FakeStringValue" - Pkcs12Value = "FakeStringValue" - CertificateList = [CimInstance[]]@( - (New-CimInstance -ClassName MSFT_MicrosoftGraphpkcs12CertificateInformation -Property @{ - IsActive = $True - NotAfter = $True - Thumbprint = "FakeStringValue" - NotBefore = $True - } -ClientOnly) - ) - Username = "FakeStringValue" - odataType = "#microsoft.graph.basicAuthentication" - } -ClientOnly) - DisplayName = "FakeStringValue" - Id = "FakeStringValue" - TargetUrl = "FakeStringValue" - Ensure = "Present" - Credential = $Credential; + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + Username = 'FakeStringValue' + Password = $Credential + Certificates = @( + New-CimInstance -ClassName 'MSFT_AADIdentityAPIConnectionCertificate' -Property @{ + Thumbprint = 'FakeStringValue' + Pkcs12Value = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + Password = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + IsActive = $true + } -ClientOnly + ) + Credential = $Credential } Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { @@ -96,50 +98,40 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name "The AADIdentityAPIConnector exists but it SHOULD NOT" -Fixture { BeforeAll { $testParams = @{ - AuthenticationConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphapiAuthenticationConfigurationBase -Property @{ - Password = "FakeStringValue" - Pkcs12Value = "FakeStringValue" - CertificateList = [CimInstance[]]@( - (New-CimInstance -ClassName MSFT_MicrosoftGraphpkcs12CertificateInformation -Property @{ - IsActive = $True - NotAfter = $True - Thumbprint = "FakeStringValue" - NotBefore = $True - } -ClientOnly) - ) - Username = "FakeStringValue" - odataType = "#microsoft.graph.basicAuthentication" - } -ClientOnly) - DisplayName = "FakeStringValue" - Id = "FakeStringValue" - TargetUrl = "FakeStringValue" + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + Username = 'FakeStringValue' + Password = $Credential + Certificates = @( + New-CimInstance -ClassName 'MSFT_AADIdentityAPIConnectionCertificate' -Property @{ + Thumbprint = 'FakeStringValue' + Pkcs12Value = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + Password = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + IsActive = $true + } -ClientOnly + ) + Credential = $Credential Ensure = 'Absent' - Credential = $Credential; } Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { return @{ - AdditionalProperties = @{ - '@odata.type' = "#microsoft.graph.IdentityApiConnector" - } + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' AuthenticationConfiguration = @{ - '@odata.type' = "#microsoft.graph.basicAuthentication" - Pkcs12Value = "FakeStringValue" - Password = "FakeStringValue" - Username = "FakeStringValue" - CertificateList = @( - @{ - IsActive = $True - NotAfter = $True - Thumbprint = "FakeStringValue" - NotBefore = $True - } - ) + AdditionalProperties = @{ + Username = 'FakeStringValue' + Password = $Cred + } } - DisplayName = "FakeStringValue" - Id = "FakeStringValue" - TargetUrl = "FakeStringValue" - } } } @@ -159,51 +151,28 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } Context -Name "The AADIdentityAPIConnector Exists and Values are already in the desired state" -Fixture { BeforeAll { + $testParams = @{ - AuthenticationConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphapiAuthenticationConfigurationBase -Property @{ - Password = "FakeStringValue" - Pkcs12Value = "FakeStringValue" - CertificateList = [CimInstance[]]@( - (New-CimInstance -ClassName MSFT_MicrosoftGraphpkcs12CertificateInformation -Property @{ - IsActive = $True - NotAfter = $True - Thumbprint = "FakeStringValue" - NotBefore = $True - } -ClientOnly) - ) - Username = "FakeStringValue" - odataType = "#microsoft.graph.basicAuthentication" - } -ClientOnly) - DisplayName = "FakeStringValue" - Id = "FakeStringValue" - TargetUrl = "FakeStringValue" + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + Username = 'FakeStringValue' + Password = $Credential + Credential = $Credential Ensure = 'Present' - Credential = $Credential; } Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { return @{ - AdditionalProperties = @{ - '@odata.type' = "#microsoft.graph.IdentityApiConnector" - } + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' AuthenticationConfiguration = @{ - '@odata.type' = "#microsoft.graph.basicAuthentication" - Pkcs12Value = "FakeStringValue" - Password = "FakeStringValue" - Username = "FakeStringValue" - CertificateList = @( - @{ - IsActive = $True - NotAfter = $True - Thumbprint = "FakeStringValue" - NotBefore = $True - } - ) + AdditionalProperties = @{ + Username = 'FakeStringValue' + Password = $Cred + } } - DisplayName = "FakeStringValue" - Id = "FakeStringValue" - TargetUrl = "FakeStringValue" - } } } @@ -215,45 +184,29 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } Context -Name "The AADIdentityAPIConnector exists and values are NOT in the desired state" -Fixture { + BeforeAll { $testParams = @{ - AuthenticationConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphapiAuthenticationConfigurationBase -Property @{ - Password = "FakeStringValue" - Pkcs12Value = "FakeStringValue" - CertificateList = [CimInstance[]]@( - (New-CimInstance -ClassName MSFT_MicrosoftGraphpkcs12CertificateInformation -Property @{ - IsActive = $True - NotAfter = $True - Thumbprint = "FakeStringValue" - NotBefore = $True - } -ClientOnly) - ) - Username = "FakeStringValue" - odataType = "#microsoft.graph.basicAuthentication" - } -ClientOnly) - DisplayName = "FakeStringValue" - Id = "FakeStringValue" - TargetUrl = "FakeStringValue" + DisplayName = 'FakeStringValue2' #drift + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + Username = 'FakeStringValue' + Password = $Credential + Credential = $Credential Ensure = 'Present' - Credential = $Credential; } Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { return @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' AuthenticationConfiguration = @{ - '@odata.type' = "#microsoft.graph.basicAuthentication" - Pkcs12Value = "FakeStringValue" - Password = "FakeStringValue" - Username = "FakeStringValue" - CertificateList = @( - @{ - Thumbprint = "FakeStringValue" - } - ) + AdditionalProperties = @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } } - DisplayName = "FakeStringValue" - Id = "FakeStringValue" - TargetUrl = "FakeStringValue" } } } @@ -282,27 +235,15 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { return @{ - AdditionalProperties = @{ - '@odata.type' = "#microsoft.graph.IdentityApiConnector" - } + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' AuthenticationConfiguration = @{ - '@odata.type' = "#microsoft.graph.basicAuthentication" - Pkcs12Value = "FakeStringValue" - Password = "FakeStringValue" - Username = "FakeStringValue" - CertificateList = @( - @{ - IsActive = $True - NotAfter = $True - Thumbprint = "FakeStringValue" - NotBefore = $True - } - ) + AdditionalProperties = @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } } - DisplayName = "FakeStringValue" - Id = "FakeStringValue" - TargetUrl = "FakeStringValue" - } } } From e089ba5629c0e19350b99fee4f7db00b1ea8d2bd Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Wed, 23 Oct 2024 12:02:04 +0530 Subject: [PATCH 79/98] Adding more UTs --- ...ft365DSC.AADIdentityAPIConnector.Tests.ps1 | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 index 8fcde7f64b..d8484eef0b 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 @@ -225,6 +225,60 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } } + + Context -Name "The AADIdentityAPIConnector with certificates exists and values are in the desired state" -Fixture { + + BeforeAll { + $testParams = @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + Certificates = @( + New-CimInstance -ClassName 'MSFT_AADIdentityAPIConnectionCertificate' -Property @{ + Thumbprint = 'FakeStringValue' + Pkcs12Value = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + Password = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + IsActive = $true + } -ClientOnly + ) + Credential = $Credential + Ensure = 'Present' + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + AuthenticationConfiguration = @{ + AdditionalProperties = @{ + certificateList = @( + @{ + Thumbprint = 'FakeStringValue' + IsActive = $true + } + ) + } + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + Context -Name 'ReverseDSC Tests' -Fixture { BeforeAll { $Global:CurrentModeIsExport = $true From d482791bbe1b8788fb8dd1dd7af226f70962c931 Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Wed, 23 Oct 2024 12:25:51 +0530 Subject: [PATCH 80/98] Adding examples --- .../AADIdentityAPIConnector/1-Create.ps1 | 37 +++++++++++++++++++ .../AADIdentityAPIConnector/2-Update.ps1 | 37 +++++++++++++++++++ .../AADIdentityAPIConnector/3-Remove.ps1 | 37 +++++++++++++++++++ 3 files changed, 111 insertions(+) create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/2-Update.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/3-Remove.ps1 diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/1-Create.ps1 new file mode 100644 index 0000000000..7382692428 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/1-Create.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas"; + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/2-Update.ps1 new file mode 100644 index 0000000000..d123d0151f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/2-Update.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas 1"; #drift + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/3-Remove.ps1 new file mode 100644 index 0000000000..926a36404f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/3-Remove.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas"; + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} From 69c06dde52ef3d7189a9d474a7db91529a3c7f3a Mon Sep 17 00:00:00 2001 From: Fabien Tschanz Date: Wed, 23 Oct 2024 09:40:22 +0200 Subject: [PATCH 81/98] Remove property from merge conflict --- .../MSFT_IntuneMobileAppsMacOSLobApp.schema.mof | 2 +- .../Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1 | 1 - .../Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1 | 4 ---- 3 files changed, 1 insertion(+), 6 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.schema.mof index ce7f2b865f..ec3e29882d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.schema.mof @@ -57,12 +57,12 @@ class MSFT_IntuneMobileAppsMacOSLobApp : OMI_BaseResource [Write, Description("The owner of the app. Inherited from mobileApp.")] String Owner; [Write, Description("The privacy statement Url. Inherited from mobileApp.")] String PrivacyInformationUrl; [Write, Description("The publisher of the app. Inherited from mobileApp.")] String Publisher; - [Write, Description("The publishing state for the app. The app cannot be assigned unless the app is published. Inherited from mobileApp."), ValueMap{"notPublished", "processing","published"}, Values{"notPublished", "processing", "published"}] String PublishingState; [Write, Description("The bundleId of the app.")] String BundleId; [Write, Description("The build number of the app.")] String BuildNumber; [Write, Description("The version number of the app.")] String VersionNumber; [Write, Description("List of Scope Tag IDs for mobile app.")] String RoleScopeTagIds[]; [Write, Description("Whether to ignore the version of the app or not.")] Boolean IgnoreVersionDetection; + [Write, Description("Install the app as managed. Requires macOS 11.0.")] Boolean InstallAsManaged; [Write, Description("The icon for this app."), EmbeddedInstance("MSFT_DeviceManagementMimeContent")] String LargeIcon; [Write, Description("The minimum supported operating system to install the app."), EmbeddedInstance("MSFT_DeviceManagementMinimumOperatingSystem")] String MinimumSupportedOperatingSystem; [Write, Description("The list of categories for this app."), EmbeddedInstance("MSFT_DeviceManagementMobileAppCategory")] String Categories[]; diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1 index f7746f29b1..4bb88786ac 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1 @@ -38,7 +38,6 @@ Configuration Example Owner = ""; PrivacyInformationUrl = ""; Publisher = "Contoso"; - PublishingState = "published"; Assignments = @( MSFT_DeviceManagementMobileAppAssignment { groupDisplayName = 'All devices' diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1 index abfda47b65..0e5552d5fd 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1 @@ -138,7 +138,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Owner = "" PrivacyInformationUrl = "" Publisher = "Contoso" - PublishingState = "published" RoleScopeTagIds = @() IgnoreVersionDetection = $True AdditionalProperties = @{ @@ -204,7 +203,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Owner = "" PrivacyInformationUrl = "" Publisher = "Contoso" - PublishingState = "published" RoleScopeTagIds = @() AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.macOSLobApp' @@ -260,7 +258,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Owner = "" PrivacyInformationUrl = "" Publisher = "Contoso" - PublishingState = "published" AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.macOSLobApp' minimumSupportedOperatingSystem = @{ @@ -307,7 +304,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Owner = "" PrivacyInformationUrl = "" Publisher = "Contoso" - PublishingState = "published" RoleScopeTagIds = @() AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.macOSLobApp' From b46b69e79d082349159ad729a77572e7ee720559 Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Wed, 23 Oct 2024 14:28:10 +0530 Subject: [PATCH 82/98] Updating change log --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 756b3e9f19..235fb7d6f5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,8 @@ * Initial release. * AADIdentityGovernanceProgram * Initial release. +* AADIdentityAPIConnector + * Initial release. * SPOTenantSettings * Added support for AllowSelectSGsInODBListInTenant, DenySelectSGsInODBListInTenant, DenySelectSecurityGroupsInSPSitesList, From 72c5ac2c9380f204504c0ff5f763242a69f62465 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 23 Oct 2024 10:06:09 +0000 Subject: [PATCH 83/98] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md b/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md index 2d7d5b3efe..da90863d02 100644 --- a/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md +++ b/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md @@ -14,12 +14,12 @@ | **Owner** | Write | String | The owner of the app. Inherited from mobileApp. | | | **PrivacyInformationUrl** | Write | String | The privacy statement Url. Inherited from mobileApp. | | | **Publisher** | Write | String | The publisher of the app. Inherited from mobileApp. | | -| **PublishingState** | Write | String | The publishing state for the app. The app cannot be assigned unless the app is published. Inherited from mobileApp. | `notPublished`, `processing`, `published` | | **BundleId** | Write | String | The bundleId of the app. | | | **BuildNumber** | Write | String | The build number of the app. | | | **VersionNumber** | Write | String | The version number of the app. | | | **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tag IDs for mobile app. | | | **IgnoreVersionDetection** | Write | Boolean | Whether to ignore the version of the app or not. | | +| **InstallAsManaged** | Write | Boolean | Install the app as managed. Requires macOS 11.0. | | | **LargeIcon** | Write | MSFT_DeviceManagementMimeContent | The icon for this app. | | | **MinimumSupportedOperatingSystem** | Write | MSFT_DeviceManagementMinimumOperatingSystem | The minimum supported operating system to install the app. | | | **Categories** | Write | MSFT_DeviceManagementMobileAppCategory[] | The list of categories for this app. | | @@ -234,7 +234,6 @@ Configuration Example Owner = ""; PrivacyInformationUrl = ""; Publisher = "Contoso"; - PublishingState = "published"; Assignments = @( MSFT_DeviceManagementMobileAppAssignment { groupDisplayName = 'All devices' From 3b89b8da348d2065dac25d2276aaaa7ab736abd7 Mon Sep 17 00:00:00 2001 From: "Arpita Mohapatra (from Dev Box)" Date: Wed, 23 Oct 2024 15:46:14 +0530 Subject: [PATCH 84/98] Resolved comments --- ...MSFT_EXOMailboxAuditBypassAssociation.psm1 | 17 -------- ...XOMailboxAuditBypassAssociation.schema.mof | 1 - .../settings.json | 3 +- .../2-Update.ps1 | 5 ++- ...EXOMailboxAuditBypassAssociation.Tests.ps1 | 39 ------------------- 5 files changed, 5 insertions(+), 60 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.psm1 index b38f64321c..0d2fc291bf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.psm1 @@ -12,11 +12,6 @@ function Get-TargetResource [System.Boolean] $AuditBypassEnabled, - [Parameter()] - [ValidateSet('Present', 'Absent')] - [System.String] - $Ensure, - [Parameter()] [System.Management.Automation.PSCredential] $Credential, @@ -58,7 +53,6 @@ function Get-TargetResource #endregion $nullResult = $PSBoundParameters - $nullResult.Ensure = 'Absent' try { if ($null -ne $Script:exportedInstances -and $Script:ExportMode) @@ -77,7 +71,6 @@ function Get-TargetResource $results = @{ Identity = [System.String]$Identity AuditBypassEnabled = [System.Boolean]$instance.AuditBypassEnabled - Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId @@ -112,11 +105,6 @@ function Set-TargetResource [System.Boolean] $AuditBypassEnabled, - [Parameter()] - [ValidateSet('Present', 'Absent')] - [System.String] - $Ensure, - [Parameter()] [System.Management.Automation.PSCredential] $Credential, @@ -175,11 +163,6 @@ function Test-TargetResource [System.Boolean] $AuditBypassEnabled, - [Parameter()] - [ValidateSet('Present', 'Absent')] - [System.String] - $Ensure, - [Parameter()] [System.Management.Automation.PSCredential] $Credential, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.schema.mof index 59381b5ba7..318977aa0b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.schema.mof @@ -3,7 +3,6 @@ class MSFT_EXOMailboxAuditBypassAssociation : OMI_BaseResource { [Key, Description("The Identity parameter specifies the user account or computer account where you want to view the value of the AuditBypassEnabled property.")] String Identity; [Write, Description("The AuditBypassEnabled parameter specifies whether audit bypass is enabled for the user or computer.")] Boolean AuditBypassEnabled; - [Write, Description("Specifies if this instance should exist."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json index 35a9d6c51d..476fa8a84d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json @@ -28,7 +28,8 @@ ], "requiredrolegroups": [ "Organization Management", - "Compliance Management" + "Compliance Management", + "Records Management" ] } } diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxAuditBypassAssociation/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxAuditBypassAssociation/2-Update.ps1 index 0d7c78206c..ede62c46c9 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxAuditBypassAssociation/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxAuditBypassAssociation/2-Update.ps1 @@ -26,9 +26,10 @@ Configuration Example EXOMailboxAuditBypassAssociation "EXOMailboxAuditBypassAssociation-Test" { AuditBypassEnabled = $True; #Updated Property - Credential = $Credscredential; - Ensure = "Present"; Identity = "TestMailbox109"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; } } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxAuditBypassAssociation.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxAuditBypassAssociation.Tests.ps1 index 882ae49894..8e71aa877c 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxAuditBypassAssociation.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxAuditBypassAssociation.Tests.ps1 @@ -52,7 +52,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ AuditBypassEnabled = $False; Credential = $Credscredential; - Ensure = "Present"; Identity = "TestMailbox109"; } @@ -60,7 +59,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { return @{ AuditBypassEnabled = $True; #Drift Credential = $Credscredential; - Ensure = "Present"; Identity = "TestMailbox109"; } } @@ -74,10 +72,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Set-TargetResource @testParams Should -Invoke -CommandName Set-MailboxAuditBypassAssociation -Exactly 1 } - - It 'Should return Present from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Present' - } } Context -Name 'Settings are already in the desired state' -Fixture { @@ -85,7 +79,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ AuditBypassEnabled = $False; Credential = $Credscredential; - Ensure = "Present"; Identity = "TestMailbox109"; } @@ -93,7 +86,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { return @{ AuditBypassEnabled = $False; Credential = $Credscredential; - Ensure = "Present"; Identity = "TestMailbox109"; } } @@ -102,38 +94,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should return false from the Test method' { Test-TargetResource @testParams | Should -Be $true } - - It 'Should return Present from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Present' - } } - Context -Name "User doesn't exist" -Fixture { - BeforeAll { - $testParams = @{ - AuditBypassEnabled = $False; - Credential = $Credscredential; - Ensure = "Present"; - Identity = "TestMailbox109"; - } - - Mock -CommandName Get-MailboxAuditBypassAssociation -MockWith { - return $null - } - } - - It 'Should return false from the Test method' { - Test-TargetResource @testParams | Should -Be $false - } - - It 'Should return Absent from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' - } - } - - - - Context -Name 'ReverseDSC Tests' -Fixture { BeforeAll { $Global:CurrentModeIsExport = $true @@ -146,7 +108,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { return @{ AuditBypassEnabled = $False; Credential = $Credscredential; - Ensure = "Present"; Identity = "TestMailbox109"; } } From 62d1fdc7bf9ff98eaa8ea3b1fede87a861c70e06 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 23 Oct 2024 10:18:05 +0000 Subject: [PATCH 85/98] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 33d014f36c..89ecaf7dc0 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -36862,11 +36862,6 @@ "Name": "Publisher", "Option": "Write" }, - { - "CIMType": "String", - "Name": "PublishingState", - "Option": "Write" - }, { "CIMType": "String", "Name": "BundleId", @@ -36892,6 +36887,11 @@ "Name": "IgnoreVersionDetection", "Option": "Write" }, + { + "CIMType": "Boolean", + "Name": "InstallAsManaged", + "Option": "Write" + }, { "CIMType": "MSFT_DeviceManagementMimeContent", "Name": "LargeIcon", From b9a5da6236c5abbf4c3c8d6024d740fbd065771e Mon Sep 17 00:00:00 2001 From: "Arpita Mohapatra (from Dev Box)" Date: Wed, 23 Oct 2024 16:15:27 +0530 Subject: [PATCH 86/98] Added changelog.md file --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index da4bf910c4..33bc3f85e4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,8 @@ * Initial release. * AADSocialIdentityProvider * Fixed missing permissions in settings.json +* EXOMailboxAuditBypassAssociation + * Initial release. * Intune workload * Fixed missing permissions in settings.json * SentinelAlertRule From 8bea1c3758db359815ff00b8624a464e3d7c903a Mon Sep 17 00:00:00 2001 From: Piyush Dubey Date: Wed, 23 Oct 2024 16:19:42 +0530 Subject: [PATCH 87/98] minor --- .../MSFT_AADServicePrincipal.psm1 | 5 +---- Tests/Unit/Stubs/Microsoft365.psm1 | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 index 85a0ee97c7..cee000347d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 @@ -428,7 +428,7 @@ function Set-TargetResource if ($null -ne $currentParameters.CustomSecurityAttributes -and $currentParameters.CustomSecurityAttributes -gt 0) { $currentParameters.CustomSecurityAttributes = Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsCmdletHashtable -CustomSecurityAttributes $currentParameters.CustomSecurityAttributes } else { - $currentParameters.CustomSecurityAttributes = @() + $currentParameters.Remove('CustomSecurityAttributes') } # ServicePrincipal should exist but it doesn't @@ -879,9 +879,6 @@ function Export-TargetResource -ErrorAction Stop foreach ($AADServicePrincipal in $Script:exportedInstances) { - if($AADServicePrincipal.AppId -ne '0b750897-174f-4aed-ad21-ab3799c7e404') { - continue - } if ($null -ne $Global:M365DSCExportResourceInstancesCount) { $Global:M365DSCExportResourceInstancesCount++ diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index 816dc46565..f0d7eb3b2e 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 @@ -17378,6 +17378,10 @@ function New-MgServicePrincipal [PSObject] $DelegatedPermissionClassifications, + [Parameter()] + [System.Collections.Hashtable] + $CustomSecurityAttributes, + [Parameter()] [PSObject] $PasswordCredentials, @@ -18023,6 +18027,10 @@ function Update-MgServicePrincipal [PSObject] $DelegatedPermissionClassifications, + [Parameter()] + [System.Collections.Hashtable] + $CustomSecurityAttributes, + [Parameter()] [PSObject] $PasswordCredentials, @@ -50034,6 +50042,10 @@ function New-MgServicePrincipal [PSObject] $DelegatedPermissionClassifications, + [Parameter()] + [System.Collections.Hashtable] + $CustomSecurityAttributes, + [Parameter()] [PSObject] $PasswordCredentials, @@ -50679,6 +50691,10 @@ function Update-MgServicePrincipal [PSObject] $DelegatedPermissionClassifications, + [Parameter()] + [System.Collections.Hashtable] + $CustomSecurityAttributes, + [Parameter()] [PSObject] $PasswordCredentials, From 0365d28af199e7e6405cc578242a22ce338d85c9 Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Wed, 23 Oct 2024 16:27:15 +0530 Subject: [PATCH 88/98] Added Stub files --- Tests/Unit/Stubs/Microsoft365.psm1 | 264 +++++++++++++++++++++++++++++ 1 file changed, 264 insertions(+) diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index 7fc7c2ef08..0c9e839660 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 @@ -98721,4 +98721,268 @@ function Remove-MgBetaOrganizationCertificateBasedAuthConfiguration ) } +function Update-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [System.String] + $IdentityApiConnectorId, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} + +function New-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} + +function Remove-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String] + $IdentityApiConnectorId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} + +function Invoke-MgBetaUploadIdentityApiConnectorClientCertificate +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Password, + + [Parameter()] + [System.String] + $IdentityApiConnectorId, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $Pkcs12Value, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} + #endregion From 1badbec356bc0d6c8727df3fbfe31f2dbee31079 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 23 Oct 2024 11:40:13 +0000 Subject: [PATCH 89/98] Updated Resources and Cmdlet documentation pages --- .../resources/azure-ad/AADServicePrincipal.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/docs/docs/resources/azure-ad/AADServicePrincipal.md b/docs/docs/resources/azure-ad/AADServicePrincipal.md index fc48241314..6e564a95c8 100644 --- a/docs/docs/resources/azure-ad/AADServicePrincipal.md +++ b/docs/docs/resources/azure-ad/AADServicePrincipal.md @@ -22,6 +22,7 @@ | **ServicePrincipalType** | Write | String | The type of the service principal. | | | **Tags** | Write | StringArray[] | Tags linked to this service principal.Note that if you intend for this service principal to show up in the All Applications list in the admin portal, you need to set this value to {WindowsAzureActiveDirectoryIntegratedApp} | | | **DelegatedPermissionClassifications** | Write | MSFT_AADServicePrincipalDelegatedPermissionClassification[] | The permission classifications for delegated permissions exposed by the app that this service principal represents. | | +| **CustomSecurityAttributes** | Write | MSFT_AADServicePrincipalAttributeSet[] | The list of custom security attributes attached to this SPN | | | **Ensure** | Write | String | Specify if the Azure AD App should exist or not. | `Present`, `Absent` | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | @@ -49,6 +50,28 @@ | **Classification** | Write | String | Classification of the delegated permission | `low`, `medium`, `high` | | **PermissionName** | Write | String | Name of the permission | | +### MSFT_AADServicePrincipalAttributeValue + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **AttributeName** | Write | String | Name of the Attribute | | +| **StringArrayValue** | Write | StringArray[] | If the attribute has a string array value | | +| **IntArrayValue** | Write | UInt32Array[] | If the attribute has a int array value | | +| **StringValue** | Write | String | If the attribute has a string value | | +| **IntValue** | Write | UInt32 | If the attribute has a int value | | +| **BoolValue** | Write | Boolean | If the attribute has a boolean value | | + +### MSFT_AADServicePrincipalAttributeSet + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **AttributeSetName** | Write | String | Attribute Set Name. | | +| **AttributeValues** | Write | MSFT_AADServicePrincipalAttributeValue[] | List of attribute values. | | + ## Description This resource configures an Azure Active Directory ServicePrincipal. From 67bd706cd7166b813036d485d0e91b332f24a79d Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 23 Oct 2024 11:42:39 +0000 Subject: [PATCH 90/98] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 89ecaf7dc0..34aef93300 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -6924,6 +6924,56 @@ } ] }, + { + "ClassName": "MSFT_AADServicePrincipalAttributeValue", + "Parameters": [ + { + "CIMType": "String", + "Name": "AttributeName", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "StringArrayValue", + "Option": "Write" + }, + { + "CIMType": "UInt32[]", + "Name": "IntArrayValue", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "StringValue", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "IntValue", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "BoolValue", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADServicePrincipalAttributeSet", + "Parameters": [ + { + "CIMType": "String", + "Name": "AttributeSetName", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADServicePrincipalAttributeValue[]", + "Name": "AttributeValues", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_AADServicePrincipal", "Parameters": [ @@ -7017,6 +7067,11 @@ "Name": "DelegatedPermissionClassifications", "Option": "Write" }, + { + "CIMType": "MSFT_AADServicePrincipalAttributeSet[]", + "Name": "CustomSecurityAttributes", + "Option": "Write" + }, { "CIMType": "String", "Name": "Ensure", From 093ef2bcdf7095e22021299c9d7dcf2ea2e0e9fd Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 23 Oct 2024 12:03:52 +0000 Subject: [PATCH 91/98] Updated Resources and Cmdlet documentation pages --- .../azure-ad/AADIdentityAPIConnector.md | 185 ++++++++++++++++++ 1 file changed, 185 insertions(+) create mode 100644 docs/docs/resources/azure-ad/AADIdentityAPIConnector.md diff --git a/docs/docs/resources/azure-ad/AADIdentityAPIConnector.md b/docs/docs/resources/azure-ad/AADIdentityAPIConnector.md new file mode 100644 index 0000000000..914b4b7df6 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADIdentityAPIConnector.md @@ -0,0 +1,185 @@ +# AADIdentityAPIConnector + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Required | String | The name of the API connector. | | +| **TargetUrl** | Write | String | The URL of the API endpoint to call. | | +| **Id** | Key | String | The unique identifier for an entity. Read-only. | | +| **Username** | Write | String | The username of the password | | +| **Password** | Write | PSCredential | The password of certificate/basic auth | | +| **Certificates** | Write | MSFT_AADIdentityAPIConnectionCertificate[] | List of certificates to be used in the API connector | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_AADIdentityAPIConnectionCertificate + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Pkcs12Value** | Write | PSCredential | Pkcs12Value of the certificate as a secure string in Base64 encoding | | +| **Thumbprint** | Write | String | Thumbprint of the certificate in Base64 encoding | | +| **Password** | Write | PSCredential | Password of the certificate as a secure string | | +| **IsActive** | Write | Boolean | Tells if the certificate is in use or not | | + + +## Description + +Azure AD Identity API Connector + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas"; + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas 1"; #drift + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas"; + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + From 2c5029f421e93cce05f413c396e9d74b09a67ca2 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 23 Oct 2024 12:10:32 +0000 Subject: [PATCH 92/98] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 100 ++++++++++++++++++ 1 file changed, 100 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 34aef93300..1d6b236341 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -5559,6 +5559,106 @@ } ] }, + { + "ClassName": "MSFT_AADIdentityAPIConnectionCertificate", + "Parameters": [ + { + "CIMType": "MSFT_Credential", + "Name": "Pkcs12Value", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Thumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Password", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsActive", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADIdentityAPIConnector", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Required" + }, + { + "CIMType": "String", + "Name": "TargetUrl", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Username", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Password", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADIdentityAPIConnectionCertificate[]", + "Name": "Certificates", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_MicrosoftGraphUserFlowApiConnectorConfiguration", "Parameters": [ From c5793def0a77612c6eafcbab16cbd2a72114642a Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 23 Oct 2024 12:25:05 +0000 Subject: [PATCH 93/98] Updated Resources and Cmdlet documentation pages --- .../EXOMailboxAuditBypassAssociation.md | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 docs/docs/resources/exchange/EXOMailboxAuditBypassAssociation.md diff --git a/docs/docs/resources/exchange/EXOMailboxAuditBypassAssociation.md b/docs/docs/resources/exchange/EXOMailboxAuditBypassAssociation.md new file mode 100644 index 0000000000..cb604b3bed --- /dev/null +++ b/docs/docs/resources/exchange/EXOMailboxAuditBypassAssociation.md @@ -0,0 +1,73 @@ +# EXOMailboxAuditBypassAssociation + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Identity** | Key | String | The Identity parameter specifies the user account or computer account where you want to view the value of the AuditBypassEnabled property. | | +| **AuditBypassEnabled** | Write | Boolean | The AuditBypassEnabled parameter specifies whether audit bypass is enabled for the user or computer. | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +## Description + +Use the Set-MailboxAuditBypassAssociation cmdlet to configure mailbox audit logging bypass for user or computer accounts such as service accounts for applications that access mailboxes frequently. + +## Permissions + +### Exchange + +To authenticate with Microsoft Exchange, this resource required the following permissions: + +#### Roles + +- Compliance Admin, View-Only Configuration, Journaling + +#### Role Groups + +- Organization Management, Compliance Management, Records Management + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOMailboxAuditBypassAssociation "EXOMailboxAuditBypassAssociation-Test" + { + AuditBypassEnabled = $True; #Updated Property + Identity = "TestMailbox109"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + From 877a14bd39e20ac4aefefa081d9e9203a37c36ce Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 23 Oct 2024 12:25:33 +0000 Subject: [PATCH 94/98] Updated {Create} AAD Integration Tests --- .../M365DSCIntegration.AAD.Create.Tests.ps1 | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index a1bb9f2373..5d87e99d81 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 @@ -504,6 +504,18 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas"; + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADIdentityB2XUserFlow 'AADIdentityB2XUserFlow-B2X_1_TestFlow' { ApplicationId = $ApplicationId From ba6279a1194362daaab6effd83eb60ea63997e6c Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 23 Oct 2024 12:25:57 +0000 Subject: [PATCH 95/98] Updated {Update} AAD Integration Tests --- .../M365DSCIntegration.AAD.Update.Tests.ps1 | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 index c02ddde277..a7082349e2 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 @@ -1005,6 +1005,18 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas 1"; #drift + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADIdentityB2XUserFlow 'AADIdentityB2XUserFlow-B2X_1_TestFlow' { ApplicationId = $ApplicationId From cc9f7f4bd94fedc077ba3e7b76ccd0cc48989802 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 23 Oct 2024 12:26:16 +0000 Subject: [PATCH 96/98] Updated {Update} AAD Integration Tests --- .../M365DSCIntegration.AAD.Remove.Tests.ps1 | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 index dc4a4a0fb6..77b24db586 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 @@ -312,6 +312,18 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas"; + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADIdentityB2XUserFlow 'AADIdentityB2XUserFlow-B2X_1_TestFlow' { ApplicationId = $ApplicationId From ad4f8d84ee6eb58dc1a26ce4f35f17d056494f8b Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 23 Oct 2024 12:28:04 +0000 Subject: [PATCH 97/98] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 1d6b236341..b1d3c54e71 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -12549,6 +12549,51 @@ } ] }, + { + "ClassName": "MSFT_EXOMailboxAuditBypassAssociation", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "AuditBypassEnabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_EXOMailboxAutoReplyConfiguration", "Parameters": [ From cbe5a16c113582a9a35ca3034c5baa4602ee393e Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 23 Oct 2024 12:29:18 +0000 Subject: [PATCH 98/98] Updated {Update} EXO Integration Tests --- .../M365DSCIntegration.EXO.Update.Tests.ps1 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 index 30dc923214..d5ef0c950b 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 @@ -607,6 +607,14 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOMailboxAuditBypassAssociation 'EXOMailboxAuditBypassAssociation-Test' + { + AuditBypassEnabled = $True; #Updated Property + Identity = "TestMailbox109"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } EXOMailboxAutoReplyConfiguration 'EXOMailboxAutoReplyConfiguration' { AutoDeclineFutureRequestsWhenOOF = $False;