diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a08c7cea0..82953e563d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,26 +2,99 @@ # UNRELEASED +* AADServicePrincipal + * Added support for KeyCredentials and PasswordCredentials. * AADAccessReviewDefinition * Initial release. +* AADAccessReviewPolicy + * Initial release. * AADAuthenticationMethodPolicyExternal * Initial release. +* AADConditionalAccessPolicy + * FIXES [#5282](https://github.com/microsoft/Microsoft365DSC/issues/5282) * AADCustomSecurityAttributeDefinition * Fixed missing permissions in settings.json +* AADEnrichedAuditLogs + * Initial release. +* AADFilteringPolicy + * Initial release. +* AADFilteringPolicyRule + * Initial release. +* AADFilteringProfile + * Initial release. +* AADHomeRealmDiscoveryPolicy + * Initial Release +* AADIdentityAPIConnector + * Initial release. * AADIdentityB2XUserFlow * Initial release. +* AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension + * Initial release. * AADIdentityGovernanceProgram * Initial release. -* AADIdentityAPIConnector +* AADIdentityProtectionPolicySettings + * Initial release. +* AADNamedLocationPolicy + * Fixed issue where duplicate names were not detected correctly. +* AADNetworkAccessForwardingProfile + * Initial release. +* AADNetworkAccessForwardingPolicy + * Initial release. +* AADNetworkAccessSettingConditionalAccess + * Initial release. +* AADNetworkAccessSettingCrossTenantAccess * Initial release. * AADOrganizationCertificateBasedAuthConfiguration * Initial release. * AADSocialIdentityProvider * Fixed missing permissions in settings.json +* AADVerifiedIdAuthority + * Initial release. +* AADVerifiedIdAuthorityContract + * Initial release. +* AzureBillingAccountsAssociatedTenant + * Initial release. +* AzureBillingAccountsRoleAssignment + * Initial release. +* AzureVerifiedIdFaceCheck + * Initial release. +* EXOArcConfig + * Fixed `Test-TargetResource` to correctly check property `ArcTrustedSealers` + when it has an array +* AADUserFlowAttribute + * Initial Release * EXOMailboxAuditBypassAssociation * Initial release. 
+* EXOServicePrincipal + * Initial release. +* EXOTenantAllowBlockListItems + * Fixed `Test-TargetResource` to correctly mark when this resource is removed +* IntuneAppCategory + * Fixed retrieval of resource which could then result in multiple categories + being created with same name. +* IntuneAppleMDMPushNotificationCertificate + * Initial release. +* IntuneDerivedCredential + * Fixed export and deployment when `NotificationType` had more than one option + selected + * Fixed retrieval of resource when it cannot be found by `Id` + * Added a few verbose messages +* IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile + * Initial release. +* IntuneEndpointDetectionAndResponsePolicyWindows10 + * Fixes an issue with `AutoFromConnector` as the Configuration package type. + FIXES [#5246](https://github.com/microsoft/Microsoft365DSC/issues/5246) +* IntuneMobileThreatDefenseConnector + * Initial release. +* IntuneSecurityBaselineDefenderForEndpoint + * Initial release. * Intune workload * Fixed missing permissions in settings.json +* SCPolicyConfig + * Initial release. +* SCSensitivityLabel + * Fixed issue with setting label priority + FIXES [#5266](https://github.com/microsoft/Microsoft365DSC/issues/5266) * PPPowerAppsEnvironment * FIXES [#5207](https://github.com/microsoft/Microsoft365DSC/issues/5207) * SentinelAlertRule 
@@ -34,11 +107,16 @@ AllowSelectSecurityGroupsInSPSitesList, ExemptNativeUsersFromTenantLevelRestricedAccessControl properties. * TenantDefaultTimezone changed to String instead of Array. +* TeamsMeetingPolicy + * Added new parameters: AllowExternalNonTrustedMeetingChat, AttendeeIdentityMasking, + AutomaticallyStartCopilot, AutoRecording, ConnectToMeetingControls, + ContentSharingInExternalMeetings, Copilot, CopyRestriction, + DetectSensitiveContentDuringScreenSharing, ExternalMeetingJoin, ParticipantNameChange, + VoiceIsolation * M365DSCDRGUtil * Fixes an issue where non-unique properties were not combined properly with their respective parent setting. * DEPENDENCIES - * Updated ExchangeOnlineManagement to version 3.6.0. * Updated Microsoft.Graph to version 2.24.0. * Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.199. * Updated MSCloudLoginAssistant to version 1.1.27 @@ -91,6 +169,8 @@ * Initial release. * IntuneDeviceConfigurationIdentityProtectionPolicyWindows10 * Added deprecation notice. +* IntuneDeviceManagementEnrollmentAndroidGooglePlay + * Initial release * IntuneEndpointDetectionAndResponsePolicyWindows10 * Migrate to new Settings Catalog cmdlets. * IntuneMobileAppsMacOSLobApp diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/MSFT_AADAccessReviewPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/MSFT_AADAccessReviewPolicy.psm1 new file mode 100644 index 0000000000..226e9f3c22 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/MSFT_AADAccessReviewPolicy.psm1 
@@ -0,0 +1,330 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $IsGroupOwnerManagementEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + $instance = Get-MgBetaPolicyAccessReviewPolicy -ErrorAction Stop + if ($null -eq $instance) + { + throw 'Could not retrieve the Access Review Policy' + } + + $results = @{ + IsSingleInstance = 'Yes' + IsGroupOwnerManagementEnabled = $instance.IsGroupOwnerManagementEnabled + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + 
+function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $IsGroupOwnerManagementEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $updateParameters = @{ + IsGroupOwnerManagementEnabled = $IsGroupOwnerManagementEnabled + } + + $updateJSON = ConvertTo-Json $updateParameters + Write-Verbose -Message "Updating the Entra Id Access Review Policy with values: $updateJSON" + Update-MgBetaPolicyAccessReviewPolicy -BodyParameter $updateParameters +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $IsGroupOwnerManagementEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaPolicyAccessReviewPolicy -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = 'Access Review Policy' + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + 
-Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/MSFT_AADAccessReviewPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/MSFT_AADAccessReviewPolicy.schema.mof new file mode 100644 index 0000000000..a5ddb2612b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/MSFT_AADAccessReviewPolicy.schema.mof @@ -0,0 +1,13 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADAccessReviewPolicy")] +class MSFT_AADAccessReviewPolicy : OMI_BaseResource +{ + [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("If true, group owners can create and manage access reviews on groups they own.")] Boolean IsGroupOwnerManagementEnabled; + + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/readme.md new file mode 100644 index 0000000000..70b59b7f25 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/readme.md 
@@ -0,0 +1,6 @@ + +# AADAccessReviewPolicy + +## Description + +Use this resource to monitor the access review policy object. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/settings.json new file mode 100644 index 0000000000..64be16a4f7 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/settings.json @@ -0,0 +1,28 @@ +{ + "resourceName": "AADAccessReviewPolicy", + "description": "Use this resource to monitor the access review policy object.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "Policy.Read.All" + } + ], + "update": [ + { + "name": "Policy.ReadWrite.AccessReview" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 index 1db024c015..6ffe138e4f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 @@ -92,6 +92,23 @@ function Get-TargetResource [System.String[]] $ExcludeExternalTenantsMembers, + [Parameter()] + [System.String[]] + $IncludeServicePrincipals, + + [Parameter()] + [System.String[]] + $ExcludeServicePrincipals, + + [Parameter()] + [ValidateSet('include', 'exclude')] + [System.String] + $ServicePrincipalFilterMode, + + [Parameter()] + [System.String] + $ServicePrincipalFilterRule, + #ConditionalAccessPlatformCondition [Parameter()] [System.String[]] 
@@ -642,6 +659,11 @@ function Get-TargetResource ExcludeExternalTenantsMembershipKind = [System.String]$Policy.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.MembershipKind ExcludeExternalTenantsMembers = [System.String[]](@() + $Policy.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.AdditionalProperties.members) + IncludeServicePrincipals = $Policy.Conditions.ClientApplications.IncludeServicePrincipals + ExcludeServicePrincipals = $Policy.Conditions.ClientApplications.ExcludeServicePrincipals + ServicePrincipalFilterMode = $Policy.Conditions.ClientApplications.ServicePrincipalFilter.Mode + ServicePrincipalFilterRule = $Policy.Conditions.ClientApplications.ServicePrincipalFilter.Rule + IncludePlatforms = [System.String[]](@() + $Policy.Conditions.Platforms.IncludePlatforms) #no translation needed, return empty string array if undefined ExcludePlatforms = [System.String[]](@() + $Policy.Conditions.Platforms.ExcludePlatforms) @@ -794,6 +816,23 @@ function Set-TargetResource [System.String[]] $ExcludeExternalTenantsMembers, + [Parameter()] + [System.String[]] + $IncludeServicePrincipals, + + [Parameter()] + [System.String[]] + $ExcludeServicePrincipals, + + [Parameter()] + [ValidateSet('include', 'exclude')] + [System.String] + $ServicePrincipalFilterMode, + + [Parameter()] + [System.String] + $ServicePrincipalFilterRule, + #ConditionalAccessPlatformCondition [Parameter()] [System.String[]] 
@@ -1340,6 +1379,49 @@ function Set-TargetResource $conditions.Users.Add('excludeGuestsOrExternalUsers', $excludeGuestsOrExternalUsers) } + Write-Verbose -Message 'Set-Targetresource: process includeServicePrincipals' + if ($currentParameters.ContainsKey('IncludeServicePrincipals')) + { + if (-not $conditions.ContainsKey('clientApplications')) { + $conditions.Add('clientApplications', @{}) + } + $conditions.clientApplications.Add('includeServicePrincipals', $IncludeServicePrincipals) + } + + Write-Verbose -Message 'Set-Targetresource: process excludeServicePrincipals' + if ($currentParameters.ContainsKey('ExcludeServicePrincipals')) + { + if (-not $conditions.ContainsKey('clientApplications')) { + $conditions.Add('clientApplications', @{}) + } + $conditions.clientApplications.Add('excludeServicePrincipals', $ExcludeServicePrincipals) + } + + Write-Verbose -Message 'Set-Targetresource: process servicePrincipalFilter' + if ($currentParameters.ContainsKey('ServicePrincipalFilterMode') -and $currentParameters.ContainsKey('ServicePrincipalFilterRule')) + { + #check if the custom attribute exist. 
+ $customattribute = Invoke-MgGraphRequest -Method GET -Uri https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions + $ServicePrincipalFilterRule -match "CustomSecurityAttribute.(?.*) -.*" + $attrinrule = $matches.attribute + if ($customattribute.value.id -contains $attrinrule){ + if (-not $conditions.ContainsKey('clientApplications')) { + $conditions.Add('clientApplications', @{}) + } + $conditions.clientApplications.Add('servicePrincipalFilter', @{}) + $conditions.clientApplications.servicePrincipalFilter.Add('mode', $ServicePrincipalFilterMode) + $conditions.clientApplications.servicePrincipalFilter.Add('rule', $ServicePrincipalFilterRule) + } + else{ + $message = "Couldn't find the custom attribute $attrinrule in the tenant, couldn't add the filter to policy $DisplayName" + Write-Verbose -Message $message + New-M365DSCLogEntry -Message $message ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + } + } + Write-Verbose -Message 'Set-Targetresource: process platform condition' if ($currentParameters.ContainsKey('IncludePlatforms') -or $currentParameters.ContainsKey('ExcludePlatforms')) { @@ -1661,6 +1743,9 @@ function Set-TargetResource $NewParameters.Add('sessionControls', $sessioncontrols) #add SessionControls to the parameter list } + + Write-Host "newparameters: $($NewParameters | ConvertTo-Json -Depth 5)" + if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present') { Write-Verbose -Message "Set-Targetresource: Change policy $DisplayName" 
@@ -1829,6 +1914,23 @@ function Test-TargetResource [System.String[]] $ExcludeExternalTenantsMembers, + [Parameter()] + [System.String[]] + $IncludeServicePrincipals, + + [Parameter()] + [System.String[]] + $ExcludeServicePrincipals, + + [Parameter()] + [ValidateSet('include', 'exclude')] + [System.String] + $ServicePrincipalFilterMode, + + [Parameter()] + [System.String] + $ServicePrincipalFilterRule, + #ConditionalAccessPlatformCondition [Parameter()] [System.String[]] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof index c1f6d5283f..6898850da0 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof 
@@ -21,6 +21,10 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource [Write, Description("Represents the Excluded internal guests or external user types. This is a multi-valued property. Supported values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, OtherExternalUser, serviceProvider and unknownFutureValue."), ValueMap{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}, Values{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}] String ExcludeGuestOrExternalUserTypes[]; [Write, Description("Represents the Excluded Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type."), ValueMap{"","all","enumerated","unknownFutureValue"}, Values{"","all","enumerated","unknownFutureValue"}] String ExcludeExternalTenantsMembershipKind; [Write, Description("Represents the Excluded collection of tenant ids in the scope of Conditional Access for guests and external users policy targeting.")] String ExcludeExternalTenantsMembers[]; + [Write, Description("Service Principals in scope of the Policy. 'Attribute Definition Reader' role is needed.")] String IncludeServicePrincipals[]; + [Write, Description("Service Principals out of scope of the Policy. 'Attribute Definition Reader' role is needed.")] String ExcludeServicePrincipals[]; + [Write, Description("Mode to use for the Service Principal filter. Possible values are include or exclude. 'Attribute Definition Reader' role is needed."), ValueMap{"include","exclude"}, Values{"include","exclude"}] String ServicePrincipalFilterMode; + [Write, Description("Rule syntax for the Service Principal filter. 
'Attribute Definition Reader' role is needed.")] String ServicePrincipalFilterRule; [Write, Description("Client Device Platforms in scope of the Policy.")] String IncludePlatforms[]; [Write, Description("Client Device Platforms out of scope of the Policy.")] String ExcludePlatforms[]; [Write, Description("AAD Named Locations in scope of the Policy.")] String IncludeLocations[]; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/settings.json index bf18ad856d..939c56e122 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/settings.json @@ -27,6 +27,9 @@ }, { "name": "User.Read.All" + }, + { + "name": "CustomSecAttributeDefinition.Read.All" } ], "update": [ @@ -47,6 +50,9 @@ }, { "name": "User.Read.All" + }, + { + "name": "CustomSecAttributeDefinition.Read.All" } ] }, @@ -69,6 +75,9 @@ }, { "name": "User.Read.All" + }, + { + "name": "CustomSecAttributeDefinition.Read.All" } ], "update": [ @@ -92,6 +101,9 @@ }, { "name": "User.Read.All" + }, + { + "name": "CustomSecAttributeDefinition.Read.All" } ] } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/MSFT_AADEnrichedAuditLogs.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/MSFT_AADEnrichedAuditLogs.psm1 new file mode 100644 index 0000000000..5680e644c1 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/MSFT_AADEnrichedAuditLogs.psm1 
@@ -0,0 +1,349 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance = 'Yes', + + [Parameter()] + [System.String] + $Exchange, + + [Parameter()] + [System.String] + $SharePoint, + + [Parameter()] + [System.String] + $Teams, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + $nullResults = $PSBoundParameters + try + { + $instance = Get-MgBetaNetworkAccessSettingEnrichedAuditLog + + $results = @{ + IsSingleInstance = 'Yes' + Exchange = $instance.Exchange.Status + SharePoint = $instance.SharePoint.Status + Teams = $instance.Teams.Status + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + 
return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance = 'Yes', + + [Parameter()] + [System.String] + $Exchange, + + [Parameter()] + [System.String] + $SharePoint, + + [Parameter()] + [System.String] + $Teams, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message 'Updating Enriched Audit Logs settings' + + $values = @{ + "@odata.type" = "#microsoft.graph.networkaccess.enrichedAuditLogs" + exchange = @{ + "@odata.type" = "#microsoft.graph.networkaccess.enrichedAuditLogsSettings" + status = $ExchangeOnline + } + sharepoint = @{ + "@odata.type" = "#microsoft.graph.networkaccess.enrichedAuditLogsSettings" + status = $SharePoint + } + teams = @{ + "@odata.type" = "#microsoft.graph.networkaccess.enrichedAuditLogsSettings" + status = $Teams + } + } + $body = ConvertTo-Json $values -Depth 10 -Compress + Invoke-MgGraphRequest -Uri 'https://graph.microsoft.com/beta/networkAccess/settings/enrichedAuditLogs' -Method PATCH -Body $body +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance = 'Yes', + + 
[Parameter()] + [System.String] + $Exchange, + + [Parameter()] + [System.String] + $SharePoint, + + [Parameter()] + [System.String] + $Teams, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + 
[Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + + $i = 1 + $dscContent = '' + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/MSFT_AADEnrichedAuditLogs.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/MSFT_AADEnrichedAuditLogs.schema.mof new file mode 100644 index 0000000000..3cfbbe13a0 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/MSFT_AADEnrichedAuditLogs.schema.mof @@ -0,0 +1,14 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADEnrichedAuditLogs")] +class MSFT_AADEnrichedAuditLogs : OMI_BaseResource +{ + [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("Accepted values are enabled or disabled.")] String Exchange; + [Write, Description("Accepted values are enabled or disabled.")] String SharePoint; + [Write, Description("Accepted values are enabled or disabled.")] String Teams; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/readme.md new file mode 100644 index 0000000000..c4449028ef --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/readme.md 
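Review bot: In MSFT_AADEnrichedAuditLogs.schema.mof the `Exchange`, `SharePoint` and `Teams` properties say "Accepted values are enabled or disabled" in the description only; nothing enforces it, so a typo such as `Enable` is accepted by the MOF and by the `[System.String]` parameters in the psm1 and only fails (or is silently rejected) when it reaches Graph. Suggest constraining them in the schema, e.g. `[Write, Description("Accepted values are enabled or disabled."), ValueMap{"enabled","disabled"}, Values{"enabled","disabled"}] String Exchange;`, and adding a matching `[ValidateSet('enabled', 'disabled')]` on the three parameters in Get/Set/Test-TargetResource.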
@@ -0,0 +1,6 @@ + +# AADEnrichedAuditLogs + +## Description + +Configures advanced audit logs for Global Secure Access in Entra Id diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/settings.json new file mode 100644 index 0000000000..4aac873820 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/settings.json @@ -0,0 +1,28 @@ +{ + "resourceName": "AADEnrichedAuditLogs", + "description": "Configures advanced audit logs for Global Secure Access in Entra Id.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "NetworkAccess.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccess.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/MSFT_AADFilteringPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/MSFT_AADFilteringPolicy.psm1 new file mode 100644 index 0000000000..5727a13f23 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/MSFT_AADFilteringPolicy.psm1 
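Review bot: In the AADEnrichedAuditLogs settings.json the `delegated.read` and `delegated.update` arrays are empty while `application` lists `NetworkAccess.Read.All` / `NetworkAccess.ReadWrite.All`; the psm1 still accepts `-Credential`, so users authenticating with a credential get no documented permission requirement and the permission report generated from this file will show none. If the delegated variants of these scopes are valid for this endpoint, list them here as well; if credential-based auth is intentionally unsupported for this resource, say so in the readme so the empty arrays are not read as an omission.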
@@ -0,0 +1,419 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Action, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Retrieving policy by id {$Id}" + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + if ($null -eq $instance) + { + Write-Verbose -Message "Retrieving policy by name {$Name}" + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name} + } + } + else + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Retrieving policy by id {$Id}" + $instance = 
Get-MgBetaNetworkAccessFilteringPolicy -FilteringPolicyId $Id -ErrorAction SilentlyContinue + } + if ($null -eq $instance) + { + Write-Verbose -Message "Retrieving policy by name {$Name}" + $instance = Get-MgBetaNetworkAccessFilteringPolicy -All | Where-Object -FilterScript {$_.Name -eq $Name} + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Name = $instance.Name + Id = $instance.Id + Description = $instance.Description + Action = $instance.Action + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Action, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $instanceParams = @{ + name = $Name + action = $Action + description = $Description + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new filtering policy {$Name}" + New-MgBetaNetworkAccessFilteringPolicy -BodyParameter $instanceParams + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating filtering policy {$Name}" + Update-MgBetaNetworkAccessFilteringPolicy -FilteringPolicyId $currentInstance.Id ` + -BodyParameter $instanceParams + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing filtering policy {$Name}" + Remove-MgBetaNetworkAccessFilteringPolicy -FilteringPolicyId $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Action, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens 
+ ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaNetworkAccessFilteringPolicy -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Name + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Name = $config.Name + Id = $config.Id + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + 
-Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/MSFT_AADFilteringPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/MSFT_AADFilteringPolicy.schema.mof new file mode 100644 index 0000000000..eebd9161ae --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/MSFT_AADFilteringPolicy.schema.mof @@ -0,0 +1,16 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADFilteringPolicy")] +class MSFT_AADFilteringPolicy : OMI_BaseResource +{ + [Key, Description("Name of the policy.")] String Name; + [Write, Description("Unique identifier of the policy.")] String Id; + [Write, Description("Description for the policy.")] String Description; + [Write, Description("Action associated with the policy.")] String Action; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/readme.md new file mode 100644 index 0000000000..80f4aa8ee0 --- /dev/null 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/readme.md @@ -0,0 +1,6 @@ + +# AADFilteringPolicy + +## Description + +Configures filtering policies in Entra Id. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/settings.json new file mode 100644 index 0000000000..7f973ccc72 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/settings.json @@ -0,0 +1,28 @@ +{ + "resourceName": "AADFilteringPolicy", + "description": "Configures filtering policies in Entra Id.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "NetworkAccess.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccess.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/MSFT_AADFilteringPolicyRule.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/MSFT_AADFilteringPolicyRule.psm1 new file mode 100644 index 0000000000..861197e4f2 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/MSFT_AADFilteringPolicyRule.psm1 
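Review bot: In MSFT_AADFilteringPolicy.psm1, `Export-TargetResource` populates `$Script:exportedInstances` with `Get-MgBetaNetworkAccessFilteringPolicy -ErrorAction Stop` without `-All`, whereas the non-export path in `Get-TargetResource` uses `Get-MgBetaNetworkAccessFilteringPolicy -All`; a tenant with more policies than one page returns will export only the first page and, because `Get-TargetResource` looks instances up in `$Script:exportedInstances` when `$Script:ExportMode` is set, any lookup for a later-page policy during export returns `$nullResult`. Suggest `[array] $Script:exportedInstances = Get-MgBetaNetworkAccessFilteringPolicy -All -ErrorAction Stop`.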
@@ -0,0 +1,535 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter(Mandatory = $true)] + [System.String] + $Policy, + + [Parameter()] + [System.String] + $RuleType, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Destinations, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $policyInstance = Get-MgBetaNetworkAccessFilteringPolicy | Where-Object -Filter {$_.Name -eq $Policy} + if ($null -ne $policyInstance) + { + Write-Verbose -Message "Found existing Policy {$Policy}" + + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Retrieving Filtering Policy Rule by Id {$Id}" + $instance = Get-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id ` + -PolicyRuleId Id -ErrorAction SilentlyContinue + } + if ($null -eq $instance) + { + Write-Verbose -Message "Retrieving Filtering Policy Rule by Name {$Name}" + $instance = Get-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id | Where-Object -FilterScript {$_.Name -eq $Name} + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $DestinationsValue = @() + foreach ($destination in $instance.AdditionalProperties.destinations) + { + if ($instance.AdditionalProperties.ruleType -eq 'fqdn') + { + $DestinationsValue += @{ + value = $destination.value + } + } + elseif ($instance.AdditionalProperties.ruleType -eq 'webCategory') + { + $DestinationsValue += @{ + name = $destination.name + } + } + } + + $results = @{ + Name = $instance.Name + Policy = $Policy + Id = $instance.Id + RuleType = $instance.AdditionalProperties.ruleType + Destinations = $DestinationsValue + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + 
} + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter(Mandatory = $true)] + [System.String] + $Policy, + + [Parameter()] + [System.String] + $RuleType, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Destinations, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + Write-Verbose -Message "Entering the Set-TargetResource function" + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $policyInstance = Get-MgBetaNetworkAccessFilteringPolicy | Where-Object -Filter {$_.Name -eq $Policy} + + if ($RuleType -eq 'webCategory') + { + $instanceParams = @{ + "@odata.type" = "#microsoft.graph.networkaccess.webCategoryFilteringRule" + name = $Name + ruleType = $RuleType + destinations = @() + } + + foreach ($destination in $Destinations) + { + $instanceParams.destinations += @{ + "@odata.type" = "#microsoft.graph.networkaccess.webCategory" + name = $destination.name + } + } + } + elseif ($RuleType -eq 'fqdn') + { + $instanceParams = @{ + "@odata.type" = "#microsoft.graph.networkaccess.fqdnFilteringRule" + name = $Name + ruleType = $RuleType + destinations = @() + } + + foreach ($destination in $Destinations) + { + $instanceParams.destinations += @{ + "@odata.type" = "#microsoft.graph.networkaccess.fqdn" + value = $destination.value + } + } + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new Filtering Policy Rule {$Name}" + New-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id ` + -BodyParameter $instanceParams + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating Filtering Policy Rule {$Name}" + $instanceParams.Remove('ruleType') | Out-Null + Update-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id ` + -PolicyRuleId $currentInstance.Id ` + -BodyParameter $instanceParams + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and 
$currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing Filtering Policy Rule {$Name}" + Remove-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id ` + -PolicyRuleId $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter(Mandatory = $true)] + [System.String] + $Policy, + + [Parameter()] + [System.String] + $RuleType, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Destinations, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection 
-Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + $policies = Get-MgBetaNetworkAccessFilteringPolicy + + $i = 1 + $dscContent = '' + if ($policies.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($policy in $policies) + { + $displayedKey = $policy.Name + Write-Host " |---[$i/$($policies.Count)] $displayedKey" -NoNewline + $rules = Get-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policy.Id ` + -ErrorAction SilentlyContinue + if ($rules.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + $j = 1 + foreach ($rule in $rules) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $rule.Name + Write-Host " |---[$j/$($rules.Count)] $displayedKey" -NoNewline + $params = @{ + Name = $rule.Name + Policy = $policy.Name + Id = $rule.Id + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.Destinations) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Destinations -CIMInstanceName 
'AADFilteringPolicyRuleDestination' + if ($complexTypeStringResult) + { + $Results.Destinations = $complexTypeStringResult + } + else + { + $Results.Remove('Destinations') | Out-Null + } + } + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.Destinations) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Destinations' -IsCIMArray:$false + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $j++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + $i++ + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/MSFT_AADFilteringPolicyRule.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/MSFT_AADFilteringPolicyRule.schema.mof new file mode 100644 index 0000000000..7a35e43160 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/MSFT_AADFilteringPolicyRule.schema.mof 
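Review bot: In MSFT_AADFilteringPolicyRule.psm1 `Get-TargetResource` calls `Get-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id -PolicyRuleId Id`; `Id` is a bare word, not `$Id`, so the lookup by id always fails (or errors, which `-ErrorAction SilentlyContinue` hides) and every call falls through to the name lookup. Two further points in the same file: `Test-TargetResource` never initialises `$testResult` before the CIM-instance loop, so when `Destinations` is not in `$PSBoundParameters` the `if ($testResult)` guard is false, `Test-M365DSCParameterState` is skipped and the function returns `$null` (always non-compliant); other resources set `$testResult = $true` first. And in `Set-TargetResource` `$instanceParams` is only assigned for `webCategory` and `fqdn`, so any other `RuleType` reaches `New-`/`Update-MgBetaNetworkAccessFilteringPolicyRule` with `-BodyParameter $null`; a `[ValidateSet('fqdn', 'webCategory')]` on `$RuleType` (or an explicit `throw`) would make that fail early. Minor: `Where-Object -Filter {...}` relies on parameter-name prefix matching; use `-FilterScript` as elsewhere in the file.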
@@ -0,0 +1,24 @@ +[ClassVersion("1.0.0.0")] +class MSFT_AADFilteringPolicyRuleDestination +{ + [Write, Description("Name of the destination.")] String name; + [Write, Description("FQDN value for the destination.")] String value; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADFilteringPolicyRule")] +class MSFT_AADFilteringPolicyRule : OMI_BaseResource +{ + [Key, Description("Name of the rule.")] String Name; + [Key, Description("Name of the associated policy.")] String Policy; + [Write, Description("Unique Id for the rule.")] String Id; + [Write, Description("Type of rule.")] String RuleType; + [Write, Description("List of associated destinations with the rule."), EmbeddedInstance("MSFT_AADFilteringPolicyRuleDestination")] String Destinations[]; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/readme.md new file mode 100644 index 0000000000..dcfb67c298 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/readme.md 
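Review bot: In MSFT_AADFilteringPolicyRule.schema.mof `RuleType` is a free-form `String` although `Set-TargetResource` only builds a request body for `fqdn` and `webCategory`; add `ValueMap{"fqdn","webCategory"}, Values{"fqdn","webCategory"}` so the configuration compiler rejects anything else. The `Destinations` description ("List of associated destinations with the rule.") could also state which of `name` / `value` applies to which rule type, since the embedded class carries both and only one is populated per rule.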
@@ -0,0 +1,6 @@ + +# AADFilteringPolicyRule + +## Description + +Configures filtering rules in Entra Id. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/settings.json new file mode 100644 index 0000000000..8bbc6f8277 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/settings.json @@ -0,0 +1,28 @@ +{ + "resourceName": "AADFilteringPolicyRule", + "description": "Configures filtering rules in Entra Id.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "NetworkAccess.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccess.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/MSFT_AADFilteringProfile.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/MSFT_AADFilteringProfile.psm1 new file mode 100644 index 0000000000..0735e28f72 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/MSFT_AADFilteringProfile.psm1 
@@ -0,0 +1,530 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [System.UInt32] + $Priority, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Policies, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Retrieving profile by Id {$Id}" + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + if ($null -eq $instance) + { + Write-Verbose -Message "Retrieving profile by Name {$Name}" + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name} + } + } + else + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Retrieving profile by Id {$Id}" + $instance = Get-MgBetaNetworkAccessFilteringProfile -ExpandProperty Policies -FilteringProfileId $Id -ErrorAction SilentlyContinue + } + if ($null -eq $instance) + { + Write-Verbose -Message "Retrieving profile by Name {$Name}" + $instance = Get-MgBetaNetworkAccessFilteringProfile -All -ExpandProperty Policies | Where-Object -FilterScript {$_.Name -eq $Name} + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $PolicyValue = @() + if ($null -ne $instance.Policies -and $instance.Policies.Length -gt 0) + { + $policyLinks = Get-MgBetaNetworkAccessFilteringProfilePolicy -FilteringProfileId $instance.Id -ExpandProperty Policy + foreach ($link in $policyLinks) + { + $policyInfo = Get-MgBetaNetworkAccessFilteringPolicy -FilteringPolicyId $link.Policy.Id + if ($null -ne $policyInfo) + { + $entry = @{ + State = $link.State + Priority = $link.AdditionalProperties.priority + LoggingState = $link.AdditionalProperties.loggingState + PolicyName = $policyInfo.Name + 
} + $PolicyValue += $entry + } + } + } + + $results = @{ + Name = $instance.Name + Id = $instance.Id + Description = $instance.Description + State = $instance.State + Priority = $instance.Priority + Policies = $PolicyValue + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [System.UInt32] + $Priority, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Policies, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $instanceParams = @{ + description = $Description + name = $Name + priority = $Priority + state = $State + policies = @() + } + + foreach ($policy in $Policies) + { + $policyInfo = Get-MgBetaNetworkAccessFilteringPolicy -All | Where-Object -FilterScript {$_.Name -eq $policy.PolicyName} + if ($null -ne $policyInfo) + { + $entry = @{ + "@odata.type" = "#microsoft.graph.networkaccess.filteringPolicyLink" + loggingState = $policy.LoggingState + priority = $policy.Priority + state = $policy.State + policy = @{ + "@odata.type" = "#microsoft.graph.networkaccess.filteringPolicy" + id = $policyInfo.Id + } + } + $instanceParams.policies += $entry + } + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new filtering profile {$Name}" + New-MgBetaNetworkAccessFilteringProfile -BodyParameter $instanceParams + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating filtering profile {$Name} by removing and recreating" + Remove-MgBetaNetworkAccessFilteringProfile -FilteringProfileId $currentInstance.Id + New-MgBetaNetworkAccessFilteringProfile -BodyParameter $instanceParams + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing filtering profile {$Name}" + Remove-MgBetaNetworkAccessFilteringProfile -FilteringProfileId $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + 
[Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [System.UInt32] + $Priority, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Policies, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + if ($testResult) + { + 
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaNetworkAccessFilteringProfile -ExpandProperty Policies -All -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Name + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Name = $config.Name + Id = $config.Id + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.Policies) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Policies -CIMInstanceName AADFilteringProfilePolicyLink + if ($complexTypeStringResult) + { + $Results.Policies = $complexTypeStringResult + } + else + { + $Results.Remove('Policies') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.Policies) + { + $currentDSCBlock = 
Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Policies' -IsCIMArray:$true + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/MSFT_AADFilteringProfile.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/MSFT_AADFilteringProfile.schema.mof new file mode 100644 index 0000000000..40d40b0a4c --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/MSFT_AADFilteringProfile.schema.mof 
@@ -0,0 +1,27 @@ +[ClassVersion("1.0.0.0")] +class MSFT_AADFilteringProfilePolicyLink +{ + [Write, Description("Logging state for the associated policy.")] String LoggingState; + [Write, Description("Priority of the associated policy.")] UInt32 Priority; + [Write, Description("State of the associated policy.")] String State; + [Write, Description("Name of the associated policy.")] String PolicyName; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADFilteringProfile")] +class MSFT_AADFilteringProfile : OMI_BaseResource +{ + [Key, Description("Profile name.")] String Name; + [Write, Description("Unique identifier for the profile.")] String Id; + [Write, Description("Description of the profile.")] String Description; + [Write, Description("State of the profile.")] String State; + [Write, Description("Priority level for the profile.")] UInt32 Priority; + [Write, Description("List of filtering policy names associated with the profile."), EmbeddedInstance("MSFT_AADFilteringProfilePolicyLink")] String Policies[]; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/readme.md new file mode 100644 index 0000000000..8f174e58ff --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/readme.md @@ -0,0 +1,6 @@ + +# AADFilteringProfile + +## Description + +Configures filtering profiles in Entra Id. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/settings.json new file mode 100644 index 0000000000..0b85fa3e50 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/settings.json @@ -0,0 +1,28 @@ +{ + "resourceName": "AADFilteringProfile", + "description": "Configures filtering profiles in Entra Id.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "NetworkAccess.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccess.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/MSFT_AADHomeRealmDiscoveryPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/MSFT_AADHomeRealmDiscoveryPolicy.psm1 new file mode 100644 index 0000000000..bd3c930dee --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/MSFT_AADHomeRealmDiscoveryPolicy.psm1 
@@ -0,0 +1,567 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Definition, + + [Parameter()] + [System.Boolean] + $IsOrganizationDefault, + + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaPolicyHomeRealmDiscoveryPolicy ` + -Filter "DisplayName eq '$DisplayName'" + + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Home Realm Discovery Policy with DisplayName {$DisplayName}." 
+ return $nullResult + } + # if multiple objects with same name exist + if ($getValue -is [array]) { + Write-Verbose -Message "Multiple Azure AD Home Realm Discovery Policy with DisplayName {$DisplayName} found. Skipping Operation." + return $nullResult + } + + Write-Verbose -Message "An Azure AD Home Realm Discovery Policy with DisplayName {$DisplayName} was found" + + $DefinitionArray = @() + foreach ($definitionValue in $getValue.definition) { + $value = ConvertFrom-Json $definitionValue + $DefinitionArray += @{ + AccelerateToFederatedDomain = $value.HomeRealmDiscoveryPolicy.AccelerateToFederatedDomain + AllowCloudPasswordValidation = $value.HomeRealmDiscoveryPolicy.AllowCloudPasswordValidation + PreferredDomain = $value.HomeRealmDiscoveryPolicy.PreferredDomain + AlternateIdLogin = @{ + Enabled = $value.HomeRealmDiscoveryPolicy.AlternateIdLogin.Enabled + } + } + } + + $results = @{ + #region resource generator code + Definition = [Array]$DefinitionArray + IsOrganizationDefault = $getValue.isOrganizationDefault + Description = $getValue.description + DisplayName = $getValue.displayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Definition, + + [Parameter()] + [System.Boolean] + $IsOrganizationDefault, + + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + 
$DisplayName, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # to get the id parameter + $getValue = Get-MgBetaPolicyHomeRealmDiscoveryPolicy ` + -Filter "DisplayName eq '$DisplayName'" + + $newDefinitions = @() + foreach ($Def in $Definition) { + $HomeRealmDiscoveryPolicy = @{} + if ($null -ne $Def.AccelerateToFederatedDomain){ + $HomeRealmDiscoveryPolicy.Add('AccelerateToFederatedDomain', $Def.AccelerateToFederatedDomain) + } + if ($null -ne $Def.AllowCloudPasswordValidation){ + $HomeRealmDiscoveryPolicy.Add('AllowCloudPasswordValidation', $Def.AllowCloudPasswordValidation) + } + if ($null -ne $Def.PreferredDomain){ + $HomeRealmDiscoveryPolicy.Add('PreferredDomain', $Def.PreferredDomain) + } + if ($null -ne $Def.AlternateIdLogin.Enabled){ + $HomeRealmDiscoveryPolicy.Add('AlternateIdLogin', @{Enabled = $Def.AlternateIdLogin.Enabled}) + } + $temp = @{ + HomeRealmDiscoveryPolicy = 
$HomeRealmDiscoveryPolicy + } + $newDefinitions += ConvertTo-Json $temp -Depth 10 -Compress + } + + $BoundParameters.Definition = $newDefinitions + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Azure AD Home Realm Discovery Policy with DisplayName {$DisplayName}" + + $createParameters = ([Hashtable]$BoundParameters).Clone() + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + + #region resource generator code + $policy = New-MgBetaPolicyHomeRealmDiscoveryPolicy -BodyParameter $createParameters + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Home Realm Discovery Policy with DisplayName {$($currentInstance.DisplayName)}" + + $updateParameters = ([Hashtable]$BoundParameters).Clone() + $updateParameters = Rename-M365DSCCimInstanceParameter -Properties $updateParameters + + #region resource generator code + Update-MgBetaPolicyHomeRealmDiscoveryPolicy ` + -HomeRealmDiscoveryPolicyId $getValue.Id ` + -BodyParameter $UpdateParameters + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Azure AD Home Realm Discovery Policy with DisplayName {$($currentInstance.DisplayName)}" + #region resource generator code + Remove-MgBetaPolicyHomeRealmDiscoveryPolicy -HomeRealmDiscoveryPolicyId $getValue.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Definition, + + [Parameter()] + [System.Boolean] + $IsOrganizationDefault, + + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + 
$Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Home Realm Discovery Policy with DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + 
if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaPolicyHomeRealmDiscoveryPolicy ` + -Filter $Filter ` + -All ` + -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.DisplayName + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($null -ne $Results.Definition) + { + $Results.Definition = Get-M365DSCAADHomeRealDiscoveryPolicyDefinitionAsString $Results.Definition + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($null -ne $Results.Definition) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + 
-ParameterName 'Definition' + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-M365DSCAADHomeRealDiscoveryPolicyDefinitionAsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $Definitions + ) + + $StringContent = [System.Text.StringBuilder]::new() + $StringContent.Append('@(') | Out-Null + + foreach ($definition in $Definitions) + { + $StringContent.Append("`n MSFT_AADHomeRealDiscoveryPolicyDefinition {`r`n") | Out-Null + $StringContent.Append(" PreferredDomain = '" + $definition.PreferredDomain + "'`r`n") | Out-Null + if ($null -ne $definition.AccelerateToFederatedDomain) { + $StringContent.Append(" AccelerateToFederatedDomain = $" + $definition.AccelerateToFederatedDomain + "`r`n") | Out-Null + } + if ($null -ne $definition.AllowCloudPasswordValidation) { + $StringContent.Append(" AllowCloudPasswordValidation = $" + $definition.AllowCloudPasswordValidation + "`r`n") | Out-Null + } + $StringContent.Append(" AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin {`r`n") | Out-Null + $StringContent.Append(" Enabled = $" + $definition.AlternateIdLogin.Enabled + "`r`n") | Out-Null + $StringContent.Append(" }`r`n") | Out-Null + $StringContent.Append(" }`r`n") | Out-Null + } + + $StringContent.Append(' )') | Out-Null + return $StringContent.ToString() +} + + +Export-ModuleMember -Function *-TargetResource 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/MSFT_AADHomeRealmDiscoveryPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/MSFT_AADHomeRealmDiscoveryPolicy.schema.mof new file mode 100644 index 0000000000..b352209efe --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/MSFT_AADHomeRealmDiscoveryPolicy.schema.mof 
@@ -0,0 +1,33 @@ +[ClassVersion("1.0.0")] +class MSFT_AADHomeRealDiscoveryPolicyDefinition +{ + [Write, Description("Accelerate to Federated Domain.")] Boolean AccelerateToFederatedDomain; + [Write, Description("Allow cloud password validation.")] Boolean AllowCloudPasswordValidation; + [Write, Description("AlternateIdLogin complex object."), EmbeddedInstance("MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin")] String AlternateIdLogin; + [Write, Description("Preffered Domain value.")] String PreferredDomain; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin +{ + [Write, Description("Boolean for whether AlternateIdLogin is enabled.")] Boolean Enabled; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADHomeRealmDiscoveryPolicy")] +class MSFT_AADHomeRealmDiscoveryPolicy : OMI_BaseResource +{ + [Key, Description("Display name for this policy. Required.")] String DisplayName; + [Write, Description("A string collection containing a complex object array that defines the rules and settings for a policy. The syntax for the definition differs for each derived policy type. Required."), EmbeddedInstance("MSFT_AADHomeRealDiscoveryPolicyDefinition")] String Definition[]; + [Write, Description("If set to true, activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false.")] Boolean IsOrganizationDefault; + [Write, Description("Description for this policy. 
Required.")] String Description; + + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; + diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/readme.md new file mode 100644 index 0000000000..97b2da84f0 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/readme.md @@ -0,0 +1,6 @@ + +# AADHomeRealmDiscoveryPolicy + +## Description + +Azure AD Home Realm Discovery Policy diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/settings.json new file mode 100644 index 0000000000..b3c6ae18bd --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/settings.json 
@@ -0,0 +1,33 @@ +{ + "resourceName": "AADHomeRealmDiscoveryPolicy", + "description": "This resource configures an Azure AD Home Realm Discovery Policy.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "Policy.Read.All" + } + ], + "update": [ + { + "name": "Policy.ReadWrite.ApplicationConfiguration" + } + ] + }, + "application": { + "read": [ + { + "name": "Policy.Read.All" + } + ], + "update": [ + { + "name": "Policy.ReadWrite.ApplicationConfiguration" + } + ] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.psm1 new file mode 100644 index 0000000000..7837cbb294 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.psm1 
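Review bot: The closing braces of this settings.json are misaligned: the brace closing "permissions" sits at column 0 and is followed by a blank line before the root brace, so the file reads as if it ended early even though it is balanced. Reformat to the same four-level close that the other two settings.json files in this change use. This file is also the only one of the three without a "roles" object; if the tooling that reads these files expects that key, add the empty "read"/"update" arrays as the sibling files do.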
@@ -0,0 +1,589 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CallbackConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ClientConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EndpointConfiguration, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + if ($null -eq $instance) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + } + else + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -CustomTaskExtensionId $Id + } + if ($null -eq $instance) + { + $instance = Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -Filter "DisplayName eq '$($DisplayName)'" + } + } + if ($null -eq $instance) + { + return $nullResult + } + + # Callback Configuration + $CallbackConfigurationValue = $null + if ($null -ne $instance.CallbackConfiguration.TimeoutDuration) + { + $CallbackConfigurationValue = @{ + TimeoutDuration = "PT$($instance.CallbackConfiguration.TimeoutDuration.Minutes.ToString())M" + AuthorizedApps = @() + } + + foreach ($app in $instance.CallbackConfiguration.AdditionalProperties.authorizedApps) + { + $appInstance = Get-MgApplication -Filter "AppId eq '$($app['id'])'" -ErrorAction SilentlyContinue + if ($null -ne $appInstance) + { + $CallbackConfigurationValue.AuthorizedApps += $appInstance.DisplayName + } + } + } + + # Client Configuration + $ClientConfigurationValue = @{ + MaximumRetries = $instance.ClientConfiguration.MaximumRetries + TimeoutInMilliseconds = $instance.ClientConfiguration.TimeoutInMilliseconds + } + + # 
EndpointConfiguration + $EndpointConfigurationValue = @{ + SubscriptionId = $instance.EndpointConfiguration.AdditionalProperties.subscriptionId + resourceGroupName = $instance.EndpointConfiguration.AdditionalProperties.resourceGroupName + logicAppWorkflowName = $instance.EndpointConfiguration.AdditionalProperties.logicAppWorkflowName + url = $instance.EndpointConfiguration.AdditionalProperties.url + } + + $results = @{ + DisplayName = $DisplayName + Id = $instance.Id + Description = $instance.Description + CallbackConfiguration = $CallbackConfigurationValue + ClientConfiguration = $ClientConfigurationValue + EndpointConfiguration = $EndpointConfigurationValue + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CallbackConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ClientConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EndpointConfiguration, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + 
[Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $instanceParams = @{ + displayName = $DisplayName + description = $Description + endpointConfiguration = @{ + "@odata.type" = "#microsoft.graph.logicAppTriggerEndpointConfiguration" + subscriptionId = $EndpointConfiguration.subscriptionId + resourceGroupName = $EndpointConfiguration.resourceGroupName + logicAppWorkflowName = $EndpointConfiguration.logicAppWorkflowName + url = $EndpointConfiguration.url + } + clientConfiguration = @{ + "@odata.type" = "#microsoft.graph.customExtensionClientConfiguration" + maximumRetries = $clientConfiguration.maximumRetries + timeoutInMilliseconds = $clientConfiguration.timeoutInMilliseconds + } + authenticationConfiguration = @{ + "@odata.type" = "#microsoft.graph.azureAdPopTokenAuthentication" + } + } + + if ($null -ne $CallbackConfiguration) + { + $instanceParams.Add('callbackConfiguration', @{ + "@odata.type" = "#microsoft.graph.identityGovernance.customTaskExtensionCallbackConfiguration" + timeoutDuration = $CallbackConfiguration.timeoutDuration + }) + + if ($null -ne $CallbackConfiguration.AuthorizedApps) + { + $appsValue = @() + foreach ($app in $CallbackConfiguration.AuthorizedApps) + { + $appInfo = Get-MgApplication -Filter "DisplayName eq '$app'" -ErrorAction SilentlyContinue + if ($null -ne $appInfo) + { + $appsValue += $appInfo.Id + } + } + 
$instanceParams.callbackConfiguration.Add('authorizedApps', $appsValue) + } + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new Workflow Custom Task Extension {$DisplayName} with parameters:`r`n$(ConvertTo-Json $instanceParams)" + New-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -BodyParameter $instanceParams + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating Workflow Custom Task Extension {$DisplayName} with parameters:`r`n$(ConvertTo-Json $instanceParams)" + Update-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -CustomTaskExtensionId $currentInstance.Id -BodyParameter $instanceParams + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing Workflow Custom Task Extension {$DisplayName}" + Remove-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -CustomTaskExtensionId $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CallbackConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ClientConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EndpointConfiguration, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + 
$ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + 
[Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.DisplayName + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $config.DisplayName + Id = $config.Id + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($null -ne $Results.EndpointConfiguration) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.EndpointConfiguration ` + -CIMInstanceName 'AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration' + if (-Not 
[String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.EndpointConfiguration = $complexTypeStringResult + } + else + { + $Results.Remove('EndpointConfiguration') | Out-Null + } + } + + if ($null -ne $Results.ClientConfiguration) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.ClientConfiguration ` + -CIMInstanceName 'AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration' + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.ClientConfiguration = $complexTypeStringResult + } + else + { + $Results.Remove('ClientConfiguration') | Out-Null + } + } + + if ($null -ne $Results.CallbackConfiguration) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.CallbackConfiguration ` + -CIMInstanceName 'AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration' + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.CallbackConfiguration = $complexTypeStringResult + } + else + { + $Results.Remove('CallbackConfiguration') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.EndpointConfiguration) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'EndpointConfiguration' -IsCIMArray:$False + } + if ($Results.ClientConfiguration) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ClientConfiguration' -IsCIMArray:$False + } + if ($Results.CallbackConfiguration) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'CallbackConfiguration' -IsCIMArray:$False + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + 
-FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.schema.mof new file mode 100644 index 0000000000..28ae9aea30 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.schema.mof 
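Review bot: Several logic issues in this hunk. (1) Get-TargetResource builds TimeoutDuration from `$instance.CallbackConfiguration.TimeoutDuration.Minutes`, which is only the minutes component of the TimeSpan, so a callback timeout of two hours (PT2H) is read back as PT0M and PT1H30M as PT30M; the schema allows durations up to three hours, so use `.TotalMinutes` (or an ISO 8601 duration formatter) or Test-TargetResource will report drift on every run for such values. (2) Get resolves authorizedApps with `Get-MgApplication -Filter "AppId eq ..."` but Set sends `$appInfo.Id` (the directory object id) back, so one side uses the wrong identifier and the round trip cannot match. Both functions also filter by DisplayName, which is not unique, and interpolate the name into the OData filter without doubling single quotes, so a display name containing an apostrophe breaks the query. (3) Test-TargetResource never initialises `$testResult`; when no CIM-instance parameter is bound the `if ($testResult)` branch is skipped and the function returns `$null`, which DSC treats as "not in desired state", so Set-TargetResource runs on every consistency check. Add `$testResult = $true` before the foreach. (4) Export calls Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension without `-All`, so tenants with more extensions than one page returns are exported partially. Minor: the EndpointConfiguration hashtable mixes `SubscriptionId` with camelCase keys for the other three properties.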
@@ -0,0 +1,41 @@ +[ClassVersion("1.0.0")] +class MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration +{ + [Write, Description("The max duration in milliseconds that Microsoft Entra ID waits for a response from the external app before it shuts down the connection. The valid range is between 200 and 2000 milliseconds. Default duration is 1000.")] UInt32 timeoutInMilliseconds; + [Write, Description("The max number of retries that Microsoft Entra ID makes to the external API. Values of 0 or 1 are supported. If null, the default for the service applies.")] UInt32 maximumRetries; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration +{ + [Write, Description("The name of the logic app.")] String logicAppWorkflowName; + [Write, Description("The Azure resource group name for the logic app.")] String resourceGroupName; + [Write, Description("Identifier of the Azure subscription for the logic app.")] String subscriptionId; + [Write, Description("Url of the logic app.")] String url; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration +{ + [Write, Description("Callback time out in ISO 8601 time duration. Accepted time durations are between five minutes to three hours. For example, PT5M for five minutes and PT3H for three hours. 
Inherited from customExtensionCallbackConfiguration.")] String timeoutDuration; + [Write, Description("List of apps names that are allowed to resume a task processing result.")] String authorizedApps[]; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension")] +class MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension : OMI_BaseResource +{ + [Key, Description("Display name of the custom extension.")] String DisplayName; + [Write, Description("Unique Id of the extension.")] String Id; + [Write, Description("Description of the extension.")] String Description; + [Write, Description("Client configuration for the extension"), EmbeddedInstance("MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration")] String ClientConfiguration; + [Write, Description("Endpoint configuration for the extension"), EmbeddedInstance("MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration")] String EndpointConfiguration; + [Write, Description("Callback configuration for the extension"), EmbeddedInstance("MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration")] String CallbackConfiguration; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + 
[Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/readme.md new file mode 100644 index 0000000000..d49730fec1 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/readme.md @@ -0,0 +1,6 @@ + +# AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension + +## Description + +Configures custom extensions for Lifecycle workflows in Entra id. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/settings.json new file mode 100644 index 0000000000..77f6457772 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/settings.json @@ -0,0 +1,28 @@ +{ + "resourceName": "AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension", + "description": "Configures custom extensions for Lifecycle workflows in Entra id.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "LifecycleWorkflows.Read.All" + } + ], + "update": [ + { + "name": "LifecycleWorkflows.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/MSFT_AADIdentityProtectionPolicySettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/MSFT_AADIdentityProtectionPolicySettings.psm1 new file mode 100644 index 0000000000..6839f70e99 --- /dev/null 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/MSFT_AADIdentityProtectionPolicySettings.psm1 
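Review bot: In the MOF, the authorizedApps description should read "List of app names" and, since Get-TargetResource returns display names rather than ids, say so explicitly so users do not put object ids there. The readme and the settings.json description write "Entra id" where the product name is "Entra ID". In settings.json the delegated read/update arrays are empty although the resource accepts a Credential parameter; if delegated authentication is meant to work, list LifecycleWorkflows.Read.All and LifecycleWorkflows.ReadWrite.All there as well, otherwise state in the readme that the resource requires application permissions.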
@@ -0,0 +1,336 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $IsUserRiskClearedOnPasswordReset, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identityProtection/policy" + $instance = Invoke-MgGraphRequest -Method Get -Uri $url + + if ($null -eq $instance) + { + throw 'Could not retrieve the AAD Identity Protection Policy settings.' 
+ } + + $results = @{ + IsSingleInstance = 'Yes' + IsUserRiskClearedOnPasswordReset = $instance.IsUserRiskClearedOnPasswordReset + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $IsUserRiskClearedOnPasswordReset, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $updateParameters = @{ + IsUserRiskClearedOnPasswordReset = $IsUserRiskClearedOnPasswordReset + } + + $updateJSON = ConvertTo-Json $updateParameters + Write-Verbose -Message "Updating the AAD Identity Protection Policy settings with values: $updateJSON" + $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identityProtection/policy" + + Invoke-MgGraphRequest -Method PATCH -Uri $url -Body $updateJSON +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $IsUserRiskClearedOnPasswordReset, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + + $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identityProtection/policy" + [array] $Script:exportedInstances = Invoke-MgGraphRequest -Method Get -Uri $url + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = 'AAD Identity Protection Policy Settings' + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 
'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/MSFT_AADIdentityProtectionPolicySettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/MSFT_AADIdentityProtectionPolicySettings.schema.mof new file mode 100644 index 0000000000..e4beabfe26 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/MSFT_AADIdentityProtectionPolicySettings.schema.mof @@ -0,0 +1,13 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADIdentityProtectionPolicySettings")] +class MSFT_AADIdentityProtectionPolicySettings : OMI_BaseResource +{ + [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("If true, user risk is cleared on password reset.")] Boolean IsUserRiskClearedOnPasswordReset; + + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/readme.md new file mode 100644 index 0000000000..40bedfad33 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/readme.md @@ -0,0 +1,6 @@ + +# AADIdentityProtectionPolicySettings + +## Description + +Use this resource to monitor the identity protection policy settings in AAD. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/settings.json new file mode 100644 index 0000000000..baab496c16 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/settings.json @@ -0,0 +1,36 @@ +{ + "resourceName": "AADIdentityProtectionPolicySettings", + "description": "Use this resource to monitor the identity protection policy settings in AAD", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "Policy.Read.IdentityProtection" + } + ], + "update": [ + { + "name": "Policy.ReadWrite.IdentityProtection" + } + ] + }, + "application": { + "read": [ + { + "name": "Policy.Read.IdentityProtection" + } + ], + "update": [ + { + "name": "Policy.ReadWrite.IdentityProtection" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNamedLocationPolicy/MSFT_AADNamedLocationPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNamedLocationPolicy/MSFT_AADNamedLocationPolicy.psm1 index b395185678..1d5005bb88 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNamedLocationPolicy/MSFT_AADNamedLocationPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNamedLocationPolicy/MSFT_AADNamedLocationPolicy.psm1 
@@ -121,6 +121,8 @@ function Get-TargetResource -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential + + return $nullReturn } } if ($null -eq $NamedLocation) @@ -252,6 +254,26 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + try + { + if ($Id) + { + $NamedLocation = Get-MgBetaIdentityConditionalAccessNamedLocation -NamedLocationId $Id -ErrorAction Stop + } + } + catch + { + Write-Verbose -Message "Could not retrieve AAD Named Location by ID {$Id}" + } + if ($null -eq $NamedLocation) + { + $NamedLocation = Get-MgBetaIdentityConditionalAccessNamedLocation -ErrorAction SilentlyContinue | Where-Object -FilterScript { $_.DisplayName -eq $DisplayName } + if ($NamedLocation.Length -gt 1) + { + throw "More than one instance of a Named Location Policy with name {$DisplayName} was found. Please provide the ID parameter." + } + } + $currentAADNamedLocation = Get-TargetResource @PSBoundParameters $desiredValues = @{ diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/MSFT_AADNetworkAccessForwardingPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/MSFT_AADNetworkAccessForwardingPolicy.psm1 new file mode 100644 index 0000000000..47acfe16dd --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/MSFT_AADNetworkAccessForwardingPolicy.psm1 
@@ -0,0 +1,493 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $PolicyRules, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name} + } + else + { + $instance = Get-MgBetaNetworkAccessForwardingPolicy -Expand * -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $Name } + } + if ($null -eq $instance) + { + throw "Could not retrieve the Forwarding Policy with name: $Name" + } + + $complexPolicyRules = Get-MicrosoftGraphNetworkAccessForwardingPolicyRules -PolicyRules $instance.PolicyRules + + $results = @{ + Name = $instance.name + PolicyRules = $complexPolicyRules + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent 
+ AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $PolicyRules, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $currentPolicy = Get-MgBetaNetworkAccessForwardingPolicy -Expand * -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $setParameters.Name } + if ($Name -eq "Custom Bypass") { + foreach ($rule in $currentPolicy.PolicyRules) { + Remove-MgBetaNetworkAccessForwardingPolicyRule -ForwardingPolicyId $currentPolicy.Id -PolicyRuleId $rule.Id + } + + foreach ($rule in $setParameters.PolicyRules) { + $complexDestinations = @() + foreach ($destination in $rule.Destinations) { + $complexDestinations += @{ + "@odata.type" = "#microsoft.graph.networkaccess." 
+ $rule.RuleType + value = $destination + } + } + $params = @{ + "@odata.type" = "#microsoft.graph.networkaccess.internetAccessForwardingRule" + name = $rule.Name + action = $rule.ActionValue + ruleType = $rule.RuleType + ports = ($rule.Ports | ForEach-Object { $_.ToString() }) + protocol = $rule.Protocol + destinations = $complexDestinations + } + + New-MgBetaNetworkAccessForwardingPolicyRule -ForwardingPolicyId $currentPolicy.Id -BodyParameter $params + } + } elseif ($currentPolicy.TrafficForwardingType -eq "m365") { + $rulesParam = @() + foreach ($desiredRule in $setParameters.PolicyRules) { + $desiredRuleHashtable = Convert-M365DSCDRGComplexTypeToHashtable $desiredRule + $desiredRuleHashtable.Remove('actionValue') + $testResult = $false + foreach ($currentRule in $currentPolicy.PolicyRules) { + $currentRuleHashtable = Get-MicrosoftGraphNetworkAccessForwardingPolicyRules -PolicyRules @($currentRule) + $currentRuleHashtable.Remove('ActionValue'); + $testResult = Compare-M365DSCComplexObject ` + -Source ($currentRuleHashtable) ` + -Target ($desiredRuleHashtable) + if ($testResult) { + Write-Verbose "Updating: $($currentRule.Name), $($currentRule.Id)" + $rulesParam += @{ + ruleId = $currentRule.Id + action = $desiredRule.ActionValue + } + break + } + } + if($testResult -eq $false){ + Write-Verbose "Could not find rule with the given specification: $(Convert-M365DscHashtableToString -Hashtable $desiredRuleHashtable), skipping set for this." 
+ } + } + $updateParams = @{ + rules = $rulesParam + } + + Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/networkAccess/forwardingPolicies/$($currentPolicy.ID)/updatePolicyRules" -Method Post -Body $updateParams + } + else { + Write-Verbose "Can not modify the list of poilicy rules for the forwarding policy with name: $($setParameters.Name)" + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $PolicyRules, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $testTargetResource = $true + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + $testTargetResource = $false + } + else { + $ValuesToCheck.Remove($key) | Out-Null + } + } + } + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys ` + -IncludedDrifts $driftedParams + + if(-not $TestResult) + { + $testTargetResource = $false + } + + Write-Verbose -Message "Test-TargetResource returned $testTargetResource" + + return $testTargetResource +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + 
[Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaNetworkAccessForwardingPolicy -Expand * -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Name + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Name = $config.Name + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($null -ne $Results.PolicyRules) + { + $Results.PolicyRules = Get-MicrosoftGraphNetworkAccessForwardingPolicyRulesAsString -PolicyRules $Results.PolicyRules + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results 
$Results ` + -Credential $Credential + + if ($null -ne $Results.PolicyRules) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'PolicyRules' + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-MicrosoftGraphNetworkAccessForwardingPolicyRules +{ + [CmdletBinding()] + [OutputType([System.Collections.ArrayList])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $PolicyRules + ) + + $newPolicyRules = @() + foreach ($rule in $PolicyRules) { + $destinations = @() + foreach ($destination in $rule.AdditionalProperties.destinations) { + $destinations += $destination.value + } + $newPolicyRules += @{ + Name = $rule.Name + ActionValue = $rule.AdditionalProperties.action + RuleType = $rule.AdditionalProperties.ruleType + Ports = $rule.AdditionalProperties.ports + Protocol = $rule.AdditionalProperties.protocol + Destinations = $destinations + } + } + + return $newPolicyRules +} + +function Get-MicrosoftGraphNetworkAccessForwardingPolicyRulesAsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $PolicyRules + ) + + $StringContent = [System.Text.StringBuilder]::new() + $StringContent.Append('@(') | Out-Null + + foreach ($rule in $PolicyRules) + { + $StringContent.Append("`n MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule {`r`n") | Out-Null + $StringContent.Append(" Name = '" + $rule.Name + "'`r`n") | Out-Null + $StringContent.Append(" ActionValue = '" + $rule.ActionValue + "'`r`n") | 
Out-Null + $StringContent.Append(" RuleType = '" + $rule.RuleType + "'`r`n") | Out-Null + $StringContent.Append(" Protocol = '" + $rule.Protocol + "'`r`n") | Out-Null + $StringContent.Append(" Ports = @(" + $($rule.Ports -join ", ") + ")`r`n") | Out-Null + $StringContent.Append(" Destinations = @(" + $(($rule.Destinations | ForEach-Object { "'$_'" }) -join ", ") + ")`r`n") | Out-Null + $StringContent.Append(" }`r`n") | Out-Null + } + + $StringContent.Append(' )') | Out-Null + return $StringContent.ToString() +} + + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/MSFT_AADNetworkAccessForwardingPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/MSFT_AADNetworkAccessForwardingPolicy.schema.mof new file mode 100644 index 0000000000..78c92d1747 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/MSFT_AADNetworkAccessForwardingPolicy.schema.mof 
@@ -0,0 +1,24 @@ +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule +{ + [Write, Description("Policy Rule Name. Required")] String Name; + [Write, Description("Action value.")] String ActionValue; + [Write, Description("Type of Rule")] String RuleType; + [Write, Description("List of Ports.")] UInt32 Ports[]; + [Write, Description("Protocol Value")] String Protocol; + [Write, Description("List of destinations.")] String Destinations[]; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADNetworkAccessForwardingPolicy")] +class MSFT_AADNetworkAccessForwardingPolicy : OMI_BaseResource +{ + [Key, Description("Name of the forwarding policy")] String Name; + [Write, Description("List of rules associated to this forwarding policy."), EmbeddedInstance("MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule")] String PolicyRules[]; + + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/readme.md new file mode 100644 index 0000000000..0eb3e52feb --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/readme.md 
@@ -0,0 +1,6 @@ + +# AADNetworkAccessForwardingPolicy + +## Description + +Use this resource to monitor the forwarding policy rules associated with the forwarding policies. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/settings.json new file mode 100644 index 0000000000..1c3b2ce323 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/settings.json @@ -0,0 +1,32 @@ +{ + "resourceName": "AADNetworkAccessForwardingPolicy", + "description": "Use this resource to monitor the forwarding policy rules associated with the forwarding policies.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "NetworkAccessPolicy.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccessPolicy.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "NetworkAccessPolicy.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccessPolicy.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/MSFT_AADNetworkAccessForwardingProfile.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/MSFT_AADNetworkAccessForwardingProfile.psm1 new file mode 100644 index 0000000000..a1e6c27217 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/MSFT_AADNetworkAccessForwardingProfile.psm1 
@@ -0,0 +1,534 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Policies, + + #endregion + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + + $getValue = $null + #region resource generator code + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $getValue = Get-MgBetaNetworkAccessForwardingProfile -ForwardingProfileId $Id -ErrorAction SilentlyContinue + } + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Network Access Forwarding Profile with Id:{$Id}" + + if (-not [System.String]::IsNullOrEmpty($Name)) + { + $getValue = Get-MgBetaNetworkAccessForwardingProfile -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $Name } + } + } + + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Network Access Forwarding Profile with name {$Name}." 
+ return $nullResult + } + + Write-Verbose -Message "An Azure AD Network Access Forwarding Profile with {$Id} and {$Name} was found" + + $forwardingProfilePolicies = Get-MgBetaNetworkAccessForwardingProfilePolicy -ForwardingProfileId $getValue.Id -ErrorAction SilentlyContinue + + if ($null -ne $forwardingProfilePolicies) + { + Write-Verbose -Message "An Azure AD Network Access Forwarding Profile Policy with $($forwardingProfilePolicies.Id) and $($forwardingProfilePolicies.Name) was found" + } + + $complexPolicies = @() + foreach ($currentPolicy in $forwardingProfilePolicies) + { + $myPolicies = @{} + $myPolicies.Add('Name', $currentPolicy.Policy.Name) + $myPolicies.Add('State', $currentPolicy.State) + $myPolicies.Add('PolicyLinkId', $currentPolicy.Id) + if ($myPolicies.values.Where({ $null -ne $_ }).Count -gt 0) + { + $complexPolicies += $myPolicies + } + } + + + $results = @{ + Name = $getValue.Name + Id = $getValue.Id + State = $getValue.State + Policies = $complexPolicies + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Policies, + + #endregion + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] 
+ $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + # Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($null -ne $currentInstance) + { + Write-Verbose -Message "Updating the Azure AD Network Access Forwarding Profile with {$($currentInstance.Id)}" + + $updateParameters = ([Hashtable]$BoundParameters).Clone() + $updateParameters = Rename-M365DSCCimInstanceParameter -Properties $updateParameters + + $updateParameters.Remove('Id') | Out-Null + + $keys = (([Hashtable]$updateParameters).Clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $updateParameters.$key -and $updateParameters.$key.GetType().Name -like '*CimInstance*') + { + $updateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $updateParameters.$key + } + } + Write-Verbose -Message "Updating the Azure AD Network Access Forwarding Profile with {$($currentInstance.Id)} {$($currentInstance.Name)} State" + Update-MgBetaNetworkAccessForwardingProfile ` + -ForwardingProfileId $currentInstance.Id ` + -State $updateParameters.State + + $currentPolicies = $currentInstance.Policies + $updatedPolicies = $updateParameters.Policies + + # update the current policy's state with the updated policy's state. 
+ foreach ($currentPolicy in $currentPolicies) + { + $updatedPolicy = $updatedPolicies | Where-Object { $_.Name -eq $currentPolicy.Name } + if ($null -ne $updatedPolicy) + { + Write-Verbose -Message "Updating the Azure AD Network Access Forwarding Profile Policy with Id {$($currentPolicy.PolicyLinkId)} {$($currentPolicy.Name)}" + Update-MgBetaNetworkAccessForwardingProfilePolicy ` + -ForwardingProfileId $currentInstance.Id ` + -PolicyLinkId $currentPolicy.PolicyLinkId ` + -State $updatedPolicy.State + } + } + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Policies, + + #endregion + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Network Access Forwarding Profile with Id:{$Id} and Name:{$Name}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($null -eq $CurrentValues) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + 
[System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaNetworkAccessForwardingProfile ` + -Filter $Filter ` + -All ` + -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + Name = $config.Name + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if 
($Results.Policies.Count -gt 0) + { + $Results.Policies = Get-PoliciesAsString $Results.Policies + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($null -ne $Results.Policies) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'Policies' + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-PoliciesAsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $Policies + ) + + $StringContent = '@(' + foreach ($policy in $Policies) + { + $StringContent += "MSFT_MicrosoftGraphNetworkaccessPolicyLink {`r`n" + $StringContent += " State = '" + $policy.State + "'`r`n" + $StringContent += " PolicyLinkId = '" + $policy.PolicyLinkId + "'`r`n" + $StringContent += " Name = '" + $policy.Name + "'`r`n" + $StringContent += " }`r`n" + } + $StringContent += ' )' + return $StringContent +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/MSFT_AADNetworkAccessForwardingProfile.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/MSFT_AADNetworkAccessForwardingProfile.schema.mof new file mode 100644 index 0000000000..4bd1149ec8 --- /dev/null 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/MSFT_AADNetworkAccessForwardingProfile.schema.mof @@ -0,0 +1,24 @@ + +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphNetworkaccessPolicyLink +{ + [Write, Description("Policy Name. Required")] String Name; + [Write, Description("Policy Link Id")] String PolicyLinkId; + [Write, Description("status")] String state; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADNetworkAccessForwardingProfile")] +class MSFT_AADNetworkAccessForwardingProfile : OMI_BaseResource +{ + [Key, Description("Profile Name. Required.")] String Name; + [Write, Description("Id of the profile. Unique Identifier")] String Id; + [Write, Description("status of the profile")] String State; + [Write, Description("Traffic forwarding policies associated with this profile."), EmbeddedInstance("MSFT_MicrosoftGraphNetworkaccessPolicyLink")] String Policies[]; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/readme.md new file mode 100644 index 0000000000..385d36537f 
--- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/readme.md @@ -0,0 +1,7 @@ + +# AADNetworkAccessForwardingProfile + +## Description + +This resource configure the Azure AD Network Access Forwarding Profile + diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/settings.json new file mode 100644 index 0000000000..4a473ad41b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/settings.json @@ -0,0 +1,33 @@ + +{ + "resourceName": "AADNetworkAccessForwardingProfile", + "description": "This resource configures an Azure AD Network Access Forwarding Profile.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "NetworkAccess.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccess.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "NetworkAccess.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccess.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/MSFT_AADNetworkAccessSettingConditionalAccess.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/MSFT_AADNetworkAccessSettingConditionalAccess.psm1 new file mode 100644 index 0000000000..4b80f2f5c9 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/MSFT_AADNetworkAccessSettingConditionalAccess.psm1 
@@ -0,0 +1,304 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.String] + $SignalingStatus, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + $instance = Get-MgBetaNetworkAccessSettingCOnditionalAccess + $results = @{ + IsSingleInstance = 'Yes' + SignalingStatus = $instance.SignalingStatus + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + 
[Parameter(Mandatory = $true)] + [System.String] + $SignalingStatus, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Updating the Conditional Access Settings" + Update-MgBetaNetworkAccessSettingConditionalAccess -SignalingStatus $SignalingStatus +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter(Mandatory = $true)] + [System.String] + $SignalingStatus, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + + $Global:M365DSCExportResourceInstancesCount++ + + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/MSFT_AADNetworkAccessSettingConditionalAccess.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/MSFT_AADNetworkAccessSettingConditionalAccess.schema.mof new file mode 100644 index 0000000000..d547a01e5f --- /dev/null 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/MSFT_AADNetworkAccessSettingConditionalAccess.schema.mof @@ -0,0 +1,12 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADNetworkAccessSettingConditionalAccess")] +class MSFT_AADNetworkAccessSettingConditionalAccess : OMI_BaseResource +{ + [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("Enable CA Signaling for Entra ID (covering all cloud apps). Accepted values are enabled or disabled.")] String SignalingStatus; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/readme.md new file mode 100644 index 0000000000..d1a3be1a6d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/readme.md @@ -0,0 +1,6 @@ + +# AADNetworkAccessSettingConditionalAccess + +## Description + +Configures the adaptive access settings in Entra Id 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/settings.json new file mode 100644 index 0000000000..7c5706db4b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/settings.json @@ -0,0 +1,28 @@ +{ + "resourceName": "AADNetworkAccessSettingConditionalAccess", + "description": "Configures the adaptive access settings in Entra Id.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "NetworkAccess.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccess.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/MSFT_AADNetworkAccessSettingCrossTenantAccess.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/MSFT_AADNetworkAccessSettingCrossTenantAccess.psm1 new file mode 100644 index 0000000000..00cb645cea --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/MSFT_AADNetworkAccessSettingCrossTenantAccess.psm1 
@@ -0,0 +1,304 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.String] + $NetworkPacketTaggingStatus, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + $instance = Get-MgBetaNetworkAccessSettingCrossTenantAccess + $results = @{ + IsSingleInstance = 'Yes' + NetworkPacketTaggingStatus = $instance.NetworkPacketTaggingStatus + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + 
[System.String] + $IsSingleInstance, + + [Parameter(Mandatory = $true)] + [System.String] + $NetworkPacketTaggingStatus, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Updating the Cross Tenant Access Settings" + Update-MgBetaNetworkAccessSettingCrossTenantAccess -NetworkPacketTaggingStatus $NetworkPacketTaggingStatus +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter(Mandatory = $true)] + [System.String] + $NetworkPacketTaggingStatus, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + + $Global:M365DSCExportResourceInstancesCount++ + + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/MSFT_AADNetworkAccessSettingCrossTenantAccess.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/MSFT_AADNetworkAccessSettingCrossTenantAccess.schema.mof new file mode 100644 index 0000000000..17ab4b7810 --- /dev/null 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/MSFT_AADNetworkAccessSettingCrossTenantAccess.schema.mof @@ -0,0 +1,12 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADNetworkAccessSettingCrossTenantAccess")] +class MSFT_AADNetworkAccessSettingCrossTenantAccess : OMI_BaseResource +{ + [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("Enable Tenant Restrictions for Entra ID (covering all cloud apps). Accepted values are enabled or disabled.")] String NetworkPacketTaggingStatus; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/readme.md new file mode 100644 index 0000000000..911270ed2b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/readme.md @@ -0,0 +1,6 @@ + +# AADNetworkAccessSettingCrossTenantAccess + +## Description + +Configures the universal tenant restrictions in Entra Id 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/settings.json new file mode 100644 index 0000000000..fc96fbdfea --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/settings.json @@ -0,0 +1,28 @@ +{ + "resourceName": "AADNetworkAccessSettingCrossTenantAccess", + "description": "Configures the universal tenant restrictions in Entra Id.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "NetworkAccess.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccess.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 index cee000347d..2dfbda00b9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 @@ -80,6 +80,14 @@ function Get-TargetResource [System.String[]] $Tags, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $KeyCredentials, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $PasswordCredentials, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] 
@@ -230,6 +238,60 @@ function Get-TargetResource $complexDelegatedPermissionClassifications += $hashtable } + $complexKeyCredentials = @() + foreach ($currentkeyCredentials in $AADServicePrincipal.keyCredentials) + { + $mykeyCredentials = @{} + if($null -ne $currentkeyCredentials.customKeyIdentifier) + { + $mykeyCredentials.Add('CustomKeyIdentifier', [convert]::ToBase64String($currentkeyCredentials.customKeyIdentifier)) + } + $mykeyCredentials.Add('DisplayName', $currentkeyCredentials.displayName) + if ($null -ne $currentkeyCredentials.endDateTime) + { + $mykeyCredentials.Add('EndDateTime', ([DateTimeOffset]$currentkeyCredentials.endDateTime).ToString('o')) + } + $mykeyCredentials.Add('KeyId', $currentkeyCredentials.keyId) + + + if($null -ne $currentkeyCredentials.Key) + { + $mykeyCredentials.Add('Key', [convert]::ToBase64String($currentkeyCredentials.key)) + } + + if ($null -ne $currentkeyCredentials.startDateTime) + { + $mykeyCredentials.Add('StartDateTime', ([DateTimeOffset]$currentkeyCredentials.startDateTime).ToString('o')) + } + $mykeyCredentials.Add('Type', $currentkeyCredentials.type) + $mykeyCredentials.Add('Usage', $currentkeyCredentials.usage) + if ($mykeyCredentials.values.Where({$null -ne $_}).Count -gt 0) + { + $complexKeyCredentials += $mykeyCredentials + } + } + + $complexPasswordCredentials = @() + foreach ($currentpasswordCredentials in $AADServicePrincipal.passwordCredentials) + { + $mypasswordCredentials = @{} + $mypasswordCredentials.Add('DisplayName', $currentpasswordCredentials.displayName) + if ($null -ne $currentpasswordCredentials.endDateTime) + { + $mypasswordCredentials.Add('EndDateTime', ([DateTimeOffset]$currentpasswordCredentials.endDateTime).ToString('o')) + } + $mypasswordCredentials.Add('Hint', $currentpasswordCredentials.hint) + $mypasswordCredentials.Add('KeyId', $currentpasswordCredentials.keyId) + if ($null -ne $currentpasswordCredentials.startDateTime) + { + $mypasswordCredentials.Add('StartDateTime', 
([DateTimeOffset]$currentpasswordCredentials.startDateTime).ToString('o')) + } + if ($mypasswordCredentials.values.Where({$null -ne $_}).Count -gt 0) + { + $complexPasswordCredentials += $mypasswordCredentials + } + } + $complexCustomSecurityAttributes = [Array](Get-CustomSecurityAttributes -AppId $AppId) if ($null -eq $complexCustomSecurityAttributes) { $complexCustomSecurityAttributes = @() @@ -255,6 +317,8 @@ function Get-TargetResource ServicePrincipalNames = $AADServicePrincipal.ServicePrincipalNames ServicePrincipalType = $AADServicePrincipal.ServicePrincipalType Tags = $AADServicePrincipal.Tags + KeyCredentials = $complexKeyCredentials + PasswordCredentials = $complexPasswordCredentials Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId @@ -362,6 +426,14 @@ function Set-TargetResource [System.String[]] $Tags, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $KeyCredentials, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $PasswordCredentials, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] @@ -462,7 +534,7 @@ function Set-TargetResource $newOwner = New-MgServicePrincipalOwnerByRef -ServicePrincipalId $newSP.Id -BodyParameter $body } - #adding delegated permissions classifications + # Adding delegated permissions classifications if($null -ne $DelegatedPermissionClassifications){ foreach ($permissionClassification in $DelegatedPermissionClassifications){ $params = @{ @@ -721,6 +793,14 @@ function Test-TargetResource [System.String[]] $Tags, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $KeyCredentials, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $PasswordCredentials, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] 
@@ -851,6 +931,7 @@ function Export-TargetResource [Parameter()] [System.String[]] $AccessTokens + ) $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters @@ -909,6 +990,34 @@ function Export-TargetResource { $Results.DelegatedPermissionClassifications = Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications -PermissionClassifications $Results.DelegatedPermissionClassifications } + if ($null -ne $Results.KeyCredentials) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.KeyCredentials ` + -CIMInstanceName 'MicrosoftGraphkeyCredential' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.KeyCredentials = $complexTypeStringResult + } + else + { + $Results.Remove('KeyCredentials') | Out-Null + } + } + if ($null -ne $Results.PasswordCredentials) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.PasswordCredentials ` + -CIMInstanceName 'MicrosoftGraphpasswordCredential' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.PasswordCredentials = $complexTypeStringResult + } + else + { + $Results.Remove('PasswordCredentials') | Out-Null + } + } if ($Results.CustomSecurityAttributes.Count -gt 0) { $Results.CustomSecurityAttributes = Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsString -CustomSecurityAttributes $Results.CustomSecurityAttributes 
@@ -928,11 +1037,24 @@ function Export-TargetResource $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` -ParameterName 'DelegatedPermissionClassifications' } + if ($null -ne $Results.KeyCredentials) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName "KeyCredentials" -IsCIMArray:$True + } + + if ($null -ne $Results.PasswordCredentials) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName "PasswordCredentials" -IsCIMArray:$True + } + if ($null -ne $Results.CustomSecurityAttributes) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` -ParameterName 'CustomSecurityAttributes' } + $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof index 3b2c37bc14..229f10d7c0 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof 
@@ -61,4 +61,29 @@ class MSFT_AADServicePrincipal : OMI_BaseResource [Write, Description("Credentials of the Azure AD Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; [Write, Description("Access token used for authentication.")] String AccessTokens[]; + [Write, Description("The collection of password credentials associated with the service principal. Not nullable."), EmbeddedInstance("MSFT_MicrosoftGraphpasswordCredential")] String PasswordCredentials[]; + [Write, Description("The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, NOT, ge, le)."), EmbeddedInstance("MSFT_MicrosoftGraphkeyCredential")] String KeyCredentials[]; +}; + +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphKeyCredential +{ + [Write, Description("A 40-character binary type that can be used to identify the credential. Optional. When not provided in the payload, defaults to the thumbprint of the certificate.")] String CustomKeyIdentifier; + [Write, Description("Friendly name for the key. Optional.")] String DisplayName; + [Write, Description("The date and time at which the credential expires. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.")] String EndDateTime; + [Write, Description("The unique identifier (GUID) for the key.")] String KeyId; + [Write, Description("The certificate's raw data in byte array converted to Base64 string.")] String Key; + [Write, Description("The date and time at which the credential becomes valid.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. 
For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.")] String StartDateTime; + [Write, Description("The type of key credential for example, Symmetric, AsymmetricX509Cert.")] String Type; + [Write, Description("A string that describes the purpose for which the key can be used for example, Verify.")] String Usage; +}; + +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphPasswordCredential +{ + [Write, Description("Friendly name for the password. Optional.")] String DisplayName; + [Write, Description("The date and time at which the password expires represented using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Optional.")] String EndDateTime; + [Write, Description("Contains the first three characters of the password. Read-only.")] String Hint; + [Write, Description("The unique identifier for the password.")] String KeyId; + [Write, Description("The date and time at which the password becomes valid. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Optional.")] String StartDateTime; }; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/MSFT_AADUserFlowAttribute.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/MSFT_AADUserFlowAttribute.psm1 new file mode 100644 index 0000000000..fe59ebd78f --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/MSFT_AADUserFlowAttribute.psm1 
@@ -0,0 +1,444 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DataType, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + Write-Verbose -Message "Getting configuration of user flow attribute: $DisplayName" + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + Write-Verbose -Message 'Getting configuration of user flow attribute' + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullReturn = $PSBoundParameters + $nullReturn.Ensure = 'Absent' + + $userFlowAttribute = $null + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $userFlowAttribute = $Script:exportedInstances | Where-Object -FilterScript { $_.Id -eq $Id } + } + elseif (-not [System.String]::IsNullOrEmpty($Id)) + { + $UserFlowAttribute = Get-MgBetaIdentityUserFlowAttribute -IdentityUserFlowAttributeId $Id -ErrorAction SilentlyContinue + } + + if ($null -eq $UserFlowAttribute -and -not [System.String]::IsNullOrEmpty($DisplayName)) + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $UserFlowAttribute = $Script:exportedInstances | Where-Object -FilterScript { $_.DisplayName -eq $DisplayName } + } + else + { + $UserFlowAttribute = Get-MgBetaIdentityUserFlowAttribute -Filter "displayName eq '$DisplayName'" + } + } + + if ($null -eq $UserFlowAttribute) + { + return $nullReturn + } + try + { + Write-Verbose -Message "Found configuration of user flow attribute $($DisplayName)" + $result = @{ + Id = $UserFlowAttribute.Id + DisplayName = $UserFlowAttribute.DisplayName + Description = $UserFlowAttribute.Description + DataType = $UserFlowAttribute.DataType + Ensure = 'Present' + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + Credential = $Credential + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + Write-Verbose -Message "Get-TargetResource Result: `n $(Convert-M365DscHashtableToString -Hashtable $result)" + return $result + } + catch + { + New-M365DSCLogEntry 
-Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullReturn + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DataType, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + Write-Verbose -Message "Setting configuration of user flow attribute: $DisplayName" + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentUserFlowAttribute = Get-TargetResource @PSBoundParameters + + # doesn't exist but it should + if ($Ensure -eq 'Present' -and $currentUserFlowAttribute.Ensure -eq 'Absent') + { + Write-Verbose -Message "The user flow attribute '$($DisplayName)' does not exist but it should. Creating it." 
+ + try + { + New-MgBetaIdentityUserFlowAttribute -DataType $DataType -Description $Description -DisplayName $DisplayName + } + catch + { + Write-Error -ErrorRecord $_ + } + } + #exists but shouldn't + elseif ($Ensure -eq 'Absent' -and $currentUserFlowAttribute.Ensure -eq 'Present') + { + Write-Verbose -Message "User flow attribute '$($DisplayName)' exists but shouldn't. Removing it." + Remove-MgBetaIdentityUserFlowAttribute -IdentityUserFlowAttributeId $Id + } + elseif ($Ensure -eq 'Present' -and $currentUserFlowAttribute.Ensure -eq 'Present') + { + Write-Verbose -Message "User flow attribute '$($DisplayNameName)' already exists. Updating settings" + + if ($currentUserFlowAttribute.DisplayName -ne $DisplayName -or $currentUserFlowAttribute.DataType -ne $DataType) + { + Write-Warning -Message "There is a deviation in display name and data type for the resource with ID '$($Id)' but these values are not settable so cannot update them." + } + + Write-Verbose -Message "Updating description of user flow attribute with display name '$($DisplayName)'" + Update-MgBetaIdentityUserFlowAttribute -IdentityUserFlowAttributeId $Id -Description $Description + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DataType, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + 
$AccessTokens + ) + $Script:ExportMode = $false + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of User flow attribute : $DisplayName" + + $CurrentValues = Get-TargetResource @PSBoundParameters + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + $ValuesToCheck = $PSBoundParameters + + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $TestResult" + + return $TestResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaIdentityUserFlowAttribute -Filter "userFlowAttributeType ne 'builtIn'" -Sort DisplayName -ErrorAction Stop + $i = 1 + $dscContent = '' + Write-Host "`r`n" -NoNewline + foreach ($userFlowAttribute in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $($userFlowAttribute.DisplayName)" -NoNewline + $Params = @{ + Id = $userFlowAttribute.Id + DisplayName = $userFlowAttribute.DisplayName + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + ApplicationSecret = $ApplicationSecret + Credential = $Credential + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + + if ($Results.Ensure -eq 'Present') + { + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + } + Write-Host $Global:M365DSCEmojiGreenCheckMark + $i++ + } + return $dscContent + } + + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source 
$($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/MSFT_AADUserFlowAttribute.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/MSFT_AADUserFlowAttribute.schema.mof new file mode 100644 index 0000000000..85ea343f0a --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/MSFT_AADUserFlowAttribute.schema.mof 
@@ -0,0 +1,16 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADUserFlowAttribute")] +class MSFT_AADUserFlowAttribute : OMI_BaseResource +{ + [Write, Description("User flow attribute Id.")] String Id; + [Key, Description("Display name of the user flow attribute.")] String DisplayName; + [Write, Description("Description of the user flow attribute.")] String Description; + [Write, Description("Defines the user flow attribute data type.")] String DataType; + [Write, Description("Specify if the Azure AD role setting should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; + [Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/Readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/Readme.md new file mode 100644 index 0000000000..11fae742e2 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/Readme.md 
@@ -0,0 +1,5 @@ +# AADUserFlowAttribute + +## Description + +This resource configure User flow attributes which are custom attributes that you can define and use in your user flows, which are predefined, configurable policies that control the user experience during sign-up, sign-in, and profile editing processes. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/settings.json new file mode 100644 index 0000000000..d2178e7964 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/settings.json @@ -0,0 +1,29 @@ +{ + "resourceName": "AADUserflowAttribute", + "description": "This resource configures an Azure User Flow attribute..", + "roles": { + "read": [], + "update": [ + "External ID User Flow Attribute Administrator" + ] + }, + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "IdentityUserFlow.Read.All" + }, + { + "name": "IdentityUserFlow.ReadWrite.All" + } + ], + "update": [ + { + "name": "IdentityUserFlow.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/MSFT_AADVerifiedIdAuthority.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/MSFT_AADVerifiedIdAuthority.psm1 new file mode 100644 index 0000000000..e986ac2baf --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/MSFT_AADVerifiedIdAuthority.psm1 
@@ -0,0 +1,591 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [System.String] + $Id, + + [Parameter()] + [System.String] + $Name, + + [Parameter(Mandatory = $true)] + [System.String] + $LinkedDomainUrl, + + [Parameter()] + [System.String] + $DidMethod, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $KeyVaultMetadata, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'AdminAPI' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instances = $Script:exportedInstances + } + else + { + $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" + $response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET' + $instances = $response.value + } + if ($null -eq $instances) + { + return $nullResult + } + + $instance = Get-M365DSCVerifiedIdAuthorityObject -Authority ($instances | Where-Object -FilterScript {$_.didModel.linkedDomainUrls[0] -eq $LinkedDomainUrl}) + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Id = $instance.Id + Name = $instance.Name + LinkedDomainUrl = $instance.LinkedDomainUrl + DidMethod = $instance.DidMethod + KeyVaultMetadata = $instance.KeyVaultMetadata + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [System.String] + $Id, + + [Parameter()] + [System.String] + $Name, + + [Parameter(Mandatory = $true)] + [System.String] + $LinkedDomainUrl, + + [Parameter()] + [System.String] + $DidMethod, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance] + $KeyVaultMetadata, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + New-M365DSCConnection -Workload 'AdminAPI' ` + -InboundParameters $PSBoundParameters | Out-Null + + $currentInstance = Get-TargetResource @PSBoundParameters + + Write-Verbose -Message "Retrieved current instance: $($currentInstance.Name) with Id $($currentInstance.Id)" + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities/" + $currentInstance.Id + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an VerifiedId Authority with Name {$Name} and Id $($currentInstance.Id)" + + $body = @{ + name = $Name + linkedDomainUrl = $LinkedDomainUrl + didMethod = $DidMethod + keyVaultMetadata = @{ + subscriptionId = $KeyVaultMetadata.SubscriptionId + resourceGroup = $KeyVaultMetadata.ResourceGroup + resourceName = $KeyVaultMetadata.ResourceName + resourceUrl = 
$KeyVaultMetadata.ResourceUrl + } + } + Write-Verbose -Message "Creating VerifiedId Authority with body $($body | ConvertTo-Json -Depth 5)" + + $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" + Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'POST' -Body $body + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating an VerifiedId Authority with Name {$Name} and Id $($currentInstance.Id)" + + Write-Warning -Message "You can only update Name of the VerifiedId Authority, if you want to update other properties, please delete and recreate the VerifiedId Authority." + $body = @{ + name = $Name + } + Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'PATCH' -Body $body + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing VerifiedId Authority with Name {$Name} and Id $($currentInstance.Id)" + + $uri = "https://verifiedid.did.msidentity.com/beta/verifiableCredentials/authorities/" + $currentInstance.Id + Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'DELETE' + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [System.String] + $Id, + + [Parameter()] + [System.String] + $Name, + + [Parameter(Mandatory = $true)] + [System.String] + $LinkedDomainUrl, + + [Parameter()] + [System.String] + $DidMethod, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $KeyVaultMetadata, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + 
$ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message 'Testing configuration of AADVerifiedIdAuthority' + + $CurrentValues = Get-TargetResource @PSBoundParameters + + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + $testTargetResource = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*' -and $source -notlike '*Permission*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + Write-Verbose "TestResult returned False for $source" + $testTargetResource = $false + } + else { + $ValuesToCheck.Remove($key) | Out-Null + } + } + } + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys ` + -IncludedDrifts $driftedParams + + if(-not $TestResult) + { + $testTargetResource = $false + } + + + Write-Verbose -Message "Test-TargetResource returned $testTargetResource" + + return $testTargetResource + + +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + 
( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'AdminAPI' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $dscContent = [System.Text.StringBuilder]::new() + $i = 1 + Write-Host "`r`n" -NoNewline + try + { + $Script:ExportMode = $true + $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" + $response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET' + [array] $Script:exportedInstances = $response.value + + foreach ($authority in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $($authority.didModel.linkedDomainUrls[0])" -NoNewline + $Params = @{ + LinkedDomainUrl = $authority.didModel.linkedDomainUrls[0] + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + Credential = $Credential + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + $Results = Get-TargetResource @Params + if 
($Results.Ensure -eq 'Present') + { + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($null -ne $Results.KeyVaultMetadata) + { + $complexMapping = @( + @{ + Name = 'KeyVaultMetadata' + CimInstanceName = 'AADVerifiedIdAuthorityKeyVaultMetadata' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.KeyVaultMetadata ` + -CIMInstanceName 'AADVerifiedIdAuthorityKeyVaultMetadata' ` + -ComplexTypeMapping $complexMapping + + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.KeyVaultMetadata = $complexTypeStringResult + } + else + { + $Results.Remove('KeyVaultMetadata') | Out-Null + } + } + + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.KeyVaultMetadata) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "KeyVaultMetadata" -IsCIMArray:$False + } + + $dscContent.Append($currentDSCBlock) | Out-Null + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + Write-Host $Global:M365DSCEmojiGreenCheckMark + $i++ + } + } + return $dscContent.ToString() + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + + +function Get-M365DSCVerifiedIdAuthorityObject +{ + [CmdletBinding()] + [OutputType([PSCustomObject])] + param( + [Parameter()] + $Authority + ) + + if ($null -eq $Authority) + { + return $null + } + + Write-Verbose -Message "Retrieving values for authority {$($Authority.didModel.linkedDomainUrls[0])}" + $did = ($Authority.didModel.did -split ":")[1] + $values = @{ + 
Id = $Authority.Id + Name = $Authority.Name + LinkedDomainUrl = $Authority.didModel.linkedDomainUrls[0] + DidMethod = $did + } + if ($null -ne $Authority.KeyVaultMetadata) + { + $KeyVaultMetadata = @{ + SubscriptionId = $Authority.KeyVaultMetadata.SubscriptionId + ResourceGroup = $Authority.KeyVaultMetadata.ResourceGroup + ResourceName = $Authority.KeyVaultMetadata.ResourceName + ResourceUrl = $Authority.KeyVaultMetadata.ResourceUrl + } + + $values.Add('KeyVaultMetadata', $KeyVaultMetadata) + } + return $values +} + +function Invoke-M365DSCVerifiedIdWebRequest +{ + [OutputType([PSCustomObject])] + [CmdletBinding()] + param( + [Parameter(Mandatory = $true)] + [System.String] + $Uri, + + [Parameter()] + [System.String] + $Method = 'GET', + + [Parameter()] + [System.Collections.Hashtable] + $Body + ) + + $headers = @{ + Authorization = $Global:MSCloudLoginConnectionProfile.AdminAPI.AccessToken + "Content-Type" = "application/json" + } + + if($Method -eq 'PATCH' -or $Method -eq 'POST') + { + $BodyJson = $body | ConvertTo-Json + $response = Invoke-WebRequest -Method $Method -Uri $Uri -Headers $headers -Body $BodyJson + } + else { + $response = Invoke-WebRequest -Method $Method -Uri $Uri -Headers $headers + } + + if($Method -eq 'DELETE') + { + return $null + } + $result = ConvertFrom-Json $response.Content + return $result +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/MSFT_AADVerifiedIdAuthority.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/MSFT_AADVerifiedIdAuthority.schema.mof new file mode 100644 index 0000000000..f22542ecdd --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/MSFT_AADVerifiedIdAuthority.schema.mof 
@@ -0,0 +1,28 @@ +[ClassVersion("1.0.0")] +class MSFT_AADVerifiedIdAuthorityKeyVaultMetadata +{ + [Write, Description("Subscription ID of the Key Vault.")] String SubscriptionId; + [Write, Description("Resource group of the Key Vault.")] String ResourceGroup; + [Write, Description("Resource name of the Key Vault.")] String ResourceName; + [Write, Description("Resource URL of the Key Vault.")] String ResourceUrl; +}; + + +[ClassVersion("1.0.0.0"), FriendlyName("AADVerifiedIdAuthority")] +class MSFT_AADVerifiedIdAuthority : OMI_BaseResource +{ + [Write, Description("Name of the Verified ID Authority.")] String Name; + [Write, Description("Id of the Verified ID Authority.")] String Id; + [Key, Description("URL of the linked domain.")] String LinkedDomainUrl; + [Write, Description("DID method used by the Verified ID Authority.")] String DidMethod; + [Write, Description("Key Vault metadata for the Verified ID Authority."), EmbeddedInstance("MSFT_AADVerifiedIdAuthorityKeyVaultMetadata")] String KeyVaultMetadata; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] 
String AccessTokens[]; +}; + diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/readme.md new file mode 100644 index 0000000000..b68d06b45e --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/readme.md @@ -0,0 +1,8 @@ + +# AADVerifiedIdAuthority + +## Description + +Azure AD Verified Identity Authority +Use the VerifiableCredential.Authority.ReadWrite permission to read and write the authority. +Documentation Link: https://learn.microsoft.com/en-us/entra/verified-id/admin-api#authorities diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/settings.json new file mode 100644 index 0000000000..cf3ac1ac16 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/settings.json @@ -0,0 +1,17 @@ +{ + "resourceName": "AADVerifiedIdAuthority", + "description": "This resource configures an Azure AD Verified Identity Authority.", + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/MSFT_AADVerifiedIdAuthorityContract.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/MSFT_AADVerifiedIdAuthorityContract.psm1 new file mode 100644 index 0000000000..1282f29af5 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/MSFT_AADVerifiedIdAuthorityContract.psm1 
@@ -0,0 +1,938 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter()] + [System.String] + $id, + + [Parameter(Mandatory = $true)] + [System.String] + $linkedDomainUrl, + + [Parameter()] + [System.String] + $authorityId, + + [Parameter(Mandatory = $true)] + [System.String] + $name, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $displays, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $rules, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'AdminAPI' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instances = $Script:exportedInstances + } + else + { + $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" + $response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET' + $authorities = $response.value + if ($null -eq $authorities) + { + return $nullResult + } + $authority = Get-M365DSCVerifiedIdAuthorityObject -Authority ($authorities | Where-Object -FilterScript {$_.didModel.linkedDomainUrls[0] -eq $linkedDomainUrl}) + + if ($null -eq $authority) + { + return $nullResult + } + + $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities/$($authority.Id)/contracts" + $response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET' + $contracts = $response.value + } + if ($null -eq $contracts) + { + return $nullResult + } + + $contract = Get-M365DSCVerifiedIdAuthorityContractObject -Contract ($contracts | Where-Object -FilterScript {$_.name -eq $name}) + if ($null -eq $contract) + { + return $nullResult + } + + $results = @{ + id = $contract.id + name = $contract.name + linkedDomainUrl = $linkedDomainUrl + authorityId = $authority.Id + displays = $contract.displays + rules = $contract.rules + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + + } + catch + { + 
New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $id, + + [Parameter(Mandatory = $true)] + [System.String] + $linkedDomainUrl, + + [Parameter()] + [System.String] + $authorityId, + + [Parameter(Mandatory = $true)] + [System.String] + $name, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $displays, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $rules, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + New-M365DSCConnection -Workload 'AdminAPI' ` + -InboundParameters $PSBoundParameters | Out-Null + + $currentInstance = Get-TargetResource @PSBoundParameters + + Write-Verbose -Message "Retrieved current instance: $($currentInstance.Name) with Id $($currentInstance.Id)" + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $rulesHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $rules + $displaysHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $displays + if($rulesHashmap.attestations.idTokens -ne $null) + { + foreach($idToken in $rulesHashmap.attestations.idTokens) + { + if($idToken.scopeValue -ne $null) + { + $idToken.Add('scope', $idToken.scopeValue) + $idToken.Remove('scopeValue') | Out-Null + } + } + + } + + $body = @{ + name = $Name + rules = $rulesHashmap + displays = $displaysHashmap + } + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" + $response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET' + $authorities = $response.value + $authority = Get-M365DSCVerifiedIdAuthorityObject -Authority ($authorities | Where-Object -FilterScript {$_.didModel.linkedDomainUrls[0] -eq $linkedDomainUrl}) + + Write-Verbose -Message "Creating an VerifiedId Authority Contract with Name {$name} for Authority Id $($authority.Id)" + + $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities/$($authority.Id)/contracts" + Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'POST' -Body $body + } + 
elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating an VerifiedId Authority Contract with Name {$name} for Authority Id $($authority.Id)" + $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities/$($authority.Id)/contracts/$($currentInstance.id)" + $body.Remove('name') | Out-Null + Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'PATCH' -Body $body + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Warning -Message "Removal of Contracts is not supported" + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter()] + [System.String] + $id, + + [Parameter(Mandatory = $true)] + [System.String] + $linkedDomainUrl, + + [Parameter()] + [System.String] + $authorityId, + + [Parameter(Mandatory = $true)] + [System.String] + $name, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $displays, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $rules, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message 'Testing configuration of AADVerifiedIdAuthorityContract' + + $CurrentValues = Get-TargetResource @PSBoundParameters + + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + $testTargetResource = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + Write-Verbose "TestResult returned False for $source" + $testTargetResource = $false + } + else { + $ValuesToCheck.Remove($key) | Out-Null + } + } + } + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys ` + -IncludedDrifts $driftedParams + + if(-not $TestResult) + { + $testTargetResource = $false + } + + + Write-Verbose -Message "Test-TargetResource returned $testTargetResource" + + return $testTargetResource + + +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, 
+ + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'AdminAPI' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $dscContent = [System.Text.StringBuilder]::new() + $i = 1 + Write-Host "`r`n" -NoNewline + try + { + $Script:ExportMode = $true + $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" + $response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET' + [array] $authorities = $response.value + + + [array] $Script:exportedInstances = $() + + foreach ($authority in $authorities) + { + $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities/$($authority.Id)/contracts" + $response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET' + $contracts = $response.value + + foreach($contract in $contracts) + { + $Script:exportedInstances += $contract + + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $($contract.name)" -NoNewline + $Params = @{ + linkedDomainUrl = $authority.didModel.linkedDomainUrls[0] + name = $contract.name + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + Credential = 
$Credential + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + + if ($Results.Ensure -eq 'Present') + { + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($null -ne $Results.displays) + { + $complexMapping = @( + @{ + Name = 'displays' + CimInstanceName = 'AADVerifiedIdAuthorityContractDisplayModel' + IsRequired = $False + } + @{ + Name = 'logo' + CimInstanceName = 'AADVerifiedIdAuthorityContractDisplayCredentialLogo' + IsRequired = $False + } + @{ + Name = 'card' + CimInstanceName = 'AADVerifiedIdAuthorityContractDisplayCard' + IsRequired = $False + } + @{ + Name = 'consent' + CimInstanceName = 'AADVerifiedIdAuthorityContractDisplayConsent' + IsRequired = $False + } + @{ + Name = 'claims' + CimInstanceName = 'AADVerifiedIdAuthorityContractDisplayClaims' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.displays ` + -CIMInstanceName 'AADVerifiedIdAuthorityContractDisplayModel' ` + -ComplexTypeMapping $complexMapping + + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.displays = $complexTypeStringResult + } + else + { + $Results.Remove('displays') | Out-Null + } + } + + + if ($null -ne $Results.rules) + { + $complexMapping = @( + @{ + Name = 'rules' + CimInstanceName = 'AADVerifiedIdAuthorityContractRulesModel' + IsRequired = $False + } + @{ + Name = 'attestations' + CimInstanceName = 'AADVerifiedIdAuthorityContractAttestations' + IsRequired = $False + } + @{ + Name = 'vc' + CimInstanceName = 'AADVerifiedIdAuthorityContractVcType' + IsRequired = $False + } + @{ + Name = 'customStatusEndpoint' + CimInstanceName = 'AADVerifiedIdAuthorityContractCustomStatusEndpoint' + IsRequired = $False + } + @{ + Name = 'idTokenHints' + CimInstanceName = 'AADVerifiedIdAuthorityContractAttestationValues' + IsRequired = $False + } + @{ + Name = 
'idTokens' + CimInstanceName = 'AADVerifiedIdAuthorityContractAttestationValues' + IsRequired = $False + } + @{ + Name = 'presentations' + CimInstanceName = 'AADVerifiedIdAuthorityContractAttestationValues' + IsRequired = $False + } + @{ + Name = 'selfIssued' + CimInstanceName = 'AADVerifiedIdAuthorityContractAttestationValues' + IsRequired = $False + } + @{ + Name = 'accessTokens' + CimInstanceName = 'AADVerifiedIdAuthorityContractAttestationValues' + IsRequired = $False + } + @{ + Name = 'mapping' + CimInstanceName = 'AADVerifiedIdAuthorityContractClaimMapping' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.rules` + -CIMInstanceName 'AADVerifiedIdAuthorityContractRulesModel' ` + -ComplexTypeMapping $complexMapping + + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.rules = $complexTypeStringResult + } + else + { + $Results.Remove('rules') | Out-Null + } + } + + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.displays) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "displays" -IsCIMArray:$true + } + + if ($Results.rules) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "rules" -IsCIMArray:$false + } + + $dscContent.Append($currentDSCBlock) | Out-Null + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + Write-Host $Global:M365DSCEmojiGreenCheckMark + $i++ + } + } + } + return $dscContent.ToString() + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + + 
+function Get-M365DSCVerifiedIdAuthorityContractObject +{ + [CmdletBinding()] + [OutputType([PSCustomObject])] + param( + [Parameter()] + $Contract + ) + + if ($null -eq $Contract) + { + return $null + } + + Write-Verbose -Message "Retrieving values for contract {$($Contract.name)}" + $values = @{ + id = $Contract.id + name = $Contract.name + } + if ($null -ne $Contract.displays) + { + $displays = @() + foreach ($display in $Contract.displays) + { + $claims = @() + foreach ($claim in $display.claims) + { + $claims += @{ + claim = $claim.claim + label = $claim.label + type = $claim.type + } + } + $displays += @{ + locale = $display.locale + card = @{ + title = $display.card.title + issuedBy = $display.card.issuedBy + backgroundColor = $display.card.backgroundColor + textColor = $display.card.textColor + logo = @{ + uri = $display.card.logo.uri + description = $display.card.logo.description + } + description = $display.card.description + } + consent = @{ + title = $display.consent.title + instructions = $display.consent.instructions + } + claims = $claims + } + } + + $values.Add('displays', $displays) + } + + + if ($null -ne $Contract.rules) + { + $rules = @{} + $attestations = @{} + if($null -ne $Contract.rules.attestations.idTokenHints) + { + $idTokenHints = @() + foreach($idTokenHint in $Contract.rules.attestations.idTokenHints) + { + $mapping = @() + foreach($map in $idTokenHint.mapping) + { + $mapping += @{ + outputClaim = $map.outputClaim + inputClaim = $map.inputClaim + required = $map.required + indexed = $map.indexed + type = $map.type + } + } + $idTokenHints += @{ + required = $idTokenHint.required + mapping = $mapping + trustedIssuers = $idTokenHint.trustedIssuers + } + } + $attestations.Add('idTokenHints', $idTokenHints) + } + + if($null -ne $Contract.rules.attestations.idTokens) + { + $idTokens = @() + foreach($idToken in $Contract.rules.attestations.idTokens) + { + $mapping = @() + foreach($map in $idToken.mapping) + { + $mapping += @{ + outputClaim = 
$map.outputClaim + inputClaim = $map.inputClaim + required = $map.required + indexed = $map.indexed + type = $map.type + } + } + $idTokens += @{ + required = $idToken.required + mapping = $mapping + configuration = $idToken.configuration + clientId = $idToken.clientId + redirectUri = $idToken.redirectUri + scopeValue = $idToken.scope + } + } + $attestations.Add('idTokens', $idTokens) + } + + if($null -ne $Contract.rules.attestations.presentations) + { + $presentations = @() + foreach($presentation in $Contract.rules.attestations.presentations) + { + $mapping = @() + foreach($map in $presentation.mapping) + { + $mapping += @{ + outputClaim = $map.outputClaim + inputClaim = $map.inputClaim + required = $map.required + indexed = $map.indexed + type = $map.type + } + } + $presentations += @{ + required = $presentation.required + mapping = $mapping + trustedIssuers = $presentation.trustedIssuers + credentialType = $presentation.credentialType + } + } + $attestations.Add('presentations', $presentations) + } + + if($null -ne $Contract.rules.attestations.selfIssued) + { + $mySelfIssueds = @() + foreach($mySelfIssued in $Contract.rules.attestations.selfIssued) + { + $mapping = @() + foreach($map in $mySelfIssued.mapping) + { + $mapping += @{ + outputClaim = $map.outputClaim + inputClaim = $map.inputClaim + required = $map.required + indexed = $map.indexed + type = $map.type + } + } + $mySelfIssueds += @{ + required = $mySelfIssued.required + mapping = $mapping + } + } + $attestations.Add('selfIssued', $mySelfIssueds) + } + + if($null -ne $Contract.rules.attestations.accessTokens) + { + $accessTokens = @() + foreach($accessToken in $Contract.rules.attestations.accessTokens) + { + $mapping = @() + foreach($map in $accessToken.mapping) + { + $mapping += @{ + outputClaim = $map.outputClaim + inputClaim = $map.inputClaim + required = $map.required + indexed = $map.indexed + type = $map.type + } + } + $accessTokens += @{ + required = $accessToken.required + mapping = $mapping + } 
+ } + $attestations.Add('accessTokens', $accessTokens) + } + + + $rules.Add('attestations', $attestations) + $rules.Add('vc', @{ + type = $Contract.rules.vc.type + }) + $rules.Add('validityInterval', $Contract.rules.validityInterval) + + $values.Add('rules', $rules) + } + + return $values +} + + +function Get-M365DSCVerifiedIdAuthorityObject +{ + [CmdletBinding()] + [OutputType([PSCustomObject])] + param( + [Parameter()] + $Authority + ) + + if ($null -eq $Authority) + { + return $null + } + + Write-Verbose -Message "Retrieving values for authority {$($Authority.didModel.linkedDomainUrls[0])}" + $did = ($Authority.didModel.did -split ":")[1] + $values = @{ + Id = $Authority.Id + Name = $Authority.Name + LinkedDomainUrl = $Authority.didModel.linkedDomainUrls[0] + DidMethod = $did + } + if ($null -ne $Authority.KeyVaultMetadata) + { + $KeyVaultMetadata = @{ + SubscriptionId = $Authority.KeyVaultMetadata.SubscriptionId + ResourceGroup = $Authority.KeyVaultMetadata.ResourceGroup + ResourceName = $Authority.KeyVaultMetadata.ResourceName + ResourceUrl = $Authority.KeyVaultMetadata.ResourceUrl + } + + $values.Add('KeyVaultMetadata', $KeyVaultMetadata) + } + return $values +} + +function Invoke-M365DSCVerifiedIdWebRequest +{ + [OutputType([PSCustomObject])] + [CmdletBinding()] + param( + [Parameter(Mandatory = $true)] + [System.String] + $Uri, + + [Parameter()] + [System.String] + $Method = 'GET', + + [Parameter()] + [System.Collections.Hashtable] + $Body + ) + + $headers = @{ + Authorization = $Global:MSCloudLoginConnectionProfile.AdminAPI.AccessToken + "Content-Type" = "application/json" + } + + if($Method -eq 'PATCH' -or $Method -eq 'POST') + { + $BodyJson = $body | ConvertTo-Json -Depth 10 + $response = Invoke-WebRequest -Method $Method -Uri $Uri -Headers $headers -Body $BodyJson + } + else { + $response = Invoke-WebRequest -Method $Method -Uri $Uri -Headers $headers + } + + if($Method -eq 'DELETE') + { + return $null + } + $result = ConvertFrom-Json $response.Content 
+ return $result +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/MSFT_AADVerifiedIdAuthorityContract.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/MSFT_AADVerifiedIdAuthorityContract.schema.mof new file mode 100644 index 0000000000..75ec079246 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/MSFT_AADVerifiedIdAuthorityContract.schema.mof 
@@ -0,0 +1,105 @@ +[ClassVersion("1.0.0")] +class MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo { + [Write, Description("URI of the logo. If this is a URL, it must be reachable over the public internet anonymously.")] String uri; + [Write, Description("Description of the logo.")] String description; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADVerifiedIdAuthorityContractDisplayCard { + [Write, Description("Title of the credential.")] String title; + [Write, Description("The name of the issuer of the credential.")] String issuedBy; + [Write, Description("Background color of the credential in hex, for example, #FFAABB.")] String backgroundColor; + [Write, Description("Text color of the credential in hex, for example, #FFAABB.")] String textColor; + [Write, Description("Supplemental text displayed alongside each credential.")] String description; + [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo"), Description("The logo to use for the credential.")] String logo; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADVerifiedIdAuthorityContractDisplayConsent { + [Write, Description("Title of the consent.")] String title; + [Write, Description("Supplemental text to use when displaying consent.")] String instructions; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADVerifiedIdAuthorityContractDisplayClaims { + [Write, Description("The label of the claim in display.")] String label; + [Write, Description("The name of the claim to which the label applies.")] String claim; + [Write, Description("The type of the claim.")] String type; + [Write, Description("The description of the claim.")] String description; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_AADVerifiedIdAuthorityContractDisplayModel { + [Write, Description("The locale of this display.")] String locale; + [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractDisplayCard"), Description("The display properties of the verifiable credential.")] String card; + [Write, 
EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractDisplayConsent"), Description("Supplemental data when the verifiable credential is issued.")] String consent; + [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractDisplayClaims"), Description("Labels for the claims included in the verifiable credential.")] String claims[]; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADVerifiedIdAuthorityContractClaimMapping { + [Write, Description("The name of the claim to use from the input.")] String inputClaim; + [Write, Description("The name of the claim in the verifiable credential.")] String outputClaim; + [Write, Description("Indicating whether the value of this claim is used for searching.")] Boolean indexed; + [Write, Description("Indicating whether this mapping is required or not.")] Boolean required; + [Write, Description("Type of claim.")] String type; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADVerifiedIdAuthorityContractAttestationValues { + [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractClaimMapping"), Description("Rules to map input claims into output claims in the verifiable credential.")] String mapping[]; + [Write, Description("Indicating whether this attestation is required or not.")] Boolean required; + [Write, Description("A list of DIDs allowed to issue the verifiable credential for this contract.")] String trustedIssuers[]; + [Write, Description("Required credential type of the input.")] String credentialType; + [Write, Description("Location of the identity provider's configuration document.")] String configuration; + [Write, Description("Client ID to use when obtaining the ID token.")] String clientId; + [Write, Description("Redirect URI to use when obtaining the ID token. 
MUST BE vcclient://openid/")] String redirectUri; + [Write, Description("Space delimited list of scopes to use when obtaining the ID token.")] String scopeValue; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADVerifiedIdAuthorityContractAttestations { + [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestationValues"), Description("Id token hints attestations.")] String idTokenHints[]; + [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestationValues"), Description("Id token attestations.")] String idTokens[]; + [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestationValues"), Description("Presentations attestations.")] String presentations[]; + [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestationValues"), Description("Self Issued attestations.")] String selfIssued[]; + [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestationValues"), Description("Access Token attestations.")] String accessTokens[]; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADVerifiedIdAuthorityContractCustomStatusEndpoint { + [Write, Description("The URL of the custom status endpoint.")] String url; + [Write, Description("The type of the endpoint.")] String type; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADVerifiedIdAuthorityContractVcType { + [Write, Description("The type of the vc.")] String type[]; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_AADVerifiedIdAuthorityContractRulesModel { + [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestations"), Description("Describing supported inputs for the rules.")] String attestations; + [Write, Description("This value shows the lifespan of the credential.")] UInt32 validityInterval; + [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractVcType"), Description("Types for this contract.")] String vc; + [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractCustomStatusEndpoint"), Description("Status endpoint to include in the verifiable 
credential for this contract.")] String customStatusEndpoint; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADVerifiedIdAuthorityContract")] +class MSFT_AADVerifiedIdAuthorityContract : OMI_BaseResource +{ + [Write, Description("Id of the Verified ID Authority Contract.")] String id; + [Key, Description("URL of the linked domain of the authority.")] String linkedDomainUrl; + [Write, Description("Id of the Verified ID Authority.")] String authorityId; + [Key, Description("Name of the Verified ID Authority Contract.")] String name; + [Write, Description("Display settings of the Authority Contract."), EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractDisplayModel")] String displays[]; + [Write, Description("Rules settings of the Authority Contract."), EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractRulesModel")] String rules; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/readme.md new file mode 100644 index 0000000000..730d008e03 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/readme.md @@ -0,0 +1,7 @@ +# AADVerifiedIdAuthorityContract + +## Description + +Azure AD Verified Identity Authority Contract +Use the VerifiableCredential.Contract.ReadWrite permission to read and write the authority contract. +Documentation Link: https://learn.microsoft.com/en-us/entra/verified-id/admin-api#contracts diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/settings.json new file mode 100644 index 0000000000..83269c5f65 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/settings.json @@ -0,0 +1,20 @@ +{ + "resourceName": "AADVerifiedIdAuthorityContract", + "description": "This resource configures an Azure AD Verified Identity Authority Contracts.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroup/MSFT_ADOPermissionGroup.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroup/MSFT_ADOPermissionGroup.psm1 index 1af5a2f77b..ea47dd6dec 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroup/MSFT_ADOPermissionGroup.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroup/MSFT_ADOPermissionGroup.psm1 @@ -457,7 +457,6 @@ function Export-TargetResource $AccessTokens ) - ##TODO - Replace workload $ConnectionMode = New-M365DSCConnection -Workload 'AzureDevOPS' ` -InboundParameters $PSBoundParameters 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/MSFT_AzureBillingAccountsAssociatedTenant.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/MSFT_AzureBillingAccountsAssociatedTenant.psm1 new file mode 100644 index 0000000000..c769d49b29 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/MSFT_AzureBillingAccountsAssociatedTenant.psm1 
@@ -0,0 +1,434 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccount, + + [Parameter(Mandatory = $true)] + [System.String] + $AssociatedTenantId, + + [Parameter()] + [System.String] + $BillingManagementState, + + [Parameter()] + [System.String] + $ProvisioningManagementState, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $accounts = Get-M365DSCAzureBillingAccount + $currentAccount = $accounts.value | Where-Object -FilterScript {$_.properties.displayName -eq $BillingAccount} + + if ($null -ne $currentAccount) + { + $instances = Get-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $currentAccount.Name -ErrorAction Stop + $instance = $instances.value | Where-Object -FilterScript {$_.properties.displayName -eq $DisplayName} + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + BillingAccount = $BillingAccount + DisplayName = $DisplayName + AssociatedTenantId = $instance.properties.tenantId + BillingManagementState = $instance.properties.billingManagementState + ProvisioningManagementState = $instance.properties.provisioningManagementState + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccount, + + [Parameter(Mandatory = $true)] + [System.String] + 
$AssociatedTenantId, + + [Parameter()] + [System.String] + $BillingManagementState, + + [Parameter()] + [System.String] + $ProvisioningManagementState, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $billingAccounts = Get-M365DSCAzureBillingAccount + $account = $billingAccounts.value | Where-Object -FilterScript {$_.properties.displayName -eq $BillingAccount} + + $instanceParams = @{ + properties = @{ + displayName = $DisplayName + tenantId = $AssociatedTenantId + billingManagementState = $BillingManagementState + provisioningManagementState = $ProvisioningManagementState + } + } + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Adding associated tenant {$AssociatedTenantId}" + New-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $account.Name ` + -AssociatedTenantId $AssociatedTenantId ` + -Body $instanceParams + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating associated tenant {$AssociatedTenantId}" + 
New-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $account.Name ` + -AssociatedTenantId $AssociatedTenantId ` + -Body $instanceParams + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing associated tenant {$AssociatedTenantId}" + Remove-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $account.Name ` + -AssociatedTenantId $AssociatedTenantId + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccount, + + [Parameter(Mandatory = $true)] + [System.String] + $AssociatedTenantId, + + [Parameter()] + [System.String] + $BillingManagementState, + + [Parameter()] + [System.String] + $ProvisioningManagementState, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + + #Get all billing account + $accounts = Get-M365DSCAzureBillingAccount + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + [array] $Script:exportedInstances = @() + foreach ($config in $accounts.value) + { + $displayedKey = $config.properties.displayName + Write-Host " |---[$i/$($accounts.Count)] $displayedKey" + + $associatedTenants += Get-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $config.name + + $j = 1 + foreach ($associatedTenant in $associatedTenants.value) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + Write-Host " |---[$j/$($associatedTenants.value.Length)] $($associatedTenant.properties.DisplayName)" -NoNewline + $params = @{ + BillingAccount = $config.properties.displayName + DisplayName = $associatedTenant.properties.displayName + AssociatedTenantId = $associatedTenant.properties.tenantId + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential 
$Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $j++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + $i++ + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/MSFT_AzureBillingAccountsAssociatedTenant.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/MSFT_AzureBillingAccountsAssociatedTenant.schema.mof new file mode 100644 index 0000000000..d5a700ae3c --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/MSFT_AzureBillingAccountsAssociatedTenant.schema.mof 
@@ -0,0 +1,17 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AzureBillingAccountsAssociatedTenant")] +class MSFT_AzureBillingAccountsAssociatedTenant : OMI_BaseResource +{ + [Key, Description("The ID that uniquely identifies a tenant.")] String AssociatedTenantId; + [Write, Description("The name of the associated tenant.")] String DisplayName; + [Write, Description("Name of the billing account.")] String BillingAccount; + [Write, Description("The state determines whether users from the associated tenant can be assigned roles for commerce activities like viewing and downloading invoices, managing payments, and making purchases.")] String BillingManagementState; + [Write, Description("The state determines whether subscriptions and licenses can be provisioned in the associated tenant. It can be set to 'Pending' to initiate a billing request.")] String ProvisioningManagementState; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/readme.md new file mode 100644 index 0000000000..c1162d9567 
--- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/readme.md @@ -0,0 +1,6 @@ + +# AzureBillingAccountsAssociatedTenant + +## Description + +Configures associated tenants to billing accounts in the Microsoft Admin Center. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/settings.json new file mode 100644 index 0000000000..0b91a4be2d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/settings.json @@ -0,0 +1,20 @@ +{ + "resourceName": "AzureBillingAccountsAssociatedTenant", + "description": "Configures associated tenants to billing accounts in the Microsoft Admin Center.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/MSFT_AzureBillingAccountsRoleAssignment.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/MSFT_AzureBillingAccountsRoleAssignment.psm1 new file mode 100644 index 0000000000..e94068b043 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/MSFT_AzureBillingAccountsRoleAssignment.psm1 
@@ -0,0 +1,547 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccount, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalName, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalType, + + [Parameter(Mandatory = $true)] + [System.String] + $RoleDefinition, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalTenantId, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $accounts = Get-M365DSCAzureBillingAccount + $currentAccount = $accounts.value | Where-Object -FilterScript {$_.properties.displayName -eq $BillingAccount} + + if ($null -ne $currentAccount) + { + $instances = Get-M365DSCAzureBillingAccountsRoleAssignment -BillingAccountId $currentAccount.Name -ErrorAction Stop + $PrincipalIdValue = Get-M365DSCPrincipalIdFromName -PrincipalName $PrincipalName ` + -PrincipalType $PrincipalType + $instance = $instances.value | Where-Object -FilterScript {$_.properties.principalId -eq $PrincipalIdValue} + + if ($null -ne $instance) + { + $roleDefinitionId = $instance.properties.roleDefinitionId.Split('/') + $roleDefinitionId = $roleDefinitionId[$roleDefinitionId.Length -1] + $RoleDefinitionValue = Get-M365DSCAzureBillingAccountsRoleDefinition -BillingAccountId $currentAccount.Name ` + -RoleDefinitionId $roleDefinitionId + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + BillingAccount = $BillingAccount + PrincipalName = $PrincipalName + PrincipalType = $PrincipalType + PrincipalTenantId = $instance.properties.principalTenantId + RoleDefinition = $RoleDefinitionValue.properties.roleName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + 
-Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccount, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalName, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalType, + + [Parameter(Mandatory = $true)] + [System.String] + $RoleDefinition, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalTenantId, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $currentInstance = Get-TargetResource @PSBoundParameters + $billingAccounts = Get-M365DSCAzureBillingAccount + $account = $billingAccounts.value | Where-Object -FilterScript {$_.properties.displayName -eq $BillingAccount} + $PrincipalIdValue = Get-M365DSCPrincipalIdFromName -PrincipalName $PrincipalName ` + -PrincipalType $PrincipalType + $RoleDefinitionValues = Get-M365DSCAzureBillingAccountsRoleDefinition -BillingAccountId $account.Name + $roleDefinitionInstance = $RoleDefinitionValues.value | Where-Object -FilterScript {$_.properties.roleName -eq $currentInstance.RoleDefinition} + $instanceParams = @{ + principalId = $PrincipalIdValue + principalTenantId = $currentInstance.PrincipalTenantId + roleDefinitionId = $roleDefinitionInstance.id + } + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Adding new role assignment for user {$PrincipalName} for role {$RoleDefinition}" + New-M365DSCAzureBillingAccountsRoleAssignment -BillingAccountId $account.Name ` + -Body $instanceParams + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating role assignment for user {$PrincipalName} for role {$RoleDefinition}" + New-M365DSCAzureBillingAccountsRoleAssignment -BillingAccountId $account.Name ` + -Body $instanceParams + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + $instances = Get-M365DSCAzureBillingAccountsRoleAssignment -BillingAccountId $account.Name -ErrorAction Stop + $instance 
= $instances.value | Where-Object -FilterScript {$_.properties.principalId -eq $PrincipalIdValue} + $AssignmentId = $instance.Id.Split('/') + $AssignmentId = $AssignmentId[$roleDefinitionId.Length -1] + Write-Verbose -Message "Removing role assignment for user {$PrincipalName} for role {$RoleDefinition}" + Remove-M365DSCAzureBillingAccountsRoleAssignment -BillingAccountId $account.Name ` + -AssignmentId $AssignmentId + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccount, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalName, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalType, + + [Parameter(Mandatory = $true)] + [System.String] + $RoleDefinition, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalTenantId, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + + #Get all billing account + $accounts = Get-M365DSCAzureBillingAccount + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $accounts.value) + { + $displayedKey = $config.properties.displayName + Write-Host " |---[$i/$($accounts.Count)] $displayedKey" + + $assignments = Get-M365DSCAzureBillingAccountsRoleAssignment -BillingAccountId $config.name + + $j = 1 + foreach ($assignment in $assignments.value) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $PrincipalNameValue = Get-M365DSCPrincipalNameFromId -PrincipalId $assignment.properties.principalId ` + -PrincipalType $assignment.properties.principalType + $roleDefinitionId = $assignment.properties.roleDefinitionId.Split('/') + $roleDefinitionId = $roleDefinitionId[$roleDefinitionId.Length -1] + + Write-Host " |---[$j/$($assignments.value.Length)] $($assignment.properties.principalId)" -NoNewline + $params = @{ + BillingAccount = $config.properties.displayName + PrincipalName = $PrincipalNameValue + PrincipalType = $assignment.properties.principalType + PrincipalTenantId = $assignment.properties.principalTenantId + RoleDefinition = "AnyRole" + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results 
= Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $j++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + $i++ + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-M365DSCPrincipalNameFromId +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalId, + + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalType + ) + + $result = $null + if ($PrincipalType -eq 'User') + { + $userInfo = Get-MgUser -UserId $PrincipalId + if ($null -ne $userInfo) + { + $result = $userInfo.UserPrincipalName + } + } + elseif ($PrincipalType -eq 'ServicePrincipal') + { + $spnInfo = Get-MgServicePrincipal -ServicePrincipalId $PrincipalId + if ($null -ne $spnInfo) + { + $result = $spnInfo.DisplayName + } + } + elseif ($PrincipalType -eq 'Group') + { + $groupInfo = Get-MgGroup -GroupId $PrincipalId + if ($null -ne $groupInfo) + { + $result = $groupInfo.DisplayName + } + } + return $result +} + +function Get-M365DSCPrincipalIdFromName +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalName, + + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalType + ) + + $result = $null + if ($PrincipalType -eq 'User') + { + $userInfo = Get-MgUser -Filter "UserPrincipalName eq '$PrincipalName'" + if ($null -ne $userInfo) + { + 
$result = $userInfo.Id + } + } + elseif ($PrincipalType -eq 'ServicePrincipal') + { + $spnInfo = Get-MgServicePrincipal -Filter "DisplayName eq '$PrincipalName'" + if ($null -ne $spnInfo) + { + $result = $spnInfo.Id + } + } + elseif ($PrincipalType -eq 'Group') + { + $groupInfo = Get-MgGroup -Filter "DisplayName eq '$PrincipalName'" + if ($null -ne $groupInfo) + { + $result = $groupInfo.Id + } + } + return $result +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/MSFT_AzureBillingAccountsRoleAssignment.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/MSFT_AzureBillingAccountsRoleAssignment.schema.mof new file mode 100644 index 0000000000..f58dbe74f1 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/MSFT_AzureBillingAccountsRoleAssignment.schema.mof 
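Review bot: In Export-TargetResource the `RoleDefinition` key is hard-coded to `"AnyRole"` even though the real role is parsed two lines earlier into `$roleDefinitionId` and then never used; `RoleDefinition` is a Key property in the schema, so the exported instance loses the assignment's actual role and two assignments of the same principal with different roles become indistinguishable. Pass the parsed value instead, e.g. `RoleDefinition = $roleDefinitionId`. Two smaller points in the same hunk: the `if ($Script:exportedInstances.Length -eq 0)` guard tests a variable this function never populates (the data is in `$accounts.value`, and the progress line uses `$accounts.Count` while the loop iterates `$accounts.value`), and in Get-M365DSCPrincipalIdFromName the OData filter is built by string interpolation (`"DisplayName eq '$PrincipalName'"`), so a name containing a single quote breaks the query, and DisplayName is not unique for groups or service principals, so `$spnInfo.Id` / `$groupInfo.Id` can be an array and the wrong object can be resolved. Escape `'` as `''` in the filter value and stop with an explicit error when more than one object matches rather than silently taking one, since the result decides which identity receives a billing role.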
@@ -0,0 +1,17 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AzureBillingaccountsRoleAssignment")] +class MSFT_AzureBillingaccountsRoleAssignment : OMI_BaseResource +{ + [Key, Description("Name of the principal associated to the role assignment.")] String PrincipalName; + [Key, Description("Name of the role assigned to the principal.")] String RoleDefinition; + [Write, Description("Principal type. Can be User, Group or ServicePrincipal.")] String PrincipalType; + [Write, Description("Name of the billing account.")] String BillingAccount; + [Write, Description("The principal tenant id of the user to whom the role was assigned.")] String PrincipalTenantId; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/readme.md new file mode 100644 index 0000000000..db4e49895b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/readme.md @@ -0,0 +1,6 @@ + +# AzureBillingaccountsRoleAssignment + +## Description + +Manages roles on billing accounts. 
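Review bot: The FriendlyName and class name in this MOF use `AzureBillingaccountsRoleAssignment` / `MSFT_AzureBillingaccountsRoleAssignment` (lower-case `a` in `accounts`), while the folder, the psm1 file name and the CHANGELOG entry use `AzureBillingAccountsRoleAssignment`; the readme heading and the `resourceName` in settings.json repeat the lower-case form. Use `MSFT_AzureBillingAccountsRoleAssignment` with `FriendlyName("AzureBillingAccountsRoleAssignment")` everywhere so the resource name is consistent in exports and generated documentation. Also, the `PrincipalTenantId` description says "of the user", but `PrincipalType` allows Group and ServicePrincipal as well; "of the principal" is accurate.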
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/settings.json new file mode 100644 index 0000000000..bd7e79a40f --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/settings.json @@ -0,0 +1,20 @@ +{ + "resourceName": "AzureBillingaccountsRoleAssignment", + "description": "Manages roles on billing accounts.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/MSFT_AzureVerifiedIdFaceCheck.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/MSFT_AzureVerifiedIdFaceCheck.psm1 new file mode 100644 index 0000000000..4e9907eafa --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/MSFT_AzureVerifiedIdFaceCheck.psm1 
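Review bot: `roles` and both `permissions.graph` lists are empty here, but the psm1 in this PR calls Get-MgUser, Get-MgGroup and Get-MgServicePrincipal to resolve principals, which need Graph read scopes (User.Read.All, Group.Read.All and Application.Read.All are the usual ones), and the billing calls need a role on the billing account itself. The module derives its required-permission lists from these files, so with them empty a least-privilege identity set up from the generated documentation will fail on the first principal lookup at export time.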
@@ -0,0 +1,437 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $VerifiedIdAuthorityId, + + [Parameter()] + [System.Boolean] + $FaceCheckEnabled, + + [Parameter()] + [System.String] + $VerifiedIdAuthorityLocation, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $resourceGroupInstance = Get-AzResourceGroup -Id "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)" -ErrorAction SilentlyContinue + if ($null -eq $resourceGroupInstance) + { + return $nullResult + } + + $uri = "https://management.azure.com/$($resourceGroupInstance.ResourceId)/providers/Microsoft.VerifiedId/authorities/$($VerifiedIdAuthorityId)?api-version=2024-01-26-preview" + $response = Invoke-AzRest -Uri $uri -Method Get + $authorities = ConvertFrom-Json $response.Content + + $EnabledValue = $false + if ($null -eq $authorities.error -and $null -ne $authorities.id) + { + $EnabledValue = $true + } + + $results = @{ + SubscriptionId = $SubscriptionId + ResourceGroupName = $ResourceGroupName + VerifiedIdAuthorityId = $VerifiedIdAuthorityId + VerifiedIdAuthorityLocation = $authorities.location + FaceCheckEnabled = $EnabledValue + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] 
+ [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $VerifiedIdAuthorityId, + + [Parameter()] + [System.Boolean] + $FaceCheckEnabled, + + [Parameter()] + [System.String] + $VerifiedIdAuthorityLocation, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + if ($FaceCheckEnabled) + { + Write-Verbose -Message "Enabling FaceCheck on Verified ID Authority {$($VerifiedIDAuthorityId)}" + $uri = "https://management.azure.com/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/providers/Microsoft.VerifiedId/authorities/$($VerifiedIdAuthorityId)?api-version=2024-01-26-preview" + $payload = '{"location": "' + $VerifiedIdAuthorityLocation + '"}' + $response = Invoke-AzRest -Uri $uri -Method Put -Payload $payload + } + else + { + Write-Verbose -Message "Disabling FaceCheck on Verified ID Authority {$($VerifiedIDAuthorityId)}" + $uri = 
"https://management.azure.com/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/providers/Microsoft.VerifiedId/authorities/$($VerifiedIdAuthorityId)?api-version=2024-01-26-preview" + $payload = '{"location": null}' + $response = Invoke-AzRest -Uri $uri -Method DELETE + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $VerifiedIdAuthorityId, + + [Parameter()] + [System.Boolean] + $FaceCheckEnabled, + + [Parameter()] + [System.String] + $VerifiedIdAuthorityLocation, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'AdminAPI' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $headers = @{ + Authorization = $Global:MSCloudLoginConnectionProfile.AdminAPI.AccessToken + } + $uri = 'https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities' + $response = Invoke-WebRequest -Uri $uri -Method Get -Headers $headers + $authorities = ConvertFrom-Json $response.Content + + $resourceGroups = Get-AzResourceGroup -ErrorAction Stop + $i = 1 + $dscContent = '' + if ($resourceGroups.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + $j = 1 + foreach ($resourceGroup in $resourceGroups) + { + $displayedKey = $resourceGroup.ResourceGroupName + Write-Host " |---[$j/$($resourceGroups.Length)] $displayedKey" -NoNewline + + if ($authorities.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + $i = 1 + foreach ($authority in $authorities.value) + { + $uri = "https://management.azure.com/$($resourceGroup.ResourceId)/providers/Microsoft.VerifiedId/authorities/$($authority.id)?api-version=2024-01-26-preview" + $response = Invoke-AzRest -Uri $uri -Method Get + $entries = ConvertFrom-Json $response.Content + + $Global:M365DSCExportResourceInstancesCount++ + + $displayedKey = $authority.name + Write-Host " |---[$i/$($authorities.value.Length)] $displayedKey" -NoNewline + + $SubscriptionId = $resourceGroup.ResourceId.Split('/') + $SubscriptionId = $SubscriptionId[2] + + $params = @{ + VerifiedIdAuthorityId = $authority.id + SubscriptionId = $SubscriptionId + ResourceGroupName = $resourceGroup.ResourceGroupName + Credential = $Credential + ApplicationId = 
$ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + $j++ + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/MSFT_AzureVerifiedIdFaceCheck.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/MSFT_AzureVerifiedIdFaceCheck.schema.mof new file mode 100644 index 0000000000..aaf9f6f876 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/MSFT_AzureVerifiedIdFaceCheck.schema.mof 
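Review bot: Set-TargetResource never inspects the result of `Invoke-AzRest`: both the PUT and the DELETE assign `$response` and drop it, so a 401/403/404 from ARM is swallowed and the LCM reports the set as successful although FaceCheck was not changed. Check `$response.StatusCode` (or `$response.Content` for an `error` object), log it with New-M365DSCLogEntry and throw. The `$payload = '{"location": null}'` in the disable branch is dead code, since the DELETE call sends no payload. In Export-TargetResource, `$entries` is fetched for every resource group / authority pair but never used, so each authority is emitted once per resource group in the subscription, including groups where it does not exist (those come out with `FaceCheckEnabled = $false`); skipping the pair when `$entries.error` is set or `$entries.id` is null keeps the export to real instances. Lastly, `$authorities.Length -eq 0` tests the response object rather than `$authorities.value`, and `$Global:M365DSCExportResourceInstancesCount++` lacks the null guard the other new resources in this PR use.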
@@ -0,0 +1,17 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AzureVerifiedIdFaceCheck")] +class MSFT_AzureVerifiedIdFaceCheck : OMI_BaseResource +{ + [Key, Description("Id of the Azure subscription.")] String SubscriptionId; + [Key, Description("Name of the associated resource group.")] String ResourceGroupName; + [Key, Description("Id of the verified ID authority.")] String VerifiedIdAuthorityId; + [Write, Description("Represents whether or not FaceCheck is enabled for the authrotiy.")] Boolean FaceCheckEnabled; + [Write, Description("Location of the Verified ID Authority.")] String VerifiedIdAuthorityLocation; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/readme.md new file mode 100644 index 0000000000..4c2750472f --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/readme.md @@ -0,0 +1,6 @@ + +# AzureVerifiedIdFaceCheck + +## Description + +Configures Azure Verified Id FaceCheck. 
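Review bot: Typo in the `FaceCheckEnabled` description: "authrotiy" should be "authority". This string is copied into the generated resource documentation, so it is worth fixing before release.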
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/settings.json new file mode 100644 index 0000000000..84f791e02a --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/settings.json @@ -0,0 +1,20 @@ +{ + "resourceName": "AzureVerifiedIdFaceCheck", + "description": "Configures Azure Verified Id FaceCheck.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOArcConfig/MSFT_EXOArcConfig.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOArcConfig/MSFT_EXOArcConfig.psm1 index 3da9fdc728..a79d3e4da8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOArcConfig/MSFT_EXOArcConfig.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOArcConfig/MSFT_EXOArcConfig.psm1 
@@ -256,15 +256,17 @@ function Test-TargetResource Write-Verbose -Message 'Testing configuration of Arc Config settings' $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" - Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" - - $ValuesToCheck = $PSBoundParameters - + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck # Need to remove Identity as Get-ArcConfig doesn't return Identity $ValuesToCheck.Remove('Identity') | Out-Null + $PSBoundParameters.ArcTrustedSealers = $PSBoundParameters.ArcTrustedSealers -Join ',' + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/MSFT_EXOServicePrincipal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/MSFT_EXOServicePrincipal.psm1 new file mode 100644 index 0000000000..da092793e8 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/MSFT_EXOServicePrincipal.psm1 
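Review bot: `$PSBoundParameters.ArcTrustedSealers = $PSBoundParameters.ArcTrustedSealers -Join ','` runs unconditionally, so when the caller did not pass `ArcTrustedSealers` the expression `$null -Join ','` adds the key with an empty string to `$PSBoundParameters` (and therefore to `-DesiredValues`); guard it with `if ($PSBoundParameters.ContainsKey('ArcTrustedSealers'))`. The joined-string comparison is also order-sensitive: if the service returns the sealers in a different order from the configuration, Test will report drift and Set will rewrite the same value on every consistency check. Sorting both sides before joining (or comparing the arrays directly) avoids that. Note too that `$ValuesToCheck` was cloned before the join, so it still holds the array while `$PSBoundParameters` holds the string; harmless as long as only `$ValuesToCheck.Keys` is consumed, but easy to trip over later.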
@@ -0,0 +1,400 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $AppName, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Identity, + + [Parameter()] + [System.String] + $AppId, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters | Out-Null + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + Confirm-M365DSCDependencies + + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $servicePrincipal = Get-MgServicePrincipal -Filter "DisplayName eq '$($AppName)'" + + if ($null -eq $servicePrincipal) + { + return $nullResult + } + + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.AppId -eq $servicePrincipal.AppId} + } + else + { + $instance = Get-ServicePrincipal -Identity $servicePrincipal.Id -ErrorAction Stop + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Identity = $servicePrincipal.Id + AppName = $servicePrincipal.AppDisplayName + DisplayName = 
$instance.DisplayName + AppId = $instance.AppId + ObjectId = $instance.ObjectId + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $AppName, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Identity, + + [Parameter()] + [System.String] + $AppId, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $servicePrincipal = Get-MgServicePrincipal -Filter "DisplayName eq '$($AppName)'" + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + New-ServicePrincipal -AppId $servicePrincipal.AppId -ObjectId $servicePrincipal.Id + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + $setParameters.Remove("AppId") + $setParameters.Remove("ObjectId") + Set-ServicePrincipal -DisplayName $DisplayName -Identity $servicePrincipal.Id + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Remove-ServicePrincipal -Identity $servicePrincipal.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $AppName, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Identity, + + [Parameter()] + [System.String] + $AppId, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName 
$CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-ServicePrincipal -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + $servicePrincipal = Get-MgServicePrincipal -ServicePrincipalId $config.Identity + + $displayedKey = $servicePrincipal.AppDisplayName + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + AppName = $servicePrincipal.AppDisplayName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} 
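Review bot: Get-TargetResource puts `ObjectId = $instance.ObjectId` in the results hashtable, but `ObjectId` is not a property of the `MSFT_EXOServicePrincipal` schema added in this PR; the export path hands that hashtable to Get-M365DSCExportContentForResource, so the generated configuration carries a property the MOF does not declare, which the DSC compiler rejects. Either add `ObjectId` to the MOF or drop it from the results (Set-TargetResource already removes it from `$setParameters`, which is otherwise unused). In the same hunk, the lookup `Get-MgServicePrincipal -Filter "DisplayName eq '$($AppName)'"` is built by string interpolation (a name containing `'` breaks the filter) and DisplayName is not unique among service principals, so `$servicePrincipal` can be an array and `-Identity $servicePrincipal.Id` then fails; escape the quote and stop with an explicit error when more than one match is returned, since the object chosen here decides which identity gets an Exchange service principal. In Set-TargetResource, the CREATE branch calls `New-ServicePrincipal` with `$servicePrincipal.AppId` even when the Graph lookup returned nothing, and the UPDATE branch passes `-DisplayName $DisplayName` even when it was not specified; a null check before CREATE and `if ($PSBoundParameters.ContainsKey('DisplayName'))` around the update make both paths safe.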
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/MSFT_EXOServicePrincipal.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/MSFT_EXOServicePrincipal.schema.mof new file mode 100644 index 0000000000..c8d3020df9 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/MSFT_EXOServicePrincipal.schema.mof @@ -0,0 +1,16 @@ +[ClassVersion("1.0.0.0"), FriendlyName("EXOServicePrincipal")] +class MSFT_EXOServicePrincipal : OMI_BaseResource +{ + [Key, Description("The AppName parameter specifies the corresponding friendly name of the unique AppId GUID value for the service principal.")] string AppName; + [Write, Description("The DisplayName parameter specifies the friendly name of the service principal.")] string DisplayName; + [Write, Description("The Identity parameter specifies the service principal that you want to view.")] string Identity; + [Write, Description("The AppId parameter specifies the unique AppId GUID value for the service principal.")] string AppId; + [Write, Description("Present ensures the group exists, absent ensures it is removed"), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Exchange Global Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; + 
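Review bot: The `Ensure` description reads "Present ensures the group exists", a leftover from a group resource; it should say "service principal". The `Credential` description ("Credentials of the Exchange Global Admin") is also the old wording; the other new resources in this PR use "Credentials of the workload's Admin".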
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/readme.md new file mode 100644 index 0000000000..46d431783d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/readme.md @@ -0,0 +1,27 @@ +# EXOServicePrincipal + +## Description + +Use the ServicePrincipal cmdlets to create, change service principals in your cloud-based organization. + +## Parameters + +- Identity: The Identity parameter specifies the service principal that you want to modify. You can use any value that uniquely identifies the service principal. For example: Name, Distinguished name (DN), GUID, AppId, ObjectId +- AppName: The AppName parameter specifies the corresponding friendly name of the unique AppId GUID value for the service principal. +- DisplayName: The DisplayName parameter specifies the friendly name of the service principal. If the name contains spaces, enclose the name in quotation marks ("). +- AppId: The AppId parameter specifies the unique AppId GUID value for the service principal. +- ObjectId: The ObjectId parameter specifies the unique ObjectId GUID value for the service principal. + +## Examples + +- Set-ServicePrincipal -Identity dc873ad4-0397-4d74-b5c0-897cd3a94731 -DisplayName "Another App Name" +- New-ServicePrincipal -AppId 71487acd-ec93-476d-bd0e-6c8b31831053 -ObjectId 6233fba6-0198-4277-892f-9275bf728bcc + +## Parameters present in New and not in Set + +- AppId +- ObjectId + +## Parameters present in Set and not in New + +- Identity diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/settings.json new file mode 100644 index 0000000000..4886d3193d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/settings.json 
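Review bot: The Parameters section documents `ObjectId`, but the schema in this PR does not expose it (AppName, DisplayName, Identity and AppId only), and the Examples section shows the raw `Set-ServicePrincipal` / `New-ServicePrincipal` cmdlets rather than a DSC block. Either add `ObjectId` to the MOF or drop it here, and replace the cmdlet examples with an `EXOServicePrincipal` configuration so the readme matches what the resource accepts. Minor grammar in the description: "create, change service principals" reads better as "create and change service principals".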
@@ -0,0 +1,24 @@ +{ + "resourceName": "EXOServicePrincipal", + "description": "Use this resource to to view information about service principals, create service principals, to remove service principals, to change service principals in your cloud-based organization.", + "roles": { + "read": [ + "Exchange Admin" + ], + "update": [ + "Exchange Admin" + ] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListItems/MSFT_EXOTenantAllowBlockListItems.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListItems/MSFT_EXOTenantAllowBlockListItems.psm1 index 08fd6b85e3..01778e9c2b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListItems/MSFT_EXOTenantAllowBlockListItems.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListItems/MSFT_EXOTenantAllowBlockListItems.psm1 
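Review bot: typo in `description`: "to to view"; the sentence is also phrased for the cmdlet family rather than the resource. Suggest `"description": "Use this resource to view, create, change or remove service principals in your cloud-based organization."`.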
@@ -378,18 +378,21 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() - $ValuesToCheck.Remove('Entries') | Out-Null - if ($null -ne $ValuesToCheck.ExpirationDate -and $ValuesToCheck.ExpirationDate.Kind -eq 'Local') - { - $ValuesToCheck.ExpirationDate = $ValuesToCheck.ExpirationDate.ToUniversalTime().ToString() - } - if ($CurrentValues.Ensure -eq 'Absent') + if ($CurrentValues.Ensure -ne $Ensure) { Write-Verbose -Message "Test-TargetResource returned $false" return $false } + if ($null -ne $ValuesToCheck.ExpirationDate -and $ValuesToCheck.ExpirationDate.Kind -eq 'Local') + { + $ValuesToCheck.ExpirationDate = $ValuesToCheck.ExpirationDate.ToUniversalTime().ToString() + } + + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Entries') | Out-Null + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppCategory/MSFT_IntuneAppCategory.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppCategory/MSFT_IntuneAppCategory.psm1 index bb74801759..479083759f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppCategory/MSFT_IntuneAppCategory.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppCategory/MSFT_IntuneAppCategory.psm1 
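Review bot: the new `if ($CurrentValues.Ensure -ne $Ensure)` check fixes the previous behaviour where a desired `Absent` on an already-missing item still returned `$false`, but when both are `Absent` the function now falls through to the full property comparison against the null result; an explicit `return $true` when `$Ensure -eq 'Absent'` right after the check would make the intent clear and avoid comparing a desired `Absent` against fields `Get-TargetResource` never populated. `Entries` is still removed from `$ValuesToCheck`, so it is excluded from the drift comparison; a one-line comment stating why would help the next reader.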
@@ -78,25 +78,25 @@ function Get-TargetResource if ($null -eq $instance) { - $instance = Get-MgBetaDeviceAppManagementMobileAppCategory -MobileAppCategoryId $Id -ErrorAction Stop - - if ($null -eq $instance) - { - Write-Verbose -Message "Could not find MobileAppCategory by Id {$Id}." - - if (-Not [string]::IsNullOrEmpty($DisplayName)) - { - $instance = Get-MgBetaDeviceAppManagementMobileAppConfiguration ` - -Filter "DisplayName eq '$DisplayName'" ` - -ErrorAction SilentlyContinue - } - } - - if ($null -eq $instance) - { - Write-Verbose -Message "Could not find MobileAppCategory by DisplayName {$DisplayName}." - return $nullResult - } + $instance = Get-MgBetaDeviceAppManagementMobileAppCategory -MobileAppCategoryId $Id -ErrorAction SilentlyContinue + + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find MobileAppCategory by Id {$Id}." + + if (-Not [string]::IsNullOrEmpty($DisplayName)) + { + $instance = Get-MgBetaDeviceAppManagementMobileAppCategory ` + -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find MobileAppCategory by DisplayName {$DisplayName}." + return $nullResult + } } $results = @{ 
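Review bot: good catch replacing the wrong cmdlet (`Get-MgBetaDeviceAppManagementMobileAppConfiguration`) with `Get-MgBetaDeviceAppManagementMobileAppCategory` in the DisplayName fallback; that branch could never have found a category before. Two follow-ups: `-Filter "DisplayName eq '$DisplayName'"` can return more than one object, so `$instance.Id` used later would become an array, and a DisplayName containing a single quote breaks the OData filter, so it should be escaped (`$DisplayName.Replace("'", "''")`) and a single result selected (with a warning on duplicates). Also, most of this hunk is a re-indentation of unchanged lines, which hides the one-word fix; keeping the original indentation would make the change reviewable at a glance.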
@@ -192,22 +192,27 @@ function Set-TargetResource $currentInstance = Get-TargetResource @PSBoundParameters $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters - $setParameters.remove('Id') | Out-Null - $setParameters.remove('Ensure') | Out-Null + $setParameters.Remove('Id') | Out-Null # CREATE if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { + Write-Verbose -Message "Creating an Intune App Category with DisplayName {$DisplayName}" + New-MgBetaDeviceAppManagementMobileAppCategory @SetParameters } # UPDATE elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { + Write-Verbose -Message "Updating the Intune App Category with DisplayName {$DisplayName}" + Update-MgBetaDeviceAppManagementMobileAppCategory -MobileAppCategoryId $currentInstance.Id @SetParameters } # REMOVE elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { + Write-Verbose -Message "Removing the Intune App Category with DisplayName {$DisplayName}" + Remove-MgBetaDeviceAppManagementMobileAppCategory -MobileAppCategoryId $currentInstance.Id -Confirm:$false } } 
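Review bot: dropping `$setParameters.remove('Ensure')` only works if `Remove-M365DSCAuthenticationParameter` strips `Ensure` as well; if it does not, `Ensure` is splatted into `New-MgBetaDeviceAppManagementMobileAppCategory` and the call fails on an unknown parameter. Worth confirming, or keeping the explicit removal. Minor: the variable is assigned as `$setParameters` and splatted as `@SetParameters`; PowerShell is case-insensitive, but consistent casing helps readability.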
@@ -279,13 +284,26 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" - $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } Write-Verbose -Message "Test-TargetResource returned $testResult" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/MSFT_IntuneAppleMDMPushNotificationCertificate.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/MSFT_IntuneAppleMDMPushNotificationCertificate.psm1 new file mode 100644 index 0000000000..e94848b1ab --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/MSFT_IntuneAppleMDMPushNotificationCertificate.psm1 
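Review bot: `$testResult = $true` followed by `if ($testResult)` is a guard that can never be false here, since the only early exit above is `return $false`; the `Test-M365DSCParameterState` call can be made unconditionally. The Ensure short-circuit and the removal of authentication parameters from `$ValuesToCheck` are the right change, since previously the auth parameters remained in the compared key set.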
@@ -0,0 +1,478 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region Intune params + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $AppleIdentifier, + + [Parameter()] + [System.String] + $Certificate, + + [Parameter()] + [System.Boolean] + $DataSharingConsetGranted, + + #endregion Intune params + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
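Review bot: the parameter `DataSharingConsetGranted` is misspelled (`Conset` should be `Consent`) and the spelling is repeated in the schema.mof, so it becomes the public property name of the resource; renaming after release is a breaking change for existing configurations, so it is best fixed now. Also `Certificate` is a plain `[System.String]`; a comment on the expected encoding of the value would help, since the Graph property takes the certificate content rather than a path.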
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + try + { + $instance = $null + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + + if ($null -eq $instance) + { + # There is only one Apple push notification certificate per tenant so no need to filter by Id + $instance = Get-MgBetaDeviceManagementApplePushNotificationCertificate -ErrorAction Stop + + if ($null -eq $instance) + { + Write-Verbose -Message "Apple push notification certificate." + return $nullResult + } + } + + $results = @{ + Id = $instance.Id + AppleIdentifier = $instance.AppleIdentifier + + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + if (-not [String]::IsNullOrEmpty($instance.Certificate)) { + $results.Add('Certificate', $instance.Certificate) + } + else { + $results.Add('Certificate', "") + } + + # Get the value of Data sharing consent between Intune and Apple. The id is hardcoded to "appleMDMPushCertificate". 
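Review bot: the verbose message `"Apple push notification certificate."` in the null branch is truncated and says nothing about what happened; it should read e.g. `"Could not find an Apple push notification certificate."`. Also `$nullResult = $PSBoundParameters` followed by `$nullResult.Ensure = 'Absent'` mutates `$PSBoundParameters` itself rather than a copy, which is harmless here but worth a `.Clone()` if `$PSBoundParameters` is reused later in the function.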
+ $consentInstance = Get-MgBetaDeviceManagementDataSharingConsent -DataSharingConsentId "appleMDMPushCertificate" + $results.Add('DataSharingConsetGranted', $consentInstance.Granted) + + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region Intune params + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $AppleIdentifier, + + [Parameter()] + [System.String] + $Certificate, + + [Parameter()] + [System.Boolean] + $DataSharingConsetGranted, + + #endregion Intune params + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $SetParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + $SetParameters.Remove('Id') | Out-Null + $SetParameters.Remove('DataSharingConsetGranted') | Out-Null + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Apple Push Notification Certificate with Apple ID: '$AppleIdentifier'." + + # Post data sharing consent as granted between Intune and Apple. NOTE: It's a one-way operation. Once agreed, it can't be revoked. + # so first check if it is $false, then make a post call to agree to the consent, this set the DataSharingConsetGranted to $true. + $consentInstance = Get-MgBetaDeviceManagementDataSharingConsent -DataSharingConsentId "appleMDMPushCertificate" + If($consentInstance.Granted -eq $False) { + Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/dataSharingConsents/appleMDMPushCertificate/consentToDataSharing" -Headers @{ "Content-Type" = "application/json" } + } + else { + Write-Host "Data sharing conset is already granted, so it can't be revoked." + } + + # There is only PATCH request hence using Update cmdlet to post the certificate + Update-MgBetaDeviceManagementApplePushNotificationCertificate @SetParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune Apple Push Notification Certificate with Apple ID: '$AppleIdentifier'." 
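Review bot: the data-sharing consent POST runs on every CREATE regardless of the `DataSharingConsetGranted` parameter value, while that parameter is removed from `$SetParameters` and never otherwise used; since the comment itself says the consent is one-way and cannot be revoked, the call should be gated on the desired value (`if ($DataSharingConsetGranted -and -not $consentInstance.Granted)`) and the irreversibility stated in the readme. Also `Write-Host "Data sharing conset is already granted..."` has a typo and should be `Write-Verbose` like the rest of the module, and `If($consentInstance.Granted -eq $False) {` uses K&R braces where the rest of this file uses Allman style.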
+ Update-MgBetaDeviceManagementApplePushNotificationCertificate @SetParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune Apple Push Notification Certificate with Apple ID: '$AppleIdentifier' by patching with empty certificate." + + # There is only PATCH request hence using Update cmdlet to remove the certificate by passing empty certificate as param. + $params = @{ + appleIdentifier = "" + certificate = "" + } + Update-MgBetaDeviceManagementApplePushNotificationCertificate -BodyParameter $params + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region Intune params + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $AppleIdentifier, + + [Parameter()] + [System.String] + $Certificate, + + [Parameter()] + [System.Boolean] + $DataSharingConsetGranted, + + #endregion Intune params + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
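Review bot: the REMOVE branch patches `appleIdentifier` and `certificate` to empty strings, but `Get-TargetResource` reports `Ensure = 'Present'` whenever `Get-MgBetaDeviceManagementApplePushNotificationCertificate` returns any object, so after removal `Test-TargetResource` will keep reporting drift for `Ensure = 'Absent'`. Either map an empty `Certificate`/`AppleIdentifier` to `Absent` in `Get-TargetResource` or document that `Absent` is not a stable state for this singleton resource.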
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the 
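Review bot: `DataSharingConsetGranted` is part of the compared values, but the consent is irrevocable (per the comment in `Set-TargetResource`), so a configuration with `DataSharingConsetGranted = $false` on a tenant that has already granted it will fail `Test-TargetResource` forever and `Set-TargetResource` has no way to reconcile it; consider excluding it from `$ValuesToCheck` when the desired value is `$false`, or documenting the one-way semantics. As in the other resources in this PR, the `$testResult = $true` / `if ($testResult)` guard cannot be false and can be dropped.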
current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaDeviceManagementApplePushNotificationCertificate -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + foreach ($config in $Script:exportedInstances) + { + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + + $Params = @{ + Id = $config.Id + AppleIdentifier = $config.AppleIdentifier + Certificate = $config.Certificate + + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + # Get the value of Data sharing consent between Intune and Apple. The id is hardcoded to "appleMDMPushCertificate". 
+ $consentInstance = Get-MgBetaDeviceManagementDataSharingConsent -DataSharingConsentId "appleMDMPushCertificate" + $Params.Add('DataSharingConsetGranted', $consentInstance.Granted) + + $Results = Get-TargetResource @Params + + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/MSFT_IntuneAppleMDMPushNotificationCertificate.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/MSFT_IntuneAppleMDMPushNotificationCertificate.schema.mof new file mode 100644 index 0000000000..34227230e9 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/MSFT_IntuneAppleMDMPushNotificationCertificate.schema.mof 
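Review bot: the `DataSharingConsetGranted` lookup in `Export-TargetResource` is redundant: `Get-TargetResource` ignores the passed-in value and calls `Get-MgBetaDeviceManagementDataSharingConsent` itself, so the same Graph request is made twice per export. Passing only the key (`AppleIdentifier`) plus the authentication parameters to `Get-TargetResource`, as the other Export functions do, would simplify this block.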
@@ -0,0 +1,17 @@ +[ClassVersion("1.0.0.0"), FriendlyName("IntuneAppleMDMPushNotificationCertificate")] +class MSFT_IntuneAppleMDMPushNotificationCertificate : OMI_BaseResource +{ + [Key, Description("The name of the Apple Identifier.")] String AppleIdentifier; + [Write, Description("The Apple Push notification certificate.")] String Certificate; + [Write, Description("The unique identifier for an entity. Read-only.")] String Id; + [Write, Description("The boolean indicating DataSharing Conset agreement granted or not between Intune and Apple.")] Boolean DataSharingConsetGranted; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present", "Absent"}, Values{"Present", "Absent"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/readme.md new file mode 100644 index 0000000000..37a95a0750 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/readme.md 
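Review bot: the `DataSharingConsetGranted` misspelling from the psm1 is repeated here, in both the property name and its description ("DataSharing Conset agreement"); this is the name users will write in their configurations, so fix it before the first release. Also, since there is a single certificate per tenant, a short note in the `AppleIdentifier` description that only one instance of this resource can exist per tenant would help explain the key choice.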
@@ -0,0 +1,6 @@ + +# IntuneAppleMDMPushNotificationCertificate + +## Description + +Configures a resource for Apple MDM Push notification certificate used for device enrollment. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/settings.json new file mode 100644 index 0000000000..dfefc450b3 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/settings.json @@ -0,0 +1,44 @@ +{ + "resourceName": "IntuneAppleMDMPushCertificate", + "description": "Configures a resource for Apple MDM Push notification certificate used for device enrollment.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "DeviceManagementManagedDevices.Read.All" + }, + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementManagedDevices.ReadWrite.All" + }, + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "DeviceManagementManagedDevices.Read.All" + }, + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementManagedDevices.ReadWrite.All" + }, + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.psm1 index af4ecd222e..a3208e9ae9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.psm1 
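Review bot: `"resourceName": "IntuneAppleMDMPushCertificate"` in settings.json does not match the resource's `FriendlyName` `IntuneAppleMDMPushNotificationCertificate`, so tooling that keys on this field (permission look-ups, docs generation) will not find the resource. The readme should also state that creating the certificate grants the Intune/Apple data-sharing consent, which `Set-TargetResource` notes cannot be revoked. The declared Graph permissions are worth checking against the permission reference for `applePushNotificationCertificate` and `dataSharingConsents`, which may require `DeviceManagementServiceConfig.*` scopes rather than, or in addition to, the `DeviceManagementConfiguration.*` and `DeviceManagementManagedDevices.*` scopes listed.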
@@ -23,7 +23,7 @@ function Get-TargetResource { $Issuer, [Parameter()] - [ValidateSet('none', 'email', 'companyPortal')] + [ValidateSet('none', 'email', 'companyPortal', 'companyPortal,email')] [System.String] $NotificationType = 'none', @@ -96,17 +96,18 @@ function Get-TargetResource { if ($null -eq $instance) { - $instance = Get-MgBetaDeviceManagementDerivedCredential -DeviceManagementDerivedCredentialSettingsId $Id -ErrorAction Stop + $instance = Get-MgBetaDeviceManagementDerivedCredential -DeviceManagementDerivedCredentialSettingsId $Id -ErrorAction SilentlyContinue - if ($null -eq $instance) - { - Write-Verbose -Message "Could not find Derived Credential by Id {$Id}." + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find Derived Credential by Id {$Id}." + + if (-Not [string]::IsNullOrEmpty($DisplayName)) + { + $instance = Get-MgBetaDeviceManagementDerivedCredential ` + -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue - if (-Not [string]::IsNullOrEmpty($DisplayName)) - { - $instance = Get-MgBetaDeviceManagementDerivedCredential ` - -Filter "DisplayName eq '$DisplayName'" ` - -ErrorAction SilentlyContinue if ($null -eq $instance) { Write-Verbose -Message "Could not find Derived Credential by DisplayName {$DisplayName}." @@ -178,7 +179,7 @@ function Set-TargetResource { #endregion resource params [Parameter()] - [ValidateSet('none', 'email', 'companyPortal')] + [ValidateSet('none', 'email', 'companyPortal', 'companyPortal,email')] [System.String] $NotificationType = 'none', 
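Review bot: in the `Get-TargetResource` hunk the "Could not find Derived Credential by DisplayName" check stays nested inside the `if (-Not [string]::IsNullOrEmpty($DisplayName))` branch, so when `$DisplayName` is empty and the Id lookup (now `-ErrorAction SilentlyContinue`) returns nothing, `$instance` is `$null` but the function continues past this block; hoisting the final null check out of the DisplayName branch, as the IntuneAppCategory change in this PR does, would make both paths return `$nullResult`. The `-Filter "DisplayName eq '$DisplayName'"` value should also be escaped for single quotes. The new `'companyPortal,email'` ValidateSet value is a comma-joined combination of two flags; a comment saying that Graph returns the notification types joined that way would explain why it is listed as one literal.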
@@ -231,18 +232,21 @@ function Set-TargetResource { $currentInstance = Get-TargetResource @PSBoundParameters $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters - $setParameters.remove('Id') | Out-Null - $setParameters.remove('Ensure') | Out-Null + $setParameters.Remove('Id') | Out-Null # CREATE if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { + Write-Verbose -Message "Creating an Intune Derived Credential with DisplayName {$DisplayName}" + New-MgBetaDeviceManagementDerivedCredential @SetParameters } # UPDATE is not supported API, it always creates a new Derived Credential instance # REMOVE elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { + Write-Verbose -Message "Removing the Intune Derived Credential with DisplayName {$DisplayName}" + Remove-MgBetaDeviceManagementDerivedCredential -DeviceManagementDerivedCredentialSettingsId $currentInstance.Id -Confirm:$false } } @@ -272,7 +276,7 @@ function Test-TargetResource { $Issuer, [Parameter()] - [ValidateSet('none', 'email', 'companyPortal')] + [ValidateSet('none', 'email', 'companyPortal', 'companyPortal,email')] [System.String] $NotificationType = 'none', 
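Review bot: with UPDATE unsupported by the API (per the comment), a `Present`/`Present` state with drifted properties leaves `Set-TargetResource` doing nothing while `Test-TargetResource` keeps returning `$false`; a `Write-Warning` in that case saying the derived credential must be removed and recreated would make the non-convergence visible instead of silent. And as in the IntuneAppCategory hunk, dropping `remove('Ensure')` relies on `Remove-M365DSCAuthenticationParameter` stripping `Ensure` before the splat to `New-MgBetaDeviceManagementDerivedCredential`; worth confirming.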
@@ -330,13 +334,26 @@ function Test-TargetResource { $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" - $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } Write-Verbose -Message "Test-TargetResource returned $testResult" @@ -368,7 +385,7 @@ function Export-TargetResource { $Issuer, [Parameter()] - [ValidateSet('none', 'email', 'companyPortal')] + [ValidateSet('none', 'email', 'companyPortal', 'companyPortal,email')] [System.String] $NotificationType = 'none', diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.schema.mof index e893173409..b04d7ad2b8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.schema.mof 
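Review bot: the `$testResult = $true` / `if ($testResult)` guard cannot be false (same pattern as the IntuneAppCategory change in this PR) and the `Test-M365DSCParameterState` call can be unconditional. Otherwise the Ensure short-circuit and the removal of authentication parameters from `$ValuesToCheck` match the other resources.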
@@ -12,8 +12,8 @@ class MSFT_IntuneDerivedCredential : OMI_BaseResource String Issuer; [Write, Description("Supported values for the notification type to use."), - ValueMap{"none", "email", "companyPortal"}, - Values{"none", "email", "companyPortal"}] + ValueMap{"none", "email", "companyPortal", "companyPortal,email"}, + Values{"none", "email", "companyPortal", "companyPortal,email"}] String NotificationType; [Write, Description("Supported values for the notification type to use."), diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 index cf73c2b59a..8fc3e91fd8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 @@ -225,6 +225,7 @@ function Test-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + $ValuesToCheck = $PSBoundParameters Write-Verbose -Message "Testing configuration of Intune Device Management Compliance Settings" $CurrentValues = Get-TargetResource @PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay.psm1 new file mode 100644 index 0000000000..32316a56e5 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay.psm1 
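Review bot: in the IntuneDeviceManagementComplianceSettings hunk, `$ValuesToCheck = $PSBoundParameters` assigns a reference, not a copy, so any later `$ValuesToCheck.Remove(...)` also mutates `$PSBoundParameters`, which is splatted into `Get-TargetResource` on the next line and passed to `Test-M365DSCParameterState` as `-DesiredValues`; the other resources in this PR use `([Hashtable]$PSBoundParameters).Clone()` for exactly this reason.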
@@ -0,0 +1,516 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region Intune resource parameters + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $BindStatus, + + # [Parameter()] + # [System.String] + # $OwnerUserPrincipalName, + + # [Parameter()] + # [System.String] + # $OwnerOrganizationName, + + # [Parameter()] + # [System.String] + # $EnrollmentTarget, + + # [Parameter()] + # [System.Boolean] + # $DeviceOwnerManagementEnabled, + + # [Parameter()] + # [System.Boolean] + # $AndroidDeviceOwnerFullyManagedEnrollmentEnabled, + + #endregion + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
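Review bot: the block of commented-out parameters (`OwnerUserPrincipalName` through `AndroidDeviceOwnerFullyManagedEnrollmentEnabled`) is repeated in every function's param block and in the results hashtable; if these are planned, track them in an issue and drop the dead code, otherwise they will keep drifting from the schema. `BindStatus` is declared as a settable parameter, but it is state reported by the service and only changes through the signup and `unbind` actions used later in this file, so it should be documented as read-only or used only to derive the desired state.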
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $allSettings = Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting + $specificSetting = $allSettings | Where-Object { $_.id -eq $Id } + + if (-not $specificSetting) { + Write-Verbose "No Android Managed Store Account Enterprise Setting found with Id $Id." + return $nullResult + } + + $result = @{ + Id = $specificSetting.id + BindStatus = $specificSetting.bindStatus + # OwnerUserPrincipalName = $specificSetting.ownerUserPrincipalName + # OwnerOrganizationName = $specificSetting.ownerOrganizationName + # EnrollmentTarget = $specificSetting.enrollmentTarget + # DeviceOwnerManagementEnabled = $specificSetting.deviceOwnerManagementEnabled + # AndroidDeviceOwnerFullyManagedEnrollmentEnabled = $specificSetting.androidDeviceOwnerFullyManagedEnrollmentEnabled + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + return $result + + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region Intune resource parameters + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $BindStatus, + + # [Parameter()] + # [System.String] + 
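Review bot: `Get-TargetResource` filters the enterprise settings with `Where-Object { $_.id -eq $Id }`, but `Id` is optional and the settings object is a tenant singleton; a configuration that omits `Id` always lands in `$nullResult` (Ensure `Absent`), so `Set-TargetResource` will run its CREATE branch on every consistency check. Since there is only one settings object, the filter should be dropped or applied only when `$Id` is bound.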
# $OwnerUserPrincipalName, + + # [Parameter()] + # [System.String] + # $OwnerOrganizationName, + + # [Parameter()] + # [System.String] + # $EnrollmentTarget, + + # [Parameter()] + # [System.Boolean] + # $DeviceOwnerManagementEnabled, + + # [Parameter()] + # [System.Boolean] + # $AndroidDeviceOwnerFullyManagedEnrollmentEnabled, + + #endregion + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Device Management Android Google Play Enrollment with id {$Id}" + # Check data sharing consent status + $dataSharingConsent = Get-MgBetaDeviceManagementDataSharingConsent -DataSharingConsentId 'androidManagedStore' + if ($dataSharingConsent.granted -eq $false) + { + Write-Verbose -Message "Consent not granted, requesting consent..." 
+ $consentResult = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/deviceManagement/dataSharingConsents/androidManagedStore/consentToDataSharing" -Method 'POST' -Body @{ + DataSharingConsentId = "androidManagedStore" + } -ContentType "application/json" + } + + # Request enrollment signup URL if necessary + # TO DO: Once Android team has added adjusted code, uncomment the following code block + # if ($BindStatus -eq 'notBound') { + # Write-Verbose -Message "Requesting signup URL for enrollment..." + # $params = @{ + # hostName = "intune.microsoft.com" + # } + + # $signupUrl = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings/requestSignupUrl" -Method 'POST' -Body @{ + # hostName = "intune.microsoft.com" + # } -ContentType "application/json" + + # return $nullResult + # } + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Host "Remove the Intune Device Management Android Google Play Enrollment with Id {$($currentInstance.Id)}" + $unbindResult = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings/unbind" -Method 'POST' -Body @{} -ContentType "application/json" + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region Intune resource parameters + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $BindStatus, + + # [Parameter()] + # [System.String] + # $OwnerUserPrincipalName, + + # [Parameter()] + # [System.String] + # $OwnerOrganizationName, + + # [Parameter()] + # [System.String] + # $EnrollmentTarget, + + # [Parameter()] + # [System.Boolean] + # $DeviceOwnerManagementEnabled, + + # [Parameter()] + # [System.Boolean] + # $AndroidDeviceOwnerFullyManagedEnrollmentEnabled, + + #endregion + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + 
[Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Device Management Android Google Play Enrollment with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: 
$(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $TestResult" + + return $TestResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:getInstances = Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting ` + -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:getInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + foreach ($config in $Script:getInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:getInstances.Count)] $displayedKey" -NoNewline + + $params = @{ + Id = $config.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source 
$($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay.schema.mof new file mode 100644 index 0000000000..9e2721e9ed --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay.schema.mof 
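Review bot: In Set-TargetResource the only state this resource can actually change is the Ensure = 'Absent' branch, which unbinds the tenant's Managed Google Play account with a single unguarded POST to `.../androidManagedStoreAccountEnterpriseSettings/unbind`; since the readme says the bind action cannot yet be called outside the portal, a desired state of Absent is a one-way operation that this resource cannot undo, so the readme should say so explicitly and the message should use Write-Verbose like the other branches instead of Write-Host. There is no Present/Present branch, so a BindStatus that differs from the current value makes Test-TargetResource return $false on every run while Set-TargetResource changes nothing; either drop BindStatus from the comparison or document it as read-only for now. The consent call passes `-Body @{ DataSharingConsentId = "androidManagedStore" }` although the id is already in the URI, and `$consentResult`, `$unbindResult` and `$BoundParameters` are assigned but never read. In Test-TargetResource the verbose message interpolates `$DisplayName`, which is not a parameter of this function, and the CimInstance comparison loop can never match because the resource has no CIM-typed parameters; in Export-TargetResource the `$Filter` parameter is declared but unused.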
@@ -0,0 +1,19 @@ +[ClassVersion("1.0.0.0"), FriendlyName("IntuneDeviceManagementEnrollmentAndroidGooglePlay")] +class MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay : OMI_BaseResource +{ + [Key, Description("Primary key identifier of the Android Managed Store Account Enterprise Setting.")] String Id; + [Write, Description("Binding status of the Android Managed Store Account Enterprise Setting (e.g., 'bound', 'notBound').")] String BindStatus; + [Write, Description("The user principal name of the owner of the Android Managed Store Account.")] String OwnerUserPrincipalName; + [Write, Description("The organization name of the owner of the Android Managed Store Account.")] String OwnerOrganizationName; + [Write, Description("Specifies the enrollment target for the account enterprise setting (e.g., 'defaultEnrollmentRestrictions', 'targetedAsEnrollmentRestrictions').")] String EnrollmentTarget; + [Write, Description("Specifies whether device owner management is enabled.")] Boolean DeviceOwnerManagementEnabled; + [Write, Description("Specifies whether fully managed enrollment is enabled for Android devices.")] Boolean AndroidDeviceOwnerFullyManagedEnrollmentEnabled; + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] String Ensure; + [Write, Description("Credentials of the workload's Admin."), EmbeddedInstance("MSFT_Credential")] String Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Credential for the application secret used in authentication."), EmbeddedInstance("MSFT_Credential")] String 
ApplicationSecret; + [Write, Description("Indicates whether a Managed Identity is used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access tokens used for authentication in scenarios requiring multiple tokens.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/readme.md new file mode 100644 index 0000000000..d01aadb29b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/readme.md @@ -0,0 +1,7 @@ + +# IntuneDeviceManagementEnrollmentAndroidGooglePlay + +## Description + +This resource configures Android Enterprise enrollment settings for device management within Microsoft Intune. +Note: Currently the bind API to enroll is waiting for the product team to make changes so the API can be called outside of an Intune portal. Until those changes are made, we can only unbind (disconnect/unenroll). For that reason we have commented out certain parameters that cannot be set. This will be uncommented once those changes are made. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/settings.json new file mode 100644 index 0000000000..789eb4dbb4 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/settings.json 
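Review bot: The schema declares OwnerUserPrincipalName, OwnerOrganizationName, EnrollmentTarget, DeviceOwnerManagementEnabled and AndroidDeviceOwnerFullyManagedEnrollmentEnabled as Write properties, but the matching parameters are commented out in Get/Set/Test-TargetResource in the .psm1, so a configuration that sets any of them compiles and then fails at apply time when the LCM passes a parameter the functions do not declare. Either comment these properties out of the MOF as well until the bind API is available (the readme already explains why they are disabled), or keep the parameters in the functions and ignore them with a documented warning.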
@@ -0,0 +1,32 @@ +{ + "resourceName": "IntuneDeviceManagementEnrollmentAndroidGooglePlay", + "description": "This resource configures Intune Android enrollment settings.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.psm1 new file mode 100644 index 0000000000..b895ea034d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.psm1 
@@ -0,0 +1,628 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $AccountId, + + [Parameter()] + [System.Boolean] + $ConfigureWifi, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Int32] + $EnrolledDeviceCount, + + [Parameter()] + [System.String] + [ValidateSet( 'corporateOwnedDedicatedDevice', 'corporateOwnedFullyManaged', 'corporateOwnedWorkProfile', 'corporateOwnedAOSPUserlessDevice', 'corporateOwnedAOSPUserAssociatedDevice')] + $EnrollmentMode, + + [Parameter()] + [ValidateSet( 'default', 'corporateOwnedDedicatedDeviceWithAzureADSharedMode', 'deviceStaging')] + $EnrollmentTokenType, + + [Parameter()] + [System.Int32] + $EnrollmentTokenUsageCount, + + [Parameter()] + [System.Boolean] + $IsTeamsDeviceProfile, + + [Parameter()] + [System.String] + $QrCodeContent, + + [Parameter()] + [System.String] + $QrCodeImage, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $TokenValue, + + [Parameter()] + [System.String] + $TokenCreationDateTime, + + [Parameter()] + [System.String] + $TokenExpirationDateTime, + + [Parameter()] + [System.Boolean] + $WifiHidden, + + [Parameter()] + [System.Management.Automation.PSCredential] + $WifiPassword, + + [Parameter()] + [System.String] + [ValidateSet( 'none', 'wpa', 'wep' )] + $WifiSecurityType, + + [Parameter()] + [System.String] + $WifiSsid, + + [Parameter()] + [System.String] + [ValidateSet('Present', 'Absent')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + 
[System.String[]] + $AccessTokens + ) + + Write-Verbose -Message "Checking for the Intune Android Device Owner Enrollment Profile {$DisplayName}" + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Trying to retrieve profile by Id" + $androidDeviceOwnerEnrollmentProfile = Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile ` + -AndroidDeviceOwnerEnrollmentProfileId $Id + } + if ($null -eq $androidDeviceOwnerEnrollmentProfile) + { + Write-Verbose -Message "Trying to retrieve profile by DisplayName" + $androidDeviceOwnerEnrollmentProfile = Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile ` + -Filter "displayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + + if ($null -eq $androidDeviceOwnerEnrollmentProfile) + { + Write-Verbose -Message "No AndroidDeviceOwnerEnrollmentProfiles with {$Id} was found." 
+ return $nullResult + } + + $results = @{ + Id = $androidDeviceOwnerEnrollmentProfile.Id + DisplayName = $androidDeviceOwnerEnrollmentProfile.DisplayName + AccountId = $androidDeviceOwnerEnrollmentProfile.AccountId + ConfigureWifi = $androidDeviceOwnerEnrollmentProfile.ConfigureWifi + Description = $androidDeviceOwnerEnrollmentProfile.Description + EnrolledDeviceCount = $androidDeviceOwnerEnrollmentProfile.EnrolledDeviceCount + EnrollmentMode = $androidDeviceOwnerEnrollmentProfile.EnrollmentMode.ToString() + EnrollmentTokenType = $androidDeviceOwnerEnrollmentProfile.EnrollmentTokenType.ToString() + EnrollmentTokenUsageCount = $androidDeviceOwnerEnrollmentProfile.EnrollmentTokenUsageCount + IsTeamsDeviceProfile = $androidDeviceOwnerEnrollmentProfile.IsTeamsDeviceProfile + QrCodeContent = $androidDeviceOwnerEnrollmentProfile.QrCodeContent + QrCodeImage = $androidDeviceOwnerEnrollmentProfile.QrCodeImage + RoleScopeTagIds = $androidDeviceOwnerEnrollmentProfile.RoleScopeTagIds + TokenCreationDateTime = $androidDeviceOwnerEnrollmentProfile.TokenCreationDateTime.ToString() + TokenExpirationDateTime = $androidDeviceOwnerEnrollmentProfile.TokenExpirationDateTime.ToString() + TokenValue = $androidDeviceOwnerEnrollmentProfile.TokenValue + WifiHidden = $androidDeviceOwnerEnrollmentProfile.WifiHidden + WifiPassword = $androidDeviceOwnerEnrollmentProfile.WifiPassword + WifiSecurityType = $androidDeviceOwnerEnrollmentProfile.WifiSecurityType.ToString() + WifiSsid = $androidDeviceOwnerEnrollmentProfile.WifiSsid + + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + 
-Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $AccountId, + + [Parameter()] + [System.Boolean] + $ConfigureWifi, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Int32] + $EnrolledDeviceCount, + + [Parameter()] + [System.String] + [ValidateSet( 'corporateOwnedDedicatedDevice', 'corporateOwnedFullyManaged', 'corporateOwnedWorkProfile', 'corporateOwnedAOSPUserlessDevice', 'corporateOwnedAOSPUserAssociatedDevice')] + $EnrollmentMode, + + [Parameter()] + [ValidateSet( 'default', 'corporateOwnedDedicatedDeviceWithAzureADSharedMode', 'deviceStaging')] + $EnrollmentTokenType, + + [Parameter()] + [System.Int32] + $EnrollmentTokenUsageCount, + + [Parameter()] + [System.Boolean] + $IsTeamsDeviceProfile, + + [Parameter()] + [System.String] + $QrCodeContent, + + [Parameter()] + [System.String] + $QrCodeImage, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $TokenValue, + + [Parameter()] + [System.String] + $TokenCreationDateTime, + + [Parameter()] + [System.String] + $TokenExpirationDateTime, + + [Parameter()] + [System.Boolean] + $WifiHidden, + + [Parameter()] + [System.Management.Automation.PSCredential] + $WifiPassword, + + [Parameter()] + [System.String] + [ValidateSet( 'none', 'wpa', 'wep' )] + $WifiSecurityType, + + [Parameter()] + [System.String] + $WifiSsid, + + [Parameter()] + [System.String] + [ValidateSet('Present', 'Absent')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + 
[System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Create AndroidDeviceOwnerEnrollmentProfile: $DisplayName with Enrollment Mode: $EnrollmentMode" + + $setParameters.remove('Id') | Out-Null + $setParameters.remove('Ensure') | Out-Null + $setParameters.Remove('Verbose') | Out-Null + $response = New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile @setParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating AndroidDeviceOwnerEnrollmentProfile: $DisplayName" + Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -AndroidDeviceOwnerEnrollmentProfileId $currentInstance.Id -Confirm:$false + $response = New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile @setParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing AndroidDeviceOwnerEnrollmentProfile: $DisplayName" + Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -AndroidDeviceOwnerEnrollmentProfileId $currentInstance.Id -Confirm:$false + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] 
+ $DisplayName, + + [Parameter()] + [System.String] + $AccountId, + + [Parameter()] + [System.Boolean] + $ConfigureWifi, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Int32] + $EnrolledDeviceCount, + + [Parameter()] + [System.String] + [ValidateSet( 'corporateOwnedDedicatedDevice', 'corporateOwnedFullyManaged', 'corporateOwnedWorkProfile', 'corporateOwnedAOSPUserlessDevice', 'corporateOwnedAOSPUserAssociatedDevice')] + $EnrollmentMode, + + [Parameter()] + [ValidateSet( 'default', 'corporateOwnedDedicatedDeviceWithAzureADSharedMode', 'deviceStaging')] + $EnrollmentTokenType, + + [Parameter()] + [System.Int32] + $EnrollmentTokenUsageCount, + + [Parameter()] + [System.Boolean] + $IsTeamsDeviceProfile, + + [Parameter()] + [System.String] + $QrCodeContent, + + [Parameter()] + [System.String] + $QrCodeImage, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $TokenValue, + + [Parameter()] + [System.String] + $TokenCreationDateTime, + + [Parameter()] + [System.String] + $TokenExpirationDateTime, + + [Parameter()] + [System.Boolean] + $WifiHidden, + + [Parameter()] + [System.Management.Automation.PSCredential] + $WifiPassword, + + [Parameter()] + [System.String] + [ValidateSet( 'none', 'wpa', 'wep' )] + $WifiSecurityType, + + [Parameter()] + [System.String] + $WifiSsid, + + [Parameter()] + [System.String] + [ValidateSet('Present', 'Absent')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of AndroidDeviceOwnerEnrollmentProfile: {$DisplayName}" + + $ValuesToCheck = $PSBoundParameters + $ValuesToCheck.Remove('WifiPassword') | Out-Null + $CurrentValues = Get-TargetResource @PSBoundParameters + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $TestResult = Test-M365DSCParameterState ` + -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $TestResult" + + return $TestResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + $displayedKey = $config.DisplayName + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + 
-Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof new file mode 100644 index 0000000000..22fe3fc6f1 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof 
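Review bot: In Set-TargetResource the UPDATE branch calls New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile @setParameters without first removing Id, Ensure and Verbose the way the CREATE branch does, so the splat still carries an Ensure argument the cmdlet does not accept; the delete-and-recreate approach also discards the profile's current enrollment token, so every QR code or token already handed out for that profile stops working on any property change, and the Graph-computed properties (AccountId, EnrolledDeviceCount, EnrollmentTokenUsageCount, TokenValue, TokenCreationDateTime, TokenExpirationDateTime, QrCodeContent, QrCodeImage) remain in the splat and should be stripped as read-only before the call. TokenValue and QrCodeContent are the enrollment secret itself, yet Get-TargetResource returns them and Export-TargetResource writes them into the generated configuration in clear text; exclude them from the exported Results the same way passwords are handled elsewhere in the module. WifiPassword is typed PSCredential in the param blocks, but Get-TargetResource assigns the raw string from Graph to it and Set passes the credential object itself in the splat; unwrap it (GetNetworkCredential().Password or equivalent) before calling the cmdlet. Minor: EnrollmentTokenType has no type attribute in any of the three param blocks, and the .ToString() calls on the DateTime and enum properties in Get-TargetResource will throw if Graph returns a null value.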
@@ -0,0 +1,39 @@ +[ClassVersion("1.0.0.0")] +class MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfileQRImage +{ + [Write, Description("Indicates the content mime type.")] String type; + [Write, Description("The byte array that contains the actual content.")] String value; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile")] +class MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile : OMI_BaseResource +{ + [Key, Description("Display name for the enrollment profile.")] String DisplayName; + [Write, Description("Unique GUID for the enrollment profile. Read-Only.")] String Id; + + [Write, Description("Intune AccountId GUID the enrollment profile belongs to.")] String AccountId; + [Write, Description("Description for the enrollment profile.")] String Description; + [Write, Description("The enrollment mode of devices that use this enrollment profile."), ValueMap{"corporateOwnedDedicatedDevice", "corporateOwnedFullyManaged", "corporateOwnedWorkProfile", "corporateOwnedAOSPUserlessDevice", "corporateOwnedAOSPUserAssociatedDevice"}] String EnrollmentMode; + [Write, Description("The enrollment token type for an enrollment profile."), ValueMap{"default", "corporateOwnedDedicatedDeviceWithAzureADSharedMode", "deviceStaging"}] String EnrollmentTokenType; + [Write, Description("Value of the most recently created token for this enrollment profile.")] String TokenValue; + [Write, Description("Date time the most recently created token was created.")] String TokenCreationDateTime; + [Write, Description("Date time the most recently created token will expire.")] String TokenExpirationDateTime; + [Write, Description("Total number of Android devices that have enrolled using this enrollment profile.")] UInt32 EnrolledDeviceCount; + [Write, Description("Total number of AOSP devices that have enrolled using the current token. 
Valid values 0 to 20000")] UInt32 EnrollmentTokenUsageCount; + [Write, Description("String used to generate a QR code for the token.")] String QrCodeContent; + [Write, Description("String used to generate a QR code for the token.")] String QrCodeImage; + [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[]; + [Write, Description("Boolean that indicates that the Wi-Fi network should be configured during device provisioning. When set to TRUE, device provisioning will use Wi-Fi related properties to automatically connect to Wi-Fi networks. When set to FALSE or undefined, other Wi-Fi related properties will be ignored. Default value is TRUE. Returned by default.")] Boolean ConfigureWifi; + [Write, Description("String that contains the wi-fi login ssid")] String WifiSsid; + [Write, Description("String that contains the wi-fi login password. The parameter is a PSCredential object."), EmbeddedInstance("MSFT_Credential")] String WifiPassword; + [Write, Description("String that contains the wi-fi security type."), ValueMap{"none", "wpa", "wep"}] String WifiSecurityType; + [Write, Description("Boolean that indicates if hidden wifi networks are enabled")] Boolean WifiHidden; + [Write, Description("Boolean indicating if this profile is an Android AOSP for Teams device profile.")] Boolean IsTeamsDeviceProfile; + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present", "Absent"}, Values{"Present", "Absent"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for 
authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/readme.md new file mode 100644 index 0000000000..14e5fe1b0d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/readme.md @@ -0,0 +1,5 @@ +# IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile + +## Description + +Enrollment Profile used to enroll Android Enterprise devices using Google's Cloud Management. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/settings.json new file mode 100644 index 0000000000..8507274e9b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/settings.json @@ -0,0 +1,32 @@ +{ + "resourceName": "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile", + "description": "Enrollment Profile used to enroll Android Enterprise devices using Google's Cloud Management.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + } + } + } +} 
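Review bot: `QrCodeImage` is declared as a plain `String` although the hunk defines an `MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfileQRImage` class (with `type` and `value`) directly above it and nothing references that class; either declare it as `[Write, Description("..."), EmbeddedInstance("MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfileQRImage")] String QrCodeImage;` or drop the unused class. Its description is also a copy of the `QrCodeContent` one ("String used to generate a QR code for the token."). Separately, `TokenValue` ("Value of the most recently created token for this enrollment profile") is an enrollment secret that will be written in clear text into every exported configuration; consider treating it like `Id` (documented as read-only and left out of the desired-state comparison) rather than as a settable `String`, in the same way `WifiPassword` is already protected as an `MSFT_Credential`.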
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 index a7a6ad3a6e..987f41812b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 @@ -126,18 +126,11 @@ function Get-TargetResource $policySettings = @{} $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings - if ($policySettings.ClientConfigurationPackageType -eq 'onboarding_fromconnector') - { - $policySettings.Add('ConfigurationType', 'AutoFromConnector') - } - else - { - $policySettings.Add('ConfigurationType', $policySettings.ClientConfigurationPackageType) - } + $policySettings.Add('ConfigurationType', $policySettings.ClientConfigurationPackageType) $policySettings.Remove('ClientConfigurationPackageType') $policySettings.Remove('onboarding') $policySettings.Remove('offboarding') - $policySettings.Remove('onboarding_fromconnector') + $policySettings.Remove('autofromconnector') # Removing TelemetryReportingFrequency because it's deprecated and doesn't need to be evaluated and enforced $policySettings.Remove('telemetryreportingfrequency') 
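Review bot: the last `Remove` in this hunk now drops the key `'autofromconnector'`, but the only child setting the resource writes for this mode is still named `'onboarding_fromconnector'` (see `$BoundParameters.Add('onboarding_fromconnector', 'autoConnectPlaceholder')` in the Set-TargetResource hunk), so if `Export-IntuneSettingCatalogPolicySettings` returns that child setting it will now survive in `$policySettings` and leak into the Get result; keep `$policySettings.Remove('onboarding_fromconnector')` next to the new line. Also, `ConfigurationType` now carries the raw catalog value `'autofromconnector'` while Set-TargetResource switches on `'AutoFromConnector'`; that works because `switch` compares case-insensitively, but a one-line comment saying so would save the next reader the check.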
@@ -273,8 +266,8 @@ function Set-TargetResource { 'AutoFromConnector' { - $BoundParameters.Add('ClientConfigurationPackageType', 'onboarding_fromconnector') - $BoundParameters.Add('onboarding_fromconnector', $ConfigurationBlob) + $BoundParameters.Add('ClientConfigurationPackageType', 'autofromconnector') + $BoundParameters.Add('onboarding_fromconnector', 'autoConnectPlaceholder') $BoundParameters.Remove('ConfigurationBlob') | Out-Null } 'Onboard' @@ -291,9 +284,9 @@ function Set-TargetResource } } - if ([System.String]::IsNullOrEmpty($ConfigurationBlob)) + if ($ConfigurationType -ne 'AutoFromConnector' -and [System.String]::IsNullOrEmpty($ConfigurationBlob)) { - throw "ConfigurationBlob is required for configurationType '$($DSCParams.ConfigurationType)'" + throw "ConfigurationBlob is required for configurationType '$($ConfigurationType)'" } $BoundParameters.Remove('ConfigurationType') | Out-Null diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 new file mode 100644 index 0000000000..2eac6e4eca --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 
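Review bot: in the first hunk the `'AutoFromConnector'` branch now sends the literal `'autoConnectPlaceholder'` as the `onboarding_fromconnector` value and silently discards `$ConfigurationBlob`; add a comment stating that in this mode the onboarding package is supplied by the Defender for Endpoint connector and the placeholder is the value the settings catalog expects, otherwise the hard-coded string reads like leftover test data. The pairing of the package-type value `'autofromconnector'` with the key `'onboarding_fromconnector'` also deserves a line of explanation.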
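Review bot: in the second hunk the guard `if ($ConfigurationType -ne 'AutoFromConnector' -and [System.String]::IsNullOrEmpty($ConfigurationBlob))` is the right condition and the message now interpolates `$ConfigurationType` instead of the undefined `$DSCParams`; since the guard sits after the `switch` that already consumed `$ConfigurationBlob`, consider moving it in front of the `switch` so an empty blob fails before any setting is added to `$BoundParameters`.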
@@ -0,0 +1,693 @@ +# https://learn.microsoft.com/en-us/graph/api/resources/intune-onboarding-mobilethreatdefenseconnector?view=graph-rest-1.0 +# https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.devicemanagement.administration/new-mgdevicemanagementmobilethreatdefenseconnector?view=graph-powershell-1.0 + +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region Intune parameters + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosPersonalApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AndroidDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $AndroidEnabled, + + [Parameter()] + [System.Boolean] + $AndroidMobileApplicationManagementEnabled, + + [Parameter()] + [System.Boolean] + $IosDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $IosEnabled, + + [Parameter()] + [System.Boolean] + $IosMobileApplicationManagementEnabled, + + [Parameter()] + [System.DateTime] + $LastHeartbeatDateTime, + + [Parameter()] + [System.Boolean] + $MicrosoftDefenderForEndpointAttachEnabled, + + [Parameter()] + [System.String] + $PartnerState, + + [Parameter()] + [System.Int32] + $PartnerUnresponsivenessThresholdInDays, + + [Parameter()] + [System.Boolean] + $PartnerUnsupportedOSVersionBlocked, + + [Parameter()] + [System.Boolean] + $WindowsDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $WindowsEnabled, + + #endregion Intune parameters + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + 
[Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + else + { + $instance = Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MobileThreatDefenseConnectorId $Id -ErrorAction Stop + } + + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find MobileThreatDefenseConnector by Id: {$Id}." + if (-Not [string]::IsNullOrEmpty($DisplayName)) + { + # There is no API which searches MobileThreatDefenseConnector by its DisplayName so the below code is commented out. + # $instance = Get-MgBetaDeviceManagementMobileThreatDefenseConnector ` + # -Filter "DisplayName eq '$DisplayName'" ` + + # The DisplayName property is not supported by the any API of this resource, hence hard-coded in below function for convenience. 
+ $connectorId = (Get-MobileThreatDefenseConnectorIdOrDisplayName -DisplayName $DisplayName).Id + $instance = Get-MgBetaDeviceManagementMobileThreatDefenseConnector ` + -MobileThreatDefenseConnectorId $connectorId + -ErrorAction SilentlyContinue + } + + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find MobileThreatDefenseConnector by DisplayName: {$DisplayName}." + return $nullResult + } + } + + if([string]::IsNullOrEmpty($DisplayName)) + { + $DisplayName = (Get-MobileThreatDefenseConnectorIdOrDisplayName -Id $instance.Id).DisplayName + } + + $results = @{ + Id = $instance.Id + DisplayName = $DisplayName + ResponseHeadersVariable = $instance.ResponseHeadersVariable + AllowPartnerToCollectIosApplicationMetadata = $instance.AllowPartnerToCollectIosApplicationMetadata + AllowPartnerToCollectIosPersonalApplicationMetadata = $instance.AllowPartnerToCollectIosPersonalApplicationMetadata + AndroidDeviceBlockedOnMissingPartnerData = $instance.AndroidDeviceBlockedOnMissingPartnerData + AndroidEnabled = $instance.AndroidEnabled + AndroidMobileApplicationManagementEnabled = $instance.AndroidMobileApplicationManagementEnabled + IosDeviceBlockedOnMissingPartnerData = $instance.IosDeviceBlockedOnMissingPartnerData + IosEnabled = $instance.IosEnabled + IosMobileApplicationManagementEnabled = $instance.IosMobileApplicationManagementEnabled + LastHeartbeatDateTime = $instance.LastHeartbeatDateTime + MicrosoftDefenderForEndpointAttachEnabled = $instance.MicrosoftDefenderForEndpointAttachEnabled + PartnerState = $instance.PartnerState.ToString() + PartnerUnresponsivenessThresholdInDays = $instance.PartnerUnresponsivenessThresholdInDays + PartnerUnsupportedOSVersionBlocked = $instance.PartnerUnsupportedOSVersionBlocked + WindowsDeviceBlockedOnMissingPartnerData = $instance.WindowsDeviceBlockedOnMissingPartnerData + WindowsEnabled = $instance.WindowsEnabled + + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + 
CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region Intune parameters + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosPersonalApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AndroidDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $AndroidEnabled, + + [Parameter()] + [System.Boolean] + $AndroidMobileApplicationManagementEnabled, + + [Parameter()] + [System.Boolean] + $IosDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $IosEnabled, + + [Parameter()] + [System.Boolean] + $IosMobileApplicationManagementEnabled, + + [Parameter()] + [System.DateTime] + $LastHeartbeatDateTime, + + [Parameter()] + [System.Boolean] + $MicrosoftDefenderForEndpointAttachEnabled, + + [Parameter()] + [System.String] + $PartnerState, + + [Parameter()] + [System.Int32] + $PartnerUnresponsivenessThresholdInDays, + + [Parameter()] + [System.Boolean] + $PartnerUnsupportedOSVersionBlocked, + + [Parameter()] + [System.Boolean] + $WindowsDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $WindowsEnabled, + + #endregion Intune parameters + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] 
+ [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $SetParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # Remove the DisplayName parameter as the Graph API does not support it + $SetParameters.Remove('DisplayName') | Out-Null + $SetParameters.Remove('Id') | Out-Null + $SetParameters.Remove('LastHeartbeatDateTime') | Out-Null + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + New-MgBetaDeviceManagementMobileThreatDefenseConnector @SetParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Update-MgBetaDeviceManagementMobileThreatDefenseConnector -MobileThreatDefenseConnectorId $currentInstance.Id @SetParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Remove-MgBetaDeviceManagementMobileThreatDefenseConnector -MobileThreatDefenseConnectorId $currentInstance.Id -Confirm:$false + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region Intune parameters + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + 
$DisplayName, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosPersonalApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AndroidDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $AndroidEnabled, + + [Parameter()] + [System.Boolean] + $AndroidMobileApplicationManagementEnabled, + + [Parameter()] + [System.Boolean] + $IosDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $IosEnabled, + + [Parameter()] + [System.Boolean] + $IosMobileApplicationManagementEnabled, + + [Parameter()] + [System.DateTime] + $LastHeartbeatDateTime, + + [Parameter()] + [System.Boolean] + $MicrosoftDefenderForEndpointAttachEnabled, + + [Parameter()] + [System.String] + [ValidateSet('unavailable', 'available', 'enabled', 'unresponsive', 'notSetUp', 'error')] + $PartnerState, + + [Parameter()] + [System.Int32] + $PartnerUnresponsivenessThresholdInDays, + + [Parameter()] + [System.Boolean] + $PartnerUnsupportedOSVersionBlocked, + + [Parameter()] + [System.Boolean] + $WindowsDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $WindowsEnabled, + + #endregion Intune parameters + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaDeviceManagementMobileThreatDefenseConnector -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + foreach ($config in $Script:exportedInstances) + { + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + AllowPartnerToCollectIosApplicationMetadata = $config.AllowPartnerToCollectIosApplicationMetadata + AllowPartnerToCollectIosPersonalApplicationMetadata = $config.AllowPartnerToCollectIosPersonalApplicationMetadata + AndroidDeviceBlockedOnMissingPartnerData = $config.AndroidDeviceBlockedOnMissingPartnerData + AndroidEnabled = $config.AndroidEnabled + AndroidMobileApplicationManagementEnabled = $config.AndroidMobileApplicationManagementEnabled + IosDeviceBlockedOnMissingPartnerData = $config.IosDeviceBlockedOnMissingPartnerData + IosEnabled = $config.IosEnabled + IosMobileApplicationManagementEnabled = $config.IosMobileApplicationManagementEnabled + LastHeartbeatDateTime = $config.LastHeartbeatDateTime + MicrosoftDefenderForEndpointAttachEnabled = $config.MicrosoftDefenderForEndpointAttachEnabled + PartnerState = $config.PartnerState.ToString() + PartnerUnresponsivenessThresholdInDays = $config.PartnerUnresponsivenessThresholdInDays + PartnerUnsupportedOSVersionBlocked = $config.PartnerUnsupportedOSVersionBlocked + WindowsDeviceBlockedOnMissingPartnerData = 
$config.WindowsDeviceBlockedOnMissingPartnerData + WindowsEnabled = $config.WindowsEnabled + + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +#region Helper functions + +function Get-MobileThreatDefenseConnectorIdOrDisplayName { + param ( + [Parameter(Mandatory = $false)] + [string]$Id, + + [Parameter(Mandatory = $false)] + [string]$DisplayName + ) + + # Hashtable mapping IDs to Display Names + $IdToDisplayNameMap = @{ + "fc780465-2017-40d4-a0c5-307022471b92" = "Microsoft Defender for Endpoint" + "860d3ab4-8fd1-45f5-89cd-ecf51e4f92e5" = "BETTER Mobile Security" + "d3ddeae8-441f-4681-b80f-aef644f7195a" = "Check Point Harmony Mobile" + "8d0ed095-8191-4bd3-8a41-953b22d51ff7" = "Pradeo" + "1f58d6d2-02cc-4c80-b008-1bfe7396a10a" = "Jamf Trust" + "4873197-ffec-4dfc-9816-db65f34c7cb9" = "Trellix Mobile Security" + "a447eca6-a986-4d3f-9838-5862bf50776c" = "CylancePROTECT Mobile" + "4928f0f6-2660-4f69-b4c5-5170ec921f7b" = "Trend Micro" + 
"bb13fe25-ce1f-45aa-b278-cabbc6b9072e" = "SentinelOne" + "e6f777f8-e4c2-4a5b-be01-50b5c124bc7f" = "Windows Security Center" + "29ee2d98-e795-475f-a0f8-0802dc3384a9" = "CrowdStrike Falcon for Mobile" + "870b252b-0ef0-4707-8847-50fc571472b3" = "Sophos" + "2c7790de-8b02-4814-85cf-e0c59380dee8" = "Lookout for Work" + "28fd67fd-b179-4629-a8b0-dad420b697c7" = "Symantec Endpoint Protection" + "08a8455c-48dd-45ff-ad82-7211355354f3" = "Zimperium" + } + + # If Id is provided, look up the DisplayName + if($null -ne $Id) + { + $displayName = $IdToDisplayNameMap[$Id] + } + + # If DisplayName is provided, look up the Id + # Create a reverse lookup hashtable for DisplayName to Id + $DisplayNameToIdMap = @{} + foreach ($key in $IdToDisplayNameMap.Keys) { + $DisplayNameToIdMap[$IdToDisplayNameMap[$key]] = $key + } + if (-not [string]::IsNullOrEmpty($DisplayName)) { + $Id = $DisplayNameToIdMap[$DisplayName] + if (-not $Id) { + Write-Host "Internal func: DisplayName '$DisplayName' not found." + return + } + } + + # Create the results tuple + return @{ + Id = $Id + DisplayName = $displayName + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof new file mode 100644 index 0000000000..0930cf9803 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof 
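Review bot: the DisplayName fallback in Get-TargetResource does not parse: `-MobileThreatDefenseConnectorId $connectorId` has no trailing backtick, so `-ErrorAction SilentlyContinue` starts a new statement instead of belonging to the cmdlet call; add the backtick or put both parameters on one line. In the same block `(Get-MobileThreatDefenseConnectorIdOrDisplayName -DisplayName $DisplayName).Id` is dereferenced even though the helper returns nothing for an unknown name, which then calls the Graph cmdlet with an empty id; test for `$null` first. In the helper, `if($null -ne $Id)` is always true because `[string]$Id` defaults to `''`; use `[string]::IsNullOrEmpty($Id)`, and replace the `Write-Host "Internal func: ..."` with `Write-Verbose` so export output stays clean. The map entry `"4873197-ffec-4dfc-9816-db65f34c7cb9"` has a 7-character first group and cannot be a valid GUID; please verify it. Finally, `$results` carries `ResponseHeadersVariable`, which is neither a parameter nor a schema property, and `PartnerState` is constrained by `ValidateSet` only in Test-TargetResource but not in Get- or Set-TargetResource.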
@@ -0,0 +1,31 @@ +[ClassVersion("1.0.0.0"), FriendlyName("IntuneMobileThreatDefenseConnector")] +class MSFT_IntuneMobileThreatDefenseConnector : OMI_BaseResource +{ + [Key, Description("The unique identifier for an entity. Read-only.")] String Id; + [Write, Description("The DisplayName of the Mobile Threat Defense Connector partner. NOTE: Hard coded for convenience, not returned by the Graph API.")] String DisplayName; + + [Write, Description("When TRUE, indicates the Mobile Threat Defense partner may collect metadata about installed applications from Intune for IOS devices. When FALSE, indicates the Mobile Threat Defense partner may not collect metadata about installed applications from Intune for IOS devices. Default value is FALSE.")] Boolean AllowPartnerToCollectIosApplicationMetadata; + [Write, Description("When TRUE, indicates the Mobile Threat Defense partner may collect metadata about personally installed applications from Intune for IOS devices. When FALSE, indicates the Mobile Threat Defense partner may not collect metadata about personally installed applications from Intune for IOS devices. Default value is FALSE.")] Boolean AllowPartnerToCollectIosPersonalApplicationMetadata; + [Write, Description("For Android, set whether Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant.")] Boolean AndroidDeviceBlockedOnMissingPartnerData; + [Write, Description("For Android, set whether data from the Mobile Threat Defense partner should be used during compliance evaluations.")] Boolean AndroidEnabled; + [Write, Description("When TRUE, indicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for Android devices. When FALSE, indicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for Android devices. 
Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE.")] Boolean AndroidMobileApplicationManagementEnabled; + [Write, Description("For IOS, set whether Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant.")] Boolean IosDeviceBlockedOnMissingPartnerData; + [Write, Description("For IOS, get or set whether data from the Mobile Threat Defense partner should be used during compliance evaluations.")] Boolean IosEnabled; + [Write, Description("When TRUE, indicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for IOS devices. When FALSE, indicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for IOS devices. Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE.")] Boolean IosMobileApplicationManagementEnabled; + [Write, Description("DateTime of last Heartbeat received from the Mobile Threat Defense partner.")] DateTime LastHeartbeatDateTime; + [Write, Description("When TRUE, indicates that configuration profile management via Microsoft Defender for Endpoint is enabled. When FALSE, inidicates that configuration profile management via Microsoft Defender for Endpoint is disabled. 
Default value is FALSE.")] Boolean MicrosoftDefenderForEndpointAttachEnabled; + [Write, Description("Partner state of this tenant.")] String PartnerState; + [Write, Description("Get or Set days the per tenant tolerance to unresponsiveness for this partner integration.")] Uint32 PartnerUnresponsivenessThresholdInDays; + [Write, Description("Get or set whether to block devices on the enabled platforms that do not meet the minimum version requirements of the Mobile Threat Defense partner.")] Boolean PartnerUnsupportedOSVersionBlocked; + [Write, Description("When TRUE, indicates that Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant for Windows. When FALSE, indicates that Intune may make a device compliant without receiving data from the Mobile Threat Defense partner for Windows. Default value is FALSE.")] Boolean WindowsDeviceBlockedOnMissingPartnerData; + [Write, Description("When TRUE, indicates that data from the Mobile Threat Defense partner can be used during compliance evaluations for Windows. When FALSE, it indicates that data from the Mobile Threat Defense partner should not be used during compliance evaluations for Windows. 
Default value is FALSE.")] Boolean WindowsEnabled; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present", "Absent"}, Values{"Present", "Absent"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/readme.md new file mode 100644 index 0000000000..19046bad50 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/readme.md @@ -0,0 +1,6 @@ + +# IntuneMobileThreatDefenseConnector + +## Description + +This resource configures a connection to Mobile Threat Defense partner. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/settings.json new file mode 100644 index 0000000000..448e3e179c --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/settings.json 
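Review bot: `PartnerUnresponsivenessThresholdInDays` is declared `Uint32` in this MOF but `[System.Int32]` in all three functions of the .psm1; align the types (the Android enrollment profile schema in this PR uses `UInt32`) so the LCM and the cmdlets do not disagree on negative or out-of-range values. `LastHeartbeatDateTime` is a server-reported value ("DateTime of last Heartbeat received from the Mobile Threat Defense partner") that Set-TargetResource already strips, so `[Read]` would match the actual behaviour better than `[Write]`. Typo in the `MicrosoftDefenderForEndpointAttachEnabled` description: "inidicates".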
@@ -0,0 +1,32 @@ +{ + "resourceName": "IntuneMobileThreatDefenseConnector", + "description": "This resource configures a connection to Mobile Threat Defense partner.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "DeviceManagementServiceConfig.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementServiceConfig.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "DeviceManagementServiceConfig.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementServiceConfig.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/MSFT_IntuneSecurityBaselineDefenderForEndpoint.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/MSFT_IntuneSecurityBaselineDefenderForEndpoint.psm1 new file mode 100644 index 0000000000..4640ae3064 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/MSFT_IntuneSecurityBaselineDefenderForEndpoint.psm1 
@@ -0,0 +1,1061 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DeviceSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UserSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Security Baseline Defender For Endpoint with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Security Baseline Defender For Endpoint with Name {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune Security Baseline Defender For Endpoint with Id {$Id} and Name {$DisplayName} was found" + + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Id ` + -ExpandProperty 'settingDefinitions' ` + -All ` + -ErrorAction Stop + + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings -ContainsDeviceAndUserSettings + + #region resource generator code + $complexDeviceSettings = @{} + + # Add device settings with conditional checks + if ($null -ne $policySettings.DeviceSettings.deviceInstall_Classes_Deny) { + $complexDeviceSettings.Add('DeviceInstall_Classes_Deny', $policySettings.DeviceSettings.deviceInstall_Classes_Deny) + } + if ($null -ne $policySettings.DeviceSettings.deviceInstall_Classes_Deny_List) { + $complexDeviceSettings.Add('DeviceInstall_Classes_Deny_List', $policySettings.DeviceSettings.deviceInstall_Classes_Deny_List) + } + if ($null -ne $policySettings.DeviceSettings.deviceInstall_Classes_Deny_Retroactive) { + $complexDeviceSettings.Add('DeviceInstall_Classes_Deny_Retroactive', $policySettings.DeviceSettings.deviceInstall_Classes_Deny_Retroactive) + } + if ($null -ne $policySettings.DeviceSettings.encryptionMethodWithXts_Name) { + $complexDeviceSettings.Add('EncryptionMethodWithXts_Name', $policySettings.DeviceSettings.encryptionMethodWithXts_Name) + } + if ($null -ne $policySettings.DeviceSettings.encryptionMethodWithXtsOsDropDown_Name) { + $complexDeviceSettings.Add('EncryptionMethodWithXtsOsDropDown_Name', $policySettings.DeviceSettings.encryptionMethodWithXtsOsDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.encryptionMethodWithXtsFdvDropDown_Name) { + $complexDeviceSettings.Add('EncryptionMethodWithXtsFdvDropDown_Name', 
$policySettings.DeviceSettings.encryptionMethodWithXtsFdvDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.encryptionMethodWithXtsRdvDropDown_Name) { + $complexDeviceSettings.Add('EncryptionMethodWithXtsRdvDropDown_Name', $policySettings.DeviceSettings.encryptionMethodWithXtsRdvDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVRecoveryUsage_Name) { + $complexDeviceSettings.Add('FDVRecoveryUsage_Name', $policySettings.DeviceSettings.fDVRecoveryUsage_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVActiveDirectoryBackup_Name) { + $complexDeviceSettings.Add('FDVActiveDirectoryBackup_Name', $policySettings.DeviceSettings.fDVActiveDirectoryBackup_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVHideRecoveryPage_Name) { + $complexDeviceSettings.Add('FDVHideRecoveryPage_Name', $policySettings.DeviceSettings.fDVHideRecoveryPage_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVRecoveryPasswordUsageDropDown_Name) { + $complexDeviceSettings.Add('FDVRecoveryPasswordUsageDropDown_Name', $policySettings.DeviceSettings.fDVRecoveryPasswordUsageDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVRequireActiveDirectoryBackup_Name) { + $complexDeviceSettings.Add('FDVRequireActiveDirectoryBackup_Name', $policySettings.DeviceSettings.fDVRequireActiveDirectoryBackup_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVAllowDRA_Name) { + $complexDeviceSettings.Add('FDVAllowDRA_Name', $policySettings.DeviceSettings.fDVAllowDRA_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVActiveDirectoryBackupDropDown_Name) { + $complexDeviceSettings.Add('FDVActiveDirectoryBackupDropDown_Name', $policySettings.DeviceSettings.fDVActiveDirectoryBackupDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVRecoveryKeyUsageDropDown_Name) { + $complexDeviceSettings.Add('FDVRecoveryKeyUsageDropDown_Name', $policySettings.DeviceSettings.fDVRecoveryKeyUsageDropDown_Name) + } + if ($null -ne 
$policySettings.DeviceSettings.fDVDenyWriteAccess_Name) { + $complexDeviceSettings.Add('FDVDenyWriteAccess_Name', $policySettings.DeviceSettings.fDVDenyWriteAccess_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVEncryptionType_Name) { + $complexDeviceSettings.Add('FDVEncryptionType_Name', $policySettings.DeviceSettings.fDVEncryptionType_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVEncryptionTypeDropDown_Name) { + $complexDeviceSettings.Add('FDVEncryptionTypeDropDown_Name', $policySettings.DeviceSettings.fDVEncryptionTypeDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.enablePreBootPinExceptionOnDECapableDevice_Name) { + $complexDeviceSettings.Add('EnablePreBootPinExceptionOnDECapableDevice_Name', $policySettings.DeviceSettings.enablePreBootPinExceptionOnDECapableDevice_Name) + } + if ($null -ne $policySettings.DeviceSettings.enhancedPIN_Name) { + $complexDeviceSettings.Add('EnhancedPIN_Name', $policySettings.DeviceSettings.enhancedPIN_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSRecoveryUsage_Name) { + $complexDeviceSettings.Add('OSRecoveryUsage_Name', $policySettings.DeviceSettings.OSRecoveryUsage_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSRequireActiveDirectoryBackup_Name) { + $complexDeviceSettings.Add('OSRequireActiveDirectoryBackup_Name', $policySettings.DeviceSettings.OSRequireActiveDirectoryBackup_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSActiveDirectoryBackup_Name) { + $complexDeviceSettings.Add('OSActiveDirectoryBackup_Name', $policySettings.DeviceSettings.OSActiveDirectoryBackup_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSRecoveryPasswordUsageDropDown_Name) { + $complexDeviceSettings.Add('OSRecoveryPasswordUsageDropDown_Name', $policySettings.DeviceSettings.OSRecoveryPasswordUsageDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSHideRecoveryPage_Name) { + $complexDeviceSettings.Add('OSHideRecoveryPage_Name', 
$policySettings.DeviceSettings.OSHideRecoveryPage_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSAllowDRA_Name) { + $complexDeviceSettings.Add('OSAllowDRA_Name', $policySettings.DeviceSettings.OSAllowDRA_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSRecoveryKeyUsageDropDown_Name) { + $complexDeviceSettings.Add('OSRecoveryKeyUsageDropDown_Name', $policySettings.DeviceSettings.OSRecoveryKeyUsageDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSActiveDirectoryBackupDropDown_Name) { + $complexDeviceSettings.Add('OSActiveDirectoryBackupDropDown_Name', $policySettings.DeviceSettings.OSActiveDirectoryBackupDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.enablePrebootInputProtectorsOnSlates_Name) { + $complexDeviceSettings.Add('EnablePrebootInputProtectorsOnSlates_Name', $policySettings.DeviceSettings.enablePrebootInputProtectorsOnSlates_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSEncryptionType_Name) { + $complexDeviceSettings.Add('OSEncryptionType_Name', $policySettings.DeviceSettings.OSEncryptionType_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSEncryptionTypeDropDown_Name) { + $complexDeviceSettings.Add('OSEncryptionTypeDropDown_Name', $policySettings.DeviceSettings.OSEncryptionTypeDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.configureAdvancedStartup_Name) { + $complexDeviceSettings.Add('ConfigureAdvancedStartup_Name', $policySettings.DeviceSettings.configureAdvancedStartup_Name) + } + if ($null -ne $policySettings.DeviceSettings.configureTPMStartupKeyUsageDropDown_Name) { + $complexDeviceSettings.Add('ConfigureTPMStartupKeyUsageDropDown_Name', $policySettings.DeviceSettings.configureTPMStartupKeyUsageDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.configureTPMPINKeyUsageDropDown_Name) { + $complexDeviceSettings.Add('ConfigureTPMPINKeyUsageDropDown_Name', $policySettings.DeviceSettings.configureTPMPINKeyUsageDropDown_Name) + } + if ($null -ne 
$policySettings.DeviceSettings.configureTPMUsageDropDown_Name) { + $complexDeviceSettings.Add('ConfigureTPMUsageDropDown_Name', $policySettings.DeviceSettings.configureTPMUsageDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.configureNonTPMStartupKeyUsage_Name) { + $complexDeviceSettings.Add('ConfigureNonTPMStartupKeyUsage_Name', $policySettings.DeviceSettings.configureNonTPMStartupKeyUsage_Name) + } + if ($null -ne $policySettings.DeviceSettings.configurePINUsageDropDown_Name) { + $complexDeviceSettings.Add('ConfigurePINUsageDropDown_Name', $policySettings.DeviceSettings.configurePINUsageDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.RDVConfigureBDE) { + $complexDeviceSettings.Add('RDVConfigureBDE', $policySettings.DeviceSettings.RDVConfigureBDE) + } + if ($null -ne $policySettings.DeviceSettings.RDVAllowBDE_Name) { + $complexDeviceSettings.Add('RDVAllowBDE_Name', $policySettings.DeviceSettings.RDVAllowBDE_Name) + } + if ($null -ne $policySettings.DeviceSettings.RDVEncryptionType_Name) { + $complexDeviceSettings.Add('RDVEncryptionType_Name', $policySettings.DeviceSettings.RDVEncryptionType_Name) + } + if ($null -ne $policySettings.DeviceSettings.RDVEncryptionTypeDropDown_Name) { + $complexDeviceSettings.Add('RDVEncryptionTypeDropDown_Name', $policySettings.DeviceSettings.RDVEncryptionTypeDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.RDVDisableBDE_Name) { + $complexDeviceSettings.Add('RDVDisableBDE_Name', $policySettings.DeviceSettings.RDVDisableBDE_Name) + } + if ($null -ne $policySettings.DeviceSettings.RDVDenyWriteAccess_Name) { + $complexDeviceSettings.Add('RDVDenyWriteAccess_Name', $policySettings.DeviceSettings.RDVDenyWriteAccess_Name) + } + if ($null -ne $policySettings.DeviceSettings.RDVCrossOrg) { + $complexDeviceSettings.Add('RDVCrossOrg', $policySettings.DeviceSettings.RDVCrossOrg) + } + if ($null -ne $policySettings.DeviceSettings.EnableSmartScreen) { + 
$complexDeviceSettings.Add('EnableSmartScreen', $policySettings.DeviceSettings.EnableSmartScreen) + } + if ($null -ne $policySettings.DeviceSettings.EnableSmartScreenDropdown) { + $complexDeviceSettings.Add('EnableSmartScreenDropdown', $policySettings.DeviceSettings.EnableSmartScreenDropdown) + } + if ($null -ne $policySettings.DeviceSettings.DisableSafetyFilterOverrideForAppRepUnknown) { + $complexDeviceSettings.Add('DisableSafetyFilterOverrideForAppRepUnknown', $policySettings.DeviceSettings.DisableSafetyFilterOverrideForAppRepUnknown) + } + if ($null -ne $policySettings.DeviceSettings.Disable_Managing_Safety_Filter_IE9) { + $complexDeviceSettings.Add('Disable_Managing_Safety_Filter_IE9', $policySettings.DeviceSettings.Disable_Managing_Safety_Filter_IE9) + } + if ($null -ne $policySettings.DeviceSettings.IE9SafetyFilterOptions) { + $complexDeviceSettings.Add('IE9SafetyFilterOptions', $policySettings.DeviceSettings.IE9SafetyFilterOptions) + } + if ($null -ne $policySettings.DeviceSettings.AllowWarningForOtherDiskEncryption) { + $complexDeviceSettings.Add('AllowWarningForOtherDiskEncryption', $policySettings.DeviceSettings.AllowWarningForOtherDiskEncryption) + } + if ($null -ne $policySettings.DeviceSettings.AllowStandardUserEncryption) { + $complexDeviceSettings.Add('AllowStandardUserEncryption', $policySettings.DeviceSettings.AllowStandardUserEncryption) + } + if ($null -ne $policySettings.DeviceSettings.ConfigureRecoveryPasswordRotation) { + $complexDeviceSettings.Add('ConfigureRecoveryPasswordRotation', $policySettings.DeviceSettings.ConfigureRecoveryPasswordRotation) + } + if ($null -ne $policySettings.DeviceSettings.RequireDeviceEncryption) { + $complexDeviceSettings.Add('RequireDeviceEncryption', $policySettings.DeviceSettings.RequireDeviceEncryption) + } + if ($null -ne $policySettings.DeviceSettings.AllowArchiveScanning) { + $complexDeviceSettings.Add('AllowArchiveScanning', $policySettings.DeviceSettings.AllowArchiveScanning) + } + if ($null -ne 
$policySettings.DeviceSettings.AllowBehaviorMonitoring) { + $complexDeviceSettings.Add('AllowBehaviorMonitoring', $policySettings.DeviceSettings.AllowBehaviorMonitoring) + } + if ($null -ne $policySettings.DeviceSettings.AllowCloudProtection) { + $complexDeviceSettings.Add('AllowCloudProtection', $policySettings.DeviceSettings.AllowCloudProtection) + } + if ($null -ne $policySettings.DeviceSettings.AllowEmailScanning) { + $complexDeviceSettings.Add('AllowEmailScanning', $policySettings.DeviceSettings.AllowEmailScanning) + } + if ($null -ne $policySettings.DeviceSettings.AllowFullScanRemovableDriveScanning) { + $complexDeviceSettings.Add('AllowFullScanRemovableDriveScanning', $policySettings.DeviceSettings.AllowFullScanRemovableDriveScanning) + } + if ($null -ne $policySettings.DeviceSettings.AllowOnAccessProtection) { + $complexDeviceSettings.Add('AllowOnAccessProtection', $policySettings.DeviceSettings.AllowOnAccessProtection) + } + if ($null -ne $policySettings.DeviceSettings.AllowRealtimeMonitoring) { + $complexDeviceSettings.Add('AllowRealtimeMonitoring', $policySettings.DeviceSettings.AllowRealtimeMonitoring) + } + if ($null -ne $policySettings.DeviceSettings.AllowScanningNetworkFiles) { + $complexDeviceSettings.Add('AllowScanningNetworkFiles', $policySettings.DeviceSettings.AllowScanningNetworkFiles) + } + if ($null -ne $policySettings.DeviceSettings.AllowIOAVProtection) { + $complexDeviceSettings.Add('AllowIOAVProtection', $policySettings.DeviceSettings.AllowIOAVProtection) + } + if ($null -ne $policySettings.DeviceSettings.AllowScriptScanning) { + $complexDeviceSettings.Add('AllowScriptScanning', $policySettings.DeviceSettings.AllowScriptScanning) + } + if ($null -ne $policySettings.DeviceSettings.AllowUserUIAccess) { + $complexDeviceSettings.Add('AllowUserUIAccess', $policySettings.DeviceSettings.AllowUserUIAccess) + } + if ($null -ne $policySettings.DeviceSettings.BlockExecutionOfPotentiallyObfuscatedScripts) { + 
$complexDeviceSettings.Add('BlockExecutionOfPotentiallyObfuscatedScripts', $policySettings.DeviceSettings.BlockExecutionOfPotentiallyObfuscatedScripts) + } + if ($null -ne $policySettings.DeviceSettings.BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockWin32APICallsFromOfficeMacros) { + $complexDeviceSettings.Add('BlockWin32APICallsFromOfficeMacros', $policySettings.DeviceSettings.BlockWin32APICallsFromOfficeMacros) + } + if ($null -ne $policySettings.DeviceSettings.BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion) { + $complexDeviceSettings.Add('BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion', $policySettings.DeviceSettings.BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion) + } + if ($null -ne $policySettings.DeviceSettings.BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockOfficeCommunicationAppFromCreatingChildProcesses) { + $complexDeviceSettings.Add('BlockOfficeCommunicationAppFromCreatingChildProcesses', 
$policySettings.DeviceSettings.BlockOfficeCommunicationAppFromCreatingChildProcesses) + } + if ($null -ne $policySettings.DeviceSettings.BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockAllOfficeApplicationsFromCreatingChildProcesses) { + $complexDeviceSettings.Add('BlockAllOfficeApplicationsFromCreatingChildProcesses', $policySettings.DeviceSettings.BlockAllOfficeApplicationsFromCreatingChildProcesses) + } + if ($null -ne $policySettings.DeviceSettings.BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockAdobeReaderFromCreatingChildProcesses) { + $complexDeviceSettings.Add('BlockAdobeReaderFromCreatingChildProcesses', $policySettings.DeviceSettings.BlockAdobeReaderFromCreatingChildProcesses) + } + if ($null -ne $policySettings.DeviceSettings.BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem) { + $complexDeviceSettings.Add('BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem', $policySettings.DeviceSettings.BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem) + } + if ($null -ne 
$policySettings.DeviceSettings.BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent) { + $complexDeviceSettings.Add('BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent', $policySettings.DeviceSettings.BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent) + } + if ($null -ne $policySettings.DeviceSettings.BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockWebshellCreationForServers) { + $complexDeviceSettings.Add('BlockWebshellCreationForServers', $policySettings.DeviceSettings.BlockWebshellCreationForServers) + } + if ($null -ne $policySettings.DeviceSettings.BlockWebshellCreationForServers_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockWebshellCreationForServers_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockWebshellCreationForServers_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockUntrustedUnsignedProcessesThatRunFromUSB) { + $complexDeviceSettings.Add('BlockUntrustedUnsignedProcessesThatRunFromUSB', $policySettings.DeviceSettings.BlockUntrustedUnsignedProcessesThatRunFromUSB) + } + if ($null -ne $policySettings.DeviceSettings.BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions) { + 
$complexDeviceSettings.Add('BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockPersistenceThroughWMIEventSubscription) { + $complexDeviceSettings.Add('BlockPersistenceThroughWMIEventSubscription', $policySettings.DeviceSettings.BlockPersistenceThroughWMIEventSubscription) + } + if ($null -ne $policySettings.DeviceSettings.BlockUseOfCopiedOrImpersonatedSystemTools) { + $complexDeviceSettings.Add('BlockUseOfCopiedOrImpersonatedSystemTools', $policySettings.DeviceSettings.BlockUseOfCopiedOrImpersonatedSystemTools) + } + if ($null -ne $policySettings.DeviceSettings.BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockAbuseOfExploitedVulnerableSignedDrivers) { + $complexDeviceSettings.Add('BlockAbuseOfExploitedVulnerableSignedDrivers', $policySettings.DeviceSettings.BlockAbuseOfExploitedVulnerableSignedDrivers) + } + if ($null -ne $policySettings.DeviceSettings.BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockProcessCreationsFromPSExecAndWMICommands) { + $complexDeviceSettings.Add('BlockProcessCreationsFromPSExecAndWMICommands', $policySettings.DeviceSettings.BlockProcessCreationsFromPSExecAndWMICommands) + } + if ($null -ne $policySettings.DeviceSettings.BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions) { + 
$complexDeviceSettings.Add('BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockOfficeApplicationsFromCreatingExecutableContent) { + $complexDeviceSettings.Add('BlockOfficeApplicationsFromCreatingExecutableContent', $policySettings.DeviceSettings.BlockOfficeApplicationsFromCreatingExecutableContent) + } + if ($null -ne $policySettings.DeviceSettings.BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses) { + $complexDeviceSettings.Add('BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses', $policySettings.DeviceSettings.BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses) + } + if ($null -ne $policySettings.DeviceSettings.BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockRebootingMachineInSafeMode) { + $complexDeviceSettings.Add('BlockRebootingMachineInSafeMode', $policySettings.DeviceSettings.BlockRebootingMachineInSafeMode) + } + if ($null -ne $policySettings.DeviceSettings.BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions', 
$policySettings.DeviceSettings.BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.UseAdvancedProtectionAgainstRansomware) { + $complexDeviceSettings.Add('UseAdvancedProtectionAgainstRansomware', $policySettings.DeviceSettings.UseAdvancedProtectionAgainstRansomware) + } + if ($null -ne $policySettings.DeviceSettings.UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.BlockExecutableContentFromEmailClientAndWebmail) { + $complexDeviceSettings.Add('BlockExecutableContentFromEmailClientAndWebmail', $policySettings.DeviceSettings.BlockExecutableContentFromEmailClientAndWebmail) + } + if ($null -ne $policySettings.DeviceSettings.BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.CheckForSignaturesBeforeRunningScan) { + $complexDeviceSettings.Add('CheckForSignaturesBeforeRunningScan', $policySettings.DeviceSettings.CheckForSignaturesBeforeRunningScan) + } + if ($null -ne $policySettings.DeviceSettings.CloudBlockLevel) { + $complexDeviceSettings.Add('CloudBlockLevel', $policySettings.DeviceSettings.CloudBlockLevel) + } + if ($null -ne $policySettings.DeviceSettings.CloudExtendedTimeout) { + $complexDeviceSettings.Add('CloudExtendedTimeout', $policySettings.DeviceSettings.CloudExtendedTimeout) + } + if ($null -ne $policySettings.DeviceSettings.DisableLocalAdminMerge) { + $complexDeviceSettings.Add('DisableLocalAdminMerge', $policySettings.DeviceSettings.DisableLocalAdminMerge) + } + 
if ($null -ne $policySettings.DeviceSettings.EnableNetworkProtection) { + $complexDeviceSettings.Add('EnableNetworkProtection', $policySettings.DeviceSettings.EnableNetworkProtection) + } + if ($null -ne $policySettings.DeviceSettings.HideExclusionsFromLocalAdmins) { + $complexDeviceSettings.Add('HideExclusionsFromLocalAdmins', $policySettings.DeviceSettings.HideExclusionsFromLocalAdmins) + } + if ($null -ne $policySettings.DeviceSettings.HideExclusionsFromLocalUsers) { + $complexDeviceSettings.Add('HideExclusionsFromLocalUsers', $policySettings.DeviceSettings.HideExclusionsFromLocalUsers) + } + if ($null -ne $policySettings.DeviceSettings.OobeEnableRtpAndSigUpdate) { + $complexDeviceSettings.Add('OobeEnableRtpAndSigUpdate', $policySettings.DeviceSettings.OobeEnableRtpAndSigUpdate) + } + if ($null -ne $policySettings.DeviceSettings.PUAProtection) { + $complexDeviceSettings.Add('PUAProtection', $policySettings.DeviceSettings.PUAProtection) + } + if ($null -ne $policySettings.DeviceSettings.RealTimeScanDirection) { + $complexDeviceSettings.Add('RealTimeScanDirection', $policySettings.DeviceSettings.RealTimeScanDirection) + } + if ($null -ne $policySettings.DeviceSettings.ScanParameter) { + $complexDeviceSettings.Add('ScanParameter', $policySettings.DeviceSettings.ScanParameter) + } + if ($null -ne $policySettings.DeviceSettings.ScheduleQuickScanTime) { + $complexDeviceSettings.Add('ScheduleQuickScanTime', $policySettings.DeviceSettings.ScheduleQuickScanTime) + } + if ($null -ne $policySettings.DeviceSettings.ScheduleScanDay) { + $complexDeviceSettings.Add('ScheduleScanDay', $policySettings.DeviceSettings.ScheduleScanDay) + } + if ($null -ne $policySettings.DeviceSettings.ScheduleScanTime) { + $complexDeviceSettings.Add('ScheduleScanTime', $policySettings.DeviceSettings.ScheduleScanTime) + } + if ($null -ne $policySettings.DeviceSettings.SignatureUpdateInterval) { + $complexDeviceSettings.Add('SignatureUpdateInterval', 
$policySettings.DeviceSettings.SignatureUpdateInterval) + } + if ($null -ne $policySettings.DeviceSettings.SubmitSamplesConsent) { + $complexDeviceSettings.Add('SubmitSamplesConsent', $policySettings.DeviceSettings.SubmitSamplesConsent) + } + if ($null -ne $policySettings.DeviceSettings.LsaCfgFlags) { + $complexDeviceSettings.Add('LsaCfgFlags', $policySettings.DeviceSettings.LsaCfgFlags) + } + if ($null -ne $policySettings.DeviceSettings.DeviceEnumerationPolicy) { + $complexDeviceSettings.Add('DeviceEnumerationPolicy', $policySettings.DeviceSettings.DeviceEnumerationPolicy) + } + if ($null -ne $policySettings.DeviceSettings.SmartScreenEnabled) { + $complexDeviceSettings.Add('SmartScreenEnabled', $policySettings.DeviceSettings.SmartScreenEnabled) + } + if ($null -ne $policySettings.DeviceSettings.SmartScreenPuaEnabled) { + $complexDeviceSettings.Add('SmartScreenPuaEnabled', $policySettings.DeviceSettings.SmartScreenPuaEnabled) + } + if ($null -ne $policySettings.DeviceSettings.SmartScreenDnsRequestsEnabled) { + $complexDeviceSettings.Add('SmartScreenDnsRequestsEnabled', $policySettings.DeviceSettings.SmartScreenDnsRequestsEnabled) + } + if ($null -ne $policySettings.DeviceSettings.NewSmartScreenLibraryEnabled) { + $complexDeviceSettings.Add('NewSmartScreenLibraryEnabled', $policySettings.DeviceSettings.NewSmartScreenLibraryEnabled) + } + if ($null -ne $policySettings.DeviceSettings.SmartScreenForTrustedDownloadsEnabled) { + $complexDeviceSettings.Add('SmartScreenForTrustedDownloadsEnabled', $policySettings.DeviceSettings.SmartScreenForTrustedDownloadsEnabled) + } + if ($null -ne $policySettings.DeviceSettings.PreventSmartScreenPromptOverride) { + $complexDeviceSettings.Add('PreventSmartScreenPromptOverride', $policySettings.DeviceSettings.PreventSmartScreenPromptOverride) + } + if ($null -ne $policySettings.DeviceSettings.PreventSmartScreenPromptOverrideForFiles) { + $complexDeviceSettings.Add('PreventSmartScreenPromptOverrideForFiles', 
$policySettings.DeviceSettings.PreventSmartScreenPromptOverrideForFiles) + } + + # Check if $complexDeviceSettings is empty + if ($complexDeviceSettings.Values.Where({ $null -ne $_ }).Count -eq 0) { + $complexDeviceSettings = $null + } + $policySettings.Remove('DeviceSettings') | Out-Null + + $complexUserSettings = @{} + + # Add user settings with conditional checks + if ($null -ne $policySettings.UserSettings.DisableSafetyFilterOverrideForAppRepUnknown) { + $complexUserSettings.Add('DisableSafetyFilterOverrideForAppRepUnknown', $policySettings.UserSettings.DisableSafetyFilterOverrideForAppRepUnknown) + } + + # Check if $complexUserSettings is empty + if ($complexUserSettings.Values.Where({ $null -ne $_ }).Count -eq 0) { + $complexUserSettings = $null + } + $policySettings.Remove('UserSettings') | Out-Null + #endregion + + #endregion + + $results = @{ + #region resource generator code + Description = $getValue.Description + DisplayName = $getValue.Name + RoleScopeTagIds = $getValue.RoleScopeTagIds + Id = $getValue.Id + DeviceSettings = $complexDeviceSettings + UserSettings = $complexUserSettings + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + $results += $policySettings + + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential 
$Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DeviceSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UserSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $templateReferenceId = '49b8320f-e179-472e-8e2c-2fde00289ca2_1' + $platforms = 'windows10' + $technologies = 'mdm' + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Security Baseline Defender For Endpoint with Name {$DisplayName}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId ` + -ContainsDeviceAndUserSettings + + $createParameters = @{ + Name = $DisplayName + Description = $Description + TemplateReference = @{ templateId = $templateReferenceId } + Platforms = $platforms + Technologies = $technologies + Settings = $settings + } + + #region resource generator code + $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters + + if ($policy.Id) + { + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune Security Baseline Defender For Endpoint with Id {$($currentInstance.Id)}" + $BoundParameters.Remove("Assignments") | Out-Null + + 
$settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId ` + -ContainsDeviceAndUserSettings + + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Name $DisplayName ` + -Description $Description ` + -TemplateReferenceId $templateReferenceId ` + -Platforms $platforms ` + -Technologies $technologies ` + -Settings $settings + + #region resource generator code + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune Security Baseline Defender For Endpoint with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DeviceSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UserSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + 
[System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Security Baseline Defender For Endpoint with Id {$Id} and Name {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } + } + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + 
} + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + $policyTemplateID = "49b8320f-e179-472e-8e2c-2fde00289ca2_1" + [array]$getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter $Filter ` + -All ` + -ErrorAction Stop | Where-Object ` + -FilterScript { + $_.TemplateReference.TemplateId -eq $policyTemplateID + } + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.Name + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.DeviceSettings) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.DeviceSettings ` + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint' + if (-not 
[String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.DeviceSettings = $complexTypeStringResult + } + else + { + $Results.Remove('DeviceSettings') | Out-Null + } + } + if ($null -ne $Results.UserSettings) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.UserSettings ` + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.UserSettings = $complexTypeStringResult + } + else + { + $Results.Remove('UserSettings') | Out-Null + } + } + + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + $Results.Remove('Assignments') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.DeviceSettings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "DeviceSettings" -IsCIMArray:$False + } + if ($Results.UserSettings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "UserSettings" -IsCIMArray:$False + } + + if ($Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error 
during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/MSFT_IntuneSecurityBaselineDefenderForEndpoint.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/MSFT_IntuneSecurityBaselineDefenderForEndpoint.schema.mof new file mode 100644 index 0000000000..fd92d48936 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/MSFT_IntuneSecurityBaselineDefenderForEndpoint.schema.mof 
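Review bot: Get-TargetResource's `$results` hashtable omits `AccessTokens` even though Export-TargetResource passes `AccessTokens = $AccessTokens` into `Get-TargetResource @Params` and both Set-TargetResource and Test-TargetResource declare the parameter; add `AccessTokens = $AccessTokens` next to `ManagedIdentity = $ManagedIdentity.IsPresent` so the returned instance reports the same authentication mode as the other auth parameters. Separately, in Test-TargetResource the parameter filter `if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction'))` is always true, because any key that fails the first test (for example `ErrorVariable`) passes the second; if the intent is to skip common parameters, the operator should be `-and`.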
@@ -0,0 +1,166 @@ +[ClassVersion("1.0.0.0")] +class MSFT_DeviceManagementConfigurationPolicyAssignments +{ + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType; + [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint +{ + [Write, Description("Prevent installation of devices using drivers that match these device setup classes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_Classes_Deny; + [Write, Description("Prevented Classes - Depends on DeviceInstall_Classes_Deny")] String DeviceInstall_Classes_Deny_List[]; + [Write, Description("Also apply to matching devices that are already installed. 
- Depends on DeviceInstall_Classes_Deny (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_Classes_Deny_Retroactive; + [Write, Description("Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EncryptionMethodWithXts_Name; + [Write, Description("Select the encryption method for operating system drives: - Depends on EncryptionMethodWithXts_Name (3: AES-CBC 128-bit, 4: AES-CBC 256-bit, 6: XTS-AES 128-bit (default), 7: XTS-AES 256-bit)"), ValueMap{"3", "4", "6", "7"}, Values{"3", "4", "6", "7"}] String EncryptionMethodWithXtsOsDropDown_Name; + [Write, Description("Select the encryption method for fixed data drives: - Depends on EncryptionMethodWithXts_Name (3: AES-CBC 128-bit, 4: AES-CBC 256-bit, 6: XTS-AES 128-bit (default), 7: XTS-AES 256-bit)"), ValueMap{"3", "4", "6", "7"}, Values{"3", "4", "6", "7"}] String EncryptionMethodWithXtsFdvDropDown_Name; + [Write, Description("Select the encryption method for removable data drives: - Depends on EncryptionMethodWithXts_Name (3: AES-CBC 128-bit (default), 4: AES-CBC 256-bit, 6: XTS-AES 128-bit, 7: XTS-AES 256-bit)"), ValueMap{"3", "4", "6", "7"}, Values{"3", "4", "6", "7"}] String EncryptionMethodWithXtsRdvDropDown_Name; + [Write, Description("Choose how BitLocker-protected fixed drives can be recovered (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String FDVRecoveryUsage_Name; + [Write, Description("Save BitLocker recovery information to AD DS for fixed data drives - Depends on FDVRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String FDVActiveDirectoryBackup_Name; + [Write, Description("Omit recovery options from the BitLocker setup wizard - Depends on FDVRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String FDVHideRecoveryPage_Name; + [Write, Description("Configure user storage of BitLocker 
recovery information: - Depends on FDVRecoveryUsage_Name (2: Allow 48-digit recovery password, 1: Require 48-digit recovery password, 0: Do not allow 48-digit recovery password)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String FDVRecoveryPasswordUsageDropDown_Name; + [Write, Description("Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives - Depends on FDVRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String FDVRequireActiveDirectoryBackup_Name; + [Write, Description("Allow data recovery agent - Depends on FDVRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String FDVAllowDRA_Name; + [Write, Description("Configure storage of BitLocker recovery information to AD DS: - Depends on FDVRecoveryUsage_Name (1: Backup recovery passwords and key packages, 2: Backup recovery passwords only)"), ValueMap{"1", "2"}, Values{"1", "2"}] String FDVActiveDirectoryBackupDropDown_Name; + [Write, Description(" - Depends on FDVRecoveryUsage_Name (2: Allow 256-bit recovery key, 1: Require 256-bit recovery key, 0: Do not allow 256-bit recovery key)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String FDVRecoveryKeyUsageDropDown_Name; + [Write, Description("Deny write access to fixed drives not protected by BitLocker (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String FDVDenyWriteAccess_Name; + [Write, Description("Enforce drive encryption type on fixed data drives (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String FDVEncryptionType_Name; + [Write, Description("Select the encryption type: (Device) - Depends on FDVEncryptionType_Name (0: Allow user to choose (default), 1: Full encryption, 2: Used Space Only encryption)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String FDVEncryptionTypeDropDown_Name; + [Write, Description("Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. 
(0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnablePreBootPinExceptionOnDECapableDevice_Name; + [Write, Description("Allow enhanced PINs for startup (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnhancedPIN_Name; + [Write, Description("Choose how BitLocker-protected operating system drives can be recovered (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String OSRecoveryUsage_Name; + [Write, Description("Do not enable BitLocker until recovery information is stored to AD DS for operating system drives - Depends on OSRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String OSRequireActiveDirectoryBackup_Name; + [Write, Description("Save BitLocker recovery information to AD DS for operating system drives - Depends on OSRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String OSActiveDirectoryBackup_Name; + [Write, Description("Configure user storage of BitLocker recovery information: - Depends on OSRecoveryUsage_Name (2: Allow 48-digit recovery password, 1: Require 48-digit recovery password, 0: Do not allow 48-digit recovery password)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String OSRecoveryPasswordUsageDropDown_Name; + [Write, Description("Omit recovery options from the BitLocker setup wizard - Depends on OSRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String OSHideRecoveryPage_Name; + [Write, Description("Allow data recovery agent - Depends on OSRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String OSAllowDRA_Name; + [Write, Description(" - Depends on OSRecoveryUsage_Name (2: Allow 256-bit recovery key, 1: Require 256-bit recovery key, 0: Do not allow 256-bit recovery key)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String OSRecoveryKeyUsageDropDown_Name; + [Write, Description("Configure storage of BitLocker recovery information to AD DS: - Depends 
on OSRecoveryUsage_Name (1: Store recovery passwords and key packages, 2: Store recovery passwords only)"), ValueMap{"1", "2"}, Values{"1", "2"}] String OSActiveDirectoryBackupDropDown_Name; + [Write, Description("Enable use of BitLocker authentication requiring preboot keyboard input on slates (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnablePrebootInputProtectorsOnSlates_Name; + [Write, Description("Enforce drive encryption type on operating system drives (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String OSEncryptionType_Name; + [Write, Description("Select the encryption type: (Device) - Depends on OSEncryptionType_Name (0: Allow user to choose (default), 1: Full encryption, 2: Used Space Only encryption)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String OSEncryptionTypeDropDown_Name; + [Write, Description("Require additional authentication at startup (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ConfigureAdvancedStartup_Name; + [Write, Description("Configure TPM startup key: - Depends on ConfigureAdvancedStartup_Name (2: Allow startup key with TPM, 1: Require startup key with TPM, 0: Do not allow startup key with TPM)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String ConfigureTPMStartupKeyUsageDropDown_Name; + [Write, Description("Configure TPM startup key and PIN: - Depends on ConfigureAdvancedStartup_Name (2: Allow startup key and PIN with TPM, 1: Require startup key and PIN with TPM, 0: Do not allow startup key and PIN with TPM)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String ConfigureTPMPINKeyUsageDropDown_Name; + [Write, Description("Configure TPM startup: - Depends on ConfigureAdvancedStartup_Name (2: Allow TPM, 1: Require TPM, 0: Do not allow TPM)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String ConfigureTPMUsageDropDown_Name; + [Write, Description("Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB 
flash drive) - Depends on ConfigureAdvancedStartup_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ConfigureNonTPMStartupKeyUsage_Name; + [Write, Description("Configure TPM startup PIN: - Depends on ConfigureAdvancedStartup_Name (2: Allow startup PIN with TPM, 1: Require startup PIN with TPM, 0: Do not allow startup PIN with TPM)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String ConfigurePINUsageDropDown_Name; + [Write, Description("Control use of BitLocker on removable drives (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RDVConfigureBDE; + [Write, Description("Allow users to apply BitLocker protection on removable data drives (Device) - Depends on RDVConfigureBDE (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RDVAllowBDE_Name; + [Write, Description("Enforce drive encryption type on removable data drives (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RDVEncryptionType_Name; + [Write, Description("Select the encryption type: (Device) (0: Allow user to choose (default), 1: Full encryption, 2: Used Space Only encryption)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String RDVEncryptionTypeDropDown_Name; + [Write, Description("Allow users to suspend and decrypt BitLocker protection on removable data drives (Device) - Depends on RDVConfigureBDE (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RDVDisableBDE_Name; + [Write, Description("Deny write access to removable drives not protected by BitLocker (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RDVDenyWriteAccess_Name; + [Write, Description("Do not allow write access to devices configured in another organization - Depends on RDVDenyWriteAccess_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RDVCrossOrg; + [Write, Description("Configure Windows Defender SmartScreen (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String 
EnableSmartScreen; + [Write, Description("Pick one of the following settings: (Device) - Depends on EnableSmartScreen (block: Warn and prevent bypass, warn: Warn)"), ValueMap{"block", "warn"}, Values{"block", "warn"}] String EnableSmartScreenDropdown; + [Write, Description("Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisableSafetyFilterOverrideForAppRepUnknown; + [Write, Description("Prevent managing SmartScreen Filter (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Disable_Managing_Safety_Filter_IE9; + [Write, Description("Select SmartScreen Filter mode - Depends on Disable_Managing_Safety_Filter_IE9 (0: Off, 1: On)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IE9SafetyFilterOptions; + [Write, Description("Allow Warning For Other Disk Encryption (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowWarningForOtherDiskEncryption; + [Write, Description("Allow Standard User Encryption - Depends on AllowWarningForOtherDiskEncryption (0: This is the default, when the policy is not set. 
If current logged on user is a standard user, 'RequireDeviceEncryption' policy will not try to enable encryption on any drive., 1: 'RequireDeviceEncryption' policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowStandardUserEncryption; + [Write, Description("Configure Recovery Password Rotation (0: Refresh off (default), 1: Refresh on for Azure AD-joined devices, 2: Refresh on for both Azure AD-joined and hybrid-joined devices)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String ConfigureRecoveryPasswordRotation; + [Write, Description("Require Device Encryption (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RequireDeviceEncryption; + [Write, Description("Allow Archive Scanning (0: Not allowed. Turns off scanning on archived files., 1: Allowed. Scans the archive files.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowArchiveScanning; + [Write, Description("Allow Behavior Monitoring (0: Not allowed. Turns off behavior monitoring., 1: Allowed. Turns on real-time behavior monitoring.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowBehaviorMonitoring; + [Write, Description("Allow Cloud Protection (0: Not allowed. Turns off the Microsoft Active Protection Service., 1: Allowed. Turns on the Microsoft Active Protection Service.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowCloudProtection; + [Write, Description("Allow Email Scanning (0: Not allowed. Turns off email scanning., 1: Allowed. Turns on email scanning.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowEmailScanning; + [Write, Description("Allow Full Scan Removable Drive Scanning (0: Not allowed. Turns off scanning on removable drives., 1: Allowed. 
Scans removable drives.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowFullScanRemovableDriveScanning; + [Write, Description("Allow On Access Protection (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowOnAccessProtection; + [Write, Description("Allow Realtime Monitoring (0: Not allowed. Turns off the real-time monitoring service., 1: Allowed. Turns on and runs the real-time monitoring service.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowRealtimeMonitoring; + [Write, Description("Allow Scanning Network Files (0: Not allowed. Turns off scanning of network files., 1: Allowed. Scans network files.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowScanningNetworkFiles; + [Write, Description("Allow scanning of all downloaded files and attachments (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowIOAVProtection; + [Write, Description("Allow Script Scanning (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowScriptScanning; + [Write, Description("Allow User UI Access (0: Not allowed. Prevents users from accessing UI., 1: Allowed. 
Lets users access UI.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowUserUIAccess; + [Write, Description("Block execution of potentially obfuscated scripts - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutionOfPotentiallyObfuscatedScripts; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Win32 API calls from Office macros - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockWin32APICallsFromOfficeMacros; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions[]; + [Write, Description("Block executable files from running unless they meet a prevalence, age, or trusted list criterion - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Office communication application from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeCommunicationAppFromCreatingChildProcesses; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("Block all 
Office applications from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAllOfficeApplicationsFromCreatingChildProcesses; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Adobe Reader from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAdobeReaderFromCreatingChildProcesses; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("Block credential stealing from the Windows local security authority subsystem - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions[]; + [Write, Description("Block JavaScript or VBScript from launching downloaded executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Webshell creation for Servers - Depends on AttackSurfaceReductionRules (off: Off, 
block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockWebshellCreationForServers; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockWebshellCreationForServers_ASROnlyPerRuleExclusions[]; + [Write, Description("Block untrusted and unsigned processes that run from USB - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockUntrustedUnsignedProcessesThatRunFromUSB; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions[]; + [Write, Description("Block persistence through WMI event subscription - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockPersistenceThroughWMIEventSubscription; + [Write, Description("[PREVIEW] Block use of copied or impersonated system tools - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockUseOfCopiedOrImpersonatedSystemTools; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions[]; + [Write, Description("Block abuse of exploited vulnerable signed drivers (Device) - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAbuseOfExploitedVulnerableSignedDrivers; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions[]; + [Write, Description("Block process creations originating from 
PSExec and WMI commands - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockProcessCreationsFromPSExecAndWMICommands; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Office applications from creating executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeApplicationsFromCreatingExecutableContent; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Office applications from injecting code into other processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("[PREVIEW] Block rebooting machine in Safe Mode - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockRebootingMachineInSafeMode; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions[]; + [Write, Description("Use advanced protection against ransomware - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] 
String UseAdvancedProtectionAgainstRansomware; + [Write, Description("ASR Only Per Rule Exclusions")] String UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions[]; + [Write, Description("Block executable content from email client and webmail - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutableContentFromEmailClientAndWebmail; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions[]; + [Write, Description("Check For Signatures Before Running Scan (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String CheckForSignaturesBeforeRunningScan; + [Write, Description("Cloud Block Level (0: NotConfigured, 2: High, 4: HighPlus, 6: ZeroTolerance)"), ValueMap{"0", "2", "4", "6"}, Values{"0", "2", "4", "6"}] String CloudBlockLevel; + [Write, Description("Cloud Extended Timeout")] SInt32 CloudExtendedTimeout; + [Write, Description("Disable Local Admin Merge (0: Enable Local Admin Merge, 1: Disable Local Admin Merge)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisableLocalAdminMerge; + [Write, Description("Enable Network Protection (0: Disabled, 1: Enabled (block mode), 2: Enabled (audit mode))"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String EnableNetworkProtection; + [Write, Description("Hide Exclusions From Local Admins (1: If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell., 0: If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell.)"), ValueMap{"1", "0"}, Values{"1", "0"}] String HideExclusionsFromLocalAdmins; + [Write, Description("Hide Exclusions From Local Users (1: If you enable this setting, local users will no longer be able to see the 
exclusion list in Windows Security App or via PowerShell., 0: If you disable or do not configure this setting, local users will be able to see exclusions in the Windows Security App and via PowerShell.)"), ValueMap{"1", "0"}, Values{"1", "0"}] String HideExclusionsFromLocalUsers; + [Write, Description("Oobe Enable Rtp And Sig Update (1: If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE., 0: If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled.)"), ValueMap{"1", "0"}, Values{"1", "0"}] String OobeEnableRtpAndSigUpdate; + [Write, Description("PUA Protection (0: PUA Protection off. Windows Defender will not protect against potentially unwanted applications., 1: PUA Protection on. Detected items are blocked. They will show in history along with other threats., 2: Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. 
You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String PUAProtection; + [Write, Description("Real Time Scan Direction (0: Monitor all files (bi-directional)., 1: Monitor incoming files., 2: Monitor outgoing files.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String RealTimeScanDirection; + [Write, Description("Scan Parameter (1: Quick scan, 2: Full scan)"), ValueMap{"1", "2"}, Values{"1", "2"}] String ScanParameter; + [Write, Description("Schedule Quick Scan Time")] SInt32 ScheduleQuickScanTime; + [Write, Description("Schedule Scan Day (0: Every day, 1: Sunday, 2: Monday, 3: Tuesday, 4: Wednesday, 5: Thursday, 6: Friday, 7: Saturday, 8: No scheduled scan)"), ValueMap{"0", "1", "2", "3", "4", "5", "6", "7", "8"}, Values{"0", "1", "2", "3", "4", "5", "6", "7", "8"}] String ScheduleScanDay; + [Write, Description("Schedule Scan Time")] SInt32 ScheduleScanTime; + [Write, Description("Signature Update Interval")] SInt32 SignatureUpdateInterval; + [Write, Description("Submit Samples Consent (0: Always prompt., 1: Send safe samples automatically., 2: Never send., 3: Send all samples automatically.)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String SubmitSamplesConsent; + [Write, Description("Credential Guard (0: (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock., 1: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock., 2: (Enabled without lock) Turns on Credential Guard without UEFI lock.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String LsaCfgFlags; + [Write, Description("Device Enumeration Policy (0: Block all (Most restrictive), 1: Only after log in/screen unlock, 2: Allow all (Least restrictive))"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String DeviceEnumerationPolicy; + [Write, Description("Configure 
Microsoft Defender SmartScreen (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SmartScreenEnabled; + [Write, Description("Configure Microsoft Defender SmartScreen to block potentially unwanted apps (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SmartScreenPuaEnabled; + [Write, Description("Enable Microsoft Defender SmartScreen DNS requests (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SmartScreenDnsRequestsEnabled; + [Write, Description("Enable new SmartScreen library (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NewSmartScreenLibraryEnabled; + [Write, Description("Force Microsoft Defender SmartScreen checks on downloads from trusted sources (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SmartScreenForTrustedDownloadsEnabled; + [Write, Description("Prevent bypassing Microsoft Defender SmartScreen prompts for sites (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String PreventSmartScreenPromptOverride; + [Write, Description("Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String PreventSmartScreenPromptOverrideForFiles; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint +{ + [Write, Description("Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisableSafetyFilterOverrideForAppRepUnknown; +}; +[ClassVersion("1.0.0.0"), FriendlyName("IntuneSecurityBaselineDefenderForEndpoint")] +class MSFT_IntuneSecurityBaselineDefenderForEndpoint : OMI_BaseResource +{ + [Write, Description("Policy description")] String Description; + [Key, Description("Policy name")] String DisplayName; + [Write, Description("List of 
Scope Tags for this Entity instance.")] String RoleScopeTagIds[]; + [Write, Description("The unique identifier for an entity. Read-only.")] String Id; + [Write, Description("Scope for Device Setting"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint")] String DeviceSettings; + [Write, Description("Scope for Device Setting"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint")] String UserSettings; + [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/readme.md new file mode 100644 index 0000000000..e80ebe6568 --- /dev/null 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/readme.md @@ -0,0 +1,6 @@ + +# IntuneSecurityBaselineDefenderForEndpoint + +## Description + +Intune Security Baseline Defender For Endpoint diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/settings.json new file mode 100644 index 0000000000..4e92507acb --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/settings.json @@ -0,0 +1,33 @@ +{ + "resourceName": "IntuneSecurityBaselineDefenderForEndpoint", + "description": "This resource configures an Test Intune Security Baseline Defender For Endpoint.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/MSFT_SCPolicyConfig.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/MSFT_SCPolicyConfig.psm1 new file mode 100644 index 0000000000..729655eb21 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/MSFT_SCPolicyConfig.psm1 
@@ -0,0 +1,1758 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [ValidateSet('Yes')] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $AdvancedClassificationEnabled, + + [Parameter()] + [System.Boolean] + $AuditFileActivity, + + [Parameter()] + [System.Boolean] + $BandwidthLimitEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $BusinessJustificationList, + + [Parameter()] + [System.String] + $CloudAppMode, + + [Parameter()] + [System.String[]] + $CloudAppRestrictionList, + + [Parameter()] + [System.UInt32] + $CustomBusinessJustificationNotification, + + [Parameter()] + [System.UInt32] + $DailyBandwidthLimitInMB, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPAppGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPNetworkShareGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPPrinterGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPRemovableMediaGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $EvidenceStoreSettings, + + [Parameter()] + [System.Boolean] + $IncludePredefinedUnallowedBluetoothApps, + + [Parameter()] + [System.Boolean] + $MacDefaultPathExclusionsEnabled, + + [Parameter()] + [System.String[]] + $MacPathExclusion, + + [Parameter()] + [System.Boolean] + $NetworkPathEnforcementEnabled, + + [Parameter()] + [System.String] + $NetworkPathExclusion, + + [Parameter()] + [System.String[]] + $PathExclusion, + + [Parameter()] + [System.Boolean] + $serverDlpEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $SiteGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedCloudSyncApp, + + 
[Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedBluetoothApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedBrowser, + + [Parameter()] + [System.String[]] + $VPNSettings, + + [Parameter()] + [System.Boolean] + $EnableLabelCoauth, + + [Parameter()] + [System.Boolean] + $EnableSpoAipMigration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $QuarantineParameters, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'SecurityComplianceCenter' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + $instance = Get-PolicyConfig -ErrorAction Stop + $EndpointDlpGlobalSettingsValue = ConvertFrom-Json $instance.EndpointDlpGlobalSettings + $DlpPrinterGroupsObject = ConvertFrom-Json $instance.DlpPrinterGroups + $DlpAppGroupsObject = ConvertFrom-Json $instance.DlpAppGroups + $SiteGroupsObject = ConvertFrom-Json $instance.SiteGroups + $DLPRemovableMediaGroupsObject = ConvertFrom-Json $instance.DLPRemovableMediaGroups + $DlpNetworkShareGroupsObject = ConvertFrom-Json $instance.DlpNetworkShareGroups + + # AdvancedClassificationEnabled + $AdvancedClassificationEnabledValue = [Boolean]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'AdvancedClassificationEnabled'}).Value + + # BandwidthLimitEnabled + $BandwidthLimitEnabledValue = [Boolean]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'BandwidthLimitEnabledValue'}).Value + + # DailyBandwidthLimitInMB + $DailyBandwidthLimitInMBValue = [UInt32]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'DailyBandwidthLimitInMB'}).Value + + # PathExclusion + $PathExclusionValue = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'PathExclusion'}).Value + + # MacPathExclusion + $MacPathExclusionValue = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'MacPathExclusion'}).Value + + # MacDefaultPathExclusionsEnabled + $MacDefaultPathExclusionsEnabledValue = [Boolean]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'MacDefaultPathExclusionsEnabled'}).Value + + #EvidenceStoreSettings + $entry = $EndpointDlpGlobalSettingsValue | 
Where-Object {$_.Setting -eq 'EvidenceStoreSettings'} + if ($null -ne $entry) + { + $entry = ConvertFrom-Json $entry.Value + $EvidenceStoreSettingsValue = @{ + FileEvidenceIsEnabled = $entry.FileEvidenceIsEnabled + NumberOfDaysToRetain = [Uint32]$entry.NumberOfDaysToRetain + StorageAccounts = [Array]$entry.StorageAccounts + Store = $entry.Store + } + } + + # NetworkPathEnforcementEnabled + $NetworkPathEnforcementEnabledValue = [Boolean]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'NetworkPathEnforcementEnabled'}).Value + + # NetworkPathExclusion + $NetworkPathExclusionValue = ($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'NetworkPathExclusion'}).Value + + # DlpAppGroups + $DlpAppGroupsValue = @() + foreach ($group in $DlpAppGroupsObject) + { + $entry = @{ + Name = $group.Name + Id = $group.Id + Description = $group.Description + Apps = @() + } + + foreach ($appEntry in $group.Apps) + { + $app = @{ + ExecutableName = $appEntry.ExecutableName + Name = $appEntry.Name + Quarantine = [Boolean]$appEntry.Quarantine + } + $entry.Apps += $app + } + $DlpAppGroupsValue += $entry + } + + # UnallowedApp + $entries = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'UnallowedApp'}) + $UnallowedAppValue = @() + foreach ($entry in $entries) + { + $current = @{ + Value = $entry.Value + Executable = $entry.Executable + } + $UnallowedAppValue += $current + } + + # UnallowedCloudSyncApp + $entries = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'UnallowedCloudSyncApp'}) + $UnallowedCloudSyncAppValue = @() + foreach ($entry in $entries) + { + $current = @{ + Value = $entry.Value + Executable = $entry.Executable + } + $UnallowedCloudSyncAppValue += $current + } + + # IncludePredefinedUnallowedBluetoothApps + $IncludePredefinedUnallowedBluetoothAppsValue = [Boolean]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'IncludePredefinedUnallowedBluetoothApps'}).Value + + # UnallowedBluetoothApp 
+ $entries = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'UnallowedBluetoothApp'}) + $UnallowedBluetoothAppValue = @() + foreach ($entry in $entries) + { + $current = @{ + Value = $entry.Value + Executable = $entry.Executable + } + $UnallowedBluetoothAppValue += $current + } + + # UnallowedBrowser + $entries = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'UnallowedBrowser'}) + $UnallowedBrowserValue = @() + foreach ($entry in $entries) + { + $current = @{ + Value = $entry.Value + Executable = $entry.Executable + } + $UnallowedBrowserValue += $current + } + + # CloudAppMode + $CloudAppModeValue = ($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'CloudAppMode'}).Value + + # CloudAppRestrictionList + $CloudAppRestrictionListValue = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'CloudAppRestrictionList'}).Value + + # SiteGroups + $SiteGroupsValue = @() + foreach ($siteGroup in $SiteGroupsObject) + { + $entry = @{ + Id = $siteGroup.Id + Name = $siteGroup.Name + } + + $addresses = @() + foreach ($address in $siteGroup.Addresses) + { + $addresses += @{ + MatchType = $address.MatchType + Url = $address.Url + AddressLower = $address.AddressLower + AddressUpper = $address.AddressUpper + } + } + $entry.Add('Addresses', $addresses) + $SiteGroupsValue += $entry + } + + # CustomBusinessJustificationNotification + $CustomBusinessJustificationNotificationValue = [Uint32]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'CustomBusinessJustificationNotification'}).Value + + if (-not [System.String]::IsNullOrEmpty($EndpointDlpGlobalSettingsValue.Setting)) + { + $entities = $EndpointDlpGlobalSettingsValue | Where-Object -FilterScript {$_.Setting -eq 'BusinessJustificationList'} + + # BusinessJustificationList + if ($null -ne $entities) + { + $entities = ConvertFrom-Json ($entities.value) + $BusinessJustificationListValue = @() + foreach ($entity in $entities) + { + $current = @{ 
+ Id = $entity.Id + Enable = [Boolean]$entity.Enable + justificationText = $entity.justificationText + } + $BusinessJustificationListValue += $current + } + } + + # serverDlpEnabled + $serverDlpEnabledValue = [Boolean]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'serverDlpEnabled'}).Value + + # AuditFileActivity + $AuditFileActivityValue = [Boolean]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'AuditFileActivity'}).Value + + # VPNSettings + $entity = $EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'VPNSettings'} + if ($null -ne $entity) + { + $entity = ConvertFrom-Json ($entity.value) + $VPNSettingsValue = [Array]$entity.serverAddress + } + } + + # DlpPrinterGroups + $DlpPrinterGroupsValue = @() + foreach ($group in $DlpPrinterGroupsObject.groups) + { + $entry = @{ + groupName = $group.groupName + groupId = $group.groupId + } + + $printers = @() + foreach ($printer in $group.printers) + { + $current = @{ + universalPrinter = [Boolean]$printer.universalPrinter + usbPrinter = [Boolean]$printer.usbPrinter + usbPrinterId = $printer.usbPrinterPID + name = $printer.name + alias = $printer.alias + usbPrinterVID = $printer.usbPrinterVID + ipRange = @{ + fromAddress = $printer.ipRange.from + toAddress = $printer.ipRange.to + } + corporatePrinter = [Boolean]$printer.CorporatePrinter + printToLocal = [Boolean]$printer.printToLocal + printToFile = [Boolean]$printer.printToFile + } + + $printers += $current + } + $entry.Add('printers', $printers) + $DlpPrinterGroupsValue += $entry + } + + # DLPRemovableMediaGroups + $DLPRemovableMediaGroupsValue = @() + foreach ($group in $DLPRemovableMediaGroupsObject.groups) + { + $entry = @{ + groupName = $group.groupName + } + + $medias = @() + foreach ($media in $group.removableMedia) + { + $current = @{ + deviceId = $media.deviceId + removableMediaVID = $media.removableMediaVID + name = $media.name + alias = $media.alias + removableMediaPID = $media.removableMediaPID + instancePathId = 
$media.instancePathId + serialNumberId = $media.serialNumberId + hardwareId = $media.hardwareId + } + $medias += $current + } + $entry.Add('removableMedia', $medias) + + $DLPRemovableMediaGroupsValue += $entry + } + + # DlpNetworkShareGroups + $DlpNetworkShareGroupsValue = @() + foreach ($group in $DlpNetworkShareGroupsObject.groups) + { + $entry = @{ + groupName = $group.groupName + groupId = $group.groupId + networkPaths = [Array]$group.networkPaths + } + $DlpNetworkShareGroupsValue += $entry + } + + $QuarantineParametersValue = @() + if ($null -ne ($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'QuarantineParameters'})) + { + $quarantineInfo = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'QuarantineParameters'}).Value + $quarantineInfo = ConvertFrom-Json $quarantineInfo[0] + $QuarantineParametersValue = @{ + EnableQuarantineForCloudSyncApps = $quarantineInfo.EnableQuarantineForCloudSyncApps + QuarantinePath = $quarantineInfo.QuarantinePath + MacQuarantinePath = $quarantineInfo.MacQuarantinePath + ShouldReplaceFile = $quarantineInfo.ShouldReplaceFile + FileReplacementText = $quarantineInfo.FileReplacementText + } + } + + $results = @{ + IsSingleInstance = 'Yes' + AdvancedClassificationEnabled = $AdvancedClassificationEnabledValue + BandwidthLimitEnabled = $BandwidthLimitEnabledValue + DailyBandwidthLimitInMB = $DailyBandwidthLimitInMBValue + PathExclusion = $PathExclusionValue + MacPathExclusion = $MacPathExclusionValue + MacDefaultPathExclusionsEnabled = $MacDefaultPathExclusionsEnabledValue + EvidenceStoreSettings = $EvidenceStoreSettingsValue + NetworkPathEnforcementEnabled = $NetworkPathEnforcementEnabledValue + NetworkPathExclusion = $NetworkPathExclusionValue + DLPAppGroups = $DlpAppGroupsValue + UnallowedApp = $UnallowedAppValue + UnallowedCloudSyncApp = $UnallowedCloudSyncAppValue + IncludePredefinedUnallowedBluetoothApps = $IncludePredefinedUnallowedBluetoothAppsValue + UnallowedBluetoothApp = 
$UnallowedBluetoothAppValue + UnallowedBrowser = $UnallowedBrowserValue + CloudAppMode = $CloudAppModeValue + CloudAppRestrictionList = $CloudAppRestrictionListValue + SiteGroups = $SiteGroupsValue + CustomBusinessJustificationNotification = $CustomBusinessJustificationNotificationValue + BusinessJustificationList = $BusinessJustificationListValue + serverDlpEnabled = $serverDlpEnabledValue + AuditFileActivity = $AuditFileActivityValue + DLPPrinterGroups = $DlpPrinterGroupsValue + DLPRemovableMediaGroups = $DLPRemovableMediaGroupsValue + DLPNetworkShareGroups = $DlpNetworkShareGroupsValue + VPNSettings = $VPNSettingsValue + EnableLabelCoauth = $instance.EnableLabelCoauth + EnableSpoAipMigration = $instance.EnableSpoAipMigration + QuarantineParameters = $QuarantineParametersValue + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [ValidateSet('Yes')] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $AdvancedClassificationEnabled, + + [Parameter()] + [System.Boolean] + $AuditFileActivity, + + [Parameter()] + [System.Boolean] + $BandwidthLimitEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $BusinessJustificationList, + + [Parameter()] + [System.String] + $CloudAppMode, + + [Parameter()] + [System.String[]] + $CloudAppRestrictionList, + + [Parameter()] + [System.UInt32] + $CustomBusinessJustificationNotification, + + [Parameter()] + [System.UInt32] + 
$DailyBandwidthLimitInMB, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPAppGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPNetworkShareGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPPrinterGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPRemovableMediaGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $EvidenceStoreSettings, + + [Parameter()] + [System.Boolean] + $IncludePredefinedUnallowedBluetoothApps, + + [Parameter()] + [System.Boolean] + $MacDefaultPathExclusionsEnabled, + + [Parameter()] + [System.String[]] + $MacPathExclusion, + + [Parameter()] + [System.Boolean] + $NetworkPathEnforcementEnabled, + + [Parameter()] + [System.String] + $NetworkPathExclusion, + + [Parameter()] + [System.String[]] + $PathExclusion, + + [Parameter()] + [System.Boolean] + $serverDlpEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $SiteGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedCloudSyncApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedBluetoothApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedBrowser, + + [Parameter()] + [System.String[]] + $VPNSettings, + + [Parameter()] + [System.Boolean] + $EnableLabelCoauth, + + [Parameter()] + [System.Boolean] + $EnableSpoAipMigration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $QuarantineParameters, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + 
[Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'SecurityComplianceCenter' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $SiteGroupsValue = @() + foreach ($site in $SiteGroups) + { + $entry = @{ + Name = $site.Name + Description = $site.Description + } + + $addressesValue = @() + foreach ($address in $site.Addresses) + { + $addressesValue += @{ + MatchType = $address.MatchType + Url = $address.Url + AddressLower = $address.AddressLower + AddressUpper = $address.AddressUpper + } + } + + $entry.Add('Addresses', (ConvertTo-Json $addressesValue -Compress -Depth 10)) + $SiteGroupsValue += $entry + } + + $EndpointDlpGlobalSettingsValue = @() + if ($null -ne $AdvancedClassificationEnabled) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'AdvancedClassificationEnabled' + Value = "$($AdvancedClassificationEnabled.ToString().ToLower())" + } + } + + if ($null -ne $BandwidthLimitEnabled) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'BandwidthLimitEnabled' + Value = "$($BandwidthLimitEnabled.ToString().ToLower())" + } + } + + if ($null -ne $DailyBandwidthLimitInMB -and $BandwidthLimitEnabled) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'DailyBandwidthLimitInMB' + Value = "$($DailyBandwidthLimitInMB.ToString().ToLower())" + } + } + + if ($null -ne $EvidenceStoreSettings) + { + $entry += @{ + Setting = 'EvidenceStoreSettings' + Value = @{ + FileEvidenceIsEnabled = $EvidenceStoreSettings.FileEvidenceIsEnabled + Store = $EvidenceStoreSettings.Store + NumberOfDaysToRetain = 
$EvidenceStoreSettings.NumberOfDaysToRetain + } + } + + $StorageAccountsValue = @() + foreach ($storageAccount in $EvidenceStoreSettings.StorageAccounts) + { + $StorageAccountsValue += @{ + Name = $storageAccount.Name + BlobUri = $storageAccount.BlobUri + } + } + $entry.Value.Add('StorageAccounts', $StorageAccountsValue) + $entry.Value = ConvertTo-Json $entry.Value -Depth 10 -Compress + + $EndpointDlpGlobalSettingsValue += $entry + } + + if ($null -ne $MacDefaultPathExclusionsEnabled) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'MacDefaultPathExclusionsEnabled' + Value = "$($MacDefaultPathExclusionsEnabled.ToString().ToLower())" + } + } + + foreach ($path in $PathExclusion) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'PathExclusion' + Value = "$($path.ToString())" + } + } + + foreach ($path in $MacPathExclusion) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'MacPathExclusion' + Value = "$($path.ToString())" + } + } + + foreach ($app in $UnallowedApp) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'UnallowedApp' + Value = "$($app.Value.ToString())" + Executable = "$($app.Executable.ToString())" + } + } + + foreach ($app in $UnallowedCloudSyncApp) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'UnallowedCloudSyncApp' + Value = "$($app.Value.ToString())" + Executable = "$($app.Executable.ToString())" + } + } + + if ($null -ne $NetworkPathEnforcementEnabled) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'NetworkPathEnforcementEnabled' + Value = "$($NetworkPathEnforcementEnabled.ToString().ToLower())" + } + } + + if ($null -ne $NetworkPathExclusion) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'NetworkPathExclusion' + Value = "$($NetworkPathExclusion.ToString())" + } + } + + if ($null -ne $QuarantineParameters) + { + $entry = @{ + Setting = 'QuarantineParameters' + Value = @{ + EnableQuarantineForCloudSyncApps = $QuarantineParameters.EnableQuarantineForCloudSyncApps + QuarantinePath = 
$QuarantineParameters.QuarantinePath + MacQuarantinePath = $QuarantineParameters.MacQuarantinePath + ShouldReplaceFile = $QuarantineParameters.ShouldReplaceFile + FileReplacementText = $QuarantineParameters.FileReplacementText + } + } + $entry.Value = (ConvertTo-Json $entry.Value -Depth 10 -Compress) + $EndpointDlpGlobalSettingsValue += $entry + } + + if ($null -ne $IncludePredefinedUnallowedBluetoothApps) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'IncludePredefinedUnallowedBluetoothApps' + Value = "$($IncludePredefinedUnallowedBluetoothApps.ToString())" + } + } + + foreach ($app in $UnallowedBluetoothApp) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'UnallowedBluetoothApp' + Value = "$($app.Value.ToString())" + Executable = "$($app.Executable.ToString())" + } + } + + foreach ($app in $UnallowedBrowser) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'UnallowedBrowser' + Value = "$($app.Value.ToString())" + Executable = "$($app.Executable.ToString())" + } + } + + foreach ($domain in $CloudAppRestrictionList) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'CloudAppRestrictionList' + Value = "$($domain.ToString())" + } + } + + if ($null -ne $CloudAppMode) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'CloudAppMode' + Value = "$($CloudAppMode.ToString())" + } + } + + if ($null -ne $CustomBusinessJustificationNotification) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'CustomBusinessJustificationNotification' + Value = "$($CustomBusinessJustificationNotification.ToString())" + } + } + + if ($null -ne $BusinessJustificationList) + { + $valueEntry = @() + foreach ($justification in $BusinessJustificationList) + { + $valueEntry += @{ + Id = $justification.Id + Enable = $justification.Enable + justificationText = @($justification.justificationText) + } + } + + $entry = @{ + Setting = 'BusinessJustificationList' + Value = (ConvertTo-Json $valueEntry -Depth 10 -Compress) + } + $EndpointDlpGlobalSettingsValue += 
$entry + } + + if ($null -ne $VPNSettings) + { + $entry = @{ + Setting = 'VPNSettings' + Value = @{ + serverAddress = @() + } + } + foreach ($vpnAddress in $VPNSettings) + { + $entry.Value.serverAddress += $vpnAddress + } + $EndpointDlpGlobalSettingsValue += $entry + } + + if ($null -ne $serverDlpEnabled) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'serverDlpEnabled' + Value = "$($serverDlpEnabled.ToString().ToLower())" + } + } + + if ($null -ne $AuditFileActivity) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'AuditFileActivity' + Value = "$($AuditFileActivity.ToString().ToLower())" + } + } + + $DLPAppGroupsValue = @() + foreach ($group in $DLPAppGroups) + { + $entry = @{ + Name = "$($group.Name.ToString())" + Description = "$($group.Description.ToString())" + } + + $appsValues = @() + foreach ($app in $group.Apps) + { + $appsValues += @{ + Name = $app.Name + ExecutableName = $app.ExecutableName + Quarantine = $app.Quarantine + } + } + $entry.Add('Apps', (ConvertTo-Json $appsValues -Depth 10 -Compress)) + $DLPAppGroupsValue += $entry + } + + $DlpPrinterGroupsValue = @{ + groups = @() + } + $groupCount = 0 + foreach ($group in $DLPPrinterGroups) + { + $entry = @{ + groupName = "$($group.groupName.ToString())" + printers = @() + } + + foreach ($printer in $group.printers) + { + $entry.printers += @{ + alias = $printer.alias + name = $printer.name + usbPrinterPID = $printer.usbPrinterId + usbPrinterVID = $printer.usbPrinterVID + universalPrinter = "$($printer.universalPrinter.Tostring().ToLower())" + corporatePrinter = "$($printer.corporatePrinter.Tostring().ToLower())" + printToFile = "$($printer.printToFile.Tostring().ToLower())" + printToLocal = "$($printer.printToLocal.Tostring().ToLower())" + ipRange = @( + @{ + from = $printer.ipRange.fromAddress + to = $printer.ipRange.toAddress + } + ) + } + } + $DlpPrinterGroupsValue.groups += $entry + $groupCount++ + } + if ($groupCount -eq 0) + { + $DlpPrinterGroupsValue = $null + } + + 
$DLPRemovableMediaGroupsValue = @{ + groups = @() + } + $groupCount = 0 + foreach ($group in $DLPRemovableMediaGroups) + { + $entry = @{ + groupName = $group.groupName + removableMedia = @( + ) + } + + foreach ($media in $group.removableMedia) + { + $entry.removableMedia += @{ + alias = $media.alias + name = $media.name + removableMediaPID = $media.removableMediaPID + removableMediaVID = $media.removableMediaVID + serialNumberId = $media.serialNumberId + deviceId = $media.deviceId + instancePathId = $media.instancePathId + hardwareId = $media.hardwareId + } + } + $DLPRemovableMediaGroupsValue.groups += $entry + $groupCount++ + } + if ($groupCount -eq 0) + { + $DLPRemovableMediaGroupsValue = $null + } + + $params = @{ + SiteGroups = $SiteGroupsValue + EnableLabelCoauth = $EnableLabelCoauth + DlpAppGroups = $DLPAppGroupsValue + DlpPrinterGroups = ConvertTo-Json $DlpPrinterGroupsValue -Depth 10 -Compress + DLPRemovableMediaGroups = ConvertTo-Json $DLPRemovableMediaGroupsValue -Depth 10 -Compress + EnableSpoAipMigration = $EnableSpoAipMigration + EndpointDlpGlobalSettings = $EndpointDlpGlobalSettingsValue + } + Write-Verbose -Message "Updating policy config with values:`r`n$(Convert-M365DscHashtableToString -Hashtable $params)" + Set-PolicyConfig @params +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [ValidateSet('Yes')] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $AdvancedClassificationEnabled, + + [Parameter()] + [System.Boolean] + $AuditFileActivity, + + [Parameter()] + [System.Boolean] + $BandwidthLimitEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $BusinessJustificationList, + + [Parameter()] + [System.String] + $CloudAppMode, + + [Parameter()] + [System.String[]] + $CloudAppRestrictionList, + + [Parameter()] + [System.UInt32] + $CustomBusinessJustificationNotification, + + [Parameter()] + [System.UInt32] 
+ $DailyBandwidthLimitInMB, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPAppGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPNetworkShareGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPPrinterGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPRemovableMediaGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $EvidenceStoreSettings, + + [Parameter()] + [System.Boolean] + $IncludePredefinedUnallowedBluetoothApps, + + [Parameter()] + [System.Boolean] + $MacDefaultPathExclusionsEnabled, + + [Parameter()] + [System.String[]] + $MacPathExclusion, + + [Parameter()] + [System.Boolean] + $NetworkPathEnforcementEnabled, + + [Parameter()] + [System.String] + $NetworkPathExclusion, + + [Parameter()] + [System.String[]] + $PathExclusion, + + [Parameter()] + [System.Boolean] + $serverDlpEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $SiteGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedCloudSyncApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedBluetoothApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedBrowser, + + [Parameter()] + [System.String[]] + $VPNSettings, + + [Parameter()] + [System.Boolean] + $EnableLabelCoauth, + + [Parameter()] + [System.Boolean] + $EnableSpoAipMigration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $QuarantineParameters, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + 
[Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + #Compare Cim instances + $testResult = $true + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + 
$ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'SecurityComplianceCenter' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + $Results = Get-TargetResource @Params + + if ($null -ne $Results.BusinessJustificationList) + { + $Results.BusinessJustificationList = ConvertTo-BusinessJustificationListString -ObjectHash $Results.BusinessJustificationList + } + + if ($null -ne $Results.DLPAppGroups) + { + $Results.DLPAppGroups = ConvertTo-DLPAppGroupsString -ObjectHash $Results.DLPAppGroups + } + + if ($null -ne $Results.DLPNetworkShareGroups) + { + $Results.DLPNetworkShareGroups = ConvertTo-DLPNetworkShareGroupsString -ObjectHash $Results.DLPNetworkShareGroups + } + + if ($null -ne $Results.DLPPrinterGroups -and $Results.DLPPrinterGroups.Length -gt 0) + { + $Results.DLPPrinterGroups = ConvertTo-DLPPrinterGroupsString -ObjectHash $Results.DLPPrinterGroups + } + + if ($null -ne $Results.DLPRemovableMediaGroups) + { + $Results.DLPRemovableMediaGroups = ConvertTo-DLPRemovableMediaGroupsString -ObjectHash $Results.DLPRemovableMediaGroups + } + + if ($null -ne 
$Results.EvidenceStoreSettings) + { + $Results.EvidenceStoreSettings = ConvertTo-EvidenceStoreSettingsString -ObjectHash $Results.EvidenceStoreSettings + } + + if ($null -ne $Results.SiteGroups) + { + $Results.SiteGroups = ConvertTo-SiteGroupsString -ObjectHash $Results.SiteGroups + } + + if ($null -ne $Results.UnallowedApp -and -not [System.String]::IsNullOrEmpty($Results.UnallowedApp)) + { + $Results.UnallowedApp = ConvertTo-AppsString -ObjectHash $Results.UnallowedApp + } + + if ($null -ne $Results.UnallowedCloudSyncApp -and -not [System.String]::IsNullOrEmpty($Results.UnallowedCloudSyncApp)) + { + $Results.UnallowedCloudSyncApp = ConvertTo-AppsString -ObjectHash $Results.UnallowedCloudSyncApp + } + + if ($null -ne $Results.UnallowedBluetoothApp -and -not [System.String]::IsNullOrEmpty($Results.UnallowedBluetoothApp)) + { + $Results.UnallowedBluetoothApp = ConvertTo-AppsString -ObjectHash $Results.UnallowedBluetoothApp + } + + if ($null -ne $Results.UnallowedBrowser -and -not [System.String]::IsNullOrEmpty($Results.UnallowedBrowser)) + { + $Results.UnallowedBrowser = ConvertTo-AppsString -ObjectHash $Results.UnallowedBrowser + } + + if ($null -ne $Results.QuarantineParameters -and -not [System.String]::IsNullOrEmpty($Results.QuarantineParameters)) + { + $Results.QuarantineParameters = ConvertTo-QuarantineParametersString -ObjectHash $Results.QuarantineParameters + } + + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($null -ne $Results.QuarantineParameters) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'QuarantineParameters' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.BusinessJustificationList) + { + $currentDSCBlock = 
Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'BusinessJustificationList' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.DLPAppGroups) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'DLPAppGroups' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.DLPNetworkShareGroups) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'DLPNetworkShareGroups' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.DLPPrinterGroups) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'DLPPrinterGroups' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.DLPRemovableMediaGroups) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'DLPRemovableMediaGroups' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.SiteGroups) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'SiteGroups' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.UnallowedApp) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'UnallowedApp' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.UnallowedCloudSyncApp) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'UnallowedCloudSyncApp' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.UnallowedBluetoothApp) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'UnallowedBluetoothApp' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.UnallowedBrowser) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'UnallowedBrowser' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.EvidenceStoreSettings) + { + $currentDSCBlock = 
Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'EvidenceStoreSettings' ` + -IsCIMArray:$false + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + Write-Host $Global:M365DSCEmojiGreenCheckMark + + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function ConvertTo-QuarantineParametersString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + + $content = [System.Text.StringBuilder]::new() + [void]$content.AppendLine(" MSFT_PolicyConfigQuarantineParameters") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" EnableQuarantineForCloudSyncApps = `$$($ObjectHash.EnableQuarantineForCloudSyncApps)") + [void]$content.AppendLine(" QuarantinePath = '$($ObjectHash.QuarantinePath.ToString())'") + [void]$content.AppendLine(" MacQuarantinePath = '$($ObjectHash.MacQuarantinePath)'") + [void]$content.AppendLine(" ShouldReplaceFile = `$$($ObjectHash.ShouldReplaceFile.ToString())") + [void]$content.AppendLine(" FileReplacementText = '$($ObjectHash.FileReplacementText)'") + [void]$content.AppendLine(" }") + return $content.ToString() +} + +function ConvertTo-BusinessJustificationListString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + + $content = [System.Text.StringBuilder]::new() + + [void]$content.Append('@(') + foreach ($instance in $ObjectHash) + { + [void]$content.AppendLine(" MSFT_PolicyConfigBusinessJustificationList") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" Id = '$($instance.Id)'") + [void]$content.AppendLine(" Enable = `$$($instance.Enable)") + 
[void]$content.AppendLine(" justificationText = '$($instance.justificationText)'") + [void]$content.AppendLine(" }") + } + [void]$content.Append(' )') + $result = $content.ToString() + return $result +} + +function ConvertTo-DLPAppGroupsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + $content = [System.Text.StringBuilder]::new() + + [void]$content.Append('@(') + foreach ($instance in $ObjectHash) + { + [void]$content.AppendLine(" MSFT_PolicyConfigDLPAppGroups") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" Name = '$($instance.Name)'") + [void]$content.AppendLine(" Id = '$($instance.Id)'") + [void]$content.AppendLine(" Description = '$($instance.Description)'") + [void]$content.AppendLine(" Apps = @(") + foreach ($app in $instance.Apps) + { + [void]$content.AppendLine(" MSFT_PolicyConfigDLPApp") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" ExecutableName = '$($app.ExecutableName)'") + [void]$content.AppendLine(" Name = '$($app.Name)'") + [void]$content.AppendLine(" Quarantine = `$$($app.Quarantine)") + [void]$content.AppendLine(" }") + } + [void]$content.AppendLine(" )}") + } + [void]$content.Append(' )') + $result = $content.ToString() + return $result +} + +function ConvertTo-DLPNetworkShareGroupsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + $content = [System.Text.StringBuilder]::new() + + [void]$content.Append('@(') + foreach ($instance in $ObjectHash) + { + [void]$content.AppendLine(" MSFT_PolicyConfigDLPNetworkShareGroups") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" groupName = '$($instance.groupName)'") + [void]$content.AppendLine(" groupId = '$($instance.groupId)'") + [void]$content.Append(" networkPaths = @(") + $countPath = 1 + foreach ($path in $instance.networkPaths) + { + [void]$content.Append("'$path'") + if ($countPath -lt 
$instance.networkPaths.Length) + { + [void]$content.Append(',') + } + $countPath++ + } + [void]$content.AppendLine(')') + [void]$content.AppendLine(" }") + } + [void]$content.Append(' )') + $result = $content.ToString() + return $result +} + +function ConvertTo-EvidenceStoreSettingsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Hashtable] + $ObjectHash + ) + $content = [System.Text.StringBuilder]::new() + [void]$content.AppendLine(" MSFT_PolicyConfigEvidenceStoreSettings") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" FileEvidenceIsEnabled = `$$($ObjectHash.FileEvidenceIsEnabled)") + [void]$content.AppendLine(" NumberOfDaysToRetain = $($ObjectHash.NumberOfDaysToRetain)") + [void]$content.AppendLine(" StorageAccounts = @(") + foreach ($storageAccount in $ObjectHash.StorageAccounts) + { + [void]$content.AppendLine(" MSFT_PolicyConfigStorageAccount") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" Name = '$($storageAccount.Name)'") + [void]$content.AppendLine(" BlobUri = '$($storageAccount.BlobUri)'") + [void]$content.AppendLine(" }") + } + [void]$content.AppendLine(" )") + [void]$content.AppendLine(" Store = '$($ObjectHash.Store)'") + [void]$content.AppendLine(" }") + return $content.ToString() +} + +function ConvertTo-DLPPrinterGroupsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + $content = [System.Text.StringBuilder]::new() + + [void]$content.Append('@(') + foreach ($instance in $ObjectHash) + { + [void]$content.AppendLine(" MSFT_PolicyConfigDLPPrinterGroups") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" groupName = '$($instance.groupName)'") + [void]$content.AppendLine(" groupId = '$($instance.groupId)'") + [void]$content.AppendLine(" printers = @(") + foreach ($printer in $instance.printers) + { + [void]$content.AppendLine(" MSFT_PolicyConfigPrinter") + 
[void]$content.AppendLine(" {") + [void]$content.AppendLine(" universalPrinter = `$$($printer.universalPrinter)") + [void]$content.AppendLine(" usbPrinter = `$$($printer.usbPrinter)") + [void]$content.AppendLine(" usbPrinterId = '$($printer.usbPrinterId)'") + [void]$content.AppendLine(" name = '$($printer.name)'") + [void]$content.AppendLine(" alias = '$($printer.alias)'") + [void]$content.AppendLine(" usbPrinterVID = '$($printer.usbPrinterVID)'") + [void]$content.AppendLine(" ipRange = MSFT_PolicyConfigIPRange") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" fromAddress = '$($printer.ipRange.fromAddress)'") + [void]$content.AppendLine(" toAddress = '$($printer.ipRange.toAddress)'") + [void]$content.AppendLine(" }") + [void]$content.AppendLine(" corporatePrinter = `$$($printer.corporatePrinter)") + [void]$content.AppendLine(" printToLocal = `$$($printer.printToLocal)") + [void]$content.AppendLine(" printToFile = `$$($printer.printToFile)") + [void]$content.AppendLine(" }") + } + [void]$content.AppendLine(" )") + [void]$content.AppendLine(" }") + } + [void]$content.Append(')') + $result = $content.ToString() + return $result +} + +function ConvertTo-DLPRemovableMediaGroupsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + $content = [System.Text.StringBuilder]::new() + + [void]$content.Append('@(') + foreach ($instance in $ObjectHash) + { + [void]$content.AppendLine(" MSFT_PolicyConfigDLPRemovableMediaGroups") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" groupName = '$($instance.groupName)'") + [void]$content.AppendLine(" removableMedias = @(") + foreach ($media in $instance.removableMedia) + { + [void]$content.AppendLine(" MSFT_PolicyConfigRemovableMedia") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" deviceId = '$($media.deviceId)'") + [void]$content.AppendLine(" removableMediaVID = '$($media.removableMediaVID)'") + 
[void]$content.AppendLine(" name = '$($media.name)'") + [void]$content.AppendLine(" alias = '$($media.alias)'") + [void]$content.AppendLine(" removableMediaPID = '$($media.removableMediaPID)'") + [void]$content.AppendLine(" instancePathId = '$($media.instancePathId)'") + [void]$content.AppendLine(" serialNumberId = '$($media.serialNumberId)'") + [void]$content.AppendLine(" hardwareId = '$($media.hardwareId)'") + [void]$content.AppendLine(" }") + } + [void]$content.AppendLine(" )") + [void]$content.AppendLine( "}") + } + [void]$content.Append(' )') + $result = $content.ToString() + return $result +} +function ConvertTo-SiteGroupsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + $content = [System.Text.StringBuilder]::new() + + [void]$content.Append('@(') + foreach ($instance in $ObjectHash) + { + [void]$content.AppendLine(" MSFT_PolicyConfigDLPSiteGroups") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" Id = '$($instance.Id)'") + [void]$content.AppendLine(" Name = '$($instance.Name)'") + [void]$content.AppendLine(" Addresses = @(") + foreach ($address in $instance.addresses) + { + [void]$content.AppendLine(" MSFT_PolicyConfigSiteGroupAddress") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" MatchType = '$($address.MatchType)'") + [void]$content.AppendLine(" Url = '$($address.Url)'") + [void]$content.AppendLine(" AddressLower = '$($address.AddressLower)'") + [void]$content.AppendLine(" AddressUpper = '$($address.AddressUpper)'") + [void]$content.AppendLine(" }") + } + [void]$content.AppendLine(" )") + [void]$content.AppendLine(" }") + } + [void]$content.Append(' )') + $result = $content.ToString() + return $result +} + +function ConvertTo-AppsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + $content = [System.Text.StringBuilder]::new() + + [void]$content.Append('@(') + 
foreach ($instance in $ObjectHash) + { + [void]$content.AppendLine(" MSFT_PolicyConfigApp") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" Value = '$($instance.Value)'") + [void]$content.AppendLine(" Executable = '$($instance.Executable)'") + [void]$content.AppendLine(" }") + } + [void]$content.Append(')') + $result = $content.ToString() + return $result +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/MSFT_SCPolicyConfig.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/MSFT_SCPolicyConfig.schema.mof new file mode 100644 index 0000000000..adbd968ecd --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/MSFT_SCPolicyConfig.schema.mof 
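Review bot: in Set-TargetResource the `$null -ne` guards on value-typed parameters can never fail, because a `[System.Boolean]` or `[System.UInt32]` parameter that is not bound defaults to `$false`/`0` rather than `$null`; `if ($null -ne $AdvancedClassificationEnabled)` therefore always pushes `Value = 'false'`, and a configuration that declares only a few properties silently resets every other endpoint DLP global setting (`BandwidthLimitEnabled`, `serverDlpEnabled`, `AuditFileActivity`, `CustomBusinessJustificationNotification`, ...) on each apply. Use `$PSBoundParameters.ContainsKey('AdvancedClassificationEnabled')` and friends instead. Three more problems in the same function: the EvidenceStoreSettings block does `$entry += @{ Setting = 'EvidenceStoreSettings' ... }`, which appends to the `$entry` hashtable left over from the SiteGroups loop rather than creating a new one (it should be `$entry = @{ ... }`); `$DLPNetworkShareGroups` is accepted, compared in Test and emitted by Export but never passed to `Set-PolicyConfig`, so drift in network share groups is reported and never corrected; and the printer serializer writes `usbPrinterPID = $printer.usbPrinterId` and `ipRange = @(@{ from = ...; to = ... })` while the schema and the export helper use `usbPrinterId`, `usbPrinter`, `fromAddress` and `toAddress`, so a printer group does not round-trip from export to apply. In Test-TargetResource the result of `Compare-M365DSCComplexObject` is overwritten unconditionally by the following `Test-M365DSCParameterState` call, so a CIM mismatch found in the loop is discarded; guard the second call with `if ($testResult)` as the other resources do. Finally, the `ConvertTo-*String` helpers interpolate tenant-supplied strings (printer aliases, justification text, site names) into single-quoted literals without escaping embedded `'` characters, and `ConvertTo-DLPRemovableMediaGroupsString` emits `removableMedias = @(` against a schema property named `removableMedia`, so an exported configuration can fail to compile or change meaning depending on the data in the tenant.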
@@ -0,0 +1,173 @@ +[ClassVersion("1.0.0")] +class MSFT_PolicyConfigApp +{ + [Write, Description("Name of the application.")] String Value; + [Write, Description("Name of the executable file.")] String Executable; +}; + +[ClassVersion("1.0.0")] +class MSFT_PolicyConfigStorageAccount +{ + [Write, Description("TBD")] String Name; + [Write, Description("TBD")] String BlobUri; +}; + +[ClassVersion("1.0.0")] +class MSFT_PolicyConfigSiteGroupAddress +{ + [Write, Description("TBD")] String MatchType; + [Write, Description("TBD")] String Url; + [Write, Description("TBD")] String AddressLower; + [Write, Description("TBD")] String AddressUpper; +}; + +[ClassVersion("1.0.0")] +class MSFT_PolicyConfigDLPSiteGroups +{ + [Write, Description("TBD")] String Id; + [Write, Description("TBD")] String Name; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigSiteGroupAddress")] String addresses[]; +}; + +[ClassVersion("1.0.0")] +class MSFT_PolicyConfigRemovableMedia +{ + [Write, Description("TBD")] String deviceId; + [Write, Description("TBD")] String removableMediaVID; + [Write, Description("TBD")] String name; + [Write, Description("TBD")] String alias; + [Write, Description("TBD")] String removableMediaPID; + [Write, Description("TBD")] String instancePathId; + [Write, Description("TBD")] String serialNumberId; + [Write, Description("TBD")] String hardwareId; +}; + +[ClassVersion("1.0.0")] +class MSFT_PolicyConfigDLPRemovableMediaGroups +{ + [Write, Description("TBD")] String groupName; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigRemovableMedia")] String removableMedia[]; +}; + +[ClassVersion("1.0.0")] +class MSFT_PolicyConfigIPRange +{ + [Write, Description("TBD")] String fromAddress; + [Write, Description("TBD")] String toAddress; +}; + +[ClassVersion("1.0.0")] +class MSFT_PolicyConfigPrinter +{ + [Write, Description("TBD")] Boolean universalPrinter; + [Write, Description("TBD")] Boolean usbPrinter; + [Write, Description("TBD")] String 
usbPrinterId; + [Write, Description("TBD")] String name; + [Write, Description("TBD")] String alias; + [Write, Description("TBD")] String usbPrinterVID; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigIPRange")] String ipRange; + [Write, Description("TBD")] Boolean corporatePrinter; + [Write, Description("TBD")] Boolean printToLocal; + [Write, Description("TBD")] Boolean printToFile; +}; + +[ClassVersion("1.0.0")] +class MSFT_PolicyConfigDLPNetworkShareGroups +{ + [Write, Description("TBD")] String groupName; + [Write, Description("TBD")] String groupId; + [Write, Description("TBD")] String networkPaths[]; +}; + +[ClassVersion("1.0.0")] +class MSFT_PolicyConfigDLPApp +{ + [Write, Description("TBD")] String ExecutableName; + [Write, Description("TBD")] String Name; + [Write, Description("TBD")] Boolean Quarantine; +}; + +[ClassVersion("1.0.0")] +class MSFT_PolicyConfigDLPAppGroups +{ + [Write, Description("TBD")] String Id; + [Write, Description("TBD")] String Name; + [Write, Description("TBD")] String Description; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigDLPApp")] String Apps[]; +}; + +[ClassVersion("1.0.0")] +class MSFT_PolicyConfigEvidenceStoreSettings +{ + [Write, Description("TBD")] Boolean FileEvidenceIsEnabled; + [Write, Description("TBD")] UInt32 NumberOfDaysToRetain; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigStorageAccount")] String StorageAccounts[]; + [Write, Description("TBD")] String Store; +}; + +[ClassVersion("1.0.0")] +class MSFT_PolicyConfigBusinessJustificationList +{ + [Write, Description("TBD")] String Id; + [Write, Description("TBD")] String justificationText; + [Write, Description("TBD")] Boolean Enable; +}; + +[ClassVersion("1.0.0")] +class MSFT_PolicyConfigDLPPrinterGroups +{ + [Write, Description("TBD")] String groupName; + [Write, Description("TBD")] String groupId; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigPrinter")] String printers[]; +}; + 
+[ClassVersion("1.0.0")] +class MSFT_PolicyConfigQuarantineParameters +{ + [Write, Description("TBD")] Boolean EnableQuarantineForCloudSyncApps; + [Write, Description("TBD")] String QuarantinePath; + [Write, Description("TBD")] String MacQuarantinePath; + [Write, Description("TBD")] Boolean ShouldReplaceFile; + [Write, Description("TBD")] String FileReplacementText; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("SCPolicyConfig")] +class MSFT_SCPolicyConfig : OMI_BaseResource +{ + [Key, Description("Accepted value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("TBD")] Boolean AdvancedClassificationEnabled; + [Write, Description("TBD")] Boolean AuditFileActivity; + [Write, Description("TBD")] Boolean BandwidthLimitEnabled; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigBusinessJustificationList")] String BusinessJustificationList[]; + [Write, Description("TBD")] String CloudAppMode; + [Write, Description("TBD")] String CloudAppRestrictionList[]; + [Write, Description("TBD")] UInt32 CustomBusinessJustificationNotification; + [Write, Description("TBD")] UInt32 DailyBandwidthLimitInMB; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigDLPAppGroups")] String DLPAppGroups[]; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigDLPNetworkShareGroups")] String DLPNetworkShareGroups[]; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigDLPPrinterGroups")] String DLPPrinterGroups[]; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigDLPRemovableMediaGroups")] String DLPRemovableMediaGroups[]; + [Write, Description("TBD")] Boolean IncludePredefinedUnallowedBluetoothApps; + [Write, Description("TBD")] Boolean MacDefaultPathExclusionsEnabled; + [Write, Description("TBD")] String MacPathExclusion[]; + [Write, Description("TBD")] Boolean NetworkPathEnforcementEnabled; + [Write, Description("TBD")] String NetworkPathExclusion; + [Write, Description("TBD")] String 
PathExclusion[]; + [Write, Description("TBD")] Boolean serverDlpEnabled; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigEvidenceStoreSettings")] String EvidenceStoreSettings; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigDLPSiteGroups")] String SiteGroups[]; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigApp")] String UnallowedApp[]; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigApp")] String UnallowedCloudSyncApp[]; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigApp")] String UnallowedBluetoothApp[]; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigApp")] String UnallowedBrowser[]; + [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigQuarantineParameters")] String QuarantineParameters; + [Write, Description("TBD")] String VPNSettings[]; + [Write, Description("TBD")] Boolean EnableLabelCoauth; + [Write, Description("TBD")] Boolean EnableSpoAipMigration; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/readme.md new file mode 100644 index 0000000000..c227e8e317 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/readme.md 
@@ -0,0 +1,6 @@ + +# SCPolicyConfig + +## Description + +Configures the Data Loss Prevention settings in Purview. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/settings.json new file mode 100644 index 0000000000..2796b2f6ef --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/settings.json @@ -0,0 +1,24 @@ +{ + "resourceName": "SCPolicyConfig", + "description": "Configures the Data Loss Prevention settings in Purview.", + "roles": { + "read": [ + "Global Reader" + ], + "update": [ + "Compliance Administrator" + ] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SCSensitivityLabel/MSFT_SCSensitivityLabel.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SCSensitivityLabel/MSFT_SCSensitivityLabel.psm1 index badac1d9d5..0d5a97675e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SCSensitivityLabel/MSFT_SCSensitivityLabel.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SCSensitivityLabel/MSFT_SCSensitivityLabel.psm1 @@ -1133,14 +1133,14 @@ function Set-TargetResource try { Write-Verbose -Message "Creating Label {$Name}" - New-Label @CreationParams -ErrorAction Stop + $newLabel = New-Label @CreationParams -ErrorAction Stop ## Can't set priority until label created - if ($PSBoundParameters.ContainsKey('Priority')) + if ($PSBoundParameters.ContainsKey('Priority') -and $Priority -lt $newLabel.Priority) { Start-Sleep 5 Write-Verbose -Message "Updating the priority for newly created label {$Name}" - Set-label -Identity $Name -priority $Priority -ErrorAction Stop + Set-Label -Identity $Name -priority $Priority -ErrorAction Stop } } catch 
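Review bot: in the `New-Label` hunk of MSFT_SCSensitivityLabel.psm1 (`@@ -1133,14 +1133,14 @@`), the new guard `-and $Priority -lt $newLabel.Priority` silently drops a requested Priority that is not lower than the one the label received at creation, so a configuration asking for a higher value applies without error but never converges on that value. Add a comment explaining why only lower priorities are applied after creation (a freshly created label lands at the end of the priority list) and emit a `Write-Verbose` or `Write-Warning` in the else case so the skipped update is visible in the log. The `Start-Sleep 5` that precedes `Set-Label` also deserves a comment naming the propagation delay it works around, since a bare sleep reads as a leftover from debugging.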
@@ -1705,7 +1705,7 @@ function Convert-StringToAdvancedSettings $settingString = $setting.Replace('[', '').Replace(']', '') $settingKey = $settingString.Split(',')[0] - if ($settingKey -notin @('displayname', 'contenttype', 'tooltip')) + if ($settingKey -notin @('displayname', 'contenttype', 'tooltip', 'parentid')) { $startPos = $settingString.IndexOf(',', 0) + 1 $valueString = $settingString.Substring($startPos, $settingString.Length - $startPos).Trim() diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.psm1 index de8dc6c018..3f2224c6af 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.psm1 @@ -46,6 +46,7 @@ function Get-TargetResource $AllowCloudRecording, [Parameter()] + [ValidateSet('Enabled', 'Disabled')] [System.String] $AllowDocumentCollaboration, @@ -54,10 +55,14 @@ function Get-TargetResource $AllowedStreamingMediaInput, [Parameter()] - [ValidateSet('Enabled', 'Disabled')] + [ValidateSet('Enabled', 'Disabled', 'ForceEnabled')] [System.String] $AllowEngagementReport = 'Disabled', + [Parameter()] + [System.Boolean] + $AllowExternalNonTrustedMeetingChat, + [Parameter()] [System.Boolean] $AllowExternalParticipantGiveRequestControl, @@ -108,15 +113,15 @@ function Get-TargetResource [Parameter()] [System.Boolean] - $AllowPrivateMeetNow, + $AllowPowerPointSharing, [Parameter()] [System.Boolean] - $AllowPowerPointSharing, + $AllowPrivateMeetingScheduling, [Parameter()] [System.Boolean] - $AllowPrivateMeetingScheduling, + $AllowPrivateMeetNow, [Parameter()] [System.Boolean] 
@@ -151,33 +156,78 @@ function Get-TargetResource [System.Boolean] $AllowWhiteboard, + [Parameter()] + [ValidateSet('Disabled', 'Enabled', 'DisabledUserOverride')] + [System.String] + $AttendeeIdentityMasking, + [Parameter()] [System.String] [ValidateSet('EveryoneInCompany', 'Everyone', 'EveryoneInSameAndFederatedCompany', 'OrganizerOnly', 'InvitedUsers', 'EveryoneInCompanyExcludingGuests')] $AutoAdmittedUsers, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $AutomaticallyStartCopilot, + + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $AutoRecording, + [Parameter()] [System.String] $BlockedAnonymousJoinClientTypes, [Parameter()] + [ValidateSet('Allow', 'Block')] [System.String] $ChannelRecordingDownload, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $ConnectToMeetingControls, + + [Parameter()] + [ValidateSet('EnabledForAnyone', 'EnabledForTrustedOrgs', 'Disabled')] + [System.String] + $ContentSharingInExternalMeetings, + + [Parameter()] + [ValidateSet('Enabled', 'EnabledWithTranscript')] + [System.String] + $Copilot, + + [Parameter()] + [System.Boolean] + $CopyRestriction, + [Parameter()] [ValidateSet('OrganizerOnlyUserOverride', 'EveryoneInCompanyUserOverride', 'EveryoneUserOverride')] [System.String] $DesignatedPresenterRoleMode = 'EveryoneUserOverride', + [Parameter()] + [System.Boolean] + $DetectSensitiveContentDuringScreenSharing, + [Parameter()] [ValidateSet('Disabled', 'Enabled')] [System.String] $EnrollUserOverride = 'Disabled', [Parameter()] + [ValidateSet('Disabled', 'Enabled')] [System.String] $ExplicitRecordingConsent, + [Parameter()] + [ValidateSet('EnabledForAnyone', 'EnabledForTrustedOrgs', 'Disabled')] + [System.String] + $ExternalMeetingJoin, + [Parameter()] [System.String] $ForceStreamingAttendeeMode, 
@@ -228,12 +278,18 @@ function Get-TargetResource [ValidateRange(-1, 99999)] $NewMeetingRecordingExpirationDays, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $ParticipantNameChange, + [Parameter()] [System.String] [ValidateSet('TeamsAndSfb', 'Teams')] $PreferredMeetingProviderForIslandsMode, [Parameter()] + [ValidateSet('Disabled', 'Enabled')] [System.String] $QnAEngagementMode, @@ -243,6 +299,7 @@ function Get-TargetResource $RoomAttributeUserOverride = 'Off', [Parameter()] + [ValidateSet('Off', 'On')] [System.String] $RoomPeopleNameUserOverride, @@ -253,7 +310,7 @@ function Get-TargetResource [Parameter()] [System.String] - [ValidateSet('Disabled', 'EnabledUserOverride')] + [ValidateSet('Disabled', 'DisabledUserOverride', 'EnabledUserOverride', 'Enabled')] $SpeakerAttributionMode, [Parameter()] @@ -271,6 +328,11 @@ function Get-TargetResource [ValidateSet('NoFilters', 'BlurOnly', 'BlurAndDefaultBackgrounds', 'AllFilters')] $VideoFiltersMode, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $VoiceIsolation, + [Parameter()] [ValidateSet('Everyone', 'EveryoneInCompany')] [System.String] @@ -350,6 +412,7 @@ function Get-TargetResource AllowDocumentCollaboration = $policy.AllowDocumentCollaboration AllowedStreamingMediaInput = $policy.AllowedStreamingMediaInput AllowEngagementReport = $policy.AllowEngagementReport + AllowExternalNonTrustedMeetingChat = $policy.AllowExternalNonTrustedMeetingChat AllowExternalParticipantGiveRequestControl = $policy.AllowExternalParticipantGiveRequestControl AllowIPAudio = $policy.AllowIPAudio AllowIPVideo = $policy.AllowIPVideo 
@@ -373,13 +436,21 @@ function Get-TargetResource AllowWatermarkForCameraVideo = $policy.AllowWatermarkForCameraVideo AllowWatermarkForScreenSharing = $policy.AllowWatermarkForScreenSharing AllowWhiteboard = $policy.AllowWhiteboard + AttendeeIdentityMasking = $policy.AttendeeIdentityMasking AutoAdmittedUsers = $policy.AutoAdmittedUsers + AutomaticallyStartCopilot = $policy.AutomaticallyStartCopilot + AutoRecording = $policy.AutoRecording BlockedAnonymousJoinClientTypes = $policy.BlockedAnonymousJoinClientTypes ChannelRecordingDownload = $policy.ChannelRecordingDownload + ConnectToMeetingControls = $policy.ConnectToMeetingControls + ContentSharingInExternalMeetings = $policy.ContentSharingInExternalMeetings + Copilot = $policy.Copilot + CopyRestriction = $policy.CopyRestriction DesignatedPresenterRoleMode = $policy.DesignatedPresenterRoleMode + DetectSensitiveContentDuringScreenSharing = $policy.DetectSensitiveContentDuringScreenSharing EnrollUserOverride = $policy.EnrollUserOverride ExplicitRecordingConsent = $policy.ExplicitRecordingConsent - ForceStreamingAttendeeMode = $policy.ForceStreamingAttendeeMode + ExternalMeetingJoin = $policy.ExternalMeetingJoin InfoShownInReportMode = $policy.InfoShownInReportMode IPAudioMode = $policy.IPAudioMode IPVideoMode = $policy.IPVideoMode @@ -390,6 +461,7 @@ function Get-TargetResource MeetingChatEnabledType = $policy.MeetingChatEnabledType MeetingInviteLanguages = $policy.MeetingInviteLanguages NewMeetingRecordingExpirationDays = $policy.NewMeetingRecordingExpirationDays + ParticipantNameChange = $policy.ParticipantNameChange PreferredMeetingProviderForIslandsMode = $policy.PreferredMeetingProviderForIslandsMode QnAEngagementMode = $policy.QnAEngagementMode RoomPeopleNameUserOverride = $policy.RoomPeopleNameUserOverride 
@@ -397,15 +469,10 @@ function Get-TargetResource SpeakerAttributionMode = $policy.SpeakerAttributionMode StreamingAttendeeMode = $policy.StreamingAttendeeMode VideoFiltersMode = $policy.VideoFiltersMode + VoiceIsolation = $policy.VoiceIsolation TeamsCameraFarEndPTZMode = $policy.TeamsCameraFarEndPTZMode WhoCanRegister = $policy.WhoCanRegister Ensure = 'Present' - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint - ManagedIdentity = $ManagedIdentity.IsPresent - AccessTokens = $AccessTokens } } catch @@ -467,6 +534,7 @@ function Set-TargetResource $AllowCloudRecording, [Parameter()] + [ValidateSet('Enabled', 'Disabled')] [System.String] $AllowDocumentCollaboration, @@ -475,10 +543,14 @@ function Set-TargetResource $AllowedStreamingMediaInput, [Parameter()] - [ValidateSet('Enabled', 'Disabled')] + [ValidateSet('Enabled', 'Disabled', 'ForceEnabled')] [System.String] $AllowEngagementReport = 'Disabled', + [Parameter()] + [System.Boolean] + $AllowExternalNonTrustedMeetingChat, + [Parameter()] [System.Boolean] $AllowExternalParticipantGiveRequestControl, @@ -529,15 +601,15 @@ function Set-TargetResource [Parameter()] [System.Boolean] - $AllowPrivateMeetNow, + $AllowPowerPointSharing, [Parameter()] [System.Boolean] - $AllowPowerPointSharing, + $AllowPrivateMeetingScheduling, [Parameter()] [System.Boolean] - $AllowPrivateMeetingScheduling, + $AllowPrivateMeetNow, [Parameter()] [System.Boolean] 
@@ -572,33 +644,78 @@ function Set-TargetResource [System.Boolean] $AllowWhiteboard, + [Parameter()] + [ValidateSet('Disabled', 'Enabled', 'DisabledUserOverride')] + [System.String] + $AttendeeIdentityMasking, + [Parameter()] [System.String] [ValidateSet('EveryoneInCompany', 'Everyone', 'EveryoneInSameAndFederatedCompany', 'OrganizerOnly', 'InvitedUsers', 'EveryoneInCompanyExcludingGuests')] $AutoAdmittedUsers, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $AutomaticallyStartCopilot, + + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $AutoRecording, + [Parameter()] [System.String] $BlockedAnonymousJoinClientTypes, [Parameter()] + [ValidateSet('Allow', 'Block')] [System.String] $ChannelRecordingDownload, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $ConnectToMeetingControls, + + [Parameter()] + [ValidateSet('EnabledForAnyone', 'EnabledForTrustedOrgs', 'Disabled')] + [System.String] + $ContentSharingInExternalMeetings, + + [Parameter()] + [ValidateSet('Enabled', 'EnabledWithTranscript')] + [System.String] + $Copilot, + + [Parameter()] + [System.Boolean] + $CopyRestriction, + [Parameter()] [ValidateSet('OrganizerOnlyUserOverride', 'EveryoneInCompanyUserOverride', 'EveryoneUserOverride')] [System.String] $DesignatedPresenterRoleMode = 'EveryoneUserOverride', + [Parameter()] + [System.Boolean] + $DetectSensitiveContentDuringScreenSharing, + [Parameter()] [ValidateSet('Disabled', 'Enabled')] [System.String] $EnrollUserOverride = 'Disabled', [Parameter()] + [ValidateSet('Disabled', 'Enabled')] [System.String] $ExplicitRecordingConsent, + [Parameter()] + [ValidateSet('EnabledForAnyone', 'EnabledForTrustedOrgs', 'Disabled')] + [System.String] + $ExternalMeetingJoin, + [Parameter()] [System.String] $ForceStreamingAttendeeMode, 
@@ -649,12 +766,18 @@ function Set-TargetResource [ValidateRange(-1, 99999)] $NewMeetingRecordingExpirationDays, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $ParticipantNameChange, + [Parameter()] [System.String] [ValidateSet('TeamsAndSfb', 'Teams')] $PreferredMeetingProviderForIslandsMode, [Parameter()] + [ValidateSet('Disabled', 'Enabled')] [System.String] $QnAEngagementMode, @@ -664,6 +787,7 @@ function Set-TargetResource $RoomAttributeUserOverride = 'Off', [Parameter()] + [ValidateSet('Off', 'On')] [System.String] $RoomPeopleNameUserOverride, @@ -674,7 +798,7 @@ function Set-TargetResource [Parameter()] [System.String] - [ValidateSet('Disabled', 'EnabledUserOverride')] + [ValidateSet('Disabled', 'DisabledUserOverride', 'EnabledUserOverride', 'Enabled')] $SpeakerAttributionMode, [Parameter()] @@ -692,6 +816,11 @@ function Set-TargetResource [ValidateSet('NoFilters', 'BlurOnly', 'BlurAndDefaultBackgrounds', 'AllFilters')] $VideoFiltersMode, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $VoiceIsolation, + [Parameter()] [ValidateSet('Everyone', 'EveryoneInCompany')] [System.String] @@ -755,6 +884,10 @@ function Set-TargetResource $SetParameters.Remove('ManagedIdentity') | Out-Null $SetParameters.Remove('Verbose') | Out-Null # Needs to be implicitly removed for the cmdlet to work $SetParameters.Remove('AccessTokens') | Out-Null + + # Parameter is Deprecated + $SetParameters.Remove('ForceStreamingAttendeeMode') | Out-Null + if ($AllowCloudRecording -eq $false -and $SetParameters.Keys -contains 'AllowRecordingStorageOutsideRegion') { $SetParameters.Remove('AllowRecordingStorageOutsideRegion') | Out-Null @@ -849,6 +982,7 @@ function Test-TargetResource $AllowCloudRecording, [Parameter()] + [ValidateSet('Enabled', 'Disabled')] [System.String] $AllowDocumentCollaboration, 
@@ -857,10 +991,14 @@ function Test-TargetResource $AllowedStreamingMediaInput, [Parameter()] - [ValidateSet('Enabled', 'Disabled')] + [ValidateSet('Enabled', 'Disabled', 'ForceEnabled')] [System.String] $AllowEngagementReport = 'Disabled', + [Parameter()] + [System.Boolean] + $AllowExternalNonTrustedMeetingChat, + [Parameter()] [System.Boolean] $AllowExternalParticipantGiveRequestControl, @@ -911,15 +1049,15 @@ function Test-TargetResource [Parameter()] [System.Boolean] - $AllowPrivateMeetNow, + $AllowPowerPointSharing, [Parameter()] [System.Boolean] - $AllowPowerPointSharing, + $AllowPrivateMeetingScheduling, [Parameter()] [System.Boolean] - $AllowPrivateMeetingScheduling, + $AllowPrivateMeetNow, [Parameter()] [System.Boolean] 
@@ -954,33 +1092,78 @@ function Test-TargetResource [System.Boolean] $AllowWhiteboard, + [Parameter()] + [ValidateSet('Disabled', 'Enabled', 'DisabledUserOverride')] + [System.String] + $AttendeeIdentityMasking, + [Parameter()] [System.String] [ValidateSet('EveryoneInCompany', 'Everyone', 'EveryoneInSameAndFederatedCompany', 'OrganizerOnly', 'InvitedUsers', 'EveryoneInCompanyExcludingGuests')] $AutoAdmittedUsers, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $AutomaticallyStartCopilot, + + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $AutoRecording, + [Parameter()] [System.String] $BlockedAnonymousJoinClientTypes, [Parameter()] + [ValidateSet('Allow', 'Block')] [System.String] $ChannelRecordingDownload, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $ConnectToMeetingControls, + + [Parameter()] + [ValidateSet('EnabledForAnyone', 'EnabledForTrustedOrgs', 'Disabled')] + [System.String] + $ContentSharingInExternalMeetings, + + [Parameter()] + [ValidateSet('Enabled', 'EnabledWithTranscript')] + [System.String] + $Copilot, + + [Parameter()] + [System.Boolean] + $CopyRestriction, + [Parameter()] [ValidateSet('OrganizerOnlyUserOverride', 'EveryoneInCompanyUserOverride', 'EveryoneUserOverride')] [System.String] $DesignatedPresenterRoleMode = 'EveryoneUserOverride', + [Parameter()] + [System.Boolean] + $DetectSensitiveContentDuringScreenSharing, + [Parameter()] [ValidateSet('Disabled', 'Enabled')] [System.String] $EnrollUserOverride = 'Disabled', [Parameter()] + [ValidateSet('Disabled', 'Enabled')] [System.String] $ExplicitRecordingConsent, + [Parameter()] + [ValidateSet('EnabledForAnyone', 'EnabledForTrustedOrgs', 'Disabled')] + [System.String] + $ExternalMeetingJoin, + [Parameter()] [System.String] $ForceStreamingAttendeeMode, 
@@ -1031,12 +1214,18 @@ function Test-TargetResource [ValidateRange(-1, 99999)] $NewMeetingRecordingExpirationDays, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $ParticipantNameChange, + [Parameter()] [System.String] [ValidateSet('TeamsAndSfb', 'Teams')] $PreferredMeetingProviderForIslandsMode, [Parameter()] + [ValidateSet('Disabled', 'Enabled')] [System.String] $QnAEngagementMode, @@ -1046,6 +1235,7 @@ function Test-TargetResource $RoomAttributeUserOverride = 'Off', [Parameter()] + [ValidateSet('Off', 'On')] [System.String] $RoomPeopleNameUserOverride, @@ -1056,7 +1246,7 @@ function Test-TargetResource [Parameter()] [System.String] - [ValidateSet('Disabled', 'EnabledUserOverride')] + [ValidateSet('Disabled', 'DisabledUserOverride', 'EnabledUserOverride', 'Enabled')] $SpeakerAttributionMode, [Parameter()] @@ -1074,6 +1264,11 @@ function Test-TargetResource [ValidateSet('NoFilters', 'BlurOnly', 'BlurAndDefaultBackgrounds', 'AllFilters')] $VideoFiltersMode, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $VoiceIsolation, + [Parameter()] [ValidateSet('Everyone', 'EveryoneInCompany')] [System.String] @@ -1139,6 +1334,9 @@ function Test-TargetResource # The AllowUserToJoinExternalMeeting doesn't do anything based on official documentation $ValuesToCheck.Remove('AllowUserToJoinExternalMeeting') | Out-Null + # Parameter is Deprecated + $ValuesToCheck.Remove('ForceStreamingAttendeeMode') | Out-Null + if ($AllowCloudRecording -eq $false -and $ValuesToCheck.Keys -contains 'AllowRecordingStorageOutsideRegion') { $ValuesToCheck.Remove('AllowRecordingStorageOutsideRegion') | Out-Null 
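Review bot: the Get-TargetResource hunk `@@ -397,15 +469,10 @@` in MSFT_TeamsMeetingPolicy.psm1 removes `Credential`, `ApplicationId`, `TenantId`, `CertificateThumbprint`, `ManagedIdentity` and `AccessTokens` from the returned hashtable. In this module Export-TargetResource normally forwards the Get result to the content generator so that the authentication block ends up in the exported configuration; confirm those keys are re-added in a hunk not shown here, otherwise the export for TeamsMeetingPolicy will lose its authentication parameters. If dropping them from Get is intentional, say so in the PR description.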
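Review bot: `ForceStreamingAttendeeMode` is removed from the Set call (`$SetParameters.Remove('ForceStreamingAttendeeMode') | Out-Null`, hunk `@@ -755,6 +884,10 @@`) and from the Test comparison (hunk `@@ -1139,6 +1334,9 @@`) with the comment `# Parameter is Deprecated`, and Get no longer reads it back, yet the parameter stays declared in all three param blocks, so a user who still sets it gets no feedback and the value is silently ignored. Mark it deprecated in the parameter description, emit a `Write-Warning` in Set-TargetResource when it is bound, and record the deprecation in the CHANGELOG next to the new settings this change introduces.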
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.schema.mof index cec9b406f9..839b879052 100644 Binary files a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.schema.mof and b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.schema.mof differ diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 index bfb5342628..331506aba8 100644 --- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 +++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 @@ -26,7 +26,7 @@ }, @{ ModuleName = 'ExchangeOnlineManagement' - RequiredVersion = '3.6.0' + RequiredVersion = '3.4.0' }, @{ ModuleName = 'Microsoft.Graph.Applications' @@ -56,6 +56,10 @@ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement.Enrollment' RequiredVersion = '2.24.0' }, + @{ + ModuleName = 'Microsoft.Graph.Beta.NetworkAccess' + RequiredVersion = '2.24.0' + }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.DirectoryManagement' RequiredVersion = '2.24.0' diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAccessReviewPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAccessReviewPolicy/2-Update.ps1 new file mode 100644 index 0000000000..3c1dc8a687 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAccessReviewPolicy/2-Update.ps1 
@@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADAccessReviewPolicy "AADAccessReviewPolicy" + { + IsGroupOwnerManagementEnabled = $False; + IsSingleInstance = "Yes"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEnrichedAuditLogs/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEnrichedAuditLogs/2-Update.ps1 new file mode 100644 index 0000000000..5f414179b9 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEnrichedAuditLogs/2-Update.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADEnrichedAuditLogs "AADEnrichedAuditLogs" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Exchange = "disabled"; + IsSingleInstance = "Yes"; + SharePoint = "enabled"; + Teams = "disabled"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/1-Create.ps1 new file mode 100644 index 0000000000..5db25c3ec7 --- /dev/null 
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/1-Create.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicy "AADFilteringPolicy-MyPolicy" + { + Action = "block"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/2-Update.ps1 new file mode 100644 index 0000000000..4f9da4429e --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/2-Update.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicy "AADFilteringPolicy-MyPolicy" + { + Action = "allow"; #drift + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + TenantId = $TenantId; + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/3-Remove.ps1 new file mode 100644 index 0000000000..ca9aaae7b4 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/3-Remove.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicy "AADFilteringPolicy-MyPolicy" + { + Action = "block"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "This is a demo policy"; + Ensure = "Absent"; + Name = "MyPolicy"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/1-Create.ps1 new file mode 100644 index 0000000000..5b80856a90 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/1-Create.ps1 
@@ -0,0 +1,55 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicyRule "AADFilteringPolicyRule-FQDN" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + value = 'Microsoft365DSC.com' + } + ); + Ensure = "Present"; + Name = "MyFQDN"; + Policy = "AMyPolicy"; + RuleType = "fqdn"; + TenantId = $TenantId; + } + AADFilteringPolicyRule "AADFilteringPolicyRule-Web" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + name = 'ChildAbuseImages' + } + ); + Ensure = "Present"; + Name = "MyWebContentRule"; + Policy = "MyPolicy"; + RuleType = "webCategory"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/2-Update.ps1 new file mode 100644 index 0000000000..69c04006c1 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/2-Update.ps1 
@@ -0,0 +1,40 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicyRule "AADFilteringPolicyRule-FQDN" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + value = 'contoso.com' #Drift + } + ); + Ensure = "Present"; + Name = "MyFQDN"; + Policy = "AMyPolicy"; + RuleType = "fqdn"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/3-Remove.ps1 new file mode 100644 index 0000000000..133a330fa5 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/3-Remove.ps1 
@@ -0,0 +1,55 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicyRule "AADFilteringPolicyRule-FQDN" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + value = 'Microsoft365DSC.com' + } + ); + Ensure = "Absent"; + Name = "MyFQDN"; + Policy = "AMyPolicy"; + RuleType = "fqdn"; + TenantId = $TenantId; + } + AADFilteringPolicyRule "AADFilteringPolicyRule-Web" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + name = 'ChildAbuseImages' + } + ); + Ensure = "Absent"; + Name = "MyWebContentRule"; + Policy = "MyPolicy"; + RuleType = "webCategory"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/1-Create.ps1 new file mode 100644 index 0000000000..6f810bd0d2 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/1-Create.ps1 
@@ -0,0 +1,50 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringProfile "AADFilteringProfile-My Profile" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Present"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 120; + State = "enabled"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/2-Update.ps1 new file mode 100644 index 0000000000..167024212f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/2-Update.ps1 
@@ -0,0 +1,50 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringProfile "AADFilteringProfile-My Profile" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Present"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 130; #Drift + State = "enabled"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/3-Remove.ps1 new file mode 100644 index 0000000000..a9423cb9d9 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/3-Remove.ps1 
@@ -0,0 +1,50 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringProfile "AADFilteringProfile-My Profile" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Absent"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 120; + State = "enabled"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/1-Create.ps1 new file mode 100644 index 0000000000..c6145aca64 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/1-Create.ps1 
@@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADHomeRealmDiscoveryPolicy "AADHomeRealmDiscoveryPolicy-displayName-value" + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Present"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/2-Update.ps1 new file mode 100644 index 0000000000..12c5f39fff --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/2-Update.ps1 
@@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADHomeRealmDiscoveryPolicy "AADHomeRealmDiscoveryPolicy-displayName-value" + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $True # updating here + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Present"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/3-Remove.ps1 new file mode 100644 index 0000000000..edfc129f1f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/3-Remove.ps1 
@@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADHomeRealmDiscoveryPolicy "AADHomeRealmDiscoveryPolicy-displayName-value" + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Absent"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/1-Create.ps1 new file mode 100644 index 0000000000..c631224b8b --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/1-Create.ps1 
@@ -0,0 +1,48 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension "AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom" + { + ApplicationId = $ApplicationId; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + CertificateThumbprint = $CertificateThumbprint; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Present"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/2-Update.ps1 new file mode 100644 index 0000000000..a7ac05d858 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/2-Update.ps1 
@@ -0,0 +1,48 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension "AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Drifted Description"; # Drift + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Present"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/3-Remove.ps1 new file mode 100644 index 0000000000..64b40d74d4 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/3-Remove.ps1 
@@ -0,0 +1,48 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension "AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom" + { + ApplicationId = $ApplicationId; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + CertificateThumbprint = $CertificateThumbprint; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Absent"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityProtectionPolicySettings/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityProtectionPolicySettings/2-Update.ps1 new file mode 100644 index 0000000000..fdf8f5d246 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityProtectionPolicySettings/2-Update.ps1 
@@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityProtectionPolicySettings "AADIdentityProtectionPolicySettings" + { + IsUserRiskClearedOnPasswordReset = $false; #drift + IsSingleInstance = "Yes"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessForwardingPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessForwardingPolicy/2-Update.ps1 new file mode 100644 index 0000000000..87f8e1578a --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessForwardingPolicy/2-Update.ps1 
@@ -0,0 +1,60 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADNetworkAccessForwardingPolicy "AADNetworkAccessForwardingPolicy-Custom Bypass" + { + Name = "Custom Bypass"; + PolicyRules = @( + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'fqdn' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('www.microsoft.com') + } + + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipAddress' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.168.1.1') + } + + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipSubnet' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.164.0.0/24') + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessForwardingProfile/Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessForwardingProfile/Update.ps1 new file mode 100644 index 0000000000..2a7431f519 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessForwardingProfile/Update.ps1 
@@ -0,0 +1,50 @@ +# Generated with Microsoft365DSC version 1.24.1016.1 +# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName 'Microsoft365DSC' + + Node localhost + { + AADNetworkAccessForwardingProfile "AADNetworkAccessForwardingProfile-Internet traffic forwarding profile" + { + + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Name = "Internet traffic forwarding profile"; + Policies = @(MSFT_MicrosoftGraphNetworkaccessPolicyLink { + State = 'disabled' + PolicyLinkId = 'f8a43f3f-3f44-4738-8025-088bb095a711' + Name = 'Custom Bypass' + } +MSFT_MicrosoftGraphNetworkaccessPolicyLink { + State = 'enabled' + PolicyLinkId = 'b45d1db0-9965-487b-afb1-f4d25174e9db' + Name = 'Default Bypass' + } +MSFT_MicrosoftGraphNetworkaccessPolicyLink { + State = 'enabled' + PolicyLinkId = 'dfd9cd59-90ca-44fc-b997-7cc71f08e438' + Name = 'Default Acquire' + } + ); + State = "disabled"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessSettingConditionalAccess/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessSettingConditionalAccess/2-Update.ps1 new file mode 100644 index 0000000000..0d456e5aca --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessSettingConditionalAccess/2-Update.ps1 
@@ -0,0 +1,33 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADNetworkAccessSettingConditionalAccess "AADNetworkAccessSettingConditionalAccess" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + SignalingStatus = "disabled"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessSettingCrossTenantAccess/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessSettingCrossTenantAccess/2-Update.ps1 new file mode 100644 index 0000000000..02c4ea6dbe --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessSettingCrossTenantAccess/2-Update.ps1 @@ -0,0 +1,33 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADNetworkAccessSettingCrossTenantAccess "AADNetworkAccessSettingCrossTenantAccess" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + NetworkPacketTaggingStatus = "enabled"; + TenantId = $TenantId; + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/1-Create.ps1 new file mode 100644 index 0000000000..2c2f3190e9 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/1-Create.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADUserFlowAttribute 'SaiTest' + { + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/2-Update.ps1 new file mode 100644 index 0000000000..2c2f3190e9 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/2-Update.ps1 
@@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADUserFlowAttribute 'SaiTest' + { + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/3-Remove.ps1 new file mode 100644 index 0000000000..855930be81 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/3-Remove.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADUserFlowAttribute 'SaiTest' + { + Id = "testIdSai" + DisplayName = "saitest" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/1-Create.ps1 new file mode 100644 index 0000000000..33858258a7 --- /dev/null 
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/1-Create.ps1 @@ -0,0 +1,42 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Present"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/2-Update.ps1 new file mode 100644 index 0000000000..8bbd4acd39 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/2-Update.ps1 
@@ -0,0 +1,42 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Present"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso 2"; # drift + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/3-Remove.ps1 new file mode 100644 index 0000000000..9de3d21339 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/3-Remove.ps1 
@@ -0,0 +1,42 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Absent"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/1-Create.ps1 new file mode 100644 index 0000000000..260b363842 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/1-Create.ps1 
@@ -0,0 +1,97 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your Verified Credential?' + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' + issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Present"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = 
MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/2-Update.ps1 new file mode 100644 index 0000000000..20abab6819 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/2-Update.ps1 
@@ -0,0 +1,97 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your sample Verified Credential?' #drift + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' + issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Present"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = 
MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/3-Remove.ps1 new file mode 100644 index 0000000000..8699f4d04f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/3-Remove.ps1 
@@ -0,0 +1,97 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your Verified Credential?' + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' + issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Absent"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = 
MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/1-Create.ps1 new file mode 100644 index 0000000000..96f3448026 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/1-Create.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsAssociatedTenant "AzureBillingAccountsAssociatedTenantIntegration Tenant" + { + ApplicationId = $ApplicationId; + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "My Test Account"; + BillingManagementState = "Active"; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "Integration Tenant"; + Ensure = "Present"; + ProvisioningManagementState = "Pending"; + TenantId = $TenantId; + } + } +} 
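Review bot: In the AADVerifiedIdAuthority 3-Remove example, `ResourceGroup = 'TBD'` inside the KeyVaultMetadata block is an unfilled placeholder, and `LinkedDomainUrl = "https://nik-charlebois.com/"` is a personal domain where the other examples in this patch use `contoso` or `$OrganizationName`; give the resource group a sample value that matches `ResourceName = 'xtakeyvault'` and use a neutral sample domain. The block also mixes `;`-terminated and bare property lines (`Name = "Contoso";` followed by `ApplicationId = $ApplicationId`), which is legal but worth making consistent.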
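Review bot: `linkedDomainUrl = "https://$OrganizationName/"` in the AADVerifiedIdAuthorityContract 1-Create example references a variable that the Configuration never declares; its param block only has `$ApplicationId`, `$TenantId` and `$CertificateThumbprint`, so the value compiles to `https:///` unless the caller happens to have `$OrganizationName` in session scope. Add an `$OrganizationName` parameter or hard-code a sample domain. Separately, the property names here are camelCase (`displays`, `linkedDomainUrl`, `name`, `rules`) while `Ensure`, `ApplicationId` and every other resource in this patch use PascalCase; align the schema casing before the first release, since renaming properties later is a breaking change.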
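Review bot: The AADVerifiedIdAuthorityContract 2-Update example only drifts a display string (`title = 'Do you want to get your sample Verified Credential?' #drift`), so the comparison of the nested `rules` CIM instance (claim mappings, `validityInterval`, `vc.type`) is never exercised by the integration run; consider also changing something under `rules`, for example `validityInterval`, so that `Test-TargetResource` is shown handling drift in the nested attestation model. The undefined `$OrganizationName` in `linkedDomainUrl` applies to this file as well.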
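Review bot: The AADVerifiedIdAuthorityContract 3-Remove example carries the full `displays` and `rules` definition alongside `Ensure = "Absent"`; a remove example should list only the properties that identify the contract (`name` and `linkedDomainUrl`, presumably) plus the authentication parameters, which also documents which properties are the key. Same `$OrganizationName` issue as in 1-Create.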
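Review bot: For the AzureBillingAccountsAssociatedTenant 1-Create example, please document whether `BillingAccount = "My Test Account"` is matched on the billing account display name or on the billing account identifier, and whether `ProvisioningManagementState = "Pending"` is a settable property or a state reported back by the service; if it is the latter, keeping it in the desired state will report drift once the invitation is accepted.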
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/2-Update.ps1 new file mode 100644 index 0000000000..eba2a4ebfb --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/2-Update.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsAssociatedTenant "AzureBillingAccountsAssociatedTenantIntegration Tenant" + { + ApplicationId = $ApplicationId; + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "My Test Account"; + BillingManagementState = "NotAllowed"; # Drift + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "Integration Tenant"; + Ensure = "Present"; + ProvisioningManagementState = "Pending"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/3-Remove.ps1 new file mode 100644 index 0000000000..cb1d041e05 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/3-Remove.ps1 
@@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsAssociatedTenant "AzureBillingAccountsAssociatedTenantIntegration Tenant" + { + ApplicationId = $ApplicationId; + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "My Test Account"; + BillingManagementState = "Active"; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "Integration Tenant"; + Ensure = "Absent"; + ProvisioningManagementState = "Pending"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/1-Create.ps1 new file mode 100644 index 0000000000..c08e97899c --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/1-Create.ps1 
@@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsRoleAssignment "AzureBillingAccountsRoleAssignment" + { + ApplicationId = $ApplicationId; + BillingAccount = "MyTestAccount"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + PrincipalName = "John.Smith@contoso.onmicrosoft.com"; + PrincipalType = "User"; + PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + RoleDefinition = "Billing account owner"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/2-Update.ps1 new file mode 100644 index 0000000000..c21d06835a --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/2-Update.ps1 
@@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsRoleAssignment "AzureBillingAccountsRoleAssignment" + { + ApplicationId = $ApplicationId; + BillingAccount = "MyTestAccount"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + PrincipalName = "John.Smith@contoso.onmicrosoft.com"; + PrincipalType = "User"; + PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + RoleDefinition = "Billing account contributor"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/3-Remove.ps1 new file mode 100644 index 0000000000..3f34f98936 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/3-Remove.ps1 
@@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsRoleAssignment "AzureBillingAccountsRoleAssignment" + { + ApplicationId = $ApplicationId; + BillingAccount = "MyTestAccount"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + PrincipalName = "John.Smith@contoso.onmicrosoft.com"; + PrincipalType = "User"; + PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + RoleDefinition = "Billing account owner"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/1-Create.ps1 new file mode 100644 index 0000000000..3b5392744d --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/1-Create.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOServicePrincipal 'ServicePrincipal' + { + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Ensure = "Present"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} 
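Review bot: In the AzureBillingAccountsRoleAssignment 2-Update example, `RoleDefinition` changes from `"Billing account owner"` to `"Billing account contributor"` but, unlike the other update examples in this patch, the changed line has no `# Drift` marker. More importantly, the README should state whether the key for this resource is the principal (`PrincipalName` + `PrincipalTenantId`) or the principal plus role: if the role is part of the key, applying 2-Update after 1-Create creates a second assignment and leaves the owner assignment in place rather than replacing it. Minor: `PrincipalTenantId = '9c888910-...'` is the only line in the block without the `;` terminator and with single quotes.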
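Review bot: The EXOServicePrincipal 1-Create example uses a person's first name as `DisplayName = "Arpita"`; use a descriptive sample such as the app it represents (`"ISV Portal"` is already in `AppName`). The example also hard-codes both `AppId` and `Identity`; document which one is the key so readers know which value must match an existing service principal when `Ensure = "Present"`.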
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/2-Update.ps1 new file mode 100644 index 0000000000..3b4575000a --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/2-Update.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOServicePrincipal 'ServicePrincipal' + { + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Kartikeya"; + Ensure = "Present"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/3-Remove.ps1 new file mode 100644 index 0000000000..f9f1639575 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/3-Remove.ps1 
@@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOServicePrincipal 'ServicePrincipal' + { + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Ensure = "Absent"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/1-Create.ps1 new file mode 100644 index 0000000000..c91949c36a --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/1-Create.ps1 
@@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneAppleMDMPushNotificationCertificate "IntuneAppleMDMPushNotificationCertificate-66f4ec83-754f-4a59-a73d-e3182cc636a5" + { + AppleIdentifier = "Apple ID"; + Certificate = "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"; + DataSharingConsetGranted = $True; + + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/2-Update.ps1 new file mode 100644 index 0000000000..1b05d1358a --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/2-Update.ps1 
@@ -0,0 +1,36 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneAppleMDMPushNotificationCertificate "IntuneAppleMDMPushNotificationCertificate-66f4ec83-754f-4a59-a73d-e3182cc636a5" + { + AppleIdentifier = "Patched cert"; #drift + Certificate = "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"; #drift + + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/3-Remove.ps1 new file mode 100644 index 0000000000..0d1ab117d7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/3-Remove.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAppleMDMPushNotificationCertificate "IntuneAppleMDMPushNotificationCertificate-66f4ec83-754f-4a59-a73d-e3182cc636a5" + { + AppleIdentifier = "AppleID"; + Certificate = ""; + + Ensure = "Absent"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} 
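Review bot: The EXOServicePrincipal 2-Update example changes `DisplayName` from `"Arpita"` to `"Kartikeya"` with no `# Drift` marker, and again uses a contributor's name rather than a descriptive value; mark the drifted line as the other update examples do.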
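Review bot: `DataSharingConsetGranted = $True;` in the IntuneAppleMDMPushNotificationCertificate 1-Create example looks like a misspelling of "Consent"; check it against the resource's schema.mof and fix both before the first release, because renaming a property later is a breaking change. `AppleIdentifier = "Apple ID"` should be a sample in the Apple ID (email address) format so the example is recognisable as such.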
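Review bot: In the IntuneAppleMDMPushNotificationCertificate 2-Update example, `AppleIdentifier = "Patched cert"; #drift` is not an Apple ID value, and the `DataSharingConsetGranted` property present in 1-Create is dropped here without comment; either keep it (so the update only drifts the marked lines) or note why it is omitted.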
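Review bot: The IntuneAppleMDMPushNotificationCertificate 3-Remove example sets `AppleIdentifier = "AppleID"`, which differs from `"Apple ID"` in 1-Create, and `Certificate = ""`; if either value participates in matching, the remove does not target what the create made, so align them. The README should also state what `Ensure = "Absent"` does for this singleton (removing the APNs certificate ends MDM communication with enrolled Apple devices), since deleting it is a far more consequential action than the other remove examples.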
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagementEnrollmentAndroidGooglePlay/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagementEnrollmentAndroidGooglePlay/3-Remove.ps1 new file mode 100644 index 0000000000..9bd3d6195b --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagementEnrollmentAndroidGooglePlay/3-Remove.ps1 @@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagementEnrollmentAndroidGooglePlay "RemoveAndroidGooglePlayEnrollment" + { + Id = "androidManagedStoreAccountEnterpriseSettings" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/1-Create.ps1 new file mode 100644 index 0000000000..a5095ed687 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/1-Create.ps1 
@@ -0,0 +1,47 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Present"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $False; + WifiSecurityType = "none"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/2-Update.ps1 new file mode 100644 index 0000000000..c3fe6117bf --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/2-Update.ps1 
@@ -0,0 +1,46 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Present"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $True; #Drift + WifiSecurityType = "none"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/3-Remove.ps1 new file mode 100644 index 0000000000..6bc56f61c7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/3-Remove.ps1 
@@ -0,0 +1,46 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Absent"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $False; + WifiSecurityType = "none"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/1-Create.ps1 new file mode 100644 index 0000000000..6243030b1e --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/1-Create.ps1 
@@ -0,0 +1,51 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint" + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/2-Update.ps1 new file mode 100644 index 0000000000..8765456e07 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/2-Update.ps1 
@@ -0,0 +1,51 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint" + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $True; #drift + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/3-Remove.ps1 new file mode 100644 index 0000000000..c5529f47ca --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/3-Remove.ps1 
@@ -0,0 +1,51 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint" + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Absent"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/1-Create.ps1 new file mode 100644 index 0000000000..1753fce3f7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/1-Create.ps1 
@@ -0,0 +1,45 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint + { + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + AllowRealtimeMonitoring = '1' + BlockWin32APICallsFromOfficeMacros = 'warn' + CloudBlockLevel = '2' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint + { + DisableSafetyFilterOverrideForAppRepUnknown = '1' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/2-Update.ps1 new file mode 100644 index 0000000000..62a406e09d --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/2-Update.ps1 
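Review bot: statement terminators are mixed in this example: `DisplayName = 'test'`, `Ensure = 'Present'` and the nested settings blocks have none while `ApplicationId = $ApplicationId;` and the two lines after it end in semicolons; pick one style for the file. The settings-catalog values (`AllowRealtimeMonitoring = '1'`, `CloudBlockLevel = '2'`, `BlockExecutionOfPotentiallyObfuscatedScripts = 'off'`, `BlockWin32APICallsFromOfficeMacros = 'warn'`) are opaque strings, so a one-line comment on what each value means would help readers, particularly since the example for a Defender baseline currently shows obfuscated-script blocking switched off and will be copied from the docs despite the header note.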
@@ -0,0 +1,45 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint + { + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + AllowRealtimeMonitoring = '0' #drift + BlockWin32APICallsFromOfficeMacros = 'warn' + CloudBlockLevel = '2' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint + { + DisableSafetyFilterOverrideForAppRepUnknown = '1' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/3-Remove.ps1 new file mode 100644 index 0000000000..7f463cc6f0 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/3-Remove.ps1 
@@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint' + { + DisplayName = 'test' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/SCPolicyConfig/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SCPolicyConfig/2-Update.ps1 new file mode 100644 index 0000000000..37f5df1376 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/SCPolicyConfig/2-Update.ps1 
@@ -0,0 +1,239 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SCPolicyConfig "SCPolicyConfig" + { + AdvancedClassificationEnabled = $True; + ApplicationId = $ApplicationId; + AuditFileActivity = $False; + BandwidthLimitEnabled = $False; + BusinessJustificationList = @( + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification1' + Enable = $True + justificationText = 'default:Were' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification2' + Enable = $True + justificationText = 'default:Not' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification3' + Enable = $True + justificationText = 'default:Going' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification4' + Enable = $True + justificationText = 'default:To' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification5' + Enable = $True + justificationText = 'default:Take It' + } + ); + CertificateThumbprint = $CertificateThumbprint; + CloudAppMode = "Block"; + CloudAppRestrictionList = @("contoso.net","contoso.com"); + CustomBusinessJustificationNotification = 3; + DailyBandwidthLimitInMB = 0; + DLPAppGroups = @( + MSFT_PolicyConfigDLPAppGroups + { + Name = 'Maracas' + Id = '5c124091-bb75-4d20-9c09-b00d584c6270' + Description = 'Lacucaracha' + Apps = @( + MSFT_PolicyConfigDLPApp + { + ExecutableName = 'toc.exe' + Name = 'toctoctoc' + Quarantine = $False + } + ) + } + ); + DLPNetworkShareGroups = @( + MSFT_PolicyConfigDLPNetworkShareGroups + { + groupName = 'Network Share Group' + networkPaths = 
@('\\share2','\\share') + } + ); + DLPPrinterGroups = @( + MSFT_PolicyConfigDLPPrinterGroups + { + groupName = 'MyGroup' + groupId = '928f8844-80af-4740-b563-232b33b29f5d' + printers = @( + MSFT_PolicyConfigPrinter + { + universalPrinter = $False + usbPrinter = $True + usbPrinterId = '' + name = 'asdf' + alias = 'aasdf' + usbPrinterVID = '' + ipRange = MSFT_PolicyConfigIPRange + { + fromAddress = '' + toAddress = '' + } + corporatePrinter = $False + printToLocal = $False + printToFile = $False + } + ) + } + ); + DLPRemovableMediaGroups = @( + MSFT_PolicyConfigDLPRemovableMediaGroups + { + groupName = 'My Removable USB device group' + removablemedia = @( + MSFT_PolicyConfigRemovableMedia + { + deviceId = 'Nik' + removableMediaVID = 'bob' + name = 'MaCles' + alias = 'My Device' + removableMediaPID = 'asdfsd' + instancePathId = 'instance path' + serialNumberId = 'asdf' + hardwareId = 'hardware' + } + ) + } + ); + EnableLabelCoauth = $False; + EnableSpoAipMigration = $False; + EvidenceStoreSettings = MSFT_PolicyConfigEvidenceStoreSettings + { + FileEvidenceIsEnabled = $True + NumberOfDaysToRetain = 7 + StorageAccounts = @( + MSFT_PolicyConfigStorageAccount + { + Name = 'My storage' + BlobUri = 'https://contoso.com' + } + MSFT_PolicyConfigStorageAccount + { + Name = 'My 2nd storage' + BlobUri = 'https://coucou.com' + } + ) + Store = 'CustomerManaged' + }; + IncludePredefinedUnallowedBluetoothApps = $True; + IsSingleInstance = "Yes"; + MacDefaultPathExclusionsEnabled = $True; + MacPathExclusion = @("/pear","/apple","/orange"); + NetworkPathEnforcementEnabled = $True; + NetworkPathExclusion = "\\MyFirstPath:\\MySecondPath:\\MythirdPAth"; + PathExclusion = @("\\includemenot","\\excludemeWindows","\\excludeme3"); + QuarantineParameters = MSFT_PolicyConfigQuarantineParameters + { + EnableQuarantineForCloudSyncApps = $False + QuarantinePath = '%homedrive%%homepath%\Microsoft DLP\Quarantine' + MacQuarantinePath = '/System/Applications/Microsoft DLP/QuarantineMA' + 
ShouldReplaceFile = $True + FileReplacementText = 'Gargamel' + } + serverDlpEnabled = $True; + SiteGroups = @( + MSFT_PolicyConfigDLPSiteGroups + { + Id = 'cfa0d856-4dc9-4497-b0aa-93584e919a83' + Name = 'Whatever' + Addresses = @( + MSFT_PolicyConfigSiteGroupAddress + { + MatchType = 'UrlMatch' + Url = 'Karakette.com' + AddressLower = '' + AddressUpper = '' + } + ) + } + ); + TenantId = $TenantId; + UnallowedApp = @( + MSFT_PolicyConfigApp + { + Value = 'Caramel' + Executable = 'cara.exe' + } + MSFT_PolicyConfigApp + { + Value = 'Fudge' + Executable = 'chocolate.exe' + } + ); + UnallowedBluetoothApp = @( + MSFT_PolicyConfigApp + { + Value = 'bluetooth' + Executable = 'micase.exe' + } + MSFT_PolicyConfigApp + { + Value = 'marmelade' + Executable = 'julia.exe' + } + ); + UnallowedBrowser = @( + MSFT_PolicyConfigApp + { + Value = 'UC Browser' + Executable = 'ucbrowser.exe' + } + MSFT_PolicyConfigApp + { + Value = 'CapitainOS' + Executable = 'captn.exe' + } + ); + UnallowedCloudSyncApp = @( + MSFT_PolicyConfigApp + { + Value = 'ikochou' + Executable = 'gillex.msi' + } + MSFT_PolicyConfigApp + { + Value = 'johny' + Executable = 'boo.msi' + } + ); + VPNSettings = @("MyVPNAddress","MySecondVPNAddress"); + } + } +} diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 index db41671f0b..c0ed86dc78 100644 --- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 +++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 @@ -79,6 +79,7 @@ 'Modules/M365DSCDRGUtil.psm1', 'Modules/EncodingHelpers/M365DSCEmojis.psm1', 'Modules/EncodingHelpers/M365DSCStringEncoding.psm1', + 'Modules/WorkloadHelpers/M365DSCAzureHelper.psm1', 'Modules/WorkloadHelpers/M365DSCAzureDevOPSHelper.psm1', 'Modules/WorkloadHelpers/M365DSCFabricHelper.psm1', 'Modules/M365DSCConfigurationHelper.psm1' diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 955072a33d..ce3366b0db 100644 
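Review bot: `NetworkPathExclusion = "\\MyFirstPath:\\MySecondPath:\\MythirdPAth";` is a single colon-delimited string while its siblings `PathExclusion = @("\\includemenot","\\excludemeWindows","\\excludeme3");` and `MacPathExclusion = @("/pear","/apple","/orange");` are arrays; if the underlying setting really takes a delimited string, state that in the resource documentation, otherwise make it a `String[]` like the other exclusion properties so users do not have to guess the separator. Also `serverDlpEnabled = $True;` is the one camelCase property in a block that is otherwise PascalCase, and the nested `MSFT_PolicyConfigPrinter` entry carries empty `usbPrinterId`, `usbPrinterVID` and `ipRange` values that are worth a comment if they are required placeholders rather than test noise.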
--- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -190,7 +190,7 @@ function Get-M365DSCDRGComplexTypeToHashtable } else { - $keys = $ComplexObject | Get-Member | Where-Object -FilterScript { $_.MemberType -eq 'Property' } + $keys = $ComplexObject | Get-Member | Where-Object -FilterScript { $_.MemberType -eq 'Property' -or $_.MemberType -eq 'NoteProperty' } } foreach ($key in $keys) @@ -606,12 +606,12 @@ function Compare-M365DSCComplexObject if ($Source.GetType().FullName -like '*CimInstance[[\]]' -or $Source.GetType().FullName -like '*Hashtable[[\]]') { - if ($Source.Count -ne $Target.Count) + if ($Source.Length -ne $Target.Length) { - Write-Verbose -Message "Configuration drift - The complex array have different number of items: Source {$($Source.Count)} Target {$($Target.Count)}" + Write-Verbose -Message "Configuration drift - The complex array have different number of items: Source {$($Source.Length)} Target {$($Target.Length)}" return $false } - if ($Source.Count -eq 0) + if ($Source.Length -eq 0) { return $true } @@ -712,7 +712,7 @@ function Compare-M365DSCComplexObject } #One of the item is null and not the other - if (($null -eq $Source.$key) -xor ($null -eq $targetValue)) + if (($Source.$key.Length -eq 0) -xor ($targetValue.Length -eq 0)) { if ($null -eq $Source.$key) { diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 93e4d39e0f..551c1e7f87 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 
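Review bot: in `Compare-M365DSCComplexObject`, the new test `if (($Source.$key.Length -eq 0) -xor ($targetValue.Length -eq 0))` no longer does what the comment above it (`#One of the item is null and not the other`) says for scalar values: a `[bool]` or `[int]` has no `Length` member, so outside strict mode `.Length` yields `$null`, `$null -eq 0` is false on both sides, and a property that is `$true` on one side and `$null` on the other skips this branch entirely; under `Set-StrictMode` the member access throws instead. The branch body still tests `if ($null -eq $Source.$key)`, so an empty array (Length 0 but not null) now takes the wrong arm and produces a misleading verbose message. Suggest keeping the `$null` test and adding the empty-collection case explicitly, for example `$sourceEmpty = ($null -eq $Source.$key) -or (($Source.$key -is [array]) -and $Source.$key.Length -eq 0)` and the same for `$targetValue`, then `-xor` the two booleans. The `Count` to `Length` change in the array branch is behaviour-neutral because the type check above it already guarantees an array, but the verbose text `The complex array have different number of items` could be corrected to `arrays have` while the line is being touched.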
@@ -1829,9 +1829,9 @@ function New-M365DSCConnection param ( [Parameter(Mandatory = $true)] - [ValidateSet('Azure', 'AzureDevOPS', 'Defender', 'ExchangeOnline', 'Fabric', 'Intune', ` + [ValidateSet('AdminAPI', 'Azure', 'AzureDevOPS', 'Defender', 'ExchangeOnline', 'Fabric', 'Intune', ` 'SecurityComplianceCenter', 'PnP', 'PowerPlatforms', ` - 'MicrosoftTeams', 'MicrosoftGraph', 'SharePointOnlineREST', 'Tasks')] + 'MicrosoftTeams', 'MicrosoftGraph', 'SharePointOnlineREST', 'Tasks', 'AdminAPI')] [System.String] $Workload, diff --git a/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCAzureHelper.psm1 b/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCAzureHelper.psm1 new file mode 100644 index 0000000000..1c7249a7b9 --- /dev/null +++ b/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCAzureHelper.psm1 
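Review bot: `'AdminAPI'` now appears twice in the `ValidateSet` for `$Workload`, once at the head of the list and again after `'Tasks'`; remove one of them (the list is otherwise alphabetical, so keep the leading entry) so the set stays clean and the duplicate does not surface in generated help.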
@@ -0,0 +1,155 @@ +function Get-M365DSCAzureBillingAccount +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param() + + $uri = 'https://management.azure.com/providers/Microsoft.Billing/billingAccounts?api-version=2024-04-01&?includeAll=true' + $response = Invoke-AzRest -Method GET -Uri $uri + $result = ConvertFrom-Json $response.Content + return $result +} + +function Get-M365DSCAzureBillingAccountsAssociatedTenant +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccountId + ) + + $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/associatedTenants?api-version=2024-04-01" + $response = Invoke-AzRest -Method GET -Uri $uri + $result = ConvertFrom-Json $response.Content + return $result +} + +function Remove-M365DSCAzureBillingAccountsAssociatedTenant +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccountId, + + [Parameter(Mandatory = $true)] + [System.String] + $AssociatedTenantId + ) + + $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/associatedTenants/$($AssociatedTenantId)?api-version=2024-04-01" + $response = Invoke-AzRest -Method DELETE -Uri $uri + $result = ConvertFrom-Json $response.Content + return $result +} +function New-M365DSCAzureBillingAccountsAssociatedTenant +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccountId, + + [Parameter(Mandatory = $true)] + [System.String] + $AssociatedTenantId, + + [Parameter(Mandatory = $true)] + [System.Collections.Hashtable] + $Body + ) + + $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/associatedTenants/$($AssociatedTenantId)?api-version=2024-04-01" + $payload = 
ConvertTo-Json $body -Depth 10 -Compress + $response = Invoke-AzRest -Method PUT -Uri $uri -Payload $payload + $result = ConvertFrom-Json $response.Content + return $result +} + +function Get-M365DSCAzureBillingAccountsRoleAssignment +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccountId + ) + + $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/billingRoleAssignments?api-version=2024-04-01" + $response = Invoke-AzRest -Method GET -Uri $uri + $result = ConvertFrom-Json $response.Content + return $result +} + +function Get-M365DSCAzureBillingAccountsRoleDefinition +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccountId, + + [Parameter()] + [System.String] + $RoleDefinitionId + ) + + if ($null -eq $RoleDefinitionId) + { + $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/billingRoleDefinitions?api-version=2024-04-01" + } + else + { + $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/billingRoleDefinitions/$($RoleDefinitionId)?api-version=2024-04-01" + } + $response = Invoke-AzRest -Method GET -Uri $uri + $result = ConvertFrom-Json $response.Content + return $result +} + +function New-M365DSCAzureBillingAccountsRoleAssignment +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccountId, + + [Parameter(Mandatory = $true)] + [System.Collections.Hashtable] + $Body + ) + + $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/createBillingRoleAssignment?api-version=2024-04-01" + $payload = ConvertTo-Json $Body -Depth 10 -Compress + $response = Invoke-AzRest -Method POST -Uri $uri -Payload $payload + 
$result = ConvertFrom-Json $response.Content + return $result +} + +function Remove-M365DSCAzureBillingAccountsRoleAssignment +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccountId, + + [Parameter(Mandatory = $true)] + [System.String] + $AssignmentId + ) + + $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/billingRoleAssignments/$($AssignmentId)?api-version=2024-04-01" + $response = Invoke-AzRest -Method DELETE -Uri $uri + $result = ConvertFrom-Json $response.Content + return $result +} diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index b1d3c54e71..b2572906a8 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -339,6 +339,51 @@ } ] }, + { + "ClassName": "MSFT_AADAccessReviewPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "IsGroupOwnerManagementEnabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_AADActivityBasedTimeoutPolicy", "Parameters": [ 
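Review bot: the URI in `Get-M365DSCAzureBillingAccount` has a malformed query string: `...billingAccounts?api-version=2024-04-01&?includeAll=true` sends a parameter literally named `?includeAll`, so `includeAll=true` is never applied; it should be `&includeAll=true`. In `Get-M365DSCAzureBillingAccountsRoleDefinition`, `if ($null -eq $RoleDefinitionId)` is never true because an omitted `[System.String]` parameter binds as an empty string, so the list-all branch is dead code and the function always builds the single-definition URI with a trailing `billingRoleDefinitions/?api-version=...`; use `[string]::IsNullOrEmpty($RoleDefinitionId)`. None of the eight functions inspects `$response.StatusCode` before `ConvertFrom-Json $response.Content`, so a non-success response body is parsed and handed back to the caller as if it were a result, and a DELETE that returns an empty body will fail inside `ConvertFrom-Json` rather than in a place that explains the failure; check the status first and return `$null` on an empty body. Minor: `[OutputType([System.Collections.Hashtable])]` does not match what `ConvertFrom-Json` returns (`PSCustomObject`), and `ConvertTo-Json $body` refers to the `$Body` parameter in a different case.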
@@ -3102,6 +3147,26 @@ "Name": "ExcludeExternalTenantsMembers", "Option": "Write" }, + { + "CIMType": "String[]", + "Name": "IncludeServicePrincipals", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExcludeServicePrincipals", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ServicePrincipalFilterMode", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ServicePrincipalFilterRule", + "Option": "Write" + }, { "CIMType": "String[]", "Name": "IncludePlatforms", @@ -4039,6 +4104,61 @@ } ] }, + { + "ClassName": "MSFT_AADEnrichedAuditLogs", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Exchange", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SharePoint", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Teams", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_AccessPackageResourceRoleScope", "Parameters": [ 
@@ -5194,6 +5314,241 @@ } ] }, + { + "ClassName": "MSFT_AADFilteringPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Action", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADFilteringPolicyRuleDestination", + "Parameters": [ + { + "CIMType": "String", + "Name": "name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "value", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADFilteringPolicyRule", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Policy", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RuleType", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADFilteringPolicyRuleDestination[]", + "Name": "Destinations", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADFilteringProfilePolicyLink", + "Parameters": [ + { + "CIMType": "String", + "Name": "LoggingState", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "Priority", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "State", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PolicyName", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADFilteringProfile", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "State", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "Priority", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADFilteringProfilePolicyLink[]", + "Name": "Policies", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_AADGroupLicense", "Parameters": [ 
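Review bot: property naming is inconsistent within the new filtering classes: `MSFT_AADFilteringPolicyRuleDestination` declares `"name"` and `"value"` in lowercase while `MSFT_AADFilteringProfilePolicyLink` and the resources themselves use PascalCase (`"PolicyName"`, `"Priority"`, `"LoggingState"`). Pick one casing for CIM property names across the new classes so the generated MOF and the Export output line up and users do not hit case-dependent comparisons.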
@@ -5559,6 +5914,106 @@ } ] }, + { + "ClassName": "MSFT_AADHomeRealDiscoveryPolicyDefinition", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "AccelerateToFederatedDomain", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowCloudPasswordValidation", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin", + "Name": "AlternateIdLogin", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PreferredDomain", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "Enabled", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADHomeRealmDiscoveryPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "MSFT_AADHomeRealDiscoveryPolicyDefinition[]", + "Name": "Definition", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsOrganizationDefault", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_AADIdentityAPIConnectionCertificate", "Parameters": [ 
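Review bot: the class names `MSFT_AADHomeRealDiscoveryPolicyDefinition` and `MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin` are missing the `m` in `Realm` that the resource `MSFT_AADHomeRealmDiscoveryPolicy` itself uses, and the `Definition` parameter's `"CIMType": "MSFT_AADHomeRealDiscoveryPolicyDefinition[]"` references the misspelled name; rename all three occurrences (and the matching MOF class names) before this ships, because the embedded class name becomes part of every configuration that uses the resource and is painful to change afterwards.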
@@ -5985,13 +6440,63 @@ ] }, { - "ClassName": "MSFT_AADIdentityGovernanceProgram", + "ClassName": "MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration", + "Parameters": [ + { + "CIMType": "UInt32", + "Name": "timeoutInMilliseconds", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "maximumRetries", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration", "Parameters": [ { "CIMType": "String", - "Name": "Description", + "Name": "logicAppWorkflowName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "resourceGroupName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "subscriptionId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "url", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration", + "Parameters": [ + { + "CIMType": "String", + "Name": "timeoutDuration", "Option": "Write" }, + { + "CIMType": "String[]", + "Name": "authorizedApps", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension", + "Parameters": [ { "CIMType": "String", "Name": "DisplayName", @@ -6002,6 +6507,26 @@ "Name": "Id", "Option": "Write" }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration", + "Name": "ClientConfiguration", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration", + "Name": "EndpointConfiguration", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration", + "Name": "CallbackConfiguration", + "Option": "Write" + }, { "CIMType": "string", "Name": "Ensure", 
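Review bot: the three new embedded classes use camelCase property names (`timeoutInMilliseconds`, `maximumRetries`, `logicAppWorkflowName`, `resourceGroupName`, `subscriptionId`, `url`, `timeoutDuration`, `authorizedApps`) while the parent `MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension` uses PascalCase (`ClientConfiguration`, `EndpointConfiguration`, `CallbackConfiguration`, `DisplayName`); align the casing with the rest of the schema. `authorizedApps` is declared as `String[]`; a note in the resource docs on whether these are application ids or display names would save users a round trip.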
@@ -6022,11 +6547,6 @@ "Name": "TenantId", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", - "Option": "Write" - }, { "CIMType": "String", "Name": "CertificateThumbprint", @@ -6045,26 +6565,26 @@ ] }, { - "ClassName": "MSFT_AADLifecycleWorkflowSettings", + "ClassName": "MSFT_AADIdentityGovernanceProgram", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", - "Option": "Key" + "Name": "Description", + "Option": "Write" }, { "CIMType": "String", - "Name": "SenderDomain", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "UInt32", - "Name": "WorkflowScheduleIntervalInHours", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "UseCompanyBranding", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { @@ -6082,6 +6602,11 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", 
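Review bot: the `-6022` hunk drops `ApplicationSecret` from the block that is now `MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension`, while the `-6082` hunk adds it to the re-created `MSFT_AADIdentityGovernanceProgram`; if the custom task extension resource supports app-secret authentication like its sibling, re-add `ApplicationSecret` there, otherwise say in the resource documentation that it is certificate, credential, managed identity or access token only. Because the rendered diff is dominated by the alphabetical reshuffling of class blocks, the final parameter list of each class is easier to verify than the hunks themselves.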
@@ -6100,51 +6625,71 @@ ] }, { - "ClassName": "MSFT_AADNamedLocationPolicy", + "ClassName": "MSFT_AADIdentityProtectionPolicySettings", "Parameters": [ { - "CIMType": "string", - "Name": "OdataType", + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "IsUserRiskClearedOnPasswordReset", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "string", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" }, { - "CIMType": "String[]", - "Name": "IpRanges", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsTrusted", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "CountriesAndRegions", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADLifecycleWorkflowSettings", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" }, { "CIMType": "String", - "Name": "CountryLookupMethod", + "Name": "SenderDomain", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IncludeUnknownCountriesAndRegions", + "CIMType": "UInt32", + "Name": "WorkflowScheduleIntervalInHours", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "UseCompanyBranding", "Option": "Write" }, { @@ -6162,11 +6707,6 @@ "Name": "TenantId", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", - "Option": "Write" - }, { "CIMType": "String", "Name": "CertificateThumbprint", 
@@ -6185,45 +6725,380 @@ ] }, { - "ClassName": "MSFT_MicrosoftGraphCertificateAuthority", + "ClassName": "MSFT_AADNamedLocationPolicy", "Parameters": [ { - "CIMType": "String", - "Name": "Certificate", + "CIMType": "string", + "Name": "OdataType", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateRevocationListUrl", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String", - "Name": "DeltaCertificateRevocationListUrl", + "CIMType": "string", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "IpRanges", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsRootAuthority", + "Name": "IsTrusted", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_AADOrganizationCertificateBasedAuthConfiguration", - "Parameters": [ + }, { - "CIMType": "MSFT_MicrosoftGraphcertificateAuthority[]", - "Name": "CertificateAuthorities", + "CIMType": "String[]", + "Name": "CountriesAndRegions", "Option": "Write" }, { "CIMType": "String", - "Name": "OrganizationId", - "Option": "Key" + "Name": "CountryLookupMethod", + "Option": "Write" }, { - "CIMType": "string", + "CIMType": "Boolean", + "Name": "IncludeUnknownCountriesAndRegions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule", + "Parameters": [ + { + "CIMType": "String", + 
"Name": "Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ActionValue", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RuleType", + "Option": "Write" + }, + { + "CIMType": "UInt32[]", + "Name": "Ports", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Protocol", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Destinations", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADNetworkAccessForwardingPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule[]", + "Name": "PolicyRules", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphNetworkaccessPolicyLink", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PolicyLinkId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "state", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADNetworkAccessForwardingProfile", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "State", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphNetworkaccessPolicyLink[]", + "Name": "Policies", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + 
"CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADNetworkAccessSettingConditionalAccess", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "SignalingStatus", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADNetworkAccessSettingCrossTenantAccess", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "NetworkPacketTaggingStatus", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + 
"ClassName": "MSFT_MicrosoftGraphCertificateAuthority", + "Parameters": [ + { + "CIMType": "String", + "Name": "Certificate", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateRevocationListUrl", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeltaCertificateRevocationListUrl", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsRootAuthority", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADOrganizationCertificateBasedAuthConfiguration", + "Parameters": [ + { + "CIMType": "MSFT_MicrosoftGraphcertificateAuthority[]", + "Name": "CertificateAuthorities", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OrganizationId", + "Option": "Key" + }, + { + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, @@ -7211,6 +8086,16 @@ "CIMType": "String[]", "Name": "AccessTokens", "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphpasswordCredential[]", + "Name": "PasswordCredentials", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphkeyCredential[]", + "Name": "KeyCredentials", + "Option": "Write" } ] }, @@ -7580,16 +8465,31 @@ ] }, { - "ClassName": "MSFT_ADOOrganizationOwner", + "ClassName": "MSFT_AADUserFlowAttribute", "Parameters": [ { "CIMType": "String", - "Name": "OrganizationName", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", "Option": "Key" }, { "CIMType": "String", - "Name": "Owner", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DataType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", "Option": "Write" }, { @@ -7607,6 +8507,11 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", 
@@ -7625,31 +8530,36 @@ ] }, { - "ClassName": "MSFT_ADOPermissionGroup", + "ClassName": "MSFT_AADVerifiedIdAuthorityKeyVaultMetadata", "Parameters": [ { "CIMType": "String", - "Name": "OrganizationName", - "Option": "Key" + "Name": "SubscriptionId", + "Option": "Write" }, { "CIMType": "String", - "Name": "PrincipalName", - "Option": "Key" + "Name": "ResourceGroup", + "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", + "Name": "ResourceName", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "ResourceUrl", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthority", + "Parameters": [ { - "CIMType": "String[]", - "Name": "Members", + "CIMType": "String", + "Name": "Name", "Option": "Write" }, { @@ -7659,12 +8569,17 @@ }, { "CIMType": "String", - "Name": "Descriptor", - "Option": "Write" + "Name": "LinkedDomainUrl", + "Option": "Key" }, { "CIMType": "String", - "Name": "Level", + "Name": "DidMethod", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADVerifiedIdAuthorityKeyVaultMetadata", + "Name": "KeyVaultMetadata", "Option": "Write" }, { @@ -7687,6 +8602,11 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", 
@@ -7705,141 +8625,677 @@ ] }, { - "ClassName": "MSFT_ADOPermission", + "ClassName": "MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo", "Parameters": [ { "CIMType": "String", - "Name": "NamespaceId", + "Name": "uri", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", + "Name": "description", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractDisplayCard", + "Parameters": [ + { + "CIMType": "String", + "Name": "title", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "Bit", + "CIMType": "String", + "Name": "issuedBy", "Option": "Write" }, { "CIMType": "String", - "Name": "Token", + "Name": "backgroundColor", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "textColor", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "description", "Option": "Write" } ] }, { - "ClassName": "MSFT_ADOPermissionGroupSettings", + "ClassName": "MSFT_AADVerifiedIdAuthorityContractDisplayConsent", "Parameters": [ { "CIMType": "String", - "Name": "GroupName", - "Option": "Key" + "Name": "title", + "Option": "Write" }, { "CIMType": "String", - "Name": "OrganizationName", + "Name": "instructions", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractDisplayClaims", + "Parameters": [ + { + "CIMType": "String", + "Name": "label", "Option": "Write" }, { "CIMType": "String", - "Name": "Descriptor", + "Name": "claim", "Option": "Write" }, { - "CIMType": "MSFT_ADOPermission[]", - "Name": "AllowPermissions", + "CIMType": "String", + "Name": "type", "Option": "Write" }, { - "CIMType": "MSFT_ADOPermission[]", - "Name": "DenyPermissions", + "CIMType": "String", + "Name": "description", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractDisplayModel", + "Parameters": [ + { + "CIMType": "String", + "Name": "locale", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractClaimMapping", + "Parameters": [ + { 
+ "CIMType": "String", + "Name": "inputClaim", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "outputClaim", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "indexed", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "required", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "type", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractAttestationValues", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "required", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "trustedIssuers", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "credentialType", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "configuration", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "clientId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "redirectUri", "Option": "Write" }, + { + "CIMType": "String", + "Name": "scopeValue", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractAttestations", + "Parameters": [ + + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractCustomStatusEndpoint", + "Parameters": [ + { + "CIMType": "String", + "Name": "url", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "type", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractVcType", + "Parameters": [ { "CIMType": "String[]", - "Name": "AccessTokens", + "Name": "type", "Option": "Write" } ] }, { - "ClassName": "MSFT_ADOSecurityPolicy", + "ClassName": "MSFT_AADVerifiedIdAuthorityContractRulesModel", + "Parameters": [ + { + "CIMType": "UInt32", + "Name": "validityInterval", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContract", "Parameters": [ { "CIMType": 
"String", - "Name": "OrganizationName", + "Name": "id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "linkedDomainUrl", "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "DisallowAadGuestUserAccess", + "CIMType": "String", + "Name": "authorityId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisallowOAuthAuthentication", + "CIMType": "String", + "Name": "name", + "Option": "Key" + }, + { + "CIMType": "MSFT_AADVerifiedIdAuthorityContractDisplayModel[]", + "Name": "displays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisallowSecureShell", + "CIMType": "MSFT_AADVerifiedIdAuthorityContractRulesModel", + "Name": "rules", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LogAuditEvents", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowAnonymousAccess", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ArtifactsExternalPackageProtectionToken", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnforceAADConditionalAccess", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowTeamAdminsInvitationsAccessToken", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowRequestAccessToken", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_ADOOrganizationOwner", + "Parameters": [ + { + "CIMType": "String", + "Name": "OrganizationName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Owner", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + 
"CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_ADOPermissionGroup", + "Parameters": [ + { + "CIMType": "String", + "Name": "OrganizationName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "PrincipalName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Members", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Descriptor", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Level", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_ADOPermission", + "Parameters": [ + { + "CIMType": "String", + "Name": "NamespaceId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "Bit", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Token", + "Option": "Write" + } + ] + }, + 
{ + "ClassName": "MSFT_ADOPermissionGroupSettings", + "Parameters": [ + { + "CIMType": "String", + "Name": "GroupName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "OrganizationName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Descriptor", + "Option": "Write" + }, + { + "CIMType": "MSFT_ADOPermission[]", + "Name": "AllowPermissions", + "Option": "Write" + }, + { + "CIMType": "MSFT_ADOPermission[]", + "Name": "DenyPermissions", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_ADOSecurityPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "OrganizationName", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "DisallowAadGuestUserAccess", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisallowOAuthAuthentication", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisallowSecureShell", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "LogAuditEvents", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowAnonymousAccess", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ArtifactsExternalPackageProtectionToken", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnforceAADConditionalAccess", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowTeamAdminsInvitationsAccessToken", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowRequestAccessToken", + "Option": "Write" + }, + { + "CIMType": 
"MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AzureBillingAccountsAssociatedTenant", + "Parameters": [ + { + "CIMType": "String", + "Name": "AssociatedTenantId", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BillingAccount", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BillingManagementState", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ProvisioningManagementState", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AzureBillingaccountsRoleAssignment", + "Parameters": [ + { + "CIMType": "String", + "Name": "PrincipalName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "RoleDefinition", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "PrincipalType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BillingAccount", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PrincipalTenantId", 
+ "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { @@ -7929,6 +9385,71 @@ } ] }, + { + "ClassName": "MSFT_AzureVerifiedIdFaceCheck", + "Parameters": [ + { + "CIMType": "String", + "Name": "SubscriptionId", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "ResourceGroupName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "VerifiedIdAuthorityId", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "FaceCheckEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "VerifiedIdAuthorityLocation", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_DefenderSubscriptionPlan", "Parameters": [ 
@@ -18234,6 +19755,66 @@ } ] }, + { + "ClassName": "MSFT_EXOServicePrincipal", + "Parameters": [ + { + "CIMType": "string", + "Name": "AppName", + "Option": "Key" + }, + { + "CIMType": "string", + "Name": "DisplayName", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Identity", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "AppId", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_EXOSharedMailbox", "Parameters": [ @@ -21985,36 +23566,26 @@ ] }, { - "ClassName": "MSFT_IntuneApplicationControlPolicyWindows10", + "ClassName": "MSFT_IntuneAppleMDMPushNotificationCertificate", "Parameters": [ { "CIMType": "String", - "Name": "DisplayName", + "Name": "AppleIdentifier", "Option": "Key" }, { "CIMType": "String", - "Name": "Description", - "Option": "Write" - }, - { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "Name": "Certificate", "Option": "Write" }, { "CIMType": "String", - "Name": "AppLockerApplicationControl", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "SmartScreenBlockOverrideForFiles", + "Name": "Id", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SmartScreenEnableInshell", + "Name": "DataSharingConsetGranted", "Option": "Write" }, { 
@@ -22038,13 +23609,13 @@ "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { @@ -22060,7 +23631,7 @@ ] }, { - "ClassName": "MSFT_IntuneAppProtectionPolicyAndroid", + "ClassName": "MSFT_IntuneApplicationControlPolicyWindows10", "Parameters": [ { "CIMType": "String", 
@@ -22073,138 +23644,23 @@ "Option": "Write" }, { - "CIMType": "String", - "Name": "PeriodOfflineBeforeAccessCheck", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "PeriodOnlineBeforeAccessCheck", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "AllowedInboundDataTransferSources", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "AllowedOutboundDataTransferDestinations", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "OrganizationalCredentialsRequired", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "AllowedOutboundClipboardSharingLevel", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "DataBackupBlocked", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "DeviceComplianceRequired", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ManagedBrowserToOpenLinksRequired", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "SaveAsBlocked", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "PeriodOfflineBeforeWipeIsEnforced", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "PinRequired", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "DisableAppPinIfDevicePinIsSet", - "Option": "write" - }, - { - "CIMType": "UInt32", - "Name": "MaximumPinRetries", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "SimplePinBlocked", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "MinimumPinLength", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "PinCharacterSet", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AllowedDataStorageLocations", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ContactSyncBlocked", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { "CIMType": "String", - "Name": "PeriodBeforePinReset", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": 
"PrintBlocked", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "RequireClass3Biometrics", + "Name": "AppLockerApplicationControl", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RequirePinAfterBiometricChange", + "Name": "SmartScreenBlockOverrideForFiles", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FingerprintBlocked", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "Apps", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "Assignments", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "ExcludedGroups", + "Name": "SmartScreenEnableInshell", "Option": "Write" }, { 
@@ -22242,81 +23698,6 @@ "Name": "ManagedIdentity", "Option": "Write" }, - { - "CIMType": "String", - "Name": "ManagedBrowser", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "MinimumRequiredAppVersion", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "MinimumRequiredOSVersion", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "MinimumRequiredPatchVersion", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "MinimumWarningAppVersion", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "MinimumWarningOSVersion", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "MinimumWarningPatchVersion", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "AppGroupType", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "IsAssigned", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ScreenCaptureBlocked", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "EncryptAppData", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "DisableAppEncryptionIfDeviceEncryptionIsEnabled", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CustomBrowserDisplayName", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CustomBrowserPackageId", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "Id", - "Option": "Write" - }, { "CIMType": "String[]", "Name": "AccessTokens", 
@@ -22325,18 +23706,283 @@ ] }, { - "ClassName": "MSFT_IntuneAppProtectionPolicyiOS", + "ClassName": "MSFT_IntuneAppProtectionPolicyAndroid", "Parameters": [ { "CIMType": "String", "Name": "DisplayName", "Option": "Key" }, - { - "CIMType": "String", - "Name": "Identity", - "Option": "Write" - }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PeriodOfflineBeforeAccessCheck", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PeriodOnlineBeforeAccessCheck", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowedInboundDataTransferSources", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowedOutboundDataTransferDestinations", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "OrganizationalCredentialsRequired", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowedOutboundClipboardSharingLevel", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DataBackupBlocked", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DeviceComplianceRequired", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedBrowserToOpenLinksRequired", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SaveAsBlocked", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PeriodOfflineBeforeWipeIsEnforced", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "PinRequired", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableAppPinIfDevicePinIsSet", + "Option": "write" + }, + { + "CIMType": "UInt32", + "Name": "MaximumPinRetries", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SimplePinBlocked", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "MinimumPinLength", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PinCharacterSet", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AllowedDataStorageLocations", + 
"Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ContactSyncBlocked", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PeriodBeforePinReset", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "PrintBlocked", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RequireClass3Biometrics", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RequirePinAfterBiometricChange", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "FingerprintBlocked", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Apps", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExcludedGroups", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ManagedBrowser", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MinimumRequiredAppVersion", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MinimumRequiredOSVersion", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MinimumRequiredPatchVersion", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MinimumWarningAppVersion", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MinimumWarningOSVersion", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MinimumWarningPatchVersion", + "Option": "Write" + }, + { + "CIMType": 
"String", + "Name": "AppGroupType", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsAssigned", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ScreenCaptureBlocked", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EncryptAppData", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableAppEncryptionIfDeviceEncryptionIsEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CustomBrowserDisplayName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CustomBrowserPackageId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneAppProtectionPolicyiOS", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Identity", + "Option": "Write" + }, { "CIMType": "String", "Name": "Description", 
@@ -35419,6 +37065,226 @@ } ] }, + { + "ClassName": "MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "BindStatus", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OwnerUserPrincipalName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OwnerOrganizationName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EnrollmentTarget", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DeviceOwnerManagementEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AndroidDeviceOwnerFullyManagedEnrollmentEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfileQRImage", + "Parameters": [ + { + "CIMType": "String", + "Name": "type", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "value", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AccountId", + "Option": "Write" + }, + { + "CIMType": "String", 
+ "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TokenValue", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TokenCreationDateTime", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TokenExpirationDateTime", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "EnrolledDeviceCount", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "EnrollmentTokenUsageCount", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "QrCodeContent", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "QrCodeImage", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ConfigureWifi", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WifiSsid", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "WifiPassword", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "WifiHidden", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsTeamsDeviceProfile", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_IntuneDeviceRemediationRunSchedule", "Parameters": [ 
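Review bot: the two `MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile*` class names spell "Managment" while `MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay` in the same hunk spells "Management"; unless the misspelling is deliberately matching an existing resource name, fix it before this ships, because renaming a DSC class afterwards breaks every configuration that references it. In the enrollment-profile class, `TokenValue`, `QrCodeContent` and `QrCodeImage` are plain `String` properties marked `Write`, yet the enrollment token is the secret that lets any device enroll under the profile, so it ends up in clear text in exported configurations; `WifiPassword` in the same class is already `MSFT_Credential`, and the token-bearing properties should get the same treatment or be left out of export. `TokenCreationDateTime`, `TokenExpirationDateTime`, `EnrolledDeviceCount` and `EnrollmentTokenUsageCount` look like server-generated values; if they are, declaring them `Write` means `Test-TargetResource` reports drift on every run unless the resource skips them when comparing. Minor: the profile class lacks the `ApplicationSecret` parameter that the Google Play class has, `Ensure` is typed `"string"` rather than `"String"`, and the QR image class uses lowercase `type`/`value` unlike every other property name in the hunk.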
@@ -37399,6 +39265,136 @@ } ] }, + { + "ClassName": "MSFT_IntuneMobileThreatDefenseConnector", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowPartnerToCollectIosApplicationMetadata", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowPartnerToCollectIosPersonalApplicationMetadata", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AndroidDeviceBlockedOnMissingPartnerData", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AndroidEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AndroidMobileApplicationManagementEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IosDeviceBlockedOnMissingPartnerData", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IosEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IosMobileApplicationManagementEnabled", + "Option": "Write" + }, + { + "CIMType": "DateTime", + "Name": "LastHeartbeatDateTime", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "MicrosoftDefenderForEndpointAttachEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PartnerState", + "Option": "Write" + }, + { + "CIMType": "Uint32", + "Name": "PartnerUnresponsivenessThresholdInDays", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "PartnerUnsupportedOSVersionBlocked", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "WindowsDeviceBlockedOnMissingPartnerData", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "WindowsEnabled", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + 
"Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_DeviceManagementConfigurationPolicyItems", "Parameters": [ 
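Review bot: `LastHeartbeatDateTime` is a value the partner reports back, not a setting an administrator chooses, so declaring it `Write` means an exported configuration captures a timestamp that will never match again and `Test-TargetResource` flags drift on every run; either drop it from the schema or make sure the resource ignores it in the comparison (`PartnerState` raises the same question). `PartnerUnresponsivenessThresholdInDays` is typed `Uint32` where the earlier hunk uses `UInt32`, and `Ensure` is `"string"`; keep the casing consistent in case a consumer compares these type strings literally. Worth stating in the resource documentation: the `*DeviceBlockedOnMissingPartnerData` and `PartnerUnsupportedOSVersionBlocked` flags decide whether devices without partner data fail open or fail closed, so the example configuration should set them explicitly rather than rely on defaults.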
@@ -37685,3016 +39681,2931 @@ ] }, { - "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint", "Parameters": [ { "CIMType": "String", - "Name": "Pol_SecGuide_A001_Block_Flash", + "Name": "DeviceInstall_Classes_Deny", "Option": "Write" }, { - "CIMType": "String", - "Name": "Pol_SecGuide_Block_Flash", + "CIMType": "String[]", + "Name": "DeviceInstall_Classes_Deny_List", "Option": "Write" }, { "CIMType": "String", - "Name": "Pol_SecGuide_Legacy_JScript", + "Name": "DeviceInstall_Classes_Deny_Retroactive", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "POL_SG_powerpnt", + "CIMType": "String", + "Name": "EncryptionMethodWithXts_Name", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "POL_SG_onenote", + "CIMType": "String", + "Name": "EncryptionMethodWithXtsOsDropDown_Name", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "POL_SG_mspub", + "CIMType": "String", + "Name": "EncryptionMethodWithXtsFdvDropDown_Name", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "POL_SG_msaccess", + "CIMType": "String", + "Name": "EncryptionMethodWithXtsRdvDropDown_Name", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "POL_SG_winproj", + "CIMType": "String", + "Name": "FDVRecoveryUsage_Name", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "POL_SG_visio", + "CIMType": "String", + "Name": "FDVActiveDirectoryBackup_Name", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "POL_SG_outlook", + "CIMType": "String", + "Name": "FDVHideRecoveryPage_Name", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "POL_SG_winword", + "CIMType": "String", + "Name": "FDVRecoveryPasswordUsageDropDown_Name", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "POL_SG_excel", + "CIMType": "String", + "Name": "FDVRequireActiveDirectoryBackup_Name", "Option": "Write" }, { 
"CIMType": "String", - "Name": "L_PolicyEnableSIPHighSecurityMode", + "Name": "FDVAllowDRA_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_PolicyDisableHttpConnect", + "Name": "FDVActiveDirectoryBackupDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_AddonManagement", + "Name": "FDVRecoveryKeyUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_powerpntexe17", + "Name": "FDVDenyWriteAccess_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_excelexe15", + "Name": "FDVEncryptionType_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_visioexe19", + "Name": "FDVEncryptionTypeDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_onenoteexe26", + "Name": "EnablePreBootPinExceptionOnDECapableDevice_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_outlookexe22", + "Name": "EnhancedPIN_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_pptviewexe18", + "Name": "OSRecoveryUsage_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winwordexe21", + "Name": "OSRequireActiveDirectoryBackup_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_exprwdexe24", + "Name": "OSActiveDirectoryBackup_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_spdesignexe23", + "Name": "OSRecoveryPasswordUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winprojexe20", + "Name": "OSHideRecoveryPage_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_grooveexe14", + "Name": "OSAllowDRA_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mspubexe16", + "Name": "OSRecoveryKeyUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mse7exe27", + "Name": "OSActiveDirectoryBackupDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_msaccessexe25", + "Name": "EnablePrebootInputProtectorsOnSlates_Name", "Option": "Write" }, { "CIMType": "String", - 
"Name": "L_ConsistentMimeHandling", + "Name": "OSEncryptionType_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_excelexe43", + "Name": "OSEncryptionTypeDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_spdesignexe51", + "Name": "ConfigureAdvancedStartup_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_onenoteexe54", + "Name": "ConfigureTPMStartupKeyUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_outlookexe50", + "Name": "ConfigureTPMPINKeyUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_pptviewexe46", + "Name": "ConfigureTPMUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mspubexe44", + "Name": "ConfigureNonTPMStartupKeyUsage_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_visioexe47", + "Name": "ConfigurePINUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winprojexe48", + "Name": "RDVConfigureBDE", "Option": "Write" }, { "CIMType": "String", - "Name": "L_msaccessexe53", + "Name": "RDVAllowBDE_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_powerpntexe45", + "Name": "RDVEncryptionType_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_grooveexe42", + "Name": "RDVEncryptionTypeDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mse7exe55", + "Name": "RDVDisableBDE_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winwordexe49", + "Name": "RDVDenyWriteAccess_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "L_exprwdexe52", + "Name": "RDVCrossOrg", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Disableusernameandpassword", + "Name": "EnableSmartScreen", "Option": "Write" }, { "CIMType": "String", - "Name": "L_excelexe127", + "Name": "EnableSmartScreenDropdown", "Option": "Write" }, { "CIMType": "String", - "Name": "L_grooveexe126", + "Name": "DisableSafetyFilterOverrideForAppRepUnknown", "Option": 
"Write" }, { "CIMType": "String", - "Name": "L_onenoteexe138", + "Name": "Disable_Managing_Safety_Filter_IE9", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mse7exe139", + "Name": "IE9SafetyFilterOptions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mspubexe128", + "Name": "AllowWarningForOtherDiskEncryption", "Option": "Write" }, { "CIMType": "String", - "Name": "L_visioexe131", + "Name": "AllowStandardUserEncryption", "Option": "Write" }, { "CIMType": "String", - "Name": "L_exprwdexe136", + "Name": "ConfigureRecoveryPasswordRotation", "Option": "Write" }, { "CIMType": "String", - "Name": "L_msaccessexe137", + "Name": "RequireDeviceEncryption", "Option": "Write" }, { "CIMType": "String", - "Name": "L_spdesignexe135", + "Name": "AllowArchiveScanning", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winwordexe133", + "Name": "AllowBehaviorMonitoring", "Option": "Write" }, { "CIMType": "String", - "Name": "L_powerpntexe129", + "Name": "AllowCloudProtection", "Option": "Write" }, { "CIMType": "String", - "Name": "L_outlookexe134", + "Name": "AllowEmailScanning", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winprojexe132", + "Name": "AllowFullScanRemovableDriveScanning", "Option": "Write" }, { "CIMType": "String", - "Name": "L_pptviewexe130", + "Name": "AllowOnAccessProtection", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Informationbar", + "Name": "AllowRealtimeMonitoring", "Option": "Write" }, { "CIMType": "String", - "Name": "L_excelexe113", + "Name": "AllowScanningNetworkFiles", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mspubexe114", + "Name": "AllowIOAVProtection", "Option": "Write" }, { "CIMType": "String", - "Name": "L_msaccessexe123", + "Name": "AllowScriptScanning", "Option": "Write" }, { "CIMType": "String", - "Name": "L_onenoteexe124", + "Name": "AllowUserUIAccess", "Option": "Write" }, { "CIMType": "String", - "Name": "L_outlookexe120", + "Name": 
"BlockExecutionOfPotentiallyObfuscatedScripts", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_winprojexe118", + "CIMType": "String[]", + "Name": "BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_powerpntexe115", + "Name": "BlockWin32APICallsFromOfficeMacros", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_spdesignexe121", + "CIMType": "String[]", + "Name": "BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_grooveexe112", + "Name": "BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_visioexe117", + "CIMType": "String[]", + "Name": "BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mse7exe125", + "Name": "BlockOfficeCommunicationAppFromCreatingChildProcesses", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_winwordexe119", + "CIMType": "String[]", + "Name": "BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_exprwdexe122", + "Name": "BlockAllOfficeApplicationsFromCreatingChildProcesses", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_pptviewexe116", + "CIMType": "String[]", + "Name": "BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_LocalMachineZoneLockdownSecurity", + "Name": "BlockAdobeReaderFromCreatingChildProcesses", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_mse7exe41", + "CIMType": "String[]", + "Name": "BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_powerpntexe31", + "Name": 
"BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_mspubexe30", + "CIMType": "String[]", + "Name": "BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_outlookexe36", + "Name": "BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_pptviewexe32", + "CIMType": "String[]", + "Name": "BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_excelexe29", + "Name": "BlockWebshellCreationForServers", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_exprwdexe38", + "CIMType": "String[]", + "Name": "BlockWebshellCreationForServers_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_grooveexe28", + "Name": "BlockUntrustedUnsignedProcessesThatRunFromUSB", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_winwordexe35", + "CIMType": "String[]", + "Name": "BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_msaccessexe39", + "Name": "BlockPersistenceThroughWMIEventSubscription", "Option": "Write" }, { "CIMType": "String", - "Name": "L_spdesignexe37", + "Name": "BlockUseOfCopiedOrImpersonatedSystemTools", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_visioexe33", + "CIMType": "String[]", + "Name": "BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_onenoteexe40", + "Name": "BlockAbuseOfExploitedVulnerableSignedDrivers", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_winprojexe34", + "CIMType": "String[]", + "Name": "BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions", "Option": "Write" }, { 
"CIMType": "String", - "Name": "L_MimeSniffingSafetyFature", + "Name": "BlockProcessCreationsFromPSExecAndWMICommands", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_powerpntexe59", + "CIMType": "String[]", + "Name": "BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_exprwdexe66", + "Name": "BlockOfficeApplicationsFromCreatingExecutableContent", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_grooveexe56", + "CIMType": "String[]", + "Name": "BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_visioexe61", + "Name": "BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_outlookexe64", + "CIMType": "String[]", + "Name": "BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mspubexe58", + "Name": "BlockRebootingMachineInSafeMode", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_mse7exe69", + "CIMType": "String[]", + "Name": "BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_msaccessexe67", + "Name": "UseAdvancedProtectionAgainstRansomware", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_pptviewexe60", + "CIMType": "String[]", + "Name": "UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winprojexe62", + "Name": "BlockExecutableContentFromEmailClientAndWebmail", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_spdesignexe65", + "CIMType": "String[]", + "Name": "BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_onenoteexe68", + "Name": "CheckForSignaturesBeforeRunningScan", "Option": 
"Write" }, { "CIMType": "String", - "Name": "L_winwordexe63", + "Name": "CloudBlockLevel", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_excelexe57", + "CIMType": "SInt32", + "Name": "CloudExtendedTimeout", "Option": "Write" }, { "CIMType": "String", - "Name": "L_NavigateURL", + "Name": "DisableLocalAdminMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "L_spdesignexe177", + "Name": "EnableNetworkProtection", "Option": "Write" }, { "CIMType": "String", - "Name": "L_onenoteexe180", + "Name": "HideExclusionsFromLocalAdmins", "Option": "Write" }, { "CIMType": "String", - "Name": "L_pptviewexe172", + "Name": "HideExclusionsFromLocalUsers", "Option": "Write" }, { "CIMType": "String", - "Name": "L_outlookexe176", + "Name": "OobeEnableRtpAndSigUpdate", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winprojexe174", + "Name": "PUAProtection", "Option": "Write" }, { "CIMType": "String", - "Name": "L_msaccessexe179", + "Name": "RealTimeScanDirection", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winwordexe175", + "Name": "ScanParameter", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_excelexe169", + "CIMType": "SInt32", + "Name": "ScheduleQuickScanTime", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mspubexe170", + "Name": "ScheduleScanDay", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_exprwdexe178", + "CIMType": "SInt32", + "Name": "ScheduleScanTime", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_powerpntexe171", + "CIMType": "SInt32", + "Name": "SignatureUpdateInterval", "Option": "Write" }, { "CIMType": "String", - "Name": "L_visioexe173", + "Name": "SubmitSamplesConsent", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mse7exe181", + "Name": "LsaCfgFlags", "Option": "Write" }, { "CIMType": "String", - "Name": "L_grooveexe168", + "Name": "DeviceEnumerationPolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "L_ObjectCachingProtection", + "Name": 
"SmartScreenEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winwordexe77", + "Name": "SmartScreenPuaEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "L_powerpntexe73", + "Name": "SmartScreenDnsRequestsEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "L_spdesignexe79", + "Name": "NewSmartScreenLibraryEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mse7exe83", + "Name": "SmartScreenForTrustedDownloadsEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mspubexe72", + "Name": "PreventSmartScreenPromptOverride", "Option": "Write" }, { "CIMType": "String", - "Name": "L_msaccessexe81", + "Name": "PreventSmartScreenPromptOverrideForFiles", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint", + "Parameters": [ { "CIMType": "String", - "Name": "L_onenoteexe82", + "Name": "DisableSafetyFilterOverrideForAppRepUnknown", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneSecurityBaselineDefenderForEndpoint", + "Parameters": [ { "CIMType": "String", - "Name": "L_outlookexe78", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "L_grooveexe70", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "String", - "Name": "L_excelexe71", + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": "Write" }, { "CIMType": "String", - "Name": "L_visioexe75", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_pptviewexe74", + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint", + "Name": "DeviceSettings", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_winprojexe76", + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint", + "Name": "UserSettings", "Option": "Write" }, { - "CIMType": 
"String", - "Name": "L_exprwdexe80", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_ProtectionFromZoneElevation", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_mspubexe100", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "L_visioexe103", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "L_powerpntexe101", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_excelexe99", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mse7exe111", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_winwordexe105", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "Parameters": [ { "CIMType": "String", - "Name": "L_exprwdexe108", + "Name": "Pol_SecGuide_A001_Block_Flash", "Option": "Write" }, { "CIMType": "String", - "Name": "L_msaccessexe109", + "Name": "Pol_SecGuide_Block_Flash", "Option": "Write" }, { "CIMType": "String", - "Name": "L_spdesignexe107", + "Name": "Pol_SecGuide_Legacy_JScript", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_onenoteexe110", + "CIMType": "SInt32", + "Name": "POL_SG_powerpnt", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_pptviewexe102", + "CIMType": "SInt32", + "Name": "POL_SG_onenote", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_winprojexe104", + "CIMType": "SInt32", + "Name": "POL_SG_mspub", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_grooveexe98", + "CIMType": 
"SInt32", + "Name": "POL_SG_msaccess", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_outlookexe106", + "CIMType": "SInt32", + "Name": "POL_SG_winproj", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_RestrictActiveXInstall", + "CIMType": "SInt32", + "Name": "POL_SG_visio", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_mse7exe", + "CIMType": "SInt32", + "Name": "POL_SG_outlook", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_powerpntexe", + "CIMType": "SInt32", + "Name": "POL_SG_winword", "Option": "Write" }, { - "CIMType": "String", - "Name": "L_spDesignexe", + "CIMType": "SInt32", + "Name": "POL_SG_excel", "Option": "Write" }, { "CIMType": "String", - "Name": "L_onenoteexe", + "Name": "L_PolicyEnableSIPHighSecurityMode", "Option": "Write" }, { "CIMType": "String", - "Name": "L_excelexe", + "Name": "L_PolicyDisableHttpConnect", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mspubexe", + "Name": "L_AddonManagement", "Option": "Write" }, { "CIMType": "String", - "Name": "L_visioexe", + "Name": "L_powerpntexe17", "Option": "Write" }, { "CIMType": "String", - "Name": "L_exprwdexe", + "Name": "L_excelexe15", "Option": "Write" }, { "CIMType": "String", - "Name": "L_outlookexe", + "Name": "L_visioexe19", "Option": "Write" }, { "CIMType": "String", - "Name": "L_pptviewexe", + "Name": "L_onenoteexe26", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winprojexe", + "Name": "L_outlookexe22", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winwordexe", + "Name": "L_pptviewexe18", "Option": "Write" }, { "CIMType": "String", - "Name": "L_grooveexe", + "Name": "L_winwordexe21", "Option": "Write" }, { "CIMType": "String", - "Name": "L_msaccessexe", + "Name": "L_exprwdexe24", "Option": "Write" }, { "CIMType": "String", - "Name": "L_RestrictFileDownload", + "Name": "L_spdesignexe23", "Option": "Write" }, { "CIMType": "String", - "Name": "L_visioexe5", + "Name": "L_winprojexe20", "Option": "Write" }, { 
"CIMType": "String", - "Name": "L_winprojexe6", + "Name": "L_grooveexe14", "Option": "Write" }, { "CIMType": "String", - "Name": "L_msaccessexe11", + "Name": "L_mspubexe16", "Option": "Write" }, { "CIMType": "String", - "Name": "L_spdesignexe9", + "Name": "L_mse7exe27", "Option": "Write" }, { "CIMType": "String", - "Name": "L_excelexe1", + "Name": "L_msaccessexe25", "Option": "Write" }, { "CIMType": "String", - "Name": "L_powerpntexe3", + "Name": "L_ConsistentMimeHandling", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mspubexe2", + "Name": "L_excelexe43", "Option": "Write" }, { "CIMType": "String", - "Name": "L_exprwdexe10", + "Name": "L_spdesignexe51", "Option": "Write" }, { "CIMType": "String", - "Name": "L_outlookexe8", + "Name": "L_onenoteexe54", "Option": "Write" }, { "CIMType": "String", - "Name": "L_pptviewexe4", + "Name": "L_outlookexe50", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winwordexe7", + "Name": "L_pptviewexe46", "Option": "Write" }, { "CIMType": "String", - "Name": "L_onenoteexe12", + "Name": "L_mspubexe44", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mse7exe13", + "Name": "L_visioexe47", "Option": "Write" }, { "CIMType": "String", - "Name": "L_grooveexe0", + "Name": "L_winprojexe48", "Option": "Write" }, { "CIMType": "String", - "Name": "L_SavedfromURL", + "Name": "L_msaccessexe53", "Option": "Write" }, { "CIMType": "String", - "Name": "L_pptviewexe158", + "Name": "L_powerpntexe45", "Option": "Write" }, { "CIMType": "String", - "Name": "L_exprwdexe164", + "Name": "L_grooveexe42", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mse7exe167", + "Name": "L_mse7exe55", "Option": "Write" }, { "CIMType": "String", - "Name": "L_spdesignexe163", + "Name": "L_winwordexe49", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winprojexe160", + "Name": "L_exprwdexe52", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mspubexe156", + "Name": "L_Disableusernameandpassword", "Option": "Write" }, { 
"CIMType": "String", - "Name": "L_visioexe159", + "Name": "L_excelexe127", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winwordexe161", + "Name": "L_grooveexe126", "Option": "Write" }, { "CIMType": "String", - "Name": "L_msaccessexe165", + "Name": "L_onenoteexe138", "Option": "Write" }, { "CIMType": "String", - "Name": "L_onenoteexe166", + "Name": "L_mse7exe139", "Option": "Write" }, { "CIMType": "String", - "Name": "L_outlookexe162", + "Name": "L_mspubexe128", "Option": "Write" }, { "CIMType": "String", - "Name": "L_grooveexe154", + "Name": "L_visioexe131", "Option": "Write" }, { "CIMType": "String", - "Name": "L_excelexe155", + "Name": "L_exprwdexe136", "Option": "Write" }, { "CIMType": "String", - "Name": "L_powerpntexe157", + "Name": "L_msaccessexe137", "Option": "Write" }, { "CIMType": "String", - "Name": "L_ScriptedWindowSecurityRestrictions", + "Name": "L_spdesignexe135", "Option": "Write" }, { "CIMType": "String", - "Name": "L_exprwdexe94", + "Name": "L_winwordexe133", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mse7exe97", + "Name": "L_powerpntexe129", "Option": "Write" }, { "CIMType": "String", - "Name": "L_mspubexe86", + "Name": "L_outlookexe134", "Option": "Write" }, { "CIMType": "String", - "Name": "L_outlookexe92", + "Name": "L_winprojexe132", "Option": "Write" }, { "CIMType": "String", - "Name": "L_msaccessexe95", + "Name": "L_pptviewexe130", "Option": "Write" }, { "CIMType": "String", - "Name": "L_powerpntexe87", + "Name": "L_Informationbar", "Option": "Write" }, { "CIMType": "String", - "Name": "L_grooveexe84", + "Name": "L_excelexe113", "Option": "Write" }, { "CIMType": "String", - "Name": "L_excelexe85", + "Name": "L_mspubexe114", "Option": "Write" }, { "CIMType": "String", - "Name": "L_pptviewexe88", + "Name": "L_msaccessexe123", "Option": "Write" }, { "CIMType": "String", - "Name": "L_spdesignexe93", + "Name": "L_onenoteexe124", "Option": "Write" }, { "CIMType": "String", - "Name": "L_visioexe89", + "Name": 
"L_outlookexe120", "Option": "Write" }, { "CIMType": "String", - "Name": "L_onenoteexe96", + "Name": "L_winprojexe118", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winprojexe90", + "Name": "L_powerpntexe115", "Option": "Write" }, { "CIMType": "String", - "Name": "L_winwordexe91", + "Name": "L_spdesignexe121", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", - "Parameters": [ + }, { "CIMType": "String", - "Name": "MicrosoftAccess_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Name": "L_grooveexe112", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftAccess_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Name": "L_visioexe117", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftAccess_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Name": "L_mse7exe125", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftAccess_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", + "Name": "L_winwordexe119", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy", + "Name": "L_exprwdexe122", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty", + "Name": "L_pptviewexe116", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Donotshowdataextractionoptionswhenopeningcorruptworkbooks", + "Name": "L_LocalMachineZoneLockdownSecurity", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Asktoupdateautomaticlinks", + "Name": "L_mse7exe41", "Option": "Write" }, { "CIMType": "String", - "Name": "L_LoadpicturesfromWebpagesnotcreatedinExcel", + "Name": "L_powerpntexe31", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DisableAutoRepublish", + "Name": "L_mspubexe30", "Option": "Write" }, { "CIMType": "String", - "Name": 
"L_DoNotShowAutoRepublishWarningAlert", + "Name": "L_outlookexe36", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Forcefileextenstionstomatch", + "Name": "L_pptviewexe32", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Forcefileextenstionstomatch_L_Empty", + "Name": "L_excelexe29", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DeterminewhethertoforceencryptedExcel", + "Name": "L_exprwdexe38", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DeterminewhethertoforceencryptedExcelDropID", + "Name": "L_grooveexe28", "Option": "Write" }, { "CIMType": "String", - "Name": "L_BlockXLLFromInternet", + "Name": "L_winwordexe35", "Option": "Write" }, { "CIMType": "String", - "Name": "L_BlockXLLFromInternetEnum", + "Name": "L_msaccessexe39", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftExcel_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Name": "L_spdesignexe37", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Name": "L_visioexe33", "Option": "Write" }, { "CIMType": "String", - "Name": "L_EnableBlockUnsecureQueryFiles", + "Name": "L_onenoteexe40", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DBaseIIIANDIVFiles", + "Name": "L_winprojexe34", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DBaseIIIANDIVFilesDropID", + "Name": "L_MimeSniffingSafetyFature", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DifAndSylkFiles", + "Name": "L_powerpntexe59", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DifAndSylkFilesDropID", + "Name": "L_exprwdexe66", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel2MacrosheetsAndAddInFiles", + "Name": "L_grooveexe56", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel2MacrosheetsAndAddInFilesDropID", + "Name": "L_visioexe61", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel2Worksheets", + "Name": "L_outlookexe64", 
"Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel2WorksheetsDropID", + "Name": "L_mspubexe58", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel3MacrosheetsAndAddInFiles", + "Name": "L_mse7exe69", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel3MacrosheetsAndAddInFilesDropID", + "Name": "L_msaccessexe67", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel3Worksheets", + "Name": "L_pptviewexe60", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel3WorksheetsDropID", + "Name": "L_winprojexe62", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel4MacrosheetsAndAddInFiles", + "Name": "L_spdesignexe65", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel4MacrosheetsAndAddInFilesDropID", + "Name": "L_onenoteexe68", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel4Workbooks", + "Name": "L_winwordexe63", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel4WorkbooksDropID", + "Name": "L_excelexe57", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel4Worksheets", + "Name": "L_NavigateURL", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel4WorksheetsDropID", + "Name": "L_spdesignexe177", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel95Workbooks", + "Name": "L_onenoteexe180", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel95WorkbooksDropID", + "Name": "L_pptviewexe172", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel9597WorkbooksAndTemplates", + "Name": "L_outlookexe176", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel9597WorkbooksAndTemplatesDropID", + "Name": "L_winprojexe174", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel972003WorkbooksAndTemplates", + "Name": "L_msaccessexe179", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Excel972003WorkbooksAndTemplatesDropID", + "Name": "L_winwordexe175", "Option": "Write" }, { "CIMType": "String", - "Name": 
"MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior", + "Name": "L_excelexe169", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID", + "Name": "L_mspubexe170", "Option": "Write" }, { "CIMType": "String", - "Name": "L_WebPagesAndExcel2003XMLSpreadsheets", + "Name": "L_exprwdexe178", "Option": "Write" }, { "CIMType": "String", - "Name": "L_WebPagesAndExcel2003XMLSpreadsheetsDropID", + "Name": "L_powerpntexe171", "Option": "Write" }, { "CIMType": "String", - "Name": "L_XL4KillSwitchPolicy", + "Name": "L_visioexe173", "Option": "Write" }, { "CIMType": "String", - "Name": "L_EnableDataBaseFileProtectedView", + "Name": "L_mse7exe181", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView", + "Name": "L_grooveexe168", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView", + "Name": "L_ObjectCachingProtection", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails", + "Name": "L_winwordexe77", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3", + "Name": "L_powerpntexe73", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID", + "Name": "L_spdesignexe79", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook", + "Name": "L_mse7exe83", "Option": "Write" }, { "CIMType": "String", - "Name": 
"MicrosoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Name": "L_mspubexe72", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Name": "L_msaccessexe81", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftExcel_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", + "Name": "L_onenoteexe82", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftExcel_Security_TrustCenter_L_VBAWarningsPolicy", + "Name": "L_outlookexe78", "Option": "Write" }, { "CIMType": "String", - "Name": "L_empty4", + "Name": "L_grooveexe70", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftExcel_Security_L_TurnOffFileValidation", + "Name": "L_excelexe71", "Option": "Write" }, { "CIMType": "String", - "Name": "L_WebContentWarningLevel", + "Name": "L_visioexe75", "Option": "Write" }, { "CIMType": "String", - "Name": "L_WebContentWarningLevelValue", + "Name": "L_pptviewexe74", "Option": "Write" }, { "CIMType": "String", - "Name": "L_NoExtensibilityCustomizationFromDocumentPolicy", + "Name": "L_winprojexe76", "Option": "Write" }, { "CIMType": "String", - "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyWord", + "Name": "L_exprwdexe80", "Option": "Write" }, { "CIMType": "String", - "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyExcel", + "Name": "L_ProtectionFromZoneElevation", "Option": "Write" }, { "CIMType": "String", - "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyVisio", + "Name": "L_mspubexe100", "Option": "Write" }, { "CIMType": "String", - "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyPowerPoint", + "Name": "L_visioexe103", "Option": "Write" }, { "CIMType": "String", - "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyPublisher", + "Name": "L_powerpntexe101", "Option": "Write" }, { "CIMType": "String", - "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyOutlook", 
+ "Name": "L_excelexe99", "Option": "Write" }, { "CIMType": "String", - "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyProject", + "Name": "L_mse7exe111", "Option": "Write" }, { "CIMType": "String", - "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyAccess", + "Name": "L_winwordexe105", "Option": "Write" }, { "CIMType": "String", - "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyInfoPath", + "Name": "L_exprwdexe108", "Option": "Write" }, { "CIMType": "String", - "Name": "L_ActiveXControlInitialization", + "Name": "L_msaccessexe109", "Option": "Write" }, { "CIMType": "String", - "Name": "L_ActiveXControlInitializationcolon", + "Name": "L_spdesignexe107", "Option": "Write" }, { "CIMType": "String", - "Name": "L_BasicAuthProxyBehavior", + "Name": "L_onenoteexe110", "Option": "Write" }, { "CIMType": "String", - "Name": "L_AllowVbaIntranetRefs", + "Name": "L_pptviewexe102", "Option": "Write" }, { "CIMType": "String", - "Name": "L_AutomationSecurity", + "Name": "L_winprojexe104", "Option": "Write" }, { "CIMType": "String", - "Name": "L_SettheAutomationSecuritylevel", + "Name": "L_grooveexe98", "Option": "Write" }, { "CIMType": "String", - "Name": "L_AuthenticationFBABehavior", + "Name": "L_outlookexe106", "Option": "Write" }, { "CIMType": "String", - "Name": "L_AuthenticationFBAEnabledHostsID", + "Name": "L_RestrictActiveXInstall", "Option": "Write" }, { "CIMType": "String", - "Name": "L_authenticationFBABehaviorEnum", + "Name": "L_mse7exe", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DisableStrictVbaRefsSecurityPolicy", + "Name": "L_powerpntexe", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DisableallTrustBarnotificationsfor", + "Name": "L_spDesignexe", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Encryptiontypeforirm", + "Name": "L_onenoteexe", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Encryptiontypeforirmcolon", + "Name": "L_excelexe", "Option": "Write" }, { "CIMType": "String", - "Name": 
"L_Encryptiontypeforpasswordprotectedoffice972003", + "Name": "L_mspubexe", "Option": "Write" }, { "CIMType": "String", - "Name": "L_encryptiontypecolon318", + "Name": "L_visioexe", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Encryptiontypeforpasswordprotectedofficeopen", + "Name": "L_exprwdexe", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Encryptiontypecolon", + "Name": "L_outlookexe", "Option": "Write" }, { "CIMType": "String", - "Name": "L_LoadControlsinForms3", + "Name": "L_pptviewexe", "Option": "Write" }, { "CIMType": "String", - "Name": "L_LoadControlsinForms3colon", + "Name": "L_winprojexe", "Option": "Write" }, { "CIMType": "String", - "Name": "L_MacroRuntimeScanScope", + "Name": "L_winwordexe", "Option": "Write" }, { "CIMType": "String", - "Name": "L_MacroRuntimeScanScopeEnum", + "Name": "L_grooveexe", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Protectdocumentmetadataforrightsmanaged", + "Name": "L_msaccessexe", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Allowmixofpolicyanduserlocations", + "Name": "L_RestrictFileDownload", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DisabletheOfficeclientfrompolling", + "Name": "L_visioexe5", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DisableSmartDocumentsuseofmanifests", + "Name": "L_winprojexe6", "Option": "Write" }, { "CIMType": "String", - "Name": "L_OutlookSecurityMode", + "Name": "L_msaccessexe11", "Option": "Write" }, { "CIMType": "String", - "Name": "L_OOMAddressAccess", + "Name": "L_spdesignexe9", "Option": "Write" }, { "CIMType": "String", - "Name": "L_OOMAddressAccess_Setting", + "Name": "L_excelexe1", "Option": "Write" }, { "CIMType": "String", - "Name": "L_OOMMeetingTaskRequest", + "Name": "L_powerpntexe3", "Option": "Write" }, { "CIMType": "String", - "Name": "L_OOMMeetingTaskRequest_Setting", + "Name": "L_mspubexe2", "Option": "Write" }, { "CIMType": "String", - "Name": "L_OOMSend", + "Name": "L_exprwdexe10", "Option": "Write" 
}, { "CIMType": "String", - "Name": "L_OOMSend_Setting", + "Name": "L_outlookexe8", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Preventusersfromcustomizingattachmentsecuritysettings", + "Name": "L_pptviewexe4", "Option": "Write" }, { "CIMType": "String", - "Name": "L_RetrievingCRLsCertificateRevocationLists", + "Name": "L_winwordexe7", "Option": "Write" }, { "CIMType": "String", - "Name": "L_empty31", + "Name": "L_onenoteexe12", "Option": "Write" }, { "CIMType": "String", - "Name": "L_OOMFormula", + "Name": "L_mse7exe13", "Option": "Write" }, { "CIMType": "String", - "Name": "L_OOMFormula_Setting", + "Name": "L_grooveexe0", "Option": "Write" }, { "CIMType": "String", - "Name": "L_AuthenticationwithExchangeServer", + "Name": "L_SavedfromURL", "Option": "Write" }, { "CIMType": "String", - "Name": "L_SelecttheauthenticationwithExchangeserver", + "Name": "L_pptviewexe158", "Option": "Write" }, { "CIMType": "String", - "Name": "L_EnableRPCEncryption", + "Name": "L_exprwdexe164", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Enablelinksinemailmessages", + "Name": "L_mse7exe167", "Option": "Write" }, { "CIMType": "String", - "Name": "L_OOMAddressBook", + "Name": "L_spdesignexe163", "Option": "Write" }, { "CIMType": "String", - "Name": "L_OOMAddressBook_Setting", + "Name": "L_winprojexe160", "Option": "Write" }, { "CIMType": "String", - "Name": "L_OutlookSecurityPolicy", + "Name": "L_mspubexe156", "Option": "Write" }, { "CIMType": "String", - "Name": "L_AllowUsersToLowerAttachments", + "Name": "L_visioexe159", "Option": "Write" }, { "CIMType": "String", - "Name": "L_AllowActiveXOneOffForms", + "Name": "L_winwordexe161", "Option": "Write" }, { "CIMType": "String", - "Name": "L_empty29", + "Name": "L_msaccessexe165", "Option": "Write" }, { "CIMType": "String", - "Name": "L_EnableScriptsInOneOffForms", + "Name": "L_onenoteexe166", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Level2RemoveFilePolicy", + "Name": "L_outlookexe162", "Option": 
"Write" }, { "CIMType": "String", - "Name": "L_removedextensions25", + "Name": "L_grooveexe154", "Option": "Write" }, { "CIMType": "String", - "Name": "L_MSGUnicodeformatwhendraggingtofilesystem", + "Name": "L_excelexe155", "Option": "Write" }, { "CIMType": "String", - "Name": "L_OnExecuteCustomActionOOM", + "Name": "L_powerpntexe157", "Option": "Write" }, { "CIMType": "String", - "Name": "L_OnExecuteCustomActionOOM_Setting", + "Name": "L_ScriptedWindowSecurityRestrictions", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DisableOutlookobjectmodelscriptsforpublicfolders", + "Name": "L_exprwdexe94", "Option": "Write" }, { "CIMType": "String", - "Name": "L_BlockInternet", + "Name": "L_mse7exe97", "Option": "Write" }, { "CIMType": "String", - "Name": "L_SecurityLevelOutlook", + "Name": "L_mspubexe86", "Option": "Write" }, { "CIMType": "String", - "Name": "L_SecurityLevel", + "Name": "L_outlookexe92", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Level1RemoveFilePolicy", + "Name": "L_msaccessexe95", "Option": "Write" }, { "CIMType": "String", - "Name": "L_RemovedExtensions", + "Name": "L_powerpntexe87", "Option": "Write" }, { "CIMType": "String", - "Name": "L_SignatureWarning", + "Name": "L_grooveexe84", "Option": "Write" }, { "CIMType": "String", - "Name": "L_signaturewarning30", + "Name": "L_excelexe85", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Level1Attachments", + "Name": "L_pptviewexe88", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Minimumencryptionsettings", + "Name": "L_spdesignexe93", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "L_Minimumkeysizeinbits", + "CIMType": "String", + "Name": "L_visioexe89", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DisableOutlookobjectmodelscripts", + "Name": "L_onenoteexe96", "Option": "Write" }, { "CIMType": "String", - "Name": "L_OOMSaveAs", + "Name": "L_winprojexe90", "Option": "Write" }, { "CIMType": "String", - "Name": "L_OOMSaveAs_Setting", + "Name": 
"L_winwordexe91", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "Parameters": [ { "CIMType": "String", - "Name": "L_JunkEmailprotectionlevel", + "Name": "MicrosoftAccess_Security_TrustCenter_L_BlockMacroExecutionFromInternet", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Selectlevel", + "Name": "MicrosoftAccess_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", "Option": "Write" }, { "CIMType": "String", - "Name": "L_RunPrograms", + "Name": "MicrosoftAccess_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", "Option": "Write" }, { "CIMType": "String", - "Name": "L_RunPrograms_L_Empty", + "Name": "MicrosoftAccess_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Determinewhethertoforceencryptedppt", + "Name": "MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DeterminewhethertoforceencryptedpptDropID", + "Name": "MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Name": "L_Donotshowdataextractionoptionswhenopeningcorruptworkbooks", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Name": "L_Asktoupdateautomaticlinks", "Option": "Write" }, { "CIMType": "String", - "Name": "L_PowerPoint972003PresentationsShowsTemplatesandAddInFiles", + "Name": "L_LoadpicturesfromWebpagesnotcreatedinExcel", "Option": "Write" }, { "CIMType": "String", - "Name": "L_PowerPoint972003PresentationsShowsTemplatesandAddInFilesDropID", + "Name": "L_DisableAutoRepublish", "Option": "Write" }, { "CIMType": "String", - "Name": 
"MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior", + "Name": "L_DoNotShowAutoRepublishWarningAlert", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID", + "Name": "L_Forcefileextenstionstomatch", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView", + "Name": "L_Forcefileextenstionstomatch_L_Empty", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView", + "Name": "L_DeterminewhethertoforceencryptedExcel", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails", + "Name": "L_DeterminewhethertoforceencryptedExcelDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3", + "Name": "L_BlockXLLFromInternet", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID", + "Name": "L_BlockXLLFromInternetEnum", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook", + "Name": "MicrosoftExcel_Security_TrustCenter_L_BlockMacroExecutionFromInternet", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Name": "MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Name": 
"L_EnableBlockUnsecureQueryFiles", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPowerPoint_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", + "Name": "L_DBaseIIIANDIVFiles", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy", + "Name": "L_DBaseIIIANDIVFilesDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "L_empty3", + "Name": "L_DifAndSylkFiles", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPowerPoint_Security_L_TurnOffFileValidation", + "Name": "L_DifAndSylkFilesDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftProject_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork", + "Name": "L_Excel2MacrosheetsAndAddInFiles", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Name": "L_Excel2MacrosheetsAndAddInFilesDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Name": "L_Excel2Worksheets", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Name": "L_Excel2WorksheetsDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy", + "Name": "L_Excel3MacrosheetsAndAddInFiles", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty", + "Name": "L_Excel3MacrosheetsAndAddInFilesDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "L_PublisherAutomationSecurityLevel", + "Name": "L_Excel3Worksheets", "Option": "Write" }, { "CIMType": "String", - "Name": "L_PublisherAutomationSecurityLevel_L_Empty", + "Name": "L_Excel3WorksheetsDropID", "Option": "Write" }, { "CIMType": "String", - "Name": 
"MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Name": "L_Excel4MacrosheetsAndAddInFiles", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Name": "L_Excel4MacrosheetsAndAddInFilesDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Name": "L_Excel4Workbooks", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Name": "L_Excel4WorkbooksDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy", + "Name": "L_Excel4Worksheets", "Option": "Write" }, { "CIMType": "String", - "Name": "L_empty0", + "Name": "L_Excel4WorksheetsDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftVisio_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork", + "Name": "L_Excel95Workbooks", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftVisio_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Name": "L_Excel95WorkbooksDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Name": "L_Excel9597WorkbooksAndTemplates", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Visio2000Files", + "Name": "L_Excel9597WorkbooksAndTemplatesDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Visio2000FilesDropID", + "Name": "L_Excel972003WorkbooksAndTemplates", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Visio2003Files", + "Name": "L_Excel972003WorkbooksAndTemplatesDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Visio2003FilesDropID", + "Name": "MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior", "Option": 
"Write" }, { "CIMType": "String", - "Name": "L_Visio50AndEarlierFiles", + "Name": "MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Visio50AndEarlierFilesDropID", + "Name": "L_WebPagesAndExcel2003XMLSpreadsheets", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Name": "L_WebPagesAndExcel2003XMLSpreadsheetsDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Name": "L_XL4KillSwitchPolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy", + "Name": "L_EnableDataBaseFileProtectedView", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftWord_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails", "Option": "Write" }, { "CIMType": "String", - "Name": "L_AllowDDE", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3", "Option": "Write" }, { "CIMType": "String", - "Name": "L_AllowDDEDropID", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID", "Option": "Write" }, { "CIMType": "String", - "Name": 
"MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID", + "Name": "MicrosoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Word2AndEarlierBinaryDocumentsAndTemplates", + "Name": "MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Word2AndEarlierBinaryDocumentsAndTemplatesDropID", + "Name": "MicrosoftExcel_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Word2000BinaryDocumentsAndTemplates", + "Name": "MicrosoftExcel_Security_TrustCenter_L_VBAWarningsPolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Word2000BinaryDocumentsAndTemplatesDropID", + "Name": "L_empty4", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Word2003BinaryDocumentsAndTemplates", + "Name": "MicrosoftExcel_Security_L_TurnOffFileValidation", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Word2003BinaryDocumentsAndTemplatesDropID", + "Name": "L_WebContentWarningLevel", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Word2007AndLaterBinaryDocumentsAndTemplates", + "Name": "L_WebContentWarningLevelValue", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Word2007AndLaterBinaryDocumentsAndTemplatesDropID", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Word6Pt0BinaryDocumentsAndTemplates", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyWord", "Option": "Write" }, { "CIMType": "String", - "Name": 
"L_Word6Pt0BinaryDocumentsAndTemplatesDropID", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyExcel", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Word95BinaryDocumentsAndTemplates", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyVisio", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Word95BinaryDocumentsAndTemplatesDropID", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyPowerPoint", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Word97BinaryDocumentsAndTemplates", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyPublisher", "Option": "Write" }, { "CIMType": "String", - "Name": "L_Word97BinaryDocumentsAndTemplatesDropID", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyOutlook", "Option": "Write" }, { "CIMType": "String", - "Name": "L_WordXPBinaryDocumentsAndTemplates", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyProject", "Option": "Write" }, { "CIMType": "String", - "Name": "L_WordXPBinaryDocumentsAndTemplatesDropID", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyAccess", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyInfoPath", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView", + "Name": "L_ActiveXControlInitialization", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails", + "Name": "L_ActiveXControlInitializationcolon", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID", + "Name": "L_BasicAuthProxyBehavior", "Option": "Write" }, { "CIMType": "String", - "Name": 
"MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3", + "Name": "L_AllowVbaIntranetRefs", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook", + "Name": "L_AutomationSecurity", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Name": "L_SettheAutomationSecuritylevel", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Name": "L_AuthenticationFBABehavior", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DeterminewhethertoforceencryptedWord", + "Name": "L_AuthenticationFBAEnabledHostsID", "Option": "Write" }, { "CIMType": "String", - "Name": "L_DeterminewhethertoforceencryptedWordDropID", + "Name": "L_authenticationFBABehaviorEnum", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftWord_Security_TrustCenter_L_VBAWarningsPolicy", + "Name": "L_DisableStrictVbaRefsSecurityPolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "L_empty19", + "Name": "L_DisableallTrustBarnotificationsfor", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftWord_Security_L_TurnOffFileValidation", + "Name": "L_Encryptiontypeforirm", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftWord_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", + "Name": "L_Encryptiontypeforirmcolon", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Description", + "Name": "L_Encryptiontypeforpasswordprotectedoffice972003", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "L_encryptiontypecolon318", + "Option": "Write" }, { - "CIMType": "String[]", - 
"Name": "RoleScopeTagIds", + "CIMType": "String", + "Name": "L_Encryptiontypeforpasswordprotectedofficeopen", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "L_Encryptiontypecolon", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", - "Name": "DeviceSettings", + "CIMType": "String", + "Name": "L_LoadControlsinForms3", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", - "Name": "UserSettings", + "CIMType": "String", + "Name": "L_LoadControlsinForms3colon", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "L_MacroRuntimeScanScope", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "L_MacroRuntimeScanScopeEnum", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "L_Protectdocumentmetadataforrightsmanaged", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "L_Allowmixofpolicyanduserlocations", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "L_DisabletheOfficeclientfrompolling", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "L_DisableSmartDocumentsuseofmanifests", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "L_OutlookSecurityMode", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "L_OOMAddressAccess", "Option": "Write" }, - { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneSecurityBaselineMicrosoftEdge", - "Parameters": [ { "CIMType": "String", - "Name": 
"Description", + "Name": "L_OOMAddressAccess_Setting", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" - }, - { - "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "Name": "L_OOMMeetingTaskRequest", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "L_OOMMeetingTaskRequest_Setting", "Option": "Write" }, { "CIMType": "String", - "Name": "InternetExplorerIntegrationReloadInIEModeAllowed", + "Name": "L_OOMSend", "Option": "Write" }, { "CIMType": "String", - "Name": "SSLErrorOverrideAllowed", + "Name": "L_OOMSend_Setting", "Option": "Write" }, { "CIMType": "String", - "Name": "InternetExplorerIntegrationZoneIdentifierMhtFileAllowed", + "Name": "L_Preventusersfromcustomizingattachmentsecuritysettings", "Option": "Write" }, { "CIMType": "String", - "Name": "BrowserLegacyExtensionPointsBlockingEnabled", + "Name": "L_RetrievingCRLsCertificateRevocationLists", "Option": "Write" }, { "CIMType": "String", - "Name": "SitePerProcess", + "Name": "L_empty31", "Option": "Write" }, { "CIMType": "String", - "Name": "EdgeEnhanceImagesEnabled", + "Name": "L_OOMFormula", "Option": "Write" }, { "CIMType": "String", - "Name": "ExtensionInstallBlocklist", + "Name": "L_OOMFormula_Setting", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExtensionInstallBlocklistDesc", + "CIMType": "String", + "Name": "L_AuthenticationwithExchangeServer", "Option": "Write" }, { "CIMType": "String", - "Name": "WebSQLAccess", + "Name": "L_SelecttheauthenticationwithExchangeserver", "Option": "Write" }, { "CIMType": "String", - "Name": "BasicAuthOverHttpEnabled", + "Name": "L_EnableRPCEncryption", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftEdge_HTTPAuthentication_AuthSchemes", + "Name": "L_Enablelinksinemailmessages", "Option": "Write" }, { "CIMType": "String", - "Name": "authschemes", + "Name": "L_OOMAddressBook", "Option": "Write" }, { "CIMType": "String", - "Name": "NativeMessagingUserLevelHosts", + "Name": 
"L_OOMAddressBook_Setting", "Option": "Write" }, { "CIMType": "String", - "Name": "InsecurePrivateNetworkRequestsAllowed", + "Name": "L_OutlookSecurityPolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "InternetExplorerModeToolbarButtonEnabled", + "Name": "L_AllowUsersToLowerAttachments", "Option": "Write" }, { "CIMType": "String", - "Name": "SmartScreenEnabled", + "Name": "L_AllowActiveXOneOffForms", "Option": "Write" }, { "CIMType": "String", - "Name": "SmartScreenPuaEnabled", + "Name": "L_empty29", "Option": "Write" }, { "CIMType": "String", - "Name": "PreventSmartScreenPromptOverride", + "Name": "L_EnableScriptsInOneOffForms", "Option": "Write" }, { "CIMType": "String", - "Name": "PreventSmartScreenPromptOverrideForFiles", + "Name": "L_Level2RemoveFilePolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "SharedArrayBufferUnrestrictedAccessAllowed", + "Name": "L_removedextensions25", "Option": "Write" }, { "CIMType": "String", - "Name": "TyposquattingCheckerEnabled", + "Name": "L_MSGUnicodeformatwhendraggingtofilesystem", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "L_OnExecuteCustomActionOOM", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "L_OnExecuteCustomActionOOM_Setting", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "L_DisableOutlookobjectmodelscriptsforpublicfolders", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "L_BlockInternet", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "L_SecurityLevelOutlook", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "L_SecurityLevel", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": 
"L_Level1RemoveFilePolicy", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "L_RemovedExtensions", "Option": "Write" }, - { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneSettingCatalogASRRulesPolicyWindows10", - "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "L_SignatureWarning", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "L_signaturewarning30", + "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "L_Level1Attachments", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "L_Minimumencryptionsettings", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AttackSurfaceReductionOnlyExclusions", + "CIMType": "SInt32", + "Name": "L_Minimumkeysizeinbits", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockAbuseOfExploitedVulnerableSignedDrivers", + "Name": "L_DisableOutlookobjectmodelscripts", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "L_OOMSaveAs", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockAdobeReaderFromCreatingChildProcesses", + "Name": "L_OOMSaveAs_Setting", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "L_JunkEmailprotectionlevel", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockAllOfficeApplicationsFromCreatingChildProcesses", + "Name": "L_Selectlevel", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "L_RunPrograms", "Option": "Write" }, 
{ "CIMType": "String", - "Name": "BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", + "Name": "L_RunPrograms_L_Empty", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "L_Determinewhethertoforceencryptedppt", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockExecutableContentFromEmailClientAndWebmail", + "Name": "L_DeterminewhethertoforceencryptedpptDropID", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_BlockMacroExecutionFromInternet", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion", + "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "L_PowerPoint972003PresentationsShowsTemplatesandAddInFiles", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockExecutionOfPotentiallyObfuscatedScripts", + "Name": "L_PowerPoint972003PresentationsShowsTemplatesandAddInFilesDropID", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", + "Name": "MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID", "Option": "Write" }, { - "CIMType": "String[]", - "Name": 
"BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockOfficeApplicationsFromCreatingExecutableContent", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockOfficeCommunicationAppFromCreatingChildProcesses", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockPersistenceThroughWMIEventSubscription", + "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", "Option": "Write" }, { "CIMType": "String", - "Name": 
"BlockProcessCreationsFromPSExecAndWMICommands", + "Name": "MicrosoftPowerPoint_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockRebootingMachineInSafeMode", + "Name": "L_empty3", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_L_TurnOffFileValidation", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockUntrustedUnsignedProcessesThatRunFromUSB", + "Name": "MicrosoftProject_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockUseOfCopiedOrImpersonatedSystemTools", + "Name": "MicrosoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockWebShellCreationForServers", + "Name": "MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockWebshellCreationForServers_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty", "Option": "Write" }, { "CIMType": 
"String", - "Name": "BlockWin32APICallsFromOfficeMacros", + "Name": "L_PublisherAutomationSecurityLevel", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "L_PublisherAutomationSecurityLevel_L_Empty", "Option": "Write" }, { "CIMType": "String", - "Name": "UseAdvancedProtectionAgainstRansomware", + "Name": "MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions", + "CIMType": "String", + "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ControlledFolderAccessProtectedFolders", + "CIMType": "String", + "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ControlledFolderAccessAllowedApplications", + "CIMType": "String", + "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", "Option": "Write" }, { "CIMType": "String", - "Name": "EnableControlledFolderAccess", + "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "L_empty0", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "MicrosoftVisio_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "MicrosoftVisio_Security_TrustCenter_L_BlockMacroExecutionFromInternet", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", "Option": "Write" }, { - "CIMType": 
"MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "L_Visio2000Files", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "L_Visio2000FilesDropID", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "L_Visio2003Files", "Option": "Write" }, - { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationPolicyTemplateReference", - "Parameters": [ { "CIMType": "String", - "Name": "TemplateDisplayName", + "Name": "L_Visio2003FilesDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "TemplateDisplayVersion", + "Name": "L_Visio50AndEarlierFiles", "Option": "Write" }, { "CIMType": "String", - "Name": "TemplateFamily", + "Name": "L_Visio50AndEarlierFilesDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "TemplateId", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationSetting", - "Parameters": [ - { - "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance", - "Name": "SettingInstance", + "Name": "MicrosoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance", - "Parameters": [ + }, { "CIMType": "String", - "Name": "SettingDefinitionId", + "Name": "MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstanceTemplateReference", - "Name": "SettingInstanceTemplateReference", + "CIMType": "String", + "Name": "MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty", "Option": "Write" 
}, { - "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationChoiceSettingValue[]", - "Name": "ChoiceSettingCollectionValue", + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenter_L_BlockMacroExecutionFromInternet", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationChoiceSettingValue", - "Name": "ChoiceSettingValue", + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationGroupSettingValue[]", - "Name": "GroupSettingCollectionValue", + "CIMType": "String", + "Name": "L_AllowDDE", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationGroupSettingValue", - "Name": "GroupSettingValue", + "CIMType": "String", + "Name": "L_AllowDDEDropID", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSimpleSettingValue[]", - "Name": "SimpleSettingCollectionValue", + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSimpleSettingValue", - "Name": "SimpleSettingValue", + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "odataType", + "Name": "L_Word2AndEarlierBinaryDocumentsAndTemplates", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstanceTemplateReference", - "Parameters": [ + }, { "CIMType": "String", - "Name": "SettingInstanceTemplateId", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationChoiceSettingValue", - "Parameters": [ - { - "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance[]", - "Name": "Children", + 
"Name": "L_Word2AndEarlierBinaryDocumentsAndTemplatesDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "Value", + "Name": "L_Word2000BinaryDocumentsAndTemplates", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingValueTemplateReference", - "Name": "SettingValueTemplateReference", + "CIMType": "String", + "Name": "L_Word2000BinaryDocumentsAndTemplatesDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "odataType", + "Name": "L_Word2003BinaryDocumentsAndTemplates", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingValueTemplateReference", - "Parameters": [ + }, { "CIMType": "String", - "Name": "settingValueTemplateId", + "Name": "L_Word2003BinaryDocumentsAndTemplatesDropID", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "useTemplateDefault", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationGroupSettingValue", - "Parameters": [ - { - "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance[]", - "Name": "Children", + "CIMType": "String", + "Name": "L_Word2007AndLaterBinaryDocumentsAndTemplates", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingValueTemplateReference", - "Name": "SettingValueTemplateReference", + "CIMType": "String", + "Name": "L_Word2007AndLaterBinaryDocumentsAndTemplatesDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "Value", + "Name": "L_Word6Pt0BinaryDocumentsAndTemplates", "Option": "Write" }, { "CIMType": "String", - "Name": "odataType", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationSimpleSettingValue", - "Parameters": [ - { - "CIMType": "UInt32", - "Name": "IntValue", + "Name": "L_Word6Pt0BinaryDocumentsAndTemplatesDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "StringValue", + "Name": 
"L_Word95BinaryDocumentsAndTemplates", "Option": "Write" }, { "CIMType": "String", - "Name": "ValueState", + "Name": "L_Word95BinaryDocumentsAndTemplatesDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "odataType", + "Name": "L_Word97BinaryDocumentsAndTemplates", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingValueTemplateReference", - "Name": "SettingValueTemplateReference", + "CIMType": "String", + "Name": "L_Word97BinaryDocumentsAndTemplatesDropID", "Option": "Write" }, - { - "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance[]", - "Name": "Children", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneSettingCatalogCustomPolicyWindows10", - "Parameters": [ { "CIMType": "String", - "Name": "Description", + "Name": "L_WordXPBinaryDocumentsAndTemplates", "Option": "Write" }, { "CIMType": "String", - "Name": "Name", - "Option": "Key" + "Name": "L_WordXPBinaryDocumentsAndTemplatesDropID", + "Option": "Write" }, { "CIMType": "String", - "Name": "Platforms", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView", "Option": "Write" }, { "CIMType": "String", - "Name": "Technologies", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementConfigurationPolicyTemplateReference", - "Name": "TemplateReference", + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementConfigurationSetting[]", - "Name": "Settings", + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": 
"MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "L_DeterminewhethertoforceencryptedWord", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "L_DeterminewhethertoforceencryptedWordDropID", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenter_L_VBAWarningsPolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "L_empty19", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "MicrosoftWord_Security_L_TurnOffFileValidation", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator", + "ClassName": "MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", "Parameters": [ { "CIMType": "String", - "Name": "Id", + "Name": "Description", "Option": "Write" }, { 
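Review bot: `L_Minimumkeysizeinbits` is declared as `SInt32` while every other integer parameter visible in this diff (`ProxyManualPort`, `IntValue`) uses `UInt32`; a key size in bits cannot be negative, so `UInt32` would keep the schema consistent unless the settings catalog definition really is signed. Several new parameter names carry no meaning on their own: `L_empty0`, `L_empty3`, `L_empty19`, `L_empty29`, `L_empty31` and `L_RunPrograms_L_Empty` appear to be unlabeled child settings of the entry that precedes each of them (for example `L_empty19` directly follows `MicrosoftWord_Security_TrustCenter_L_VBAWarningsPolicy`), so the resource's MOF descriptions should state which parent setting each one controls, otherwise a user of the resource cannot tell what value to supply. Also worth a look: `L_SignatureWarning` and `L_signaturewarning30` differ only in casing and a numeric suffix, and `MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet` uses `V3` where the neighbouring Publisher entries use `MicrosoftPublisherV2_`; please confirm both are taken verbatim from the setting definition IDs rather than being typos.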
@@ -40703,33 +42614,23 @@ "Option": "Key" }, { - "CIMType": "String", - "Name": "Description", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ConnectAutomatically", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ConnectWhenNetworkNameIsHidden", + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": "Write" }, { "CIMType": "String", - "Name": "NetworkName", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ssid", + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "Name": "DeviceSettings", "Option": "Write" }, { - "CIMType": "String", - "Name": "WiFiSecurityType", + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "Name": "UserSettings", "Option": "Write" }, { @@ -40780,11 +42681,11 @@ ] }, { - "ClassName": "MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner", + "ClassName": "MSFT_IntuneSecurityBaselineMicrosoftEdge", "Parameters": [ { "CIMType": "String", - "Name": "Id", + "Name": "Description", "Option": "Write" }, { 
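Review bot: the `-` lines for `MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator` and `MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner` in this hunk are diff alignment against the inserted baseline classes rather than real removals, but the rendered patch reads as if the Wi-Fi resources lose `ConnectAutomatically`, `ConnectWhenNetworkNameIsHidden`, `NetworkName`, `Ssid` and `WiFiSecurityType`; please confirm those classes still appear intact further down the file. The new `DeviceSettings` and `UserSettings` parameters reference `MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise` and `MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise`; both class names should be defined in this schema, and the class whose `L_` parameter list closes just above `MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise` has its `ClassName` line outside the visible hunk, so it is worth checking that the second one is present too.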
@@ -40793,68 +42694,118 @@ "Option": "Key" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConnectAutomatically", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConnectWhenNetworkNameIsHidden", + "CIMType": "String", + "Name": "InternetExplorerIntegrationReloadInIEModeAllowed", "Option": "Write" }, { "CIMType": "String", - "Name": "NetworkName", + "Name": "SSLErrorOverrideAllowed", "Option": "Write" }, { "CIMType": "String", - "Name": "PreSharedKey", + "Name": "InternetExplorerIntegrationZoneIdentifierMhtFileAllowed", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PreSharedKeyIsSet", + "CIMType": "String", + "Name": "BrowserLegacyExtensionPointsBlockingEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "ProxyAutomaticConfigurationUrl", + "Name": "SitePerProcess", "Option": "Write" }, { "CIMType": "String", - "Name": "ProxyExclusionList", + "Name": "EdgeEnhanceImagesEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "ProxyManualAddress", + "Name": "ExtensionInstallBlocklist", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "ProxyManualPort", + "CIMType": "String[]", + "Name": "ExtensionInstallBlocklistDesc", "Option": "Write" }, { "CIMType": "String", - "Name": "ProxySettings", + "Name": "WebSQLAccess", "Option": "Write" }, { "CIMType": "String", - "Name": "Ssid", + "Name": "BasicAuthOverHttpEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "WiFiSecurityType", + "Name": "MicrosoftEdge_HTTPAuthentication_AuthSchemes", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "authschemes", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "NativeMessagingUserLevelHosts", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "InsecurePrivateNetworkRequestsAllowed", + "Option": "Write" + }, + { + "CIMType": "String", + 
"Name": "InternetExplorerModeToolbarButtonEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SmartScreenEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SmartScreenPuaEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PreventSmartScreenPromptOverride", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PreventSmartScreenPromptOverrideForFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SharedArrayBufferUnrestrictedAccessAllowed", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TyposquattingCheckerEnabled", "Option": "Write" }, { @@ -40905,11 +42856,11 @@ ] }, { - "ClassName": "MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile", + "ClassName": "MSFT_IntuneSettingCatalogASRRulesPolicyWindows10", "Parameters": [ { "CIMType": "String", - "Name": "Id", + "Name": "Identity", "Option": "Write" }, { 
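Review bot: `authschemes` breaks the PascalCase used by every other parameter in `MSFT_IntuneSecurityBaselineMicrosoftEdge` and sits directly after `MicrosoftEdge_HTTPAuthentication_AuthSchemes`, which reads as the same setting declared twice; if the first is the enable toggle and the second the list of allowed schemes, a clearer name (or at least a description in the MOF) would stop users from setting the wrong one. Similarly `ExtensionInstallBlocklist` (`String`) and `ExtensionInstallBlocklistDesc` (`String[]`) differ only by a `Desc` suffix although the array is presumably the list of blocked extension IDs, not a description. All of the security-relevant toggles added here (`SmartScreenEnabled`, `SmartScreenPuaEnabled`, `PreventSmartScreenPromptOverride`, `PreventSmartScreenPromptOverrideForFiles`, `BasicAuthOverHttpEnabled`, `SSLErrorOverrideAllowed`, `InsecurePrivateNetworkRequestsAllowed`, `TyposquattingCheckerEnabled`) are typed `String` rather than `Boolean`, so this schema places no constraint on their values; make sure the resource MOF carries the matching `ValueMap` so a misspelled value is rejected at compile time rather than passed through as-is.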
@@ -40923,123 +42874,213 @@ "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConnectAutomatically", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConnectWhenNetworkNameIsHidden", + "CIMType": "String[]", + "Name": "AttackSurfaceReductionOnlyExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "NetworkName", + "Name": "BlockAbuseOfExploitedVulnerableSignedDrivers", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "Ssid", + "Name": "BlockAdobeReaderFromCreatingChildProcesses", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "WiFiSecurityType", + "Name": "BlockAllOfficeApplicationsFromCreatingChildProcesses", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String[]", + "Name": "BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String[]", + "Name": "BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "BlockExecutableContentFromEmailClientAndWebmail", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": 
"BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String[]", + "Name": "BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "BlockExecutionOfPotentiallyObfuscatedScripts", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String[]", + "Name": "BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", "Option": "Write" }, { "CIMType": "String[]", - "Name": "AccessTokens", + "Name": "BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneWifiConfigurationPolicyAndroidForWork", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Id", + "Name": "BlockOfficeApplicationsFromCreatingExecutableContent", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions", + "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "BlockOfficeCommunicationAppFromCreatingChildProcesses", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConnectAutomatically", + "CIMType": "String[]", + "Name": "BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions", "Option": "Write" }, { - "CIMType": "Boolean", - 
"Name": "ConnectWhenNetworkNameIsHidden", + "CIMType": "String", + "Name": "BlockPersistenceThroughWMIEventSubscription", "Option": "Write" }, { "CIMType": "String", - "Name": "NetworkName", + "Name": "BlockProcessCreationsFromPSExecAndWMICommands", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "Ssid", + "Name": "BlockRebootingMachineInSafeMode", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "WiFiSecurityType", + "Name": "BlockUntrustedUnsignedProcessesThatRunFromUSB", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String[]", + "Name": "BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BlockUseOfCopiedOrImpersonatedSystemTools", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BlockWebShellCreationForServers", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockWebshellCreationForServers_ASROnlyPerRuleExclusions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BlockWin32APICallsFromOfficeMacros", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "UseAdvancedProtectionAgainstRansomware", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": 
"ControlledFolderAccessProtectedFolders", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ControlledFolderAccessAllowedApplications", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EnableControlledFolderAccess", "Option": "Write" }, { 
@@ -41085,176 +43126,241 @@ ] }, { - "ClassName": "MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject", + "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationPolicyTemplateReference", "Parameters": [ { "CIMType": "String", - "Name": "Id", + "Name": "TemplateDisplayName", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "TemplateDisplayVersion", + "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "TemplateFamily", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConnectAutomatically", + "CIMType": "String", + "Name": "TemplateId", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationSetting", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "ConnectWhenNetworkNameIsHidden", + "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance", + "Name": "SettingInstance", "Option": "Write" }, { "CIMType": "String", - "Name": "NetworkName", + "Name": "Id", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance", + "Parameters": [ { "CIMType": "String", - "Name": "PreSharedKey", + "Name": "SettingDefinitionId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PreSharedKeyIsSet", + "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstanceTemplateReference", + "Name": "SettingInstanceTemplateReference", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ssid", + "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationChoiceSettingValue[]", + "Name": "ChoiceSettingCollectionValue", "Option": "Write" }, { - "CIMType": "String", - "Name": "WiFiSecurityType", + "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationChoiceSettingValue", + "Name": "ChoiceSettingValue", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": 
"MSFT_MicrosoftGraphDeviceManagementConfigurationGroupSettingValue[]", + "Name": "GroupSettingCollectionValue", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationGroupSettingValue", + "Name": "GroupSettingValue", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSimpleSettingValue[]", + "Name": "SimpleSettingCollectionValue", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSimpleSettingValue", + "Name": "SimpleSettingValue", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "odataType", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstanceTemplateReference", + "Parameters": [ { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "SettingInstanceTemplateId", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationChoiceSettingValue", + "Parameters": [ + { + "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance[]", + "Name": "Children", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "Value", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingValueTemplateReference", + "Name": "SettingValueTemplateReference", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "odataType", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneWifiConfigurationPolicyIOS", + "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingValueTemplateReference", "Parameters": [ { "CIMType": "String", - "Name": "Id", + "Name": 
"settingValueTemplateId", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" - }, + "CIMType": "Boolean", + "Name": "useTemplateDefault", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationGroupSettingValue", + "Parameters": [ { - "CIMType": "String", - "Name": "Description", + "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance[]", + "Name": "Children", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConnectAutomatically", + "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingValueTemplateReference", + "Name": "SettingValueTemplateReference", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConnectWhenNetworkNameIsHidden", + "CIMType": "String", + "Name": "Value", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisableMacAddressRandomization", + "CIMType": "String", + "Name": "odataType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphDeviceManagementConfigurationSimpleSettingValue", + "Parameters": [ + { + "CIMType": "UInt32", + "Name": "IntValue", "Option": "Write" }, { "CIMType": "String", - "Name": "NetworkName", + "Name": "StringValue", "Option": "Write" }, { "CIMType": "String", - "Name": "PreSharedKey", + "Name": "ValueState", "Option": "Write" }, { "CIMType": "String", - "Name": "ProxyAutomaticConfigurationUrl", + "Name": "odataType", "Option": "Write" }, { - "CIMType": "String", - "Name": "ProxyManualAddress", + "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingValueTemplateReference", + "Name": "SettingValueTemplateReference", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "ProxyManualPort", + "CIMType": "MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance[]", + "Name": "Children", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneSettingCatalogCustomPolicyWindows10", + "Parameters": [ + { + "CIMType": "String", + "Name": 
"Description", "Option": "Write" }, { "CIMType": "String", - "Name": "ProxySettings", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Platforms", "Option": "Write" }, { "CIMType": "String", - "Name": "Ssid", + "Name": "Technologies", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphdeviceManagementConfigurationPolicyTemplateReference", + "Name": "TemplateReference", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphdeviceManagementConfigurationSetting[]", + "Name": "Settings", "Option": "Write" }, { "CIMType": "String", - "Name": "WiFiSecurityType", + "Name": "Id", "Option": "Write" }, { @@ -41305,7 +43411,7 @@ ] }, { - "ClassName": "MSFT_IntuneWifiConfigurationPolicyMacOS", + "ClassName": "MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator", "Parameters": [ { "CIMType": "String", @@ -41337,31 +43443,6 @@ "Name": "NetworkName", "Option": "Write" }, - { - "CIMType": "String", - "Name": "PreSharedKey", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "ProxyAutomaticConfigurationUrl", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "ProxyManualAddress", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "ProxyManualPort", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "ProxySettings", - "Option": "Write" - }, { "CIMType": "String", "Name": "Ssid", @@ -41420,7 +43501,7 @@ ] }, { - "ClassName": "MSFT_IntuneWifiConfigurationPolicyWindows10", + "ClassName": "MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner", "Parameters": [ { "CIMType": "String", 
@@ -41442,39 +43523,34 @@ "Name": "ConnectAutomatically", "Option": "Write" }, - { - "CIMType": "Boolean", - "Name": "ConnectToPreferredNetwork", - "Option": "Write" - }, { "CIMType": "Boolean", "Name": "ConnectWhenNetworkNameIsHidden", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ForceFIPSCompliance", + "CIMType": "String", + "Name": "NetworkName", "Option": "Write" }, { "CIMType": "String", - "Name": "MeteredConnectionLimit", + "Name": "PreSharedKey", "Option": "Write" }, { - "CIMType": "String", - "Name": "NetworkName", + "CIMType": "Boolean", + "Name": "PreSharedKeyIsSet", "Option": "Write" }, { "CIMType": "String", - "Name": "PreSharedKey", + "Name": "ProxyAutomaticConfigurationUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "ProxyAutomaticConfigurationUrl", + "Name": "ProxyExclusionList", "Option": "Write" }, { @@ -41489,7 +43565,7 @@ }, { "CIMType": "String", - "Name": "ProxySetting", + "Name": "ProxySettings", "Option": "Write" }, { @@ -41499,7 +43575,7 @@ }, { "CIMType": "String", - "Name": "WifiSecurityType", + "Name": "WiFiSecurityType", "Option": "Write" }, { 
@@ -41550,101 +43626,101 @@ ] }, { - "ClassName": "MSFT_MicrosoftGraphWindowsEnrollmentStatusScreenSettings", + "ClassName": "MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile", "Parameters": [ { - "CIMType": "Boolean", - "Name": "AllowDeviceUseBeforeProfileAndAppInstallComplete", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowDeviceUseOnInstallFailure", + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowLogCollectionOnInstallFailure", + "Name": "ConnectAutomatically", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "BlockDeviceSetupRetryByUser", + "Name": "ConnectWhenNetworkNameIsHidden", "Option": "Write" }, { "CIMType": "String", - "Name": "CustomErrorMessage", + "Name": "NetworkName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "HideInstallationProgress", + "CIMType": "String", + "Name": "Ssid", "Option": "Write" }, - { - "CIMType": "UInt32", - "Name": "InstallProgressTimeoutInMinutes", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphOutOfBoxExperienceSettings", - "Parameters": [ { "CIMType": "String", - "Name": "DeviceUsageType", + "Name": "WiFiSecurityType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "HideEscapeLink", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "HideEULA", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "HidePrivacySettings", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SkipKeyboardSelectionPage", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "UserType", + "Name": "TenantId", "Option": "Write" - } - ] - }, 
- { - "ClassName": "MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined", - "Parameters": [ + }, { - "CIMType": "Boolean", - "Name": "HybridAzureADJoinSkipConnectivityCheck", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "DeviceNameTemplate", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneWifiConfigurationPolicyAndroidForWork", + "Parameters": [ { "CIMType": "String", - "Name": "DeviceType", + "Name": "Id", "Option": "Write" }, { @@ -41653,38 +43729,33 @@ "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "EnableWhiteGlove", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsEnrollmentStatusScreenSettings", - "Name": "EnrollmentStatusScreenSettings", + "CIMType": "Boolean", + "Name": "ConnectAutomatically", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ExtractHardwareHash", + "Name": "ConnectWhenNetworkNameIsHidden", "Option": "Write" }, { "CIMType": "String", - "Name": "Language", + "Name": "NetworkName", "Option": "Write" }, { "CIMType": "String", - "Name": "ManagementServiceAppId", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphoutOfBoxExperienceSettings", - "Name": "OutOfBoxExperienceSettings", + "Name": "Ssid", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "WiFiSecurityType", "Option": "Write" }, { 
@@ -41735,136 +43806,56 @@ ] }, { - "ClassName": "MSFT_MicrosoftGraphWindowsEnrollmentStatusScreenSettings1", + "ClassName": "MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject", "Parameters": [ - { - "CIMType": "Boolean", - "Name": "AllowDeviceUseBeforeProfileAndAppInstallComplete", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "AllowDeviceUseOnInstallFailure", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "AllowLogCollectionOnInstallFailure", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "BlockDeviceSetupRetryByUser", - "Option": "Write" - }, { "CIMType": "String", - "Name": "CustomErrorMessage", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "HideInstallationProgress", + "Name": "Id", "Option": "Write" }, - { - "CIMType": "UInt32", - "Name": "InstallProgressTimeoutInMinutes", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphOutOfBoxExperienceSettings1", - "Parameters": [ { "CIMType": "String", - "Name": "DeviceUsageType", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "HideEscapeLink", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "HideEULA", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "HidePrivacySettings", + "Name": "ConnectAutomatically", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SkipKeyboardSelectionPage", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "UserType", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined", - "Parameters": [ - { - "CIMType": "String", - "Name": "Description", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "DeviceNameTemplate", + "Name": "ConnectWhenNetworkNameIsHidden", "Option": "Write" }, { "CIMType": "String", - "Name": "DeviceType", + "Name": "NetworkName", "Option": "Write" }, { "CIMType": "String", - 
"Name": "DisplayName", - "Option": "Key" - }, - { - "CIMType": "Boolean", - "Name": "EnableWhiteGlove", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphwindowsEnrollmentStatusScreenSettings1", - "Name": "EnrollmentStatusScreenSettings", + "Name": "PreSharedKey", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ExtractHardwareHash", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "Language", + "Name": "PreSharedKeyIsSet", "Option": "Write" }, { "CIMType": "String", - "Name": "ManagementServiceAppId", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphoutOfBoxExperienceSettings1", - "Name": "OutOfBoxExperienceSettings", + "Name": "Ssid", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "WiFiSecurityType", "Option": "Write" }, { 
@@ -41915,325 +43906,325 @@ ] }, { - "ClassName": "MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolledPolicyAssignments", + "ClassName": "MSFT_IntuneWifiConfigurationPolicyIOS", "Parameters": [ { "CIMType": "String", - "Name": "dataType", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "deviceAndAppManagementAssignmentFilterType", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "deviceAndAppManagementAssignmentFilterId", + "Name": "Description", "Option": "Write" }, { - "CIMType": "String", - "Name": "groupId", + "CIMType": "Boolean", + "Name": "ConnectAutomatically", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ConnectWhenNetworkNameIsHidden", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableMacAddressRandomization", "Option": "Write" }, { "CIMType": "String", - "Name": "groupDisplayName", + "Name": "NetworkName", "Option": "Write" }, { "CIMType": "String", - "Name": "collectionId", + "Name": "PreSharedKey", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphWindowsInformationProtectionDataRecoveryCertificate", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Certificate", + "Name": "ProxyAutomaticConfigurationUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "ProxyManualAddress", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "ProxyManualPort", "Option": "Write" }, { "CIMType": "String", - "Name": "ExpirationDateTime", + "Name": "ProxySettings", "Option": "Write" }, { "CIMType": "String", - "Name": "SubjectName", + "Name": "Ssid", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphWindowsInformationProtectionResourceCollection", - "Parameters": [ + }, { "CIMType": "String", - "Name": "DisplayName", + "Name": "WiFiSecurityType", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Resources", + "CIMType": 
"MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphWindowsInformationProtectionIPRangeCollection", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "DisplayName", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphIpRange[]", - "Name": "Ranges", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphIpRange", - "Parameters": [ + }, { "CIMType": "String", - "Name": "CidrAddress", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "LowerAddress", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "UpperAddress", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "odataType", + "Name": "CertificateThumbprint", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphWindowsInformationProtectionProxiedDomainCollection", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "DisplayName", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphProxiedDomain[]", - "Name": "ProxiedDomains", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphProxiedDomain", + "ClassName": "MSFT_IntuneWifiConfigurationPolicyMacOS", "Parameters": [ { "CIMType": "String", - "Name": "IpAddressOrFQDN", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "Proxy", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphWindowsInformationProtectionApp", - "Parameters": [ + }, { "CIMType": "Boolean", - "Name": "Denied", + "Name": "ConnectAutomatically", "Option": "Write" }, { - "CIMType": 
"String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "ConnectWhenNetworkNameIsHidden", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", + "Name": "NetworkName", "Option": "Write" }, { "CIMType": "String", - "Name": "ProductName", + "Name": "PreSharedKey", "Option": "Write" }, { "CIMType": "String", - "Name": "PublisherName", + "Name": "ProxyAutomaticConfigurationUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "BinaryName", + "Name": "ProxyManualAddress", "Option": "Write" }, { - "CIMType": "String", - "Name": "BinaryVersionHigh", + "CIMType": "UInt32", + "Name": "ProxyManualPort", "Option": "Write" }, { "CIMType": "String", - "Name": "BinaryVersionLow", + "Name": "ProxySettings", "Option": "Write" }, { "CIMType": "String", - "Name": "odataType", + "Name": "Ssid", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Id", + "Name": "WiFiSecurityType", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AzureRightsManagementServicesAllowed", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionDataRecoveryCertificate", - "Name": "DataRecoveryCertificate", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "EnforcementLevel", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "EnterpriseDomain", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionResourceCollection[]", - "Name": "EnterpriseInternalProxyServers", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - 
"CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionIPRangeCollection[]", - "Name": "EnterpriseIPRanges", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnterpriseIPRangesAreAuthoritative", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionResourceCollection[]", - "Name": "EnterpriseNetworkDomainNames", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneWifiConfigurationPolicyWindows10", + "Parameters": [ { - "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionResourceCollection[]", - "Name": "EnterpriseProtectedDomainNames", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionProxiedDomainCollection[]", - "Name": "EnterpriseProxiedDomains", - "Option": "Write" + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionResourceCollection[]", - "Name": "EnterpriseProxyServers", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnterpriseProxyServersAreAuthoritative", + "Name": "ConnectAutomatically", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionApp[]", - "Name": "ExemptApps", + "CIMType": "Boolean", + "Name": "ConnectToPreferredNetwork", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IconsVisible", + "Name": "ConnectWhenNetworkNameIsHidden", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IndexingEncryptedStoresOrItemsBlocked", + "Name": "ForceFIPSCompliance", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionResourceCollection[]", - "Name": "NeutralDomainResources", + "CIMType": "String", + "Name": "MeteredConnectionLimit", "Option": "Write" }, { - "CIMType": 
"MSFT_MicrosoftGraphwindowsInformationProtectionApp[]", - "Name": "ProtectedApps", + "CIMType": "String", + "Name": "NetworkName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ProtectionUnderLockConfigRequired", + "CIMType": "String", + "Name": "PreSharedKey", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "RevokeOnUnenrollDisabled", + "CIMType": "String", + "Name": "ProxyAutomaticConfigurationUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "RightsManagementServicesTemplateId", + "Name": "ProxyManualAddress", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionResourceCollection[]", - "Name": "SmbAutoEncryptedFileExtensions", + "CIMType": "UInt32", + "Name": "ProxyManualPort", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "ProxySetting", "Option": "Write" }, { - "CIMType": "MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolledPolicyAssignments[]", + "CIMType": "String", + "Name": "Ssid", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WifiSecurityType", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", "Name": "Assignments", "Option": "Write" }, 
@@ -42280,111 +44271,101 @@ ] }, { - "ClassName": "MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10", + "ClassName": "MSFT_MicrosoftGraphWindowsEnrollmentStatusScreenSettings", "Parameters": [ { - "CIMType": "String", - "Name": "Id", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "AllowDeviceUseBeforeProfileAndAppInstallComplete", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApprovalType", + "CIMType": "Boolean", + "Name": "AllowDeviceUseOnInstallFailure", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "DeploymentDeferralInDays", + "CIMType": "Boolean", + "Name": "AllowLogCollectionOnInstallFailure", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "CIMType": "Boolean", + "Name": "BlockDeviceSetupRetryByUser", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "CustomErrorMessage", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "HideInstallationProgress", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "UInt32", + "Name": "InstallProgressTimeoutInMinutes", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphOutOfBoxExperienceSettings", + "Parameters": [ { "CIMType": "String", - "Name": "ApplicationId", + "Name": "DeviceUsageType", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "HideEscapeLink", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "HideEULA", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "HidePrivacySettings", "Option": "Write" }, { "CIMType": 
"Boolean", - "Name": "ManagedIdentity", + "Name": "SkipKeyboardSelectionPage", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "UserType", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphWindowsUpdateRolloutSettings", + "ClassName": "MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined", "Parameters": [ { - "CIMType": "String", - "Name": "OfferEndDateTimeInUTC", + "CIMType": "Boolean", + "Name": "HybridAzureADJoinSkipConnectivityCheck", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "OfferIntervalInDays", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "OfferStartDateTimeInUTC", + "Name": "DeviceNameTemplate", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Id", + "Name": "DeviceType", "Option": "Write" }, { 
@@ -42393,28 +44374,38 @@ "Option": "Key" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "EnableWhiteGlove", "Option": "Write" }, { - "CIMType": "String", - "Name": "FeatureUpdateVersion", + "CIMType": "MSFT_MicrosoftGraphwindowsEnrollmentStatusScreenSettings", + "Name": "EnrollmentStatusScreenSettings", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "InstallFeatureUpdatesOptional", + "Name": "ExtractHardwareHash", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "InstallLatestWindows10OnWindows11IneligibleDevice", + "CIMType": "String", + "Name": "Language", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsUpdateRolloutSettings", - "Name": "RolloutSettings", + "CIMType": "String", + "Name": "ManagementServiceAppId", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphoutOfBoxExperienceSettings", + "Name": "OutOfBoxExperienceSettings", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { 
@@ -42465,41 +44456,131 @@ ] }, { - "ClassName": "MSFT_MicrosoftGraphExpeditedWindowsQualityUpdateSettings", + "ClassName": "MSFT_MicrosoftGraphWindowsEnrollmentStatusScreenSettings1", "Parameters": [ + { + "CIMType": "Boolean", + "Name": "AllowDeviceUseBeforeProfileAndAppInstallComplete", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowDeviceUseOnInstallFailure", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowLogCollectionOnInstallFailure", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "BlockDeviceSetupRetryByUser", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CustomErrorMessage", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "HideInstallationProgress", + "Option": "Write" + }, { "CIMType": "UInt32", - "Name": "DaysUntilForcedReboot", + "Name": "InstallProgressTimeoutInMinutes", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphOutOfBoxExperienceSettings1", + "Parameters": [ + { + "CIMType": "String", + "Name": "DeviceUsageType", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "HideEscapeLink", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "HideEULA", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "HidePrivacySettings", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SkipKeyboardSelectionPage", "Option": "Write" }, { "CIMType": "String", - "Name": "QualityUpdateRelease", + "Name": "UserType", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10", + "ClassName": "MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined", "Parameters": [ + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceNameTemplate", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceType", + "Option": "Write" + }, { "CIMType": "String", "Name": "DisplayName", "Option": "Key" }, 
+ { + "CIMType": "Boolean", + "Name": "EnableWhiteGlove", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphwindowsEnrollmentStatusScreenSettings1", + "Name": "EnrollmentStatusScreenSettings", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ExtractHardwareHash", + "Option": "Write" + }, { "CIMType": "String", - "Name": "Description", + "Name": "Language", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphexpeditedWindowsQualityUpdateSettings", - "Name": "ExpeditedUpdateSettings", + "CIMType": "String", + "Name": "ManagementServiceAppId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "CIMType": "MSFT_MicrosoftGraphoutOfBoxExperienceSettings1", + "Name": "OutOfBoxExperienceSettings", "Option": "Write" }, { 
@@ -42555,216 +44636,316 @@ ] }, { - "ClassName": "MSFT_MicrosoftGraphWindowsUpdateInstallScheduleType", + "ClassName": "MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolledPolicyAssignments", "Parameters": [ { "CIMType": "String", - "Name": "ActiveHoursEnd", + "Name": "dataType", "Option": "Write" }, { "CIMType": "String", - "Name": "ActiveHoursStart", + "Name": "deviceAndAppManagementAssignmentFilterType", "Option": "Write" }, { "CIMType": "String", - "Name": "ScheduledInstallDay", + "Name": "deviceAndAppManagementAssignmentFilterId", "Option": "Write" }, { "CIMType": "String", - "Name": "ScheduledInstallTime", + "Name": "groupId", "Option": "Write" }, { "CIMType": "String", - "Name": "odataType", + "Name": "groupDisplayName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "collectionId", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10", + "ClassName": "MSFT_MicrosoftGraphWindowsInformationProtectionDataRecoveryCertificate", "Parameters": [ { "CIMType": "String", - "Name": "Id", + "Name": "Certificate", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "Description", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowWindows11Upgrade", + "CIMType": "String", + "Name": "ExpirationDateTime", "Option": "Write" }, { "CIMType": "String", - "Name": "AutomaticUpdateMode", + "Name": "SubjectName", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindowsInformationProtectionResourceCollection", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", "Option": "Write" }, + { + "CIMType": "String[]", + "Name": "Resources", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindowsInformationProtectionIPRangeCollection", + "Parameters": [ { "CIMType": "String", - "Name": "AutoRestartNotificationDismissal", + "Name": "DisplayName", "Option": "Write" }, + { + "CIMType": 
"MSFT_MicrosoftGraphIpRange[]", + "Name": "Ranges", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphIpRange", + "Parameters": [ { "CIMType": "String", - "Name": "BusinessReadyUpdatesOnly", + "Name": "CidrAddress", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "DeadlineForFeatureUpdatesInDays", + "CIMType": "String", + "Name": "LowerAddress", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "DeadlineForQualityUpdatesInDays", + "CIMType": "String", + "Name": "UpperAddress", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "DeadlineGracePeriodInDays", + "CIMType": "String", + "Name": "odataType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindowsInformationProtectionProxiedDomainCollection", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", "Option": "Write" }, + { + "CIMType": "MSFT_MicrosoftGraphProxiedDomain[]", + "Name": "ProxiedDomains", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphProxiedDomain", + "Parameters": [ { "CIMType": "String", - "Name": "DeliveryOptimizationMode", + "Name": "IpAddressOrFQDN", "Option": "Write" }, + { + "CIMType": "String", + "Name": "Proxy", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindowsInformationProtectionApp", + "Parameters": [ { "CIMType": "Boolean", - "Name": "DriversExcluded", + "Name": "Denied", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "EngagedRestartDeadlineInDays", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "EngagedRestartSnoozeScheduleInDays", + "CIMType": "String", + "Name": "DisplayName", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "EngagedRestartTransitionScheduleInDays", + "CIMType": "String", + "Name": "ProductName", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "FeatureUpdatesDeferralPeriodInDays", + "CIMType": "String", + "Name": "PublisherName", "Option": "Write" }, { 
- "CIMType": "Boolean", - "Name": "FeatureUpdatesPaused", + "CIMType": "String", + "Name": "BinaryName", "Option": "Write" }, { "CIMType": "String", - "Name": "FeatureUpdatesPauseExpiryDateTime", + "Name": "BinaryVersionHigh", "Option": "Write" }, { "CIMType": "String", - "Name": "FeatureUpdatesPauseStartDate", + "Name": "BinaryVersionLow", "Option": "Write" }, { "CIMType": "String", - "Name": "FeatureUpdatesRollbackStartDateTime", + "Name": "odataType", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled", + "Parameters": [ { - "CIMType": "UInt32", - "Name": "FeatureUpdatesRollbackWindowInDays", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsUpdateInstallScheduleType", - "Name": "InstallationSchedule", - "Option": "Write" + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "Boolean", - "Name": "MicrosoftUpdateServiceAllowed", + "Name": "AzureRightsManagementServicesAllowed", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PostponeRebootUntilAfterDeadline", + "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionDataRecoveryCertificate", + "Name": "DataRecoveryCertificate", "Option": "Write" }, { "CIMType": "String", - "Name": "PrereleaseFeatures", + "Name": "EnforcementLevel", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "QualityUpdatesDeferralPeriodInDays", + "CIMType": "String", + "Name": "EnterpriseDomain", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionResourceCollection[]", + "Name": "EnterpriseInternalProxyServers", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionIPRangeCollection[]", + "Name": "EnterpriseIPRanges", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "QualityUpdatesPaused", + "Name": "EnterpriseIPRangesAreAuthoritative", "Option": "Write" }, { - "CIMType": "String", - "Name": 
"QualityUpdatesPauseExpiryDateTime", + "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionResourceCollection[]", + "Name": "EnterpriseNetworkDomainNames", "Option": "Write" }, { - "CIMType": "String", - "Name": "QualityUpdatesPauseStartDate", + "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionResourceCollection[]", + "Name": "EnterpriseProtectedDomainNames", "Option": "Write" }, { - "CIMType": "String", - "Name": "QualityUpdatesRollbackStartDateTime", + "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionProxiedDomainCollection[]", + "Name": "EnterpriseProxiedDomains", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "ScheduleImminentRestartWarningInMinutes", + "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionResourceCollection[]", + "Name": "EnterpriseProxyServers", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "ScheduleRestartWarningInHours", + "CIMType": "Boolean", + "Name": "EnterpriseProxyServersAreAuthoritative", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionApp[]", + "Name": "ExemptApps", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SkipChecksBeforeRestart", + "Name": "IconsVisible", "Option": "Write" }, { - "CIMType": "String", - "Name": "UpdateNotificationLevel", + "CIMType": "Boolean", + "Name": "IndexingEncryptedStoresOrItemsBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "UpdateWeeks", + "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionResourceCollection[]", + "Name": "NeutralDomainResources", "Option": "Write" }, { - "CIMType": "String", - "Name": "UserPauseAccess", + "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionApp[]", + "Name": "ProtectedApps", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ProtectionUnderLockConfigRequired", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RevokeOnUnenrollDisabled", "Option": "Write" }, { "CIMType": "String", - "Name": 
"UserWindowsUpdateScanAccess", + "Name": "RightsManagementServicesTemplateId", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphwindowsInformationProtectionResourceCollection[]", + "Name": "SmbAutoEncryptedFileExtensions", "Option": "Write" }, { @@ -42773,7 +44954,7 @@ "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "CIMType": "MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolledPolicyAssignments[]", "Name": "Assignments", "Option": "Write" }, @@ -42820,21 +45001,46 @@ ] }, { - "ClassName": "MSFT_M365DSCRuleEvaluation", + "ClassName": "MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10", "Parameters": [ { "CIMType": "String", - "Name": "ResourceName", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", "Option": "Key" }, { "CIMType": "String", - "Name": "RuleDefinition", - "Option": "Required" + "Name": "Description", + "Option": "Write" }, { "CIMType": "String", - "Name": "AfterRuleCountQuery", + "Name": "ApprovalType", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "DeploymentDeferralInDays", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { 
@@ -42875,86 +45081,66 @@ ] }, { - "ClassName": "MSFT_O365AdminAuditLogConfig", + "ClassName": "MSFT_MicrosoftGraphWindowsUpdateRolloutSettings", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", - "Option": "Key" - }, - { - "CIMType": "string", - "Name": "Ensure", + "Name": "OfferEndDateTimeInUTC", "Option": "Write" }, { - "CIMType": "string", - "Name": "UnifiedAuditLogIngestionEnabled", - "Option": "Required" - }, - { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "UInt32", + "Name": "OfferIntervalInDays", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "OfferStartDateTimeInUTC", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10", + "Parameters": [ { "CIMType": "String", - "Name": "TenantId", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "FeatureUpdateVersion", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AccessTokens", + "Name": "InstallFeatureUpdatesOptional", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_O365ExternalConnection", - "Parameters": [ - { - "CIMType": "String", - "Name": "Name", - "Option": "Key" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "Boolean", + "Name": "InstallLatestWindows10OnWindows11IneligibleDevice", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "MSFT_MicrosoftGraphwindowsUpdateRolloutSettings", + "Name": "RolloutSettings", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AuthorizedAppIds", + "CIMType": 
"MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { @@ -42977,6 +45163,11 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", @@ -42995,31 +45186,51 @@ ] }, { - "ClassName": "MSFT_O365Group", + "ClassName": "MSFT_MicrosoftGraphExpeditedWindowsQualityUpdateSettings", "Parameters": [ { - "CIMType": "string", - "Name": "DisplayName", - "Option": "Key" - }, - { - "CIMType": "string", - "Name": "MailNickName", - "Option": "Key" + "CIMType": "UInt32", + "Name": "DaysUntilForcedReboot", + "Option": "Write" }, { - "CIMType": "string[]", - "Name": "ManagedBy", + "CIMType": "String", + "Name": "QualityUpdateRelease", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "string", + "CIMType": "String", "Name": "Description", "Option": "Write" }, { - "CIMType": "string[]", - "Name": "Members", + "CIMType": "MSFT_MicrosoftGraphexpeditedWindowsQualityUpdateSettings", + "Name": "ExpeditedUpdateSettings", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { 
@@ -43065,196 +45276,231 @@ ] }, { - "ClassName": "MSFT_O365OrgCustomizationSetting", + "ClassName": "MSFT_MicrosoftGraphWindowsUpdateInstallScheduleType", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", - "Option": "Key" + "Name": "ActiveHoursEnd", + "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "ActiveHoursStart", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "ScheduledInstallDay", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "ScheduledInstallTime", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "odataType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "AllowWindows11Upgrade", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "String", + "Name": "AutomaticUpdateMode", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "AutoRestartNotificationDismissal", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "BusinessReadyUpdatesOnly", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_O365OrgSettings", - "Parameters": [ + }, + { + "CIMType": "UInt32", + "Name": "DeadlineForFeatureUpdatesInDays", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "DeadlineForQualityUpdatesInDays", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "DeadlineGracePeriodInDays", + "Option": "Write" + }, { "CIMType": "String", - "Name": "IsSingleInstance", - "Option": "Key" + "Name": "DeliveryOptimizationMode", + "Option": "Write" }, { "CIMType": "Boolean", 
- "Name": "AppsAndServicesIsAppAndServicesTrialEnabled", + "Name": "DriversExcluded", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AppsAndServicesIsOfficeStoreEnabled", + "CIMType": "UInt32", + "Name": "EngagedRestartDeadlineInDays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "CortanaEnabled", + "CIMType": "UInt32", + "Name": "EngagedRestartSnoozeScheduleInDays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DynamicsCustomerVoiceIsInOrgFormsPhishingScanEnabled", + "CIMType": "UInt32", + "Name": "EngagedRestartTransitionScheduleInDays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DynamicsCustomerVoiceIsRecordIdentityByDefaultEnabled", + "CIMType": "UInt32", + "Name": "FeatureUpdatesDeferralPeriodInDays", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DynamicsCustomerVoiceIsRestrictedSurveyAccessEnabled", + "Name": "FeatureUpdatesPaused", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FormsIsBingImageSearchEnabled", + "CIMType": "String", + "Name": "FeatureUpdatesPauseExpiryDateTime", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FormsIsExternalSendFormEnabled", + "CIMType": "String", + "Name": "FeatureUpdatesPauseStartDate", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FormsIsExternalShareCollaborationEnabled", + "CIMType": "String", + "Name": "FeatureUpdatesRollbackStartDateTime", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FormsIsExternalShareResultEnabled", + "CIMType": "UInt32", + "Name": "FeatureUpdatesRollbackWindowInDays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FormsIsExternalShareTemplateEnabled", + "CIMType": "MSFT_MicrosoftGraphwindowsUpdateInstallScheduleType", + "Name": "InstallationSchedule", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FormsIsInOrgFormsPhishingScanEnabled", + "Name": "MicrosoftUpdateServiceAllowed", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FormsIsRecordIdentityByDefaultEnabled", + 
"Name": "PostponeRebootUntilAfterDeadline", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "M365WebEnableUsersToOpenFilesFrom3PStorage", + "CIMType": "String", + "Name": "PrereleaseFeatures", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MicrosoftVivaBriefingEmail", + "CIMType": "UInt32", + "Name": "QualityUpdatesDeferralPeriodInDays", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "VivaInsightsWebExperience", + "Name": "QualityUpdatesPaused", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "VivaInsightsDigestEmail", + "CIMType": "String", + "Name": "QualityUpdatesPauseExpiryDateTime", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "VivaInsightsOutlookAddInAndInlineSuggestions", + "CIMType": "String", + "Name": "QualityUpdatesPauseStartDate", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "VivaInsightsScheduleSendSuggestions", + "CIMType": "String", + "Name": "QualityUpdatesRollbackStartDateTime", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PlannerAllowCalendarSharing", + "CIMType": "UInt32", + "Name": "ScheduleImminentRestartWarningInMinutes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ToDoIsExternalJoinEnabled", + "CIMType": "UInt32", + "Name": "ScheduleRestartWarningInHours", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ToDoIsExternalShareEnabled", + "Name": "SkipChecksBeforeRestart", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ToDoIsPushNotificationEnabled", + "CIMType": "String", + "Name": "UpdateNotificationLevel", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AdminCenterReportDisplayConcealedNames", + "CIMType": "String", + "Name": "UpdateWeeks", "Option": "Write" }, { "CIMType": "String", - "Name": "InstallationOptionsUpdateChannel", + "Name": "UserPauseAccess", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "InstallationOptionsAppsForWindows", + "CIMType": "String", + "Name": "UserWindowsUpdateScanAccess", "Option": 
"Write" }, { - "CIMType": "String[]", - "Name": "InstallationOptionsAppsForMac", + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { @@ -43295,36 +45541,51 @@ ] }, { - "ClassName": "MSFT_O365SearchAndIntelligenceConfigurations", + "ClassName": "MSFT_M365DSCRuleEvaluation", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", + "Name": "ResourceName", "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "ItemInsightsIsEnabledInOrganization", - "Option": "Write" + "CIMType": "String", + "Name": "RuleDefinition", + "Option": "Required" }, { "CIMType": "String", - "Name": "ItemInsightsDisabledForGroup", + "Name": "AfterRuleCountQuery", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PersonInsightsIsEnabledInOrganization", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "PersonInsightsDisabledForGroup", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "MSFT_Credential", - "Name": "Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { 
@@ -43335,80 +45596,90 @@ ] }, { - "ClassName": "MSFT_ODSettings", + "ClassName": "MSFT_O365AdminAuditLogConfig", "Parameters": [ { - "CIMType": "string", + "CIMType": "String", "Name": "IsSingleInstance", "Option": "Key" }, { - "CIMType": "uint32", - "Name": "OneDriveStorageQuota", - "Option": "Write" - }, - { - "CIMType": "uint32", - "Name": "OrphanedPersonalSitesRetentionPeriod", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OneDriveForGuestsEnabled", - "Option": "Write" + "CIMType": "string", + "Name": "UnifiedAuditLogIngestionEnabled", + "Option": "Required" }, { - "CIMType": "Boolean", - "Name": "NotifyOwnersWhenInvitationsAccepted", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "NotificationsInOneDriveForBusinessEnabled", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "ODBMembersCanShare", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "ODBAccessRequests", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BlockMacSync", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisableReportProblemDialog", + "CIMType": "String", + "Name": "CertificatePath", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "TenantRestrictionEnabled", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "DomainGuids", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_O365ExternalConnection", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" }, { - "CIMType": "String[]", - "Name": "ExcludedFileExtensions", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "GrooveBlockOption", + "Name": "Description", "Option": "Write" }, { - 
"CIMType": "String", + "CIMType": "String[]", + "Name": "AuthorizedAppIds", + "Option": "Write" + }, + { + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, @@ -43427,16 +45698,6 @@ "Name": "TenantId", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CertificatePath", - "Option": "Write" - }, { "CIMType": "String", "Name": "CertificateThumbprint", @@ -43455,25 +45716,35 @@ ] }, { - "ClassName": "MSFT_PlannerBucket", + "ClassName": "MSFT_O365Group", "Parameters": [ { "CIMType": "string", - "Name": "Name", + "Name": "DisplayName", "Option": "Key" }, { "CIMType": "string", - "Name": "PlanId", + "Name": "MailNickName", "Option": "Key" }, + { + "CIMType": "string[]", + "Name": "ManagedBy", + "Option": "Write" + }, { "CIMType": "string", - "Name": "BucketId", + "Name": "Description", "Option": "Write" }, { - "CIMType": "String", + "CIMType": "string[]", + "Name": "Members", + "Option": "Write" + }, + { + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, @@ -43506,20 +45777,20 @@ "CIMType": "Boolean", "Name": "ManagedIdentity", "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" } ] }, { - "ClassName": "MSFT_PlannerPlan", + "ClassName": "MSFT_O365OrgCustomizationSetting", "Parameters": [ { - "CIMType": "string", - "Name": "Title", - "Option": "Key" - }, - { - "CIMType": "string", - "Name": "OwnerGroup", + "CIMType": "String", + "Name": "IsSingleInstance", "Option": "Key" }, { 
@@ -43542,194 +45813,169 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, { "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "Name": "CertificatePassword", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "CertificatePath", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" } ] }, { - "ClassName": "MSFT_PlannerTaskAttachment", + "ClassName": "MSFT_O365OrgSettings", "Parameters": [ { "CIMType": "String", - "Name": "Alias", - "Option": "Write" + "Name": "IsSingleInstance", + "Option": "Key" }, { - "CIMType": "String", - "Name": "Uri", + "CIMType": "Boolean", + "Name": "AppsAndServicesIsAppAndServicesTrialEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "Type", + "CIMType": "Boolean", + "Name": "AppsAndServicesIsOfficeStoreEnabled", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_PlannerTaskChecklistItem", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "Title", + "CIMType": "Boolean", + "Name": "CortanaEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "Completed", + "CIMType": "Boolean", + "Name": "DynamicsCustomerVoiceIsInOrgFormsPhishingScanEnabled", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_PlannerTask", - "Parameters": [ - { - "CIMType": "string", - "Name": "PlanId", - "Option": "Key" }, { - "CIMType": "string", - "Name": "Title", - "Option": "Key" + "CIMType": "Boolean", + "Name": "DynamicsCustomerVoiceIsRecordIdentityByDefaultEnabled", + "Option": "Write" }, { - "CIMType": "string[]", - "Name": "Categories", + "CIMType": "Boolean", + "Name": "DynamicsCustomerVoiceIsRestrictedSurveyAccessEnabled", "Option": "Write" }, { - "CIMType": "string[]", - "Name": "AssignedUsers", + "CIMType": "Boolean", + "Name": "FormsIsBingImageSearchEnabled", "Option": "Write" }, { - "CIMType": 
"MSFT_PlannerTaskAttachment[]", - "Name": "Attachments", + "CIMType": "Boolean", + "Name": "FormsIsExternalSendFormEnabled", "Option": "Write" }, { - "CIMType": "MSFT_PlannerTaskChecklistItem[]", - "Name": "Checklist", + "CIMType": "Boolean", + "Name": "FormsIsExternalShareCollaborationEnabled", "Option": "Write" }, { - "CIMType": "string", - "Name": "Notes", + "CIMType": "Boolean", + "Name": "FormsIsExternalShareResultEnabled", "Option": "Write" }, { - "CIMType": "string", - "Name": "Bucket", + "CIMType": "Boolean", + "Name": "FormsIsExternalShareTemplateEnabled", "Option": "Write" }, { - "CIMType": "string", - "Name": "TaskId", + "CIMType": "Boolean", + "Name": "FormsIsInOrgFormsPhishingScanEnabled", "Option": "Write" }, { - "CIMType": "string", - "Name": "StartDateTime", + "CIMType": "Boolean", + "Name": "FormsIsRecordIdentityByDefaultEnabled", "Option": "Write" }, { - "CIMType": "string", - "Name": "DueDateTime", + "CIMType": "Boolean", + "Name": "M365WebEnableUsersToOpenFilesFrom3PStorage", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PercentComplete", + "CIMType": "Boolean", + "Name": "MicrosoftVivaBriefingEmail", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "Priority", + "CIMType": "Boolean", + "Name": "VivaInsightsWebExperience", "Option": "Write" }, { - "CIMType": "String", - "Name": "ConversationThreadId", + "CIMType": "Boolean", + "Name": "VivaInsightsDigestEmail", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "VivaInsightsOutlookAddInAndInlineSuggestions", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "VivaInsightsScheduleSendSuggestions", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "PlannerAllowCalendarSharing", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "ToDoIsExternalJoinEnabled", 
"Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "ToDoIsExternalShareEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "ToDoIsPushNotificationEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "AdminCenterReportDisplayConcealedNames", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_PPAdminDLPPolicy", - "Parameters": [ - { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" }, { "CIMType": "String", - "Name": "PolicyName", + "Name": "InstallationOptionsUpdateChannel", "Option": "Write" }, { "CIMType": "String[]", - "Name": "Environments", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "FilterType", + "Name": "InstallationOptionsAppsForWindows", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String[]", + "Name": "InstallationOptionsAppsForMac", "Option": "Write" }, { 
@@ -43748,9 +45994,484 @@ "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_O365SearchAndIntelligenceConfigurations", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "ItemInsightsIsEnabledInOrganization", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ItemInsightsDisabledForGroup", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "PersonInsightsIsEnabledInOrganization", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PersonInsightsDisabledForGroup", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_ODSettings", + "Parameters": [ + { + "CIMType": "string", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "uint32", + "Name": "OneDriveStorageQuota", + "Option": "Write" + }, + { + "CIMType": "uint32", + "Name": "OrphanedPersonalSitesRetentionPeriod", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "OneDriveForGuestsEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "NotifyOwnersWhenInvitationsAccepted", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "NotificationsInOneDriveForBusinessEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ODBMembersCanShare", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ODBAccessRequests", + "Option": "Write" + }, + 
{ + "CIMType": "Boolean", + "Name": "BlockMacSync", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableReportProblemDialog", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "TenantRestrictionEnabled", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DomainGuids", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExcludedFileExtensions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "GrooveBlockOption", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PlannerBucket", + "Parameters": [ + { + "CIMType": "string", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "string", + "Name": "PlanId", + "Option": "Key" + }, + { + "CIMType": "string", + "Name": "BucketId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + 
"Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PlannerPlan", + "Parameters": [ + { + "CIMType": "string", + "Name": "Title", + "Option": "Key" + }, + { + "CIMType": "string", + "Name": "OwnerGroup", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PlannerTaskAttachment", + "Parameters": [ + { + "CIMType": "String", + "Name": "Alias", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Uri", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Type", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PlannerTaskChecklistItem", + "Parameters": [ + { + "CIMType": "String", + "Name": "Title", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Completed", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PlannerTask", + "Parameters": [ + { + "CIMType": "string", + "Name": "PlanId", + "Option": "Key" + }, + { + "CIMType": "string", + "Name": "Title", + "Option": "Key" + }, + { + "CIMType": "string[]", + "Name": "Categories", + "Option": "Write" + }, + { + "CIMType": "string[]", + "Name": "AssignedUsers", + "Option": "Write" + }, + { + "CIMType": "MSFT_PlannerTaskAttachment[]", + "Name": "Attachments", + "Option": "Write" + }, + { + "CIMType": "MSFT_PlannerTaskChecklistItem[]", + "Name": "Checklist", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": 
"Notes", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Bucket", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "TaskId", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "StartDateTime", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "DueDateTime", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PercentComplete", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "Priority", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ConversationThreadId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PPAdminDLPPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "PolicyName", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Environments", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FilterType", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" }, { "CIMType": "Boolean", 
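Review bot: the Planner classes MSFT_PlannerBucket, MSFT_PlannerPlan and MSFT_PlannerTask expose an ApplicationSecret parameter but no AccessTokens, CertificatePath or CertificatePassword, whereas the class immediately above them in the same hunk lists CertificatePassword, CertificatePath, ManagedIdentity and AccessTokens; if Planner is meant to support the same authentication options as the rest of the module, add the missing parameters, otherwise document the restriction. The CIMType casing is also mixed within these classes ("string" for Name/PlanId/BucketId, "String" for Ensure/ApplicationId); pick one spelling for the generated file.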
@@ -47904,156 +50625,706 @@ } ] }, - { - "ClassName": "MSFT_SCLabelSetting", - "Parameters": [ - { - "CIMType": "String", - "Name": "Key", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "Value", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_SCLabelPolicy", - "Parameters": [ - { - "CIMType": "String", - "Name": "Name", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "Ensure", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "Comment", - "Option": "Write" - }, - { - "CIMType": "MSFT_SCLabelSetting[]", - "Name": "AdvancedSettings", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "ExchangeLocation", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "ExchangeLocationException", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "ModernGroupLocation", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "ModernGroupLocationException", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "Labels", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AddExchangeLocation", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AddExchangeLocationException", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AddModernGroupLocation", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AddModernGroupLocationException", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AddLabels", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "RemoveExchangeLocation", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "RemoveExchangeLocationException", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "RemoveModernGroupLocation", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "RemoveModernGroupLocationException", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "RemoveLabels", - "Option": "Write" - }, - { - "CIMType": "MSFT_Credential", - 
"Name": "Credential", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "ApplicationId", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "TenantId", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" - }, - { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CertificatePath", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, + { + "ClassName": "MSFT_SCLabelSetting", + "Parameters": [ + { + "CIMType": "String", + "Name": "Key", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Value", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SCLabelPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Comment", + "Option": "Write" + }, + { + "CIMType": "MSFT_SCLabelSetting[]", + "Name": "AdvancedSettings", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExchangeLocation", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExchangeLocationException", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ModernGroupLocation", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ModernGroupLocationException", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Labels", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AddExchangeLocation", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AddExchangeLocationException", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AddModernGroupLocation", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AddModernGroupLocationException", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AddLabels", + "Option": 
"Write" + }, + { + "CIMType": "String[]", + "Name": "RemoveExchangeLocation", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RemoveExchangeLocationException", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RemoveModernGroupLocation", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RemoveModernGroupLocationException", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RemoveLabels", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigApp", + "Parameters": [ + { + "CIMType": "String", + "Name": "Value", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Executable", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigStorageAccount", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BlobUri", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigSiteGroupAddress", + "Parameters": [ + { + "CIMType": "String", + "Name": "MatchType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Url", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AddressLower", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AddressUpper", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigDLPSiteGroups", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", 
+ "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigSiteGroupAddress[]", + "Name": "addresses", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigRemovableMedia", + "Parameters": [ + { + "CIMType": "String", + "Name": "deviceId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "removableMediaVID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "alias", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "removableMediaPID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "instancePathId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "serialNumberId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "hardwareId", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigDLPRemovableMediaGroups", + "Parameters": [ + { + "CIMType": "String", + "Name": "groupName", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigRemovableMedia[]", + "Name": "removableMedia", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigIPRange", + "Parameters": [ + { + "CIMType": "String", + "Name": "fromAddress", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "toAddress", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigPrinter", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "universalPrinter", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "usbPrinter", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "usbPrinterId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "alias", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "usbPrinterVID", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigIPRange", + "Name": "ipRange", + 
"Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "corporatePrinter", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "printToLocal", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "printToFile", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigDLPNetworkShareGroups", + "Parameters": [ + { + "CIMType": "String", + "Name": "groupName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "groupId", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "networkPaths", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigDLPApp", + "Parameters": [ + { + "CIMType": "String", + "Name": "ExecutableName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Quarantine", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigDLPAppGroups", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigDLPApp[]", + "Name": "Apps", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigEvidenceStoreSettings", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "FileEvidenceIsEnabled", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "NumberOfDaysToRetain", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigStorageAccount[]", + "Name": "StorageAccounts", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Store", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigBusinessJustificationList", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "justificationText", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Enable", + 
"Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigDLPPrinterGroups", + "Parameters": [ + { + "CIMType": "String", + "Name": "groupName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "groupId", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigPrinter[]", + "Name": "printers", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigQuarantineParameters", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "EnableQuarantineForCloudSyncApps", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "QuarantinePath", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MacQuarantinePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ShouldReplaceFile", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FileReplacementText", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SCPolicyConfig", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "AdvancedClassificationEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AuditFileActivity", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "BandwidthLimitEnabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigBusinessJustificationList[]", + "Name": "BusinessJustificationList", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CloudAppMode", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "CloudAppRestrictionList", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "CustomBusinessJustificationNotification", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "DailyBandwidthLimitInMB", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigDLPAppGroups[]", + "Name": "DLPAppGroups", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigDLPNetworkShareGroups[]", + "Name": "DLPNetworkShareGroups", + "Option": "Write" + }, + { 
+ "CIMType": "MSFT_PolicyConfigDLPPrinterGroups[]", + "Name": "DLPPrinterGroups", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigDLPRemovableMediaGroups[]", + "Name": "DLPRemovableMediaGroups", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IncludePredefinedUnallowedBluetoothApps", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "MacDefaultPathExclusionsEnabled", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "MacPathExclusion", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "NetworkPathEnforcementEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "NetworkPathExclusion", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "PathExclusion", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "serverDlpEnabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigEvidenceStoreSettings", + "Name": "EvidenceStoreSettings", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigDLPSiteGroups[]", + "Name": "SiteGroups", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigApp[]", + "Name": "UnallowedApp", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigApp[]", + "Name": "UnallowedCloudSyncApp", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigApp[]", + "Name": "UnallowedBluetoothApp", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigApp[]", + "Name": "UnallowedBrowser", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigQuarantineParameters", + "Name": "QuarantineParameters", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "VPNSettings", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableLabelCoauth", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableSpoAipMigration", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + 
"Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_SCProtectionAlert", "Parameters": [ 
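Review bot: MSFT_SCLabelSetting and MSFT_SCLabelPolicy are deleted and re-added with byte-identical content, so most of this hunk is reorder noise around the genuinely new MSFT_PolicyConfig* and MSFT_SCPolicyConfig classes; if this file is generated, confirm the generator orders classes deterministically so the next run does not shuffle them back. In MSFT_SCPolicyConfig, NetworkPathExclusion is typed String while PathExclusion and MacPathExclusion are String[], and serverDlpEnabled is the only camelCase name among PascalCase siblings (the nested classes such as MSFT_PolicyConfigRemovableMedia use lowercase names throughout, e.g. deviceId, groupName, addresses); confirm the type against the resource's schema.mof and align the casing, since these names become the property names users write in their configurations.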
@@ -54654,102 +57925,107 @@ }, { "CIMType": "Boolean", - "Name": "AllowChannelMeetingScheduling", + "Name": "AllowAnnotations", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowMeetNow", + "Name": "AllowAnonymousUsersToDialOut", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowPrivateMeetNow", + "Name": "AllowAnonymousUsersToJoinMeeting", "Option": "Write" }, { - "CIMType": "String", - "Name": "MeetingChatEnabledType", + "CIMType": "Boolean", + "Name": "AllowAnonymousUsersToStartMeeting", "Option": "Write" }, { "CIMType": "String", - "Name": "LiveCaptionsEnabledType", + "Name": "AllowCartCaptionsScheduling", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowIPAudio", + "Name": "AllowChannelMeetingScheduling", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowIPVideo", + "Name": "AllowCloudRecording", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowEngagementReport", + "Name": "AllowDocumentCollaboration", "Option": "Write" }, { "CIMType": "String", - "Name": "IPAudioMode", + "Name": "AllowedStreamingMediaInput", "Option": "Write" }, { "CIMType": "String", - "Name": "IPVideoMode", + "Name": "AllowEngagementReport", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowAnonymousUsersToDialOut", + "Name": "AllowExternalParticipantGiveRequestControl", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowAnonymousUsersToStartMeeting", + "Name": "AllowIPAudio", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowPrivateMeetingScheduling", + "Name": "AllowIPVideo", "Option": "Write" }, { - "CIMType": "String", - "Name": "AutoAdmittedUsers", + "CIMType": "Boolean", + "Name": "AllowMeetingCoach", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowPSTNUsersToBypassLobby", + "Name": "AllowMeetingReactions", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowCloudRecording", + "Name": "AllowMeetingRegistration", "Option": "Write" }, { "CIMType": "Boolean", - "Name": 
"AllowRecordingStorageOutsideRegion", + "Name": "AllowMeetNow", "Option": "Write" }, { - "CIMType": "String", - "Name": "DesignatedPresenterRoleMode", + "CIMType": "Boolean", + "Name": "AllowNDIStreaming", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowOutlookAddIn", + "Name": "AllowNetworkConfigurationSettingsLookup", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowPowerPointSharing", + "Name": "AllowOrganizersToOverrideLobbySettings", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowOutlookAddIn", "Option": "Write" }, { 
@@ -54759,182 +58035,192 @@ }, { "CIMType": "Boolean", - "Name": "AllowExternalParticipantGiveRequestControl", + "Name": "AllowPowerPointSharing", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowSharedNotes", + "Name": "AllowPrivateMeetingScheduling", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowWhiteboard", + "Name": "AllowPrivateMeetNow", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowTranscription", + "Name": "AllowPSTNUsersToBypassLobby", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MediaBitRateKb", + "CIMType": "Boolean", + "Name": "AllowRecordingStorageOutsideRegion", "Option": "Write" }, { - "CIMType": "String", - "Name": "ScreenSharingMode", + "CIMType": "Boolean", + "Name": "AllowSharedNotes", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowTranscription", "Option": "Write" }, { "CIMType": "String", - "Name": "VideoFiltersMode", + "Name": "AllowUserToJoinExternalMeeting", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowOrganizersToOverrideLobbySettings", + "Name": "AllowWatermarkForCameraVideo", "Option": "Write" }, { - "CIMType": "String", - "Name": "PreferredMeetingProviderForIslandsMode", + "CIMType": "Boolean", + "Name": "AllowWatermarkForScreenSharing", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowNDIStreaming", + "Name": "AllowWhiteboard", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowUserToJoinExternalMeeting", + "Name": "AttendeeIdentityMasking", "Option": "Write" }, { "CIMType": "String", - "Name": "EnrollUserOverride", + "Name": "AutoAdmittedUsers", "Option": "Write" }, { "CIMType": "String", - "Name": "RoomAttributeUserOverride", + "Name": "AutomaticallyStartCopilot", "Option": "Write" }, { "CIMType": "String", - "Name": "StreamingAttendeeMode", + "Name": "AutoRecording", "Option": "Write" }, { "CIMType": "String", - "Name": "TeamsCameraFarEndPTZMode", + "Name": "BlockedAnonymousJoinClientTypes", "Option": "Write" }, { - 
"CIMType": "Boolean", - "Name": "AllowMeetingReactions", + "CIMType": "String", + "Name": "ChannelRecordingDownload", "Option": "Write" }, { "CIMType": "String", - "Name": "WhoCanRegister", + "Name": "ConnectToMeetingControls", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowAnnotations", + "CIMType": "String", + "Name": "ContentSharingInExternalMeetings", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowAnonymousUsersToJoinMeeting", + "CIMType": "String", + "Name": "Copilot", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowMeetingCoach", + "Name": "CopyRestriction", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowMeetingRegistration", + "CIMType": "String", + "Name": "DesignatedPresenterRoleMode", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowNetworkConfigurationSettingsLookup", + "Name": "DetectSensitiveContentDuringScreenSharing", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowWatermarkForCameraVideo", + "CIMType": "String", + "Name": "EnrollUserOverride", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowWatermarkForScreenSharing", + "CIMType": "String", + "Name": "ExplicitRecordingConsent", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "NewMeetingRecordingExpirationDays", + "CIMType": "String", + "Name": "ExternalMeetingJoin", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowCartCaptionsScheduling", + "Name": "InfoShownInReportMode", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowDocumentCollaboration", + "Name": "IPAudioMode", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowedStreamingMediaInput", + "Name": "IPVideoMode", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockedAnonymousJoinClientTypes", + "Name": "LiveCaptionsEnabledType", "Option": "Write" }, { "CIMType": "String", - "Name": "ChannelRecordingDownload", + "Name": "LiveInterpretationEnabledType", "Option": "Write" }, { "CIMType": "String", - 
"Name": "ExplicitRecordingConsent", + "Name": "LiveStreamingMode", "Option": "Write" }, { - "CIMType": "String", - "Name": "ForceStreamingAttendeeMode", + "CIMType": "UInt32", + "Name": "MediaBitRateKb", "Option": "Write" }, { "CIMType": "String", - "Name": "InfoShownInReportMode", + "Name": "MeetingChatEnabledType", "Option": "Write" }, { "CIMType": "String", - "Name": "LiveInterpretationEnabledType", + "Name": "MeetingInviteLanguages", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "NewMeetingRecordingExpirationDays", "Option": "Write" }, { "CIMType": "String", - "Name": "LiveStreamingMode", + "Name": "ParticipantNameChange", "Option": "Write" }, { "CIMType": "String", - "Name": "MeetingInviteLanguages", + "Name": "PreferredMeetingProviderForIslandsMode", "Option": "Write" }, { @@ -54942,16 +58228,56 @@ "Name": "QnAEngagementMode", "Option": "Write" }, + { + "CIMType": "String", + "Name": "RoomAttributeUserOverride", + "Option": "Write" + }, { "CIMType": "String", "Name": "RoomPeopleNameUserOverride", "Option": "Write" }, + { + "CIMType": "String", + "Name": "ScreenSharingMode", + "Option": "Write" + }, { "CIMType": "String", "Name": "SpeakerAttributionMode", "Option": "Write" }, + { + "CIMType": "String", + "Name": "StreamingAttendeeMode", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TeamsCameraFarEndPTZMode", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "VideoFiltersMode", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "VoiceIsolation", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WhoCanRegister", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ForceStreamingAttendeeMode", + "Option": "Write" + }, { "CIMType": "String", "Name": "Ensure", diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index 5d87e99d81..365ccf92f6 100644 
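Review bot: the hunks at -54654 and -54759 reorder the existing parameters alphabetically (AllowChannelMeetingScheduling, AllowMeetNow, AllowPrivateMeetNow and the rest are removed and re-added under new positions) while interleaving the real additions: AttendeeIdentityMasking, AutomaticallyStartCopilot, AutoRecording, ConnectToMeetingControls, ContentSharingInExternalMeetings, Copilot, CopyRestriction, DetectSensitiveContentDuringScreenSharing, ExternalMeetingJoin, ParticipantNameChange and VoiceIsolation. That makes the new parameters hard to pick out of a wall of renamed lines; consider landing the reorder and the additions as separate commits, and list the new parameters in the CHANGELOG entry for this resource.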
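Review bot: in the -54942 hunk ForceStreamingAttendeeMode is appended after WhoCanRegister, breaking the alphabetical order the rest of this change establishes; move it between ExternalMeetingJoin and InfoShownInReportMode so the ordering stays consistent.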
--- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 @@ -487,6 +487,71 @@ IsAppliedToOrganization = $False; IsEnabled = $True; } + AADFilteringPolicy 'AADFilteringPolicy-MyPolicy' + { + Action = "block"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + TenantId = $TenantId; + } + AADFilteringPolicyRule 'AADFilteringPolicyRule-FQDN' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + value = 'Microsoft365DSC.com' + } + ); + Ensure = "Present"; + Name = "MyFQDN"; + Policy = "AMyPolicy"; + RuleType = "fqdn"; + TenantId = $TenantId; + } + AADFilteringPolicyRule 'AADFilteringPolicyRule-Web' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + name = 'ChildAbuseImages' + } + ); + Ensure = "Present"; + Name = "MyWebContentRule"; + Policy = "MyPolicy"; + RuleType = "webCategory"; + TenantId = $TenantId; + } + AADFilteringProfile 'AADFilteringProfile-My Profile' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Present"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 120; + State = "enabled"; + TenantId = $TenantId; + } AADGroup 'MyGroups' { DisplayName = "DSCGroup" 
@@ -504,6 +569,24 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADHomeRealmDiscoveryPolicy 'AADHomeRealmDiscoveryPolicy-displayName-value' + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Present"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' { DisplayName = "NewTestConnector"; @@ -610,6 +693,29 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension 'AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom' + { + ApplicationId = $ApplicationId; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + CertificateThumbprint = $CertificateThumbprint; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Present"; + TenantId = $TenantId; + } AADIdentityGovernanceProgram 'AADIdentityGovernanceProgram-Example' { ApplicationId = $ApplicationId 
@@ -737,6 +843,104 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADUserFlowAttribute 'SaiTest' + { + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Present"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your Verified Credential?' + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' 
+ issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Present"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } } } diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 index 77b24db586..fe7ebfc0f8 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 
@@ -274,6 +274,71 @@ DisplayName = "CertificateBasedAuthentication rollout policy"; Ensure = "Absent"; } + AADFilteringPolicy 'AADFilteringPolicy-MyPolicy' + { + Action = "block"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "This is a demo policy"; + Ensure = "Absent"; + Name = "MyPolicy"; + TenantId = $TenantId; + } + AADFilteringPolicyRule 'AADFilteringPolicyRule-FQDN' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + value = 'Microsoft365DSC.com' + } + ); + Ensure = "Absent"; + Name = "MyFQDN"; + Policy = "AMyPolicy"; + RuleType = "fqdn"; + TenantId = $TenantId; + } + AADFilteringPolicyRule 'AADFilteringPolicyRule-Web' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + name = 'ChildAbuseImages' + } + ); + Ensure = "Absent"; + Name = "MyWebContentRule"; + Policy = "MyPolicy"; + RuleType = "webCategory"; + TenantId = $TenantId; + } + AADFilteringProfile 'AADFilteringProfile-My Profile' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Absent"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 120; + State = "enabled"; + TenantId = $TenantId; + } AADGroup 'MyGroups' { MailNickname = "M365DSC" 
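Review bot: `Policy = "AMyPolicy"` in 'AADFilteringPolicyRule-FQDN' does not match the policy declared in the same hunk (`Name = "MyPolicy"`) nor the Web rule's `Policy = "MyPolicy"`, so the FQDN rule points at a policy that is never created. The profile links reference `PolicyName = 'MyPolicyChoseBine'` and `'MyTopPolicy'`, neither of which is defined in this file, and `Name = "My PRofile"` looks like a casing typo. Also check the removal order: the policy is declared before the rules that belong to it and the profile after the policies it links, so if the resource does not cascade, add `DependsOn` so rules and profile links are removed before their parent policy.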
@@ -312,6 +377,24 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADHomeRealmDiscoveryPolicy 'AADHomeRealmDiscoveryPolicy-displayName-value' + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Absent"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' { DisplayName = "NewTestConnector"; @@ -372,6 +455,29 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension 'AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom' + { + ApplicationId = $ApplicationId; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + CertificateThumbprint = $CertificateThumbprint; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Absent"; + TenantId = $TenantId; + } AADIdentityGovernanceProgram 'AADIdentityGovernanceProgram-Example' { ApplicationId = $ApplicationId 
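Review bot: the CIM class names `MSFT_AADHomeRealDiscoveryPolicyDefinition` and `MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin` drop the "m" from Realm while the resource itself is `AADHomeRealmDiscoveryPolicy`; if the MOF really defines them this way the test is consistent, but renaming a CIM class after release breaks every existing configuration, so fix the spelling now. In the custom task extension hunk, `EndpointConfiguration` mixes `SubscriptionId` with camelCase `logicAppWorkflowName`, `resourceGroupName` and `url` inside one instance; the other embedded instances in the file use PascalCase throughout.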
@@ -463,6 +569,102 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADUserFlowAttribute 'SaiTest' + { + Id = "testIdSai" + DisplayName = "saitest" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Absent"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your Verified Credential?' + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' 
+ issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Absent"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } } } diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 index a7082349e2..748f915f4e 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 
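Review bot: the Remove entries for AADVerifiedIdAuthority and AADVerifiedIdAuthorityContract repeat the entire displays, rules and Key Vault metadata even though `Ensure = "Absent"` only needs the key properties to locate the object. Trim them to `name`/`Name`, `linkedDomainUrl` and the authentication parameters; that makes the intent clear and avoids a second full copy of the contract that has to be kept in sync with the Create and Update files (the same `ResourceGroup = 'TBD'` and personal `LinkedDomainUrl` are already duplicated here).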
@@ -125,6 +125,14 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADAccessReviewPolicy 'AADAccessReviewPolicy' + { + IsGroupOwnerManagementEnabled = $False; + IsSingleInstance = "Yes"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADAdminConsentRequestPolicy 'AADAdminConsentRequestPolicy' { ApplicationId = $ApplicationId; @@ -832,6 +840,16 @@ PasswordValidityPeriodInDays = 2147483647; TenantId = $TenantId; } + AADEnrichedAuditLogs 'AADEnrichedAuditLogs' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Exchange = "disabled"; + IsSingleInstance = "Yes"; + SharePoint = "enabled"; + Teams = "disabled"; + TenantId = $TenantId; + } AADEntitlementManagementAccessPackage 'myAccessPackage' { AccessPackagesIncompatibleWith = @(); 
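Review bot: the new AADAccessReviewPolicy and AADEnrichedAuditLogs entries in the Update file carry no `#drift` marker, unlike the other resources in this file, so it is not clear which property the update run is expected to change. The AADEnrichedAuditLogs values (`Exchange = "disabled"`, `SharePoint = "enabled"`, `Teams = "disabled"`) are identical to the desired-state fixture in the new unit test, which suggests nothing drifts at all; flip one value and mark it, or the update path is never exercised.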
@@ -947,6 +965,56 @@ IsAppliedToOrganization = $False; IsEnabled = $False; } + AADFilteringPolicy 'AADFilteringPolicy-MyPolicy' + { + Action = "allow"; #drift + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + TenantId = $TenantId; + } + AADFilteringPolicyRule 'AADFilteringPolicyRule-FQDN' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + value = 'contoso.com' #Drift + } + ); + Ensure = "Present"; + Name = "MyFQDN"; + Policy = "AMyPolicy"; + RuleType = "fqdn"; + TenantId = $TenantId; + } + AADFilteringProfile 'AADFilteringProfile-My Profile' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Present"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 130; #Drift + State = "enabled"; + TenantId = $TenantId; + } AADGroup 'MyGroups' { DisplayName = "DSCGroup" 
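Review bot: `Policy = "AMyPolicy"` appears again in the Update file for 'AADFilteringPolicyRule-FQDN' while the policy is named `MyPolicy`, and `Name = "My PRofile"` is repeated, so the same mismatch will break the update run as well. The Update set also omits 'AADFilteringPolicyRule-Web' although Remove deletes it, so the `webCategory` rule type is never tested for drift; either add it here with a drifted destination or note why only the `fqdn` rule is updated.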
@@ -1005,6 +1073,24 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADHomeRealmDiscoveryPolicy 'AADHomeRealmDiscoveryPolicy-displayName-value' + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $True # updating here + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Present"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' { DisplayName = "NewTestConnector"; 
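Review bot: the drift marker here reads `# updating here` while the rest of the file uses `#drift` or `# Drift`; use the common form so the markers can be grepped. Flipping `AccelerateToFederatedDomain` to `$True` is a good choice of drifted property since it is the one HRD setting that changes sign-in behaviour (users for `PreferredDomain` are sent straight to the federated IdP), but say so in the comment so the reader knows it is intentional.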
@@ -1114,6 +1200,29 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension 'AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Drifted Description"; # Drift + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Present"; + TenantId = $TenantId; + } AADIdentityGovernanceProgram 'AADIdentityGovernanceProgram-Example' { ApplicationId = $ApplicationId @@ -1123,6 +1232,14 @@ DisplayName = "Example"; Ensure = "Present"; } + AADIdentityProtectionPolicySettings 'AADIdentityProtectionPolicySettings' + { + IsUserRiskClearedOnPasswordReset = $false; #drift + IsSingleInstance = "Yes"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADLifecycleWorkflowSettings 'AADLifecycleWorkflowSettings' { ApplicationId = $ApplicationId; 
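Review bot: in the AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension update entry the `EndpointConfiguration` instance mixes `SubscriptionId` with camelCase `logicAppWorkflowName`, `resourceGroupName` and `url`, the same inconsistency as in the Remove file; pick one casing for the CIM properties. `AuthorizedApps = @('M365DSC')` identifies the allowed caller by display name; if the resource resolves that to an app registration, remember display names are not unique in Entra, so the test (and the docs generated from it) should show how ambiguity is handled or use an AppId.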
@@ -1144,6 +1261,57 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADNetworkAccessForwardingPolicy 'AADNetworkAccessForwardingPolicy-Custom Bypass' + { + Name = "Custom Bypass"; + PolicyRules = @( + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'fqdn' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('www.microsoft.com') + } + + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipAddress' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.168.1.1') + } + + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipSubnet' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.164.0.0/24') + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADNetworkAccessSettingConditionalAccess 'AADNetworkAccessSettingConditionalAccess' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + SignalingStatus = "disabled"; + TenantId = $TenantId; + } + AADNetworkAccessSettingCrossTenantAccess 'AADNetworkAccessSettingCrossTenantAccess' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + NetworkPacketTaggingStatus = "enabled"; + TenantId = $TenantId; + } AADRoleDefinition 'AADRoleDefinition1' { DisplayName = "DSCRole1" 
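Review bot: all three entries in `PolicyRules` share `Name = 'Custom policy internet rule'`; if the name is what the resource uses to match desired and current rules, Test-TargetResource cannot tell them apart and will report drift or pick the wrong one. Give each rule a distinct name. `Destinations = @('192.164.0.0/24')` is a public range and is most likely a typo for `192.168.0.0/24`. Separately, `SignalingStatus = "disabled"` on AADNetworkAccessSettingConditionalAccess has no drift marker, and since disabling Global Secure Access signaling to Conditional Access is the weaker setting, the comment should state whether this is deliberate drift or the intended baseline.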
@@ -1295,6 +1463,104 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADUserFlowAttribute 'SaiTest' + { + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Present"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso 2"; # drift + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your sample Verified Credential?' #drift + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' 
+ issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Present"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } } } diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 index ab1e4fab0a..5efadaea11 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 
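Review bot: the drifted property in the AADVerifiedIdAuthority update entry is `Name = "Contoso 2"; # drift`, but Create and Remove both identify the authority by `Name = "Contoso"`. If Name is the key property, the update run will not find the existing authority and Set will create a second one instead of updating; drift a non-key property (for example a value inside `KeyVaultMetadata`) and keep `Name` stable. The contract entry's `title = 'Do you want to get your sample Verified Credential?' #drift` is fine as a non-key drift.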
@@ -965,6 +965,17 @@ Identity = "_Exe:SecOpsOverrid:ca3c51ac-925c-49f4-af42-43e26b874245"; Policy = "40528418-717d-4368-a1ae-7912918f8a1f"; } + EXOServicePrincipal 'ServicePrincipal' + { + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Ensure = "Present"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } EXOSharedMailbox 'SharedMailbox' { DisplayName = "Integration" diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 index 9e231050c0..50193ab809 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 @@ -575,6 +575,17 @@ Ensure = "Absent"; Identity = "_Exe:SecOpsOverrid:ca3c51ac-925c-49f4-af42-43e26b874245"; } + EXOServicePrincipal 'ServicePrincipal' + { + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Ensure = "Absent"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } EXOSharedMailbox 'SharedMailbox' { DisplayName = "Integration" diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 index d5ef0c950b..2c72368390 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 
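Review bot: the EXOServicePrincipal entries hard-code `Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"` and `AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"`; the object id of a service principal is tenant-specific, so the Create run can only succeed in the tenant these came from. Resolve the id from the tenant under test or document the precondition. Also `DisplayName = "Arpita"` is a person's first name; use a neutral value such as the app name in shared test data.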
@@ -1401,6 +1401,17 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOServicePrincipal 'ServicePrincipal' + { + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Kartikeya"; + Ensure = "Present"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } EXOSharedMailbox 'SharedMailbox' { DisplayName = "Integration" diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 index 368146fdd0..952daf1b58 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 
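Review bot: the Update entry for EXOServicePrincipal changes `DisplayName` from "Arpita" to "Kartikeya" without a `#drift` marker, so the intent is only visible by diffing against the Create file; mark it like the other resources and prefer a neutral string over a personal name.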
@@ -196,6 +196,17 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneAppleMDMPushNotificationCertificate 'IntuneAppleMDMPushNotificationCertificate-66f4ec83-754f-4a59-a73d-e3182cc636a5' + { + AppleIdentifier = "Apple ID"; + Certificate = "FakeCertMIIFdjCCBF6gAwIBAgIIMVIk4qQ3QnQwDQYJKoZIhvcNAQELBQAwgYwxQDA+BgNVBAMMN0FwcGxlIEFwcGxpY2F0aW9uIEludGVncmF0aW9uIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzAeFw0yNDEwMjUxODE0NThaFw0yNTEwMjUxODE0NTdaMIGPMUwwSgYKCZImiZPyLGQBAQw8Y29tLmFwcGxlLm1nbXQuRXh0ZXJuYWwuMDA1NWU3ZTktNDkyYi00ZDQ2LTk2N2EtMjhmYzVkNDllZGI2MTIwMAYDVQQDDClBUFNQOjAwNTVlN2U5LTQ5MmItNGQ0Ni05NjdhLTI4ZmM1ZDQ5ZWRiNjELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrEk6ojXS2lXZCW0P6Wtkv36ko7E1pDlu90IbKN+tesevGhghARFrGNJaRnCjjh7m430KMx2HmwuH08VHpevne2ANdSBOgbVD/8tbkfLN4GeO7Z+E0O5WvEKJ0h0IloV4PjhfZm367n7WDBGmAEXp/aUU91TDIGvAlwUB6M/s7WDypfKenpU7VI7BBNHOn/LwaeNyyTsr8/bn+D7CRDPb6UBYPc5wyQoEjgEjByprUB4qkICfjjvDqg0S+x/gkk4U6QDhjFcUb439EpUyUhbYFH/Opjq5uJ22xueTX3FLQII6ZFoPcC/NJLpwdEDGOOHEHb62ahrwTxzYNGoOG5v/NAgMBAAGjggHVMIIB0TAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFPe+fCFgkds9G3vYOjKBad+ebH+bMIIBHAYDVR0gBIIBEzCCAQ8wggELBgkqhkiG92NkBQEwgf0wgcMGCCsGAQUFBwICMIG2DIGzUmVsaWFuY2Ugb24gdGhpcyBjZXJ0aWZpY2F0ZSBieSBhbnkgcGFydHkgYXNzdW1lcyBhY2NlcHRhbmNlIG9mIHRoZSB0aGVuIGFwcGxpY2FibGUgc3RhbmRhcmQgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YgdXNlLCBjZXJ0aWZpY2F0ZSBwb2xpY3kgYW5kIGNlcnRpZmljYXRpb24gcHJhY3RpY2Ugc3RhdGVtZW50cy4wNQYIKwYBBQUHAgEWKWh0dHA6Ly93d3cuYXBwbGUuY29tL2NlcnRpZmljYXRlYXV0aG9yaXR5MBMGA1UdJQQMMAoGCCsGAQUFBwMCMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6Ly9jcmwuYXBwbGUuY29tL2FhaTJjYS5jcmwwHQYDVR0OBBYEFE1pV3J04vJkpwqxzg040WR6U/7IMAsGA1UdDwQEAwIHgDAQBgoqhkiG92NkBgMCBAIFADANBgkqhkiG9w0BAQsFAAOCAQEAPVKFj5stCpsUT+lcC36hzR2wh8/fys/QFNFuFn57x4oe9kBvvyAXqLBhPm/J3lC+0oU/AJf3EYXwTGNxo2gCiPhJcomX3WXnbYrZHU/TH8umhtVgGqd6Xlke9iFwypidHC9dHWmwud4V42oAMZ9FHItSwh5o6rQMoZop7uKD72vxSuunEWFymF9S22DJ0oums
1Ya8JmUpNfMzkyGVMMZs1OCYpzQxYpuwC+sMAVfGucp1IRLutccRGYeSV4LTN4CwfWreCPnPGjkBEmGqmusn5t/THirGjRBykUARWFpthx1wmJqHFqeAv4nhbcR/+Fu4gQQQaayX0dauBcU0T57=="; + DataSharingConsetGranted = $True; + + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntuneApplicationControlPolicyWindows10 'ConfigureApplicationControlPolicyWindows10' { DisplayName = 'Windows 10 Desktops' @@ -2237,6 +2248,27 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile 'IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile' + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Present"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $False; + WifiSecurityType = "none"; + } IntuneDeviceRemediation 'ConfigureDeviceRemediation' { Assignments = @( 
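Review bot: the `Certificate` value in IntuneAppleMDMPushNotificationCertificate is not fake: after the `FakeCert` prefix the base64 decodes to an Apple-issued X.509 certificate (issuer `Apple Application Integration 2 Certification Authority`, subject `com.apple.mgmt.External.<guid>`, validity from 2024-10-25). Even without the private key, this identifies a real tenant's MDM push topic and will be copied into generated docs; replace it with a short self-signed test certificate. `DataSharingConsetGranted` looks like a typo for `DataSharingConsentGranted`; if that is the schema property name, fix it before release since CIM property names cannot be renamed compatibly. In the Android profile hunk, `AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"` has a 13-character last group and is not a valid GUID, the resource name `IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile` misspells "Management", and `EnrolledDeviceCount`, `EnrollmentTokenUsageCount`, `TokenCreationDateTime` and `TokenExpirationDateTime` are server-computed values; declaring them as desired state produces permanent drift unless the resource excludes them from comparison.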
@@ -2598,6 +2630,30 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + IntuneMobileThreatDefenseConnector 'IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint' + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntunePolicySets 'Example' { Assignments = @( 
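Review bot: `LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"`, `PartnerState = "notSetUp"` and `Id = "fc780465-2017-40d4-a0c5-307022471b92"` are values the service sets, not settings an administrator chooses; including them in the desired state means Test-TargetResource reports drift as soon as the connector sends a heartbeat or the partner completes onboarding. Either the resource should ignore them in comparison or the example should omit them and key on `DisplayName` only.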
@@ -2659,6 +2715,25 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint + { + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + AllowRealtimeMonitoring = '1' + BlockWin32APICallsFromOfficeMacros = 'warn' + CloudBlockLevel = '2' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint + { + DisableSafetyFilterOverrideForAppRepUnknown = '1' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy' { DisplayName = 'test' diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAccessReviewPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAccessReviewPolicy.Tests.ps1 new file mode 100644 index 0000000000..76d5306bcf --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAccessReviewPolicy.Tests.ps1 
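Review bot: the IntuneSecurityBaselineDefenderForEndpoint example sets `BlockExecutionOfPotentiallyObfuscatedScripts = 'off'` and `BlockWin32APICallsFromOfficeMacros = 'warn'`, which relax two attack surface reduction rules below the block setting a Defender baseline is meant to enforce. That is acceptable for exercising the resource, but these integration examples are also what the generated documentation shows, so either use the baseline values or comment that the weak values are deliberate. Also check the value types: `'off'`/`'warn'` are word enums while `AllowRealtimeMonitoring = '1'` and `CloudBlockLevel = '2'` are numeric strings; confirm each matches the settings catalog definition for that setting.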
@@ -0,0 +1,118 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -Command Get-MgBetaPolicyAccessReviewPolicy -MockWith { + } + + Mock -Command Update-MgBetaPolicyAccessReviewPolicy -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = 'Yes' + IsGroupOwnerManagementEnabled = $True; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyAccessReviewPolicy -MockWith { + return @{ + 
IsGroupOwnerManagementEnabled = $True; + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = 'Yes' + IsGroupOwnerManagementEnabled = $True; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyAccessReviewPolicy -MockWith { + return @{ + IsGroupOwnerManagementEnabled = $False; + } + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaPolicyAccessReviewPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyAccessReviewPolicy -MockWith { + return @{ + IsGroupOwnerManagementEnabled = $True; + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEnrichedAuditLogs.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEnrichedAuditLogs.Tests.ps1 new file mode 100644 index 0000000000..403ed9873f --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEnrichedAuditLogs.Tests.ps1 
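Review bot: the two mocks in BeforeAll use `Mock -Command Get-MgBetaPolicyAccessReviewPolicy` and `Mock -Command Update-MgBetaPolicyAccessReviewPolicy`; this only works because `-Command` is an unambiguous prefix of `-CommandName`, so spell the parameter out as the rest of the file does. The Set test asserts `Should -Invoke -CommandName Update-MgBetaPolicyAccessReviewPolicy -Exactly 1` with no `-ParameterFilter`, so it passes even if the resource sends the wrong value; add a filter on `$IsGroupOwnerManagementEnabled -eq $true` to verify the drifted property is actually written.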
@@ -0,0 +1,116 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + } + + Mock -CommandName Get-MgBetaNetworkAccessSettingEnrichedAuditLog -MockWith { + return @{ + exchange = @{ + status = 'disabled' + } + sharepoint = @{ + status = 'enabled' + } + teams = @{ + status = 'disabled' + } + } + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Exchange = "disabled"; + IsSingleInstance = "Yes"; + 
SharePoint = "enabled"; + Teams = "disabled"; + Credential = $Credential; + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Exchange = "disabled"; + IsSingleInstance = "Yes"; + SharePoint = "disabled"; #drift + Teams = "disabled"; + Credential = $Credential; + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + + $testParams = @{ + Credential = $Credential; + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringPolicy.Tests.ps1 new file mode 100644 index 0000000000..abf53bb182 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringPolicy.Tests.ps1 
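Review bot: Set-TargetResource here writes through a raw `Invoke-MgGraphRequest`, and the test only checks `Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1`, so any request at all satisfies it. Since only `SharePoint` drifts in that context, add a `-ParameterFilter` on the method, URI and body (for example that the body sets sharepoint to `disabled` and does not touch exchange or teams) so a regression that PATCHes the wrong workload or the wrong endpoint is caught. The Get mock is defined once in BeforeAll and reused by all contexts, which is fine as long as no context needs a different current state.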
@@ -0,0 +1,192 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-MgBetaNetworkAccessFilteringPolicy -MockWith {} + Mock -CommandName Update-MgBetaNetworkAccessFilteringPolicy -MockWith {} + Mock -CommandName Remove-MgBetaNetworkAccessFilteringPolicy -MockWith {} + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Action = "block"; + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + Credential = $Credential; + } + 
+ Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaNetworkAccessFilteringPolicy -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Action = "block"; + Description = "This is a demo policy"; + Ensure = "Absent"; + Name = "MyPolicy"; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith { + return @{ + name = 'MyPolicy' + description = 'This is a demo policy' + action = 'block' + id = '12345-12345-12345-12345-12345' + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaNetworkAccessFilteringPolicy -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Action = "block"; + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith { + return @{ + name = 'MyPolicy' + description = 'This is a demo policy' + action = 'block' + id = '12345-12345-12345-12345-12345' + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and 
values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Action = "allow"; #Drift + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith { + return @{ + name = 'MyPolicy' + description = 'This is a demo policy' + action = 'block' + id = '12345-12345-12345-12345-12345' + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaNetworkAccessFilteringPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith { + return @{ + name = 'MyPolicy' + description = 'This is a demo policy' + action = 'block' + id = '12345-12345-12345-12345-12345' + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringPolicyRule.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringPolicyRule.Tests.ps1 new file mode 100644 index 0000000000..c73f7a4135 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringPolicyRule.Tests.ps1 
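Review bot: In the "values are NOT in the desired state" context of Microsoft365DSC.AADFilteringPolicy.Tests.ps1, `Should -Invoke -CommandName Update-MgBetaNetworkAccessFilteringPolicy -Exactly 1` accepts any parameters, so a regression that updates a different policy id or drops the new Action value would go unnoticed. Add a -ParameterFilter that checks the id returned by the Get mock ('12345-12345-12345-12345-12345') and Action 'allow' reach the update call, using the parameter names Set-TargetResource actually passes. The same Get mock body is repeated verbatim in three contexts; a single hashtable defined in the outer BeforeAll and reused per context would make a future property change a one-line edit.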
@@ -0,0 +1,242 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Update-MgBetaNetworkAccessFilteringPolicyRule -MockWith{} + Mock -CommandName New-MgBetaNetworkAccessFilteringPolicyRule -MockWith{} + Mock -CommandName Remove-MgBetaNetworkAccessFilteringPolicyRule -MockWith{} + Mock -COmmandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith{ + return @{ + Id = '12345-12345-12345-12345-12345' + Name = 'MyPolicy' + } + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { 
+ $testParams = @{ + Destinations = @( + (New-CimInstance -ClassName MSFT_AADFilteringPolicyRuleDestination -property @{ + value = 'Microsoft365DSC.com' + } -ClientOnly) + ); + Name = "MyFQDN"; + Policy = "MyPolicy"; + RuleType = "fqdn"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicyRule -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaNetworkAccessFilteringPolicyRule -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Destinations = @( + (New-CimInstance -ClassName MSFT_AADFilteringPolicyRuleDestination -property @{ + value = 'Microsoft365DSC.com' + } -ClientOnly) + ); + Name = "MyFQDN"; + Policy = "MyPolicy"; + RuleType = "fqdn"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicyRule -MockWith { + return @{ + Name = 'MyFQDN' + Id = '12345-12345-12345-12345-12345' + AdditionalProperties = @{ + ruleType = 'fqdn' + destinations = @( + @{ + value = 'Microsoft365DSC.com' + } + ) + } + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaNetworkAccessFilteringPolicyRule -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + 
Destinations = @( + (New-CimInstance -ClassName MSFT_AADFilteringPolicyRuleDestination -property @{ + value = 'Microsoft365DSC.com' + } -ClientOnly) + ); + Name = "MyFQDN"; + Policy = "MyPolicy"; + RuleType = "fqdn"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicyRule -MockWith { + return @{ + Name = 'MyFQDN' + Id = '12345-12345-12345-12345-12345' + AdditionalProperties = @{ + ruleType = 'fqdn' + destinations = @( + @{ + value = 'Microsoft365DSC.com' + } + ) + } + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Destinations = @( + (New-CimInstance -ClassName MSFT_AADFilteringPolicyRuleDestination -property @{ + value = 'contoso.com' #Drift + } -ClientOnly) + ); + Name = "MyFQDN"; + Policy = "MyPolicy"; + RuleType = "fqdn"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicyRule -MockWith { + return @{ + Name = 'MyFQDN' + Id = '12345-12345-12345-12345-12345' + AdditionalProperties = @{ + ruleType = 'fqdn' + destinations = @( + @{ + value = 'Microsoft365DSC.com' + } + ) + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaNetworkAccessFilteringPolicyRule -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicyRule 
-MockWith { + return @{ + Name = 'MyFQDN' + Id = '12345-12345-12345-12345-12345' + AdditionalProperties = @{ + ruleType = 'fqdn' + destinations = @( + @{ + value = 'Microsoft365DSC.com' + } + ) + } + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringProfile.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringProfile.Tests.ps1 new file mode 100644 index 0000000000..f680555b49 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringProfile.Tests.ps1 
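Review bot: `Mock -COmmandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith{` in the outer BeforeAll of Microsoft365DSC.AADFilteringPolicyRule.Tests.ps1 has a miscased parameter name and no space before the scriptblock; PowerShell binds it anyway, but it is inconsistent with every other Mock line in these files. Change it to `Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith {`, and give the three `-MockWith{}` lines above it and the lowercase `-property` in the New-CimInstance calls the same treatment. Every context in this hunk uses a single destination; since comparing multi-valued Destinations is where drift detection in these resources usually breaks, the "already in the desired state" and drift contexts should include at least two destination entries, with order swapped in the desired-state case, to prove the comparison is order-insensitive.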
@@ -0,0 +1,296 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-MgBetaNetworkAccessFilteringProfile -MockWith{} + Mock -CommandName Remove-MgBetaNetworkAccessFilteringProfile -MockWith{} + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith{ + return @( + @{ + id = '12345-12345-12345-12345-12346' + name = 'MyTopPolicy' + } + ) + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringProfilePolicy -MockWith { + return @( + @{ + Policy = @{ + id = '12345-12345-12345-12345-12345' + name = 'MyTopPolicy' + } + AdditionalProperties = @{ + priority = 200 + loggingState = 'enabled' + } + State = 'enabled' + } + ) + } + + # Mock Write-Host to hide output during the tests + 
Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Description = "Description of profile"; + Name = "My Profile"; + Policies = @( + (New-CimInstance -ClassName MSFT_AADFilteringProfilePolicyLink -Property @{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } -ClientOnly) + ); + Priority = 120; + State = "enabled"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringProfile -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaNetworkAccessFilteringProfile -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Description = "Description of profile"; + Name = "My Profile"; + Policies = @( + (New-CimInstance -ClassName MSFT_AADFilteringProfilePolicyLink -Property @{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } -ClientOnly) + ); + Priority = 120; + State = "enabled"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringProfile -MockWith { + return @{ + Id = '22222-22222-22222-22222-22222' + Name = 'My Profile' + Description = 'Description of profile' + State = 'enabled' + Priority = 120 + Policies = @( + @{ + Id = '11111-22222-33333-44444-55556' + State = 'enabled' + AdditionalProperties = @{ + priority = 200 + loggingState = 'enabled' + } + } + ) + } + } + } + It 'Should return 
Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaNetworkAccessFilteringProfile -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Description = "Description of profile"; + Name = "My Profile"; + Policies = @( + (New-CimInstance -ClassName MSFT_AADFilteringProfilePolicyLink -Property @{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } -ClientOnly) + ); + Priority = 120; + State = "enabled"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringProfile -MockWith { + return @{ + Id = '22222-22222-22222-22222-22222' + Name = 'My Profile' + Description = 'Description of profile' + State = 'enabled' + Priority = 120 + Policies = @( + @{ + Id = '11111-22222-33333-44444-55556' + State = 'enabled' + AdditionalProperties = @{ + priority = 200 + loggingState = 'enabled' + } + } + ) + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Description = "Description of profile"; + Name = "My Profile"; + Policies = @( + (New-CimInstance -ClassName MSFT_AADFilteringProfilePolicyLink -Property @{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } -ClientOnly) + ); + Priority = 122; # Drift + State = "enabled"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringProfile -MockWith { + return @{ + Id = 
'22222-22222-22222-22222-22222' + Name = 'My Profile' + Description = 'Description of profile' + State = 'enabled' + Priority = 120 + Policies = @( + @{ + Id = '11111-22222-33333-44444-55556' + State = 'enabled' + AdditionalProperties = @{ + priority = 200 + loggingState = 'enabled' + } + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaNetworkAccessFilteringProfile -Exactly 1 + Should -Invoke -CommandName New-MgBetaNetworkAccessFilteringProfile -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringProfile -MockWith { + return @{ + Id = '22222-22222-22222-22222-22222' + Name = 'My Profile' + Description = 'Description of profile' + State = 'enabled' + Priority = 120 + Policies = @( + @{ + Id = '11111-22222-33333-44444-55556' + State = 'enabled' + AdditionalProperties = @{ + priority = 200 + loggingState = 'enabled' + } + } + ) + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADHomeRealmDiscoveryPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADHomeRealmDiscoveryPolicy.Tests.ps1 new file mode 100644 index 0000000000..1f82f559fd --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADHomeRealmDiscoveryPolicy.Tests.ps1 
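Review bot: The drift context of Microsoft365DSC.AADFilteringProfile.Tests.ps1 asserts `Remove-MgBetaNetworkAccessFilteringProfile -Exactly 1` followed by `New-MgBetaNetworkAccessFilteringProfile -Exactly 1`, i.e. a changed Priority is applied by deleting and recreating the profile. That briefly leaves the tenant without the web-filtering profile and its policy links, and changes the profile Id that other configuration may reference; if the profile can be updated in place, the resource should do that and the test should assert on the update call instead, and if it cannot, the test name "Should call the Set method" should say it expects a recreate. The mock ids also do not line up: Get-MgBetaNetworkAccessFilteringPolicy returns '12345-12345-12345-12345-12346' for MyTopPolicy, Get-MgBetaNetworkAccessFilteringProfilePolicy returns '12345-12345-12345-12345-12345', and the profile's Policies entry is '11111-22222-33333-44444-55556', so the contexts only pass if the resource matches policies purely by name. Make the ids consistent so a later switch to id-based matching is caught by the tests.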
@@ -0,0 +1,242 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADHomeRealmDiscoveryPolicy" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + } + + Mock -CommandName New-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + } + + Mock -CommandName Remove-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADHomeRealmDiscoveryPolicy should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Definition = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinition -Property @{ + PreferredDomain = 
'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin -Property @{ + Enabled = $True + } -ClientOnly + } -ClientOnly ) + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + IsOrganizationDefault = $True + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaPolicyHomeRealmDiscoveryPolicy -Exactly 1 + } + } + + Context -Name "The AADHomeRealmDiscoveryPolicy exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Definition = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinition -Property @{ + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin -Property @{ + Enabled = $True + } -ClientOnly + } -ClientOnly ) + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + IsOrganizationDefault = $True + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + return @{ + id = "randomguid" + definition = @( + '{"HomeRealmDiscoveryPolicy":{"PreferredDomain":"federated.example.edu","AlternateIdLogin":{"Enabled":true},"AccelerateToFederatedDomain":false}}' + ) + displayName = "FakeStringValue" + description = "FakeStringValue" + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 
'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaPolicyHomeRealmDiscoveryPolicy -Exactly 1 + } + } + Context -Name "The AADHomeRealmDiscoveryPolicy Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Definition = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinition -Property @{ + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin -Property @{ + Enabled = $True + } -ClientOnly + } -ClientOnly ) + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + IsOrganizationDefault = $True + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + return @{ + id = "randomguid" + definition = @( + '{"HomeRealmDiscoveryPolicy":{"PreferredDomain":"federated.example.edu","AlternateIdLogin":{"Enabled":true},"AccelerateToFederatedDomain":false}}' + ) + displayName = "FakeStringValue" + description = "FakeStringValue" + isOrganizationDefault = $True + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADHomeRealmDiscoveryPolicy exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Definition = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinition -Property @{ + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin -Property @{ + Enabled = $True + } -ClientOnly + } -ClientOnly ) + 
Description = "FakeStringValue" + DisplayName = "FakeStringValue" + IsOrganizationDefault = $True + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + return @{ + id = "randomguid" + definition = @( + '{"HomeRealmDiscoveryPolicy":{"PreferredDomain":"federated.example.edu","AlternateIdLogin":{"Enabled":true},"AccelerateToFederatedDomain":false}}' + ) + displayName = "FakeStringValue" + description = "FakeStringValue New" + isOrganizationDefault = $False + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaPolicyHomeRealmDiscoveryPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + return @{ + id = "randomguid" + definition = @( + '{"HomeRealmDiscoveryPolicy":{"PreferredDomain":"federated.example.edu","AlternateIdLogin":{"Enabled":true},"AccelerateToFederatedDomain":false}}' + ) + displayName = "FakeStringValue" + description = "FakeStringValue" + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope 
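Review bot: In the "exists but it SHOULD NOT" context of Microsoft365DSC.AADHomeRealmDiscoveryPolicy.Tests.ps1 the test named 'Should return true from the Test method' asserts `Should -Be $false`; rename it to 'Should return false from the Test method' to match the other files. Other copy-paste leftovers in the same hunk: the Set tests say 'Should Create the group' and 'Should Remove the group' although the resource manages a home realm discovery policy, the Get-PSSession and Remove-PSSession mocks are unused by a Graph-based resource, and the file hardcodes `-DscResource "AADHomeRealmDiscoveryPolicy"` instead of deriving $ResourceName from $PSCommandPath like the other new tests. The Get mock in the "SHOULD NOT" and ReverseDSC contexts omits isOrganizationDefault while the other contexts return it; returning it consistently keeps the export test on the same object shape. Please also confirm that the CIM class names MSFT_AADHomeRealDiscoveryPolicyDefinition and MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin (no 'm' in Real) match the schema.mof, since a mismatch only surfaces at runtime.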
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.Tests.ps1 new file mode 100644 index 0000000000..cf2811f30c --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.Tests.ps1 
@@ -0,0 +1,373 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Remove-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + } + Mock -CommandName New-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + } + Mock -CommandName Update-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + } + Mock -CommandName Get-MgApplication -MockWith { + return @{ + id = '12345-12345-12345-12345-12345' + DisplayName = 'M365DSC' + } + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The 
instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + CallbackConfiguration = (New-CIMInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration -Property @{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + } -ClientOnly) + ClientConfiguration = (New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration -Property @{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + } -ClientOnly) + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = (New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration -Property @{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } -ClientOnly) + Ensure = "Present"; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + CallbackConfiguration = (New-CIMInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration -Property @{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + } -ClientOnly) + ClientConfiguration = 
(New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration -Property @{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + } -ClientOnly) + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = (New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration -Property @{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } -ClientOnly) + Ensure = "Absent"; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + return @{ + id = '12345-12345-12345-12345-12345' + authenticationConfiguration = @{ + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.azureAdPopTokenAuthentication" + } + } + CallbackConfiguration = @{ + TimeoutDuration = @{ + Minutes = '34' + } + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.identityGovernance.customTaskExtensionCallbackConfiguration" + authorizedApps = @( + @{ + id = '12345-12345-12345-12345-12345' + } + ) + } + } + ClientConfiguration = @{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + } + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = @{ + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.logicAppTriggerEndpointConfiguration" + subscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } + } + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should 
return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + CallbackConfiguration = (New-CIMInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration -Property @{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + } -ClientOnly) + ClientConfiguration = (New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration -Property @{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + } -ClientOnly) + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = (New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration -Property @{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } -ClientOnly) + Ensure = "Present"; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + return @{ + id = '12345-12345-12345-12345-12345' + authenticationConfiguration = @{ + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.azureAdPopTokenAuthentication" + } + } + CallbackConfiguration = @{ + TimeoutDuration = @{ + Minutes = '34' + } + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.identityGovernance.customTaskExtensionCallbackConfiguration" + authorizedApps = @( + @{ + id = '12345-12345-12345-12345-12345' + } + ) + } + } + 
ClientConfiguration = @{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + } + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = @{ + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.logicAppTriggerEndpointConfiguration" + subscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } + } + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + CallbackConfiguration = (New-CIMInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration -Property @{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + } -ClientOnly) + ClientConfiguration = (New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration -Property @{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + } -ClientOnly) + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = (New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration -Property @{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } -ClientOnly) + Ensure = "Present"; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + return @{ + id = '12345-12345-12345-12345-12345' + authenticationConfiguration = @{ + AdditionalProperties = @{ 
+ "@odata.type" = "#microsoft.graph.azureAdPopTokenAuthentication" + } + } + CallbackConfiguration = @{ + TimeoutDuration = @{ + Minutes = '34' + } + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.identityGovernance.customTaskExtensionCallbackConfiguration" + authorizedApps = @( + @{ + id = '12345-12345-12345-12345-12345' + } + ) + } + } + ClientConfiguration = @{ + MaximumRetries = 2 #drift + TimeoutInMilliseconds = 1000 + } + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = @{ + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.logicAppTriggerEndpointConfiguration" + subscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + return @{ + id = '12345-12345-12345-12345-12345' + authenticationConfiguration = @{ + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.azureAdPopTokenAuthentication" + } + } + CallbackConfiguration = @{ + TimeoutDuration = @{ + Minutes = '34' + } + AdditionalProperties = @{ + "@odata.type" = 
"#microsoft.graph.identityGovernance.customTaskExtensionCallbackConfiguration" + authorizedApps = @( + @{ + id = '12345-12345-12345-12345-12345' + } + ) + } + } + ClientConfiguration = @{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + } + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = @{ + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.logicAppTriggerEndpointConfiguration" + subscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } + } + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityProtectionPolicySettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityProtectionPolicySettings.Tests.ps1 new file mode 100644 index 0000000000..0b1586f83f --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityProtectionPolicySettings.Tests.ps1 
@@ -0,0 +1,116 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = 'Yes' + IsUserRiskClearedOnPasswordReset = $True; + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + IsUserRiskClearedOnPasswordReset = $True; + Credential = $Credential; + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams 
| Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = 'Yes' + IsUserRiskClearedOnPasswordReset = $True; + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + IsUserRiskClearedOnPasswordReset = $False; + Credential = $Credential; + } + } + + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 -ParameterFilter { $Method -eq 'PATCH' } + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + IsUserRiskClearedOnPasswordReset = $False; + Credential = $Credential; + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNamedLocationPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNamedLocationPolicy.Tests.ps1 index ba63fc5762..dbd6467749 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNamedLocationPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNamedLocationPolicy.Tests.ps1 
@@ -193,6 +193,52 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } } + Context -Name 'Policies with duplicate names exist' -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = 'Company Network' + Ensure = 'Present' + IpRanges = @('2.1.1.1/32', '1.2.2.2/32') + IsTrusted = $True + OdataType = '#microsoft.graph.ipNamedLocation' + Credential = $Credscredential + } + + Mock -CommandName Get-MgBetaIdentityConditionalAccessNamedLocation -MockWith { + return @( + @{ + DisplayName = 'Company Network' + Id = '046956df-2367-4dd4-b7fd-c6175ec11cd5' + AdditionalProperties = @{ + ipRanges = @(@{cidrAddress = '2.1.1.1/32' }, @{cidrAddress = '1.2.2.2/32' }) + isTrusted = $False + '@odata.type' = '#microsoft.graph.ipNamedLocation' + } + } + @{ + DisplayName = 'Company Network' + Id = '046956df-2367-4dd4-b7fd-c6175ec11cd6' + AdditionalProperties = @{ + ipRanges = @(@{cidrAddress = '2.1.1.1/32' }, @{cidrAddress = '1.2.2.2/32' }) + isTrusted = $False + '@odata.type' = '#microsoft.graph.ipNamedLocation' + } + } + ) + } + } + + It 'Should return values from the get method' { + $result = Get-TargetResource @testParams + $result.Ensure | Should -Be 'Absent' + Should -Invoke -CommandName 'Get-MgBetaIdentityConditionalAccessNamedLocation' -Exactly 1 + } + + It 'Should call the set method' { + { Set-TargetResource @testParams } | Should -Throw "More than one instance of a Named Location Policy with name {Company Network} was found. Please provide the ID parameter." + } + } + Context -Name 'ReverseDSC Tests' -Fixture { BeforeAll { $Global:CurrentModeIsExport = $true diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessForwardingPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessForwardingPolicy.Tests.ps1 new file mode 100644 index 0000000000..45562b9072 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessForwardingPolicy.Tests.ps1 
@@ -0,0 +1,253 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingPolicy -MockWith { + } + + Mock -CommandName New-MgBetaNetworkAccessForwardingPolicyrule -MockWith { + } + + Mock -CommandName Remove-MgBetaNetworkAccessForwardingPolicyRule -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Name = "Custom Bypass"; + PolicyRules = [CimInstance[]]@( + New-CimInstance -ClassName 
MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule -Property @{ + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'fqdn' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('www.google.com') + } -ClientOnly + + New-CimInstance -ClassName MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule -Property @{ + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipSubnet' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.164.0.0/24') + } -ClientOnly + ) + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingPolicy -MockWith { + return @{ + Name = "Custom Bypass" + PolicyRules = @( + @{ + Name = "Custom policy internet rule" + AdditionalProperties = @{ + ruleType = "fqdn" + action = "bypass" + ports = @(80,443) + protocol = "tcp" + destinations = @( + @{ + value = "www.google.com" + } + ) + } + }, + @{ + Name = "Custom policy internet rule" + AdditionalProperties = @{ + ruleType = "ipSubnet" + action = "bypass" + ports = @(80,443) + protocol = "tcp" + destinations = @( + @{ + value = "192.164.0.0/24" + } + ) + } + } + ) + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Name = "Custom Bypass"; + PolicyRules = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule -Property @{ + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'fqdn' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('www.google.com') + } -ClientOnly + + New-CimInstance -ClassName MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule -Property @{ + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipSubnet' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.164.0.0/24') + } -ClientOnly + ) + 
Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingPolicy -MockWith { + return @{ + Name = "Custom Bypass" + PolicyRules = @( + @{ + Name = "Custom policy internet rule" + AdditionalProperties = @{ + ruleType = "fqdn" + action = "bypass" + ports = @(80,443) + protocol = "tcp" + destinations = @( + @{ + value = "www.google.com" + } + ) + } + }, + @{ + Name = "Custom policy internet rule" + AdditionalProperties = @{ + ruleType = "ipSubnet" + action = "bypass" + ports = @(80,443) + protocol = "tcp" + destinations = @( + @{ + value = "192.164.0.0/28" # created drift here + } + ) + } + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Name | Should -Be "Custom Bypass" + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaNetworkAccessForwardingPolicyRule + Should -Invoke -CommandName New-MgBetaNetworkAccessForwardingPolicyRule + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + ##TODO - Mock the Get-MgBetaNetworkAccessForwardingPolicy to return an instance + Mock -CommandName Get-MgBetaNetworkAccessForwardingPolicy -MockWith { + return @{ + Name = "Custom Bypass" + PolicyRules = @( + @{ + Name = "Custom policy internet rule" + AdditionalProperties = @{ + ruleType = "fqdn" + action = "bypass" + ports = @(80,443) + protocol = "tcp" + destinations = @( + @{ + value = "www.google.com" + } + ) + } + }, + @{ + Name = "Custom policy internet rule" + AdditionalProperties = @{ + ruleType = "ipSubnet" + action = "bypass" + ports = @(80,443) + protocol = "tcp" + destinations = @( + @{ + value = "192.164.0.0/28" # created drift here + } + ) + } + } + ) + } 
+ } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessForwardingProfile.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessForwardingProfile.Tests.ps1 new file mode 100644 index 0000000000..45026a3cb0 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessForwardingProfile.Tests.ps1 
@@ -0,0 +1,222 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource 'AADNetworkAccessForwardingProfile' -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaNetworkAccessForwardingProfile -MockWith { + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfile -MockWith { + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfilePolicy -MockWith { + } + + Mock -CommandName Update-MgBetaNetworkAccessForwardingProfilePolicy -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances = $null + $Script:ExportMode = $false + } + # Test contexts + Context -Name 'The AADNetworkAccessForwardingProfile Exists and Values are already in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + Name = 'Microsoft 
365 traffic forwarding profile' + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'enabled' + Policies = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphNetworkaccessPolicyLink -Property @{ + Name = 'Custom Bypass' + PolicyLinkId = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'enabled' + } -ClientOnly + New-CimInstance -ClassName MSFT_MicrosoftGraphNetworkaccessPolicyLink -Property @{ + Name = 'Default Bypass' + PolicyLinkId = '12345678-1234-1234-1234-123456789012' + State = 'enabled' + } -ClientOnly + ) + Credential = $Credential + + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfile -MockWith { + return @{ + Name = 'Microsoft 365 traffic forwarding profile' + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'enabled' + } + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfilePolicy -MockWith { + return @( + @{ + Policy = @{ + Name = 'Custom Bypass' + } + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'enabled' + }, + @{ + Policy = @{ + Name = 'Default Bypass' + } + Id = '12345678-1234-1234-1234-123456789012' + State = 'enabled' + } + ) + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name 'The AADNetworkAccessForwardingProfile exists and values are NOT in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + Name = 'Microsoft 365 traffic forwarding profile' + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'disabled' + Policies = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphNetworkaccessPolicyLink -Property @{ + Name = 'Custom Bypass' + PolicyLinkId = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'enabled' + } -ClientOnly + New-CimInstance -ClassName MSFT_MicrosoftGraphNetworkaccessPolicyLink -Property @{ + Name = 'Default Bypass' + PolicyLinkId = '12345678-1234-1234-1234-123456789012' + State = 'disabled' + } -ClientOnly + ) + Credential = $Credential + } + + Mock -CommandName 
Get-MgBetaNetworkAccessForwardingProfile -MockWith { + return @{ + Name = 'Microsoft 365 traffic forwarding profile' + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'disabled' + } + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfilePolicy -MockWith { + return @( + @{ + Policy = @{ + Name = 'Custom Bypass' + } + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'disabled' + }, + @{ + Policy = @{ + Name = 'Default Bypass' + } + Id = '12345678-1234-1234-1234-123456789012' + State = 'enabled' + } + ) + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set Update-MgBetaNetworkAccessForwardingProfile method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaNetworkAccessForwardingProfile -Exactly 1 + } + + It 'Should call the Set Update-MgBetaNetworkAccessForwardingProfilePolicy method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaNetworkAccessForwardingProfilePolicy -Exactly 2 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfile -MockWith { + return @{ + Name = 'Microsoft 365 traffic forwarding profile' + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'disabled' + } + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfilePolicy -MockWith { + return @( + @{ + Policy = @{ + Name = 'Custom Bypass' + } + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'disabled' + }, + @{ + Policy = @{ + Name = 'Default Bypass' + } + Id = '12345678-1234-1234-1234-123456789012' + State = 'enabled' + } + ) + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } 
+} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessSettingConditionalAccess.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessSettingConditionalAccess.Tests.ps1 new file mode 100644 index 0000000000..364aac36fe --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessSettingConditionalAccess.Tests.ps1 
@@ -0,0 +1,102 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Update-MgBetaNetworkAccessSettingConditionalAccess -MockWith { + } + Mock -CommandName Get-MgBetaNetworkAccessSettingConditionalAccess -MockWith { + return @{ + SignalingStatus = 'enabled' + } + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = "Yes"; + SignalingStatus = "enabled"; + Credential = $Credential; + } + } + + It 'Should return true 
from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = "Yes"; + SignalingStatus = "disabled"; #Drift + Credential = $Credential; + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaNetworkAccessSettingConditionalAccess -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessSettingCrossTenantAccess.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessSettingCrossTenantAccess.Tests.ps1 new file mode 100644 index 0000000000..edf6656b00 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessSettingCrossTenantAccess.Tests.ps1 
@@ -0,0 +1,102 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Update-MgBetaNetworkAccessSettingCrossTenantAccess -MockWith { + } + Mock -CommandName Get-MgBetaNetworkAccessSettingCrossTenantAccess -MockWith { + return @{ + NetworkPacketTaggingStatus = 'enabled' + } + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = "Yes"; + NetworkPacketTaggingStatus = "enabled"; + Credential = $Credential; + } + } + + 
It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = "Yes"; + NetworkPacketTaggingStatus = "disabled"; #Drift + Credential = $Credential; + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaNetworkAccessSettingCrossTenantAccess -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADServicePrincipal.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADServicePrincipal.Tests.ps1 index e10fba3f5d..4d5b52da62 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADServicePrincipal.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADServicePrincipal.Tests.ps1 
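Review bot: In Microsoft365DSC.AADNetworkAccessSettingCrossTenantAccess.Tests.ps1, the drift context only asserts that `Update-MgBetaNetworkAccessSettingCrossTenantAccess` is invoked `-Exactly 1`, not that it is invoked with the desired value; add `-ParameterFilter { $NetworkPacketTaggingStatus -eq 'disabled' }` so a Set that passes the tenant's current value (or nothing) through still fails. Neither context asserts on `Get-TargetResource`, so the mapping from the mocked `NetworkPacketTaggingStatus = 'enabled'` into the returned hashtable is never checked; an `It` doing `(Get-TargetResource @testParams).NetworkPacketTaggingStatus | Should -Be 'enabled'` closes that gap. Minor: `$ResourceName = $CurrentScriptName.Split('.')[1]` derives the resource name from the filename while the sibling test files in this PR pass it literally to `New-M365DscUnitTestHelper`; pick one convention.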
@@ -68,6 +68,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ServicePrincipalNames = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' ServicePrincipalType = 'Application' Tags = '{WindowsAzureActiveDirectoryIntegratedApp}' + PasswordCredentials = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphpasswordCredential -Property @{ + KeyId = 'keyid' + EndDateTime = '2025-03-15T19:50:29.0310000+00:00' + Hint = 'VsO' + DisplayName = 'Super Secret' + StartDateTime = '2024-09-16T19:50:29.0310000+00:00' + } -ClientOnly + ) + KeyCredentials = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphkeyCredential -Property @{ + Usage = 'Verify' + StartDateTime = '2024-09-25T09:13:11.0000000+00:00' + Type = 'AsymmetricX509Cert' + KeyId = 'Key ID' + EndDateTime = '2025-09-25T09:33:11.0000000+00:00' + DisplayName = 'anexas_test_2' + } -ClientOnly + ) Ensure = 'Present' Credential = $Credscredential } @@ -107,6 +126,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ServicePrincipalNames = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' ServicePrincipalType = 'Application' Tags = '{WindowsAzureActiveDirectoryIntegratedApp}' + PasswordCredentials = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphpasswordCredential -Property @{ + KeyId = 'keyid' + EndDateTime = '2025-03-15T19:50:29.0310000+00:00' + Hint = 'VsO' + DisplayName = 'Super Secret' + StartDateTime = '2024-09-16T19:50:29.0310000+00:00' + } -ClientOnly + ) + KeyCredentials = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphkeyCredential -Property @{ + Usage = 'Verify' + StartDateTime = '2024-09-25T09:13:11.0000000+00:00' + Type = 'AsymmetricX509Cert' + KeyId = 'Key ID' + EndDateTime = '2025-09-25T09:33:11.0000000+00:00' + DisplayName = 'anexas_test_2' + } -ClientOnly + ) Ensure = 'Absent' Credential = $Credscredential } 
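Review bot: The `MSFT_MicrosoftGraphkeyCredential` instance in hunks `@@ -68` and `@@ -107` carries only metadata (`KeyId`, `Type`, `Usage`, `StartDateTime`, `EndDateTime`, `DisplayName`) and no key material, and the `MSFT_MicrosoftGraphpasswordCredential` instance likewise holds no secret (Graph never returns one); if the CIM classes have no property for the key bytes, nothing in this test set can show that `Set-TargetResource` is able to add a missing `AsymmetricX509Cert` or password credential. Add a context where the desired credential is absent from the mocked principal with a `Should -Invoke` on the add cmdlet, or state in the resource docs that these properties are compared on Test but not created on Set. The same two fixtures are repeated verbatim in every context; hoist them into `BeforeAll` variables and reference those. Also `KeyId = 'Key ID'` and `KeyId = 'keyid'` are not GUIDs as real key IDs are; using a GUID in the fixture avoids masking any parsing the resource does on that field.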
@@ -132,6 +170,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application' $AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}' + $AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{ + Usage = 'Verify' + StartDateTime = '2024-09-25T09:13:11.0000000+00:00' + Type = 'AsymmetricX509Cert' + KeyId = 'Key ID' + EndDateTime = '2025-09-25T09:33:11.0000000+00:00' + DisplayName = 'anexas_test_2' + } + $AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{ + KeyId = 'keyid' + EndDateTime = '2025-03-15T19:50:29.0310000+00:00' + Hint = 'VsO' + DisplayName = 'Super Secret' + StartDateTime = '2024-09-16T19:50:29.0310000+00:00' + } return $AADSP } } @@ -167,6 +220,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ServicePrincipalNames = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' ServicePrincipalType = 'Application' Tags = '{WindowsAzureActiveDirectoryIntegratedApp}' + PasswordCredentials = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphpasswordCredential -Property @{ + KeyId = 'keyid' + EndDateTime = '2025-03-15T19:50:29.0310000+00:00' + Hint = 'VsO' + DisplayName = 'Super Secret' + StartDateTime = '2024-09-16T19:50:29.0310000+00:00' + } -ClientOnly + ) + KeyCredentials = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphkeyCredential -Property @{ + Usage = 'Verify' + StartDateTime = '2024-09-25T09:13:11.0000000+00:00' + Type = 'AsymmetricX509Cert' + KeyId = 'Key ID' + EndDateTime = '2025-09-25T09:33:11.0000000+00:00' + DisplayName = 'anexas_test_2' + } -ClientOnly + ) Ensure = 'Present' Credential = $Credscredential } 
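Review bot: In hunk `@@ -132` the mocked principal returns `KeyCredentials` and `PasswordCredentials` as a single hashtable each (`-Value @{ ... }`), whereas the desired-state side in `@@ -167` passes arrays of CIM instances and the Graph SDK returns arrays of credential objects; wrap the mock values as `-Value @( @{ ... } )` and give at least one context two credentials, so the comparison logic is exercised on multi-element collections rather than on a scalar, which can hide `.Count` and indexing bugs in the resource.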
@@ -192,6 +264,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application' $AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}' + $AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{ + Usage = 'Verify' + StartDateTime = '2024-09-25T09:13:11.0000000+00:00' + Type = 'AsymmetricX509Cert' + KeyId = 'Key ID' + EndDateTime = '2025-09-25T09:33:11.0000000+00:00' + DisplayName = 'anexas_test_2' + } + $AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{ + KeyId = 'keyid' + EndDateTime = '2025-03-15T19:50:29.0310000+00:00' + Hint = 'VsO' + DisplayName = 'Super Secret' + StartDateTime = '2024-09-16T19:50:29.0310000+00:00' + } return $AADSP } } @@ -223,6 +310,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ServicePrincipalNames = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' ServicePrincipalType = 'Application' Tags = '{WindowsAzureActiveDirectoryIntegratedApp}' + PasswordCredentials = @() + KeyCredentials = @() Ensure = 'Present' Credential = $Credscredential } 
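Review bot: Hunk `@@ -223` declares `PasswordCredentials = @()` and `KeyCredentials = @()` while the mocked principal in the neighbouring hunks still returns one of each, and the `It` blocks for that context sit outside the diff; the file should pin what an empty array means on the Set path, either "remove every credential on the principal" or "leave credentials unmanaged", because a configuration that omits secrets it cannot know about could otherwise strip a production application of its working credentials on the first `Set`. Add a `Should -Invoke` on the remove cmdlet (or `-Times 0`) for this context so the intended semantics are tested rather than implied.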
@@ -247,6 +336,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application' $AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}' + $AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{ + Usage = 'Verify' + StartDateTime = '2024-09-25T09:13:11.0000000+00:00' + Type = 'AsymmetricX509Cert' + KeyId = 'Key ID' + EndDateTime = '2025-09-25T09:33:11.0000000+00:00' + DisplayName = 'anexas_test_2' + } + $AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{ + KeyId = 'keyid' + EndDateTime = '2025-03-15T19:50:29.0310000+00:00' + Hint = 'VsO' + DisplayName = 'Super Secret' + StartDateTime = '2024-09-16T19:50:29.0310000+00:00' + } return $AADSP } } @@ -295,6 +399,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application' $AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}' + $AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{ + Usage = 'Verify' + StartDateTime = '2024-09-25T09:13:11.0000000+00:00' + Type = 'AsymmetricX509Cert' + KeyId = 'Key ID' + EndDateTime = '2025-09-25T09:33:11.0000000+00:00' + DisplayName = 'anexas_test_2' + } + $AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{ + KeyId = 'keyid' + EndDateTime = '2025-03-15T19:50:29.0310000+00:00' + Hint = 'VsO' + DisplayName = 'Super Secret' + StartDateTime = '2024-09-16T19:50:29.0310000+00:00' + } return $AADSP } } 
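Review bot: The ReverseDSC mock in hunk `@@ -295` returns a `PasswordCredentials` entry with `Hint = 'VsO'`; the hint is the leading characters of the client secret, so an export that round-trips this property writes a fragment of a live credential into the configuration file. Confirm in this PR that `Export-TargetResource` emits only metadata the resource can act on (`KeyId`, `DisplayName`, `StartDateTime`, `EndDateTime`) and either drops `Hint` or documents that exported files contain it. The same credential hashtables are copied into four mocks (`@@ -132`, `@@ -192`, `@@ -247`, `@@ -295`); a single `$mockServicePrincipal` built once in `BeforeAll` would shrink the diff and keep the mocks consistent.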
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADUserFlowAttribute.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADUserFlowAttribute.Tests.ps1 new file mode 100644 index 0000000000..d7340ffcb1 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADUserFlowAttribute.Tests.ps1 
@@ -0,0 +1,231 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource 'AADUserFlowAttribute' -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + $Global:PartialExportFileName = 'c:\TestPath' + + Mock -CommandName Save-M365DSCPartialExport -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaIdentityUserFlowAttribute -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityUserFlowAttribute -MockWith { + } + + Mock -CommandName New-MgBetaIdentityUserFlowAttribute -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + # Test contexts + Context -Name 'The user flow attribute should exist but it does not' -Fixture { + BeforeAll { + $testParams = @{ + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = 'Present' + 
Credential = $Credential + } + + Mock -CommandName Get-MgBetaIdentityUserFlowAttribute -MockWith { + return $null + } + } + + It 'Should return values from the get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + Should -Invoke -CommandName 'Get-MgBetaIdentityUserFlowAttribute' -Exactly 2 + } + It 'Should return false from the test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should create the role definition from the set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'New-MgBetaIdentityUserFlowAttribute' -Exactly 1 + } + } + + Context -Name 'The user flow attribute exists but it should not' -Fixture { + BeforeAll { + $testParams = @{ + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = 'Absent' + Credential = $Credential + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + Mock -CommandName Get-MgBetaIdentityUserFlowAttribute -MockWith { + $userFlowAttribute = New-Object PSCustomObject + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Id -Value 'testIdSai' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name DisplayName -Value 'saitest' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Description -Value 'sai test description' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name DataType -Value 'string' + return $userFlowAttribute + } + } + + It 'Should return values from the get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + Should -Invoke -CommandName 'Get-MgBetaIdentityUserFlowAttribute' -Exactly 1 + } + + It 'Should return false from the test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the app from the set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'Remove-MgBetaIdentityUserFlowAttribute' -Exactly 1 + } + } + Context -Name 
'The user flow attribute exists and values are already in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + Mock -CommandName Get-MgBetaIdentityUserFlowAttribute -MockWith { + $userFlowAttribute = New-Object PSCustomObject + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Id -Value 'testIdSai' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name DisplayName -Value 'saitest' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Description -Value 'sai test description' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name DataType -Value 'string' + return $userFlowAttribute + } + } + + It 'Should return Values from the get method' { + Get-TargetResource @testParams + Should -Invoke -CommandName 'Get-MgBetaIdentityUserFlowAttribute' -Exactly 1 + } + + It 'Should return true from the test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name 'Values are not in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + Mock -CommandName Get-MgBetaIdentityUserFlowAttribute -MockWith { + $userFlowAttribute = New-Object PSCustomObject + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Id -Value 'testIdSai' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name DisplayName -Value 'saitest' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Description -Value 'sai test description changed' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name 
DataType -Value 'string' + return $userFlowAttribute + } + } + + It 'Should return values from the get method' { + Get-TargetResource @testParams + Should -Invoke -CommandName 'Get-MgBetaIdentityUserFlowAttribute' -Exactly 1 + } + + It 'Should return false from the test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'Update-MgBetaIdentityUserFlowAttribute' -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + Mock -CommandName Get-MgBetaIdentityUserFlowAttribute -MockWith { + $userFlowAttribute = New-Object PSCustomObject + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Id -Value 'testIdSai' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name DisplayName -Value 'saitest' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Description -Value 'sai test description changed' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name DataType -Value 'string' + return $userFlowAttribute + } + } + + It 'Should reverse engineer resource from the export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADVerifiedIdAuthority.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADVerifiedIdAuthority.Tests.ps1 new file mode 100644 index 0000000000..95be94a0da --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADVerifiedIdAuthority.Tests.ps1 
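Review bot: In Microsoft365DSC.AADUserFlowAttribute.Tests.ps1, the first context asserts `Get-MgBetaIdentityUserFlowAttribute` is invoked `-Exactly 2` when the mock returns `$null`, while every other context expects `-Exactly 1`; that count encodes a fallback lookup in `Get-TargetResource` that is not visible here, so add a comment explaining the second call or use `-ParameterFilter` to assert on the two distinct lookups, otherwise the test fails opaquely when the lookup order changes. The `It` names `Should create the role definition from the set method` and `Should remove the app from the set method` are copied from other resources; rename them to the user flow attribute. The `New-M365DSCConnection` mock declared in `BeforeAll` is re-declared in four contexts; drop the repeats. Fixture values `testIdSai` and `saitest` carry a developer name; use neutral values.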
@@ -0,0 +1,250 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADVerifiedIdAuthority" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Invoke-WebRequest -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADVerifiedIdAuthority should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "FakeStringValue" + Name = "FakeStringValue" + LinkedDomainUrl = "FakeStringValue" + DidMethod = "FakeStringValue" + KeyVaultMetadata = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityKeyVaultMetadata -Property @{ + SubscriptionId = "FakeStringValue" + ResourceGroup = "FakeStringValue" + ResourceName = "FakeStringValue" + 
ResourceUrl = "FakeStringValue" + } -ClientOnly) + Ensure = 'Present' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + return @() + } + + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams -Verbose).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the id from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCVerifiedIdWebRequest -Exactly 2 + } + } + + Context -Name "The AADVerifiedIdAuthority exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "FakeStringValue" + Name = "FakeStringValue" + LinkedDomainUrl = "FakeStringValue" + DidMethod = "FakeStringValue" + KeyVaultMetadata = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityKeyVaultMetadata -Property @{ + SubscriptionId = "FakeStringValue" + ResourceGroup = "FakeStringValue" + ResourceName = "FakeStringValue" + ResourceUrl = "FakeStringValue" + } -ClientOnly) + Ensure = 'Absent' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = @("FakeStringValue") + did = "did:FakeStringValue" + } + } + ) + } + } + + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCVerifiedIdWebRequest -Exactly 2 + } + } + Context -Name "The AADVerifiedIdAuthority Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "FakeStringValue" + Name = "FakeStringValue" + LinkedDomainUrl = "FakeStringValue" + 
DidMethod = "FakeStringValue" + Ensure = 'Present' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = @("FakeStringValue") + did = "did:FakeStringValue" + } + } + ) + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADVerifiedIdAuthority exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "FakeStringValue" + Name = "FakeStringValue2" + LinkedDomainUrl = "FakeStringValue" + DidMethod = "FakeStringValue" + KeyVaultMetadata = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityKeyVaultMetadata -Property @{ + SubscriptionId = "FakeStringValue" + ResourceGroup = "FakeStringValue" + ResourceName = "FakeStringValue" + ResourceUrl = "FakeStringValue" + } -ClientOnly) + Ensure = 'Present' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = @("FakeStringValue") + did = "did:FakeStringValue" + } + keyVaultMetadata = @{ + subscriptionId = "FakeStringValue" + resourceGroup = "FakeStringValue" + resourceName = "FakeStringValue" + resourceUrl = "FakeStringValue" + } + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCVerifiedIdWebRequest -Exactly 2 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = 
$Credential + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = @("FakeStringValue") + did = "did:FakeStringValue" + } + keyVaultMetadata = @{ + subscriptionId = "FakeStringValue" + resourceGroup = "FakeStringValue" + resourceName = "FakeStringValue" + resourceUrl = "FakeStringValue" + } + } + ) + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADVerifiedIdAuthorityContract.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADVerifiedIdAuthorityContract.Tests.ps1 new file mode 100644 index 0000000000..4fc725b180 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADVerifiedIdAuthorityContract.Tests.ps1 
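Review bot: In Microsoft365DSC.AADVerifiedIdAuthority.Tests.ps1, the `exists but it SHOULD NOT` context has `It 'Should return true from the Test method'` asserting `Should -Be $false`; the assertion is the right one for `Ensure = 'Absent'` against an existing authority, so rename the `It` to `Should return false from the Test method`. `Should Remove the group from the Set method` and `Should Create the id from the Set method` are also copy-paste names for an authority. The `DOES NOT` exist mock returns a bare `@()` while every other mock returns `@{ value = @(...) }`; make the empty case `@{ value = @() }` so `Get-TargetResource` is tested against the shape the REST endpoint returns and a missing null guard in the resource is not hidden by the mock. Four of the five contexts omit `Credential` from `$testParams`; they pass because `New-M365DSCConnection` is mocked, but they no longer exercise the parameter set a real configuration uses, so add `Credential = $Credential` as the sibling files do. The `Invoke-WebRequest` mock in `BeforeAll` is a good guard against accidental network calls from the resource; a one-line comment saying so would keep it from being removed as unused.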
@@ -0,0 +1,934 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADVerifiedIdAuthorityContract" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Invoke-WebRequest -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADVerifiedIdAuthorityContract should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @() + rules = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractRulesModel -Property @{ + validityInterval = 15552000 + vc = (New-CimInstance -ClassName 
MSFT_AADVerifiedIdAuthorityContractVcType -Property @{ + type = @("FakeStringValue") + } -ClientOnly) + attestations = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractAttestations -Property @{ + required = $True + } -ClientOnly) + + } -ClientOnly) + Ensure = 'Present' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + param ($Uri) + switch ($Uri) { + "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = @("FakeStringValue") + did = "did:FakeStringValue" + } + keyVaultMetadata = @{ + subscriptionId = "FakeStringValue" + resourceGroup = "FakeStringValue" + resourceName = "FakeStringValue" + resourceUrl = "FakeStringValue" + } + + } + ) + } + } + default { + return @{ + value = @() + } + } + } + } + + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the id from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCVerifiedIdWebRequest -Exactly 4 + } + } + + Context -Name "The AADVerifiedIdAuthorityContract exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayModel -Property @{ + consent = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayConsent -Property @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." 
+ } -ClientOnly) + card = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayCard -Property @{ + description = "This verifiable credential is issued to all members of the Contoso org." + issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo -Property @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } -ClientOnly) + title = "Verified Employee" + } -ClientOnly) + locale = "en-US" + claims = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayClaims -Property @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } -ClientOnly) + ) + } -ClientOnly) + ) + rules = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractRulesModel -Property @{ + validityInterval = 15552000 + vc = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractVcType -Property @{ + type = @("VerifiedEmployee") + } -ClientOnly) + attestations = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractAttestations -Property @{ + accessTokens = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractAttestationValues -Property @{ + mapping = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractClaimMapping -Property @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } -ClientOnly) + ) + required = $True + } -ClientOnly) + ) + } -ClientOnly) + } -ClientOnly) + Ensure = 'Absent' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + param ($Uri) + switch ($Uri) { + "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = 
@("FakeStringValue") + did = "did:FakeStringValue" + } + keyVaultMetadata = @{ + subscriptionId = "FakeStringValue" + resourceGroup = "FakeStringValue" + resourceName = "FakeStringValue" + resourceUrl = "FakeStringValue" + } + + } + ) + } + } + default { + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." + issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + } + } + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." 
+ issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + + } + + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCVerifiedIdWebRequest -Exactly 2 + } + } + Context -Name "The AADVerifiedIdAuthorityContract Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayModel -Property @{ + consent = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayConsent -Property @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." 
+ } -ClientOnly) + card = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayCard -Property @{ + description = "This verifiable credential is issued to all members of the Contoso org." + issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo -Property @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } -ClientOnly) + title = "Verified Employee" + } -ClientOnly) + locale = "en-US" + claims = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayClaims -Property @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } -ClientOnly) + ) + } -ClientOnly) + ) + rules = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractRulesModel -Property @{ + validityInterval = 15552000 + vc = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractVcType -Property @{ + type = @("VerifiedEmployee") + } -ClientOnly) + attestations = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractAttestations -Property @{ + accessTokens = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractAttestationValues -Property @{ + mapping = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractClaimMapping -Property @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } -ClientOnly) + ) + required = $True + } -ClientOnly) + ) + } -ClientOnly) + } -ClientOnly) + Ensure = 'Present' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + param ($Uri) + switch ($Uri) { + "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = 
@("FakeStringValue") + did = "did:FakeStringValue" + } + keyVaultMetadata = @{ + subscriptionId = "FakeStringValue" + resourceGroup = "FakeStringValue" + resourceName = "FakeStringValue" + resourceUrl = "FakeStringValue" + } + + } + ) + } + } + default { + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." + issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + } + } + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." 
+ issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADVerifiedIdAuthorityContract exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayModel -Property @{ + consent = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayConsent -Property @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you want to accept the verified employee credential from Contoso." #drift + } -ClientOnly) + card = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayCard -Property @{ + description = "This verifiable credential is issued to all members of the Contoso org." 
+ issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo -Property @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } -ClientOnly) + title = "Verified Employee" + } -ClientOnly) + locale = "en-US" + claims = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayClaims -Property @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } -ClientOnly) + ) + } -ClientOnly) + ) + rules = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractRulesModel -Property @{ + validityInterval = 15552000 + vc = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractVcType -Property @{ + type = @("VerifiedEmployee") + } -ClientOnly) + attestations = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractAttestations -Property @{ + accessTokens = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractAttestationValues -Property @{ + mapping = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractClaimMapping -Property @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } -ClientOnly) + ) + required = $True + } -ClientOnly) + ) + } -ClientOnly) + } -ClientOnly) + Ensure = 'Present' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + param ($Uri) + switch ($Uri) { + "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = @("FakeStringValue") + did = "did:FakeStringValue" + } + keyVaultMetadata = @{ + subscriptionId = "FakeStringValue" + resourceGroup = "FakeStringValue" + resourceName = "FakeStringValue" + resourceUrl = 
"FakeStringValue" + } + + } + ) + } + } + default { + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." + issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + } + } + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." 
+ issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCVerifiedIdWebRequest -Exactly 3 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + param ($Uri) + switch ($Uri) { + "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = @("FakeStringValue") + did = "did:FakeStringValue" + } + keyVaultMetadata = @{ + subscriptionId = "FakeStringValue" + resourceGroup = "FakeStringValue" + resourceName = "FakeStringValue" + resourceUrl = "FakeStringValue" + } + + } + ) + } + } + default { + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = 
"FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." + issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + } + } + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." 
+ issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureBillingAccountsAssociatedTenant.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureBillingAccountsAssociatedTenant.Tests.ps1 new file mode 100644 index 0000000000..22fc20623c --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureBillingAccountsAssociatedTenant.Tests.ps1 
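Review bot: the test titled 'Should return true from the Test method' in the context just before "The AADVerifiedIdAuthorityContract Exists and Values are already in the desired state" asserts `Test-TargetResource @testParams | Should -Be $false`, so either the title or the expectation is wrong, and its sibling 'Should Remove the group from the Set method' still carries the template's "group" wording for what is a contract; rename them to 'Should return false from the Test method' and 'Should remove the contract from the Set method' (or correct the expected value). The `Invoke-M365DSCVerifiedIdWebRequest` mock also returns from the `default` switch branch and then again from an identical `return @{ value = @( ... ) }` placed after the `switch`, so that trailing block is unreachable and only doubles the fixture; and each mocked API response carries `Ensure = 'Present'`, a DSC-only property the Verified ID endpoint never returns, which should be dropped so the fixture matches the shape the resource actually has to parse.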
@@ -0,0 +1,240 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-M365DSCAzureBillingAccountsAssociatedTenant -MockWith { + } + + Mock -CommandName Remove-M365DSCAzureBillingAccountsAssociatedTenant -MockWith { + + } + + Mock -CommandName Get-M365DSCAzureBillingAccount -MockWith { + return @{ + value = @( + @{ + name = "12345-12345-12345-12345-12345" + properties = @{ + displayName = 'MyBillingAccount' + } + } + ) + } + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + 
BeforeAll { + $testParams = @{ + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "MyBillingAccount"; + BillingManagementState = "Active"; + DisplayName = "Test Tenant"; + ProvisioningManagementState = "Pending"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsAssociatedTenant -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-M365DSCAzureBillingAccountsAssociatedTenant -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "MyBillingAccount"; + BillingManagementState = "Active"; + DisplayName = "Test Tenant"; + ProvisioningManagementState = "Pending"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsAssociatedTenant -MockWith { + return @{ + value = @( + @{ + properties = @{ + billingManagementState = 'Active' + tenantId = '7a575036-2dac-4713-8e23-2963cc2c5f37' + displayName = 'Test Tenant' + provisioningManagementState = 'Pending' + } + } + ) + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-M365DSCAzureBillingAccountsAssociatedTenant -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired 
state" -Fixture { + BeforeAll { + $testParams = @{ + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "MyBillingAccount"; + BillingManagementState = "Active"; + DisplayName = "Test Tenant"; + ProvisioningManagementState = "Pending"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsAssociatedTenant -MockWith { + return @{ + value = @( + @{ + properties = @{ + billingManagementState = 'Active' + tenantId = '7a575036-2dac-4713-8e23-2963cc2c5f37' + displayName = 'Test Tenant' + provisioningManagementState = 'Pending' + } + } + ) + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "MyBillingAccount"; + BillingManagementState = "Not Allowed"; #Drift + DisplayName = "Test Tenant"; + ProvisioningManagementState = "Pending"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsAssociatedTenant -MockWith { + return @{ + value = @( + @{ + properties = @{ + billingManagementState = 'Active' + tenantId = '7a575036-2dac-4713-8e23-2963cc2c5f37' + displayName = 'Test Tenant' + provisioningManagementState = 'Pending' + } + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-M365DSCAzureBillingAccountsAssociatedTenant -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = 
"$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsAssociatedTenant -MockWith { + return @{ + value = @( + @{ + properties = @{ + billingManagementState = 'Active' + tenantId = '7a575036-2dac-4713-8e23-2963cc2c5f37' + displayName = 'Test Tenant' + provisioningManagementState = 'Pending' + } + } + ) + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureBillingAccountsRoleAssignment.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureBillingAccountsRoleAssignment.Tests.ps1 new file mode 100644 index 0000000000..c0bfb0630a --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureBillingAccountsRoleAssignment.Tests.ps1 
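Review bot: in "The instance exists and values are NOT in the desired state" the drift on `BillingManagementState = "Not Allowed"; #Drift` is expected to be corrected by `New-M365DSCAzureBillingAccountsAssociatedTenant` being invoked exactly once, so the Set path relies on the create call acting as an upsert for an already associated tenant; a short comment above that assertion stating this intent would stop a future reader from treating it as a copy-paste from the create context. None of the contexts exercises `Get-M365DSCAzureBillingAccount` returning no entry whose `displayName` matches `BillingAccount`, so the failure mode where the billing account name cannot be resolved (Get should report Absent rather than throw) has no test.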
@@ -0,0 +1,261 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-M365DSCAzureBillingAccountsRoleAssignment -MockWith { + } + + Mock -CommandName Remove-M365DSCAzureBillingAccountsRoleAssignment -MockWith { + + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsRoleDefinition -MockWith { + return @{ + properties = @{ + roleName = 'Billing account owner' + } + } + } + + Mock -CommandName Get-M365DSCAzureBillingAccount -MockWith { + return @{ + value = @( + @{ + name = "12345-12345-12345-12345-12345" + properties = @{ + displayName = 'MyBillingAccount' + } + } + ) + } + } + + Mock -CommandName Get-MgUser -MockWith { + return @( + @{ + id = '12345-12345-12345-12345-12345' + 
UserPrincipalName = 'John.Smith@Contoso.com' + } + ) + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + BillingAccount = "MyBillingAccount"; + PrincipalName = "John.Smith@contoso.onmicrosoft.com"; + PrincipalType = "User"; + PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + RoleDefinition = "Billing account owner"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsRoleAssignment -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-M365DSCAzureBillingAccountsRoleAssignment -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + BillingAccount = "MyBillingAccount"; + PrincipalName = "John.Smith@contoso.onmicrosoft.com"; + PrincipalType = "User"; + PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + RoleDefinition = "Billing account owner"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsRoleAssignment -MockWith { + return @{ + value = @( + @{ + id = '/assignment/22222-22222-22222-22222-22222' + properties = @{ + principalId = '12345-12345-12345-12345-12345' + principalType = 'User' + RoleDefinitionId = '/providers/Microsoft.Billing/billingAccounts/1e5b9e50-a1ea-581e-fb3a-778b93a06854:6487d5cf-0a7b-42e6-9549-23ca416fb8bf_2019-05-31/billingRoleDefinitions/22222-22222-22222-22222-22222' + 
principalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + } + } + ) + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-M365DSCAzureBillingAccountsRoleAssignment -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + BillingAccount = "MyBillingAccount"; + PrincipalName = "John.Smith@contoso.onmicrosoft.com"; + PrincipalType = "User"; + PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + RoleDefinition = "Billing account owner"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsRoleAssignment -MockWith { + return @{ + value = @( + @{ + id = '/assignment/22222-22222-22222-22222-22222' + properties = @{ + principalId = '12345-12345-12345-12345-12345' + principalType = 'User' + RoleDefinitionId = '/providers/Microsoft.Billing/billingAccounts/1e5b9e50-a1ea-581e-fb3a-778b93a06854:6487d5cf-0a7b-42e6-9549-23ca416fb8bf_2019-05-31/billingRoleDefinitions/22222-22222-22222-22222-22222' + principalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + } + } + ) + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + BillingAccount = "MyBillingAccount"; + PrincipalName = "John.Smith@contoso.onmicrosoft.com"; + PrincipalType = "User"; + PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + RoleDefinition = "Billing account contributor"; #drift + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName 
Get-M365DSCAzureBillingAccountsRoleAssignment -MockWith { + return @{ + value = @( + @{ + id = '/assignment/22222-22222-22222-22222-22222' + properties = @{ + principalId = '12345-12345-12345-12345-12345' + principalType = 'User' + RoleDefinitionId = '/providers/Microsoft.Billing/billingAccounts/1e5b9e50-a1ea-581e-fb3a-778b93a06854:6487d5cf-0a7b-42e6-9549-23ca416fb8bf_2019-05-31/billingRoleDefinitions/22222-22222-22222-22222-22222' + principalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + } + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-M365DSCAzureBillingAccountsRoleAssignment -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsRoleAssignment -MockWith { + return @{ + value = @( + @{ + id = '/assignment/22222-22222-22222-22222-22222' + properties = @{ + principalId = '12345-12345-12345-12345-12345' + principalType = 'User' + RoleDefinitionId = '/providers/Microsoft.Billing/billingAccounts/1e5b9e50-a1ea-581e-fb3a-778b93a06854:6487d5cf-0a7b-42e6-9549-23ca416fb8bf_2019-05-31/billingRoleDefinitions/22222-22222-22222-22222-22222' + principalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + } + } + ) + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope 
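Review bot: the `Get-MgUser` mock in `BeforeAll` returns `UserPrincipalName = 'John.Smith@Contoso.com'` while every context passes `PrincipalName = "John.Smith@contoso.onmicrosoft.com"`, so the tests only pass because the mock ignores whatever filter the resource applies; align the mocked UPN with the test value so a broken principal lookup cannot be masked by the fixture. The mocked assignment also mixes key casing (`RoleDefinitionId` next to `principalId`, `principalType` and `principalTenantId`); hashtable lookups are case-insensitive so it works, but the fixture should use one casing. Finally, only `PrincipalType = "User"` is covered, so the lookup for any other principal type the resource accepts has no test.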
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureVerifiedIdFaceCheck.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureVerifiedIdFaceCheck.Tests.ps1 new file mode 100644 index 0000000000..cde4d69eaf --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureVerifiedIdFaceCheck.Tests.ps1 
@@ -0,0 +1,145 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-AzResourceGroup -MockWith { + return @( + @{ + id = '12345-12345-12345-12345-12345' + resourceId = '/subscriptions/2dbaf4c4-78f8-4ac9-8188-536d921cf690/providers' + ResourceGroupName = 'testrg' + } + ) + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + FaceCheckEnabled = $True; + ResourceGroupName = "testrg"; + SubscriptionId = 
"2dbaf4c4-78f8-4ac9-8188-536d921cf690"; + VerifiedIdAuthorityId = "30961e04-9c35-42db-b80f-c1b6515eb4b2"; + VerifiedIdAuthorityLocation = "westus2"; + Ensure = 'Present' + Credential = $Credential; + } + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = '{"location":"westus2","id" : "12345-12345-12345-12345-12345"}' + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + FaceCheckEnabled = $False; + ResourceGroupName = "testrg"; + SubscriptionId = "2dbaf4c4-78f8-4ac9-8188-536d921cf690"; + VerifiedIdAuthorityId = "30961e04-9c35-42db-b80f-c1b6515eb4b2"; + VerifiedIdAuthorityLocation = "westus2"; + Ensure = 'Present' + Credential = $Credential; + } + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = '{"location":"westus2","id" : "12345-12345-12345-12345-12345"}' + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-AzRest -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = '{"location":"westus2","id" : "12345-12345-12345-12345-12345"}' + } + } + + Mock -CommandName Invoke-WebRequest -MockWith { + return @{ + content = ConvertTo-Json (@{ + value = @( + @{ + id = '12345-12345-12345-12345-12345' + name = 'MyAuthority' + } + )}) -Depth 10 -Compress + } + } + } + It 'Should Reverse Engineer resource from the 
Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOServicePrincipal.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOServicePrincipal.Tests.ps1 new file mode 100644 index 0000000000..fbca14f676 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOServicePrincipal.Tests.ps1 
@@ -0,0 +1,255 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-ServicePrincipal -MockWith { + return $null + } + + Mock -CommandName Remove-ServicePrincipal -MockWith { + return $null + } + + Mock -CommandName Set-ServicePrincipal -MockWith { + return $null + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Ensure = "Present"; + Identity 
= "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Credential = $Credential; + } + + Mock -CommandName Get-ServicePrincipal -MockWith { + return $null + } + + Mock -CommandName Get-MgServicePrincipal -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-ServicePrincipal -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Ensure = "Absent"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Credential = $Credential; + } + + Mock -CommandName Get-ServicePrincipal -MockWith { + return @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + DisplayName = "Arpita"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Ensure = "Present" + Credential = $Credential; + } + } + Mock -CommandName Get-MgServicePrincipal -MockWith { + return @{ + AppDisplayName = "Portfolios"; + DisplayName = "Portfolios"; + Id = "003e4f9a-3bd6-46a2-ac8f-2fc6b87c56c7" + AppId = "f53895d3-095d-408f-8e93-8f94b391404e" + SignInAudience = "AzureADMultipleOrgs" + ServicePrincipalType = "Application" + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-ServicePrincipal -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + 
$testParams = @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-ServicePrincipal -MockWith { + return @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + DisplayName = "Arpita"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Ensure = "Present" + Credential = $Credential; + } + } + Mock -CommandName Get-MgServicePrincipal -MockWith { + return @{ + AppDisplayName = "ISV Portal"; + DisplayName = "ISV Portal"; + Id = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7" + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06" + SignInAudience = "AzureADMultipleOrgs" + ServicePrincipalType = "Application" + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Ensure = "Present" + Credential = $Credential; + + } + + Mock -CommandName Get-ServicePrincipal -MockWith { + return @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Aditya"; #Drift + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Ensure = "Present" + Credential = $Credential; + } + } + Mock -CommandName Get-MgServicePrincipal -MockWith { + return @{ + DisplayName = "ISV Portal"; + Id = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7" + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06" + SignInAudience = "AzureADMultipleOrgs" + ServicePrincipalType = "Application" + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + 
Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-ServicePrincipal -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-ServicePrincipal -MockWith { + return @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Ensure = "Present" + Credential = $Credential; + } + } + Mock -CommandName Get-MgServicePrincipal -MockWith { + return @{ + AppDisplayName = "ISV Portal"; + DisplayName = "ISV Portal"; + Id = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7" + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06" + SignInAudience = "AzureADMultipleOrgs" + ServicePrincipalType = "Application" + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppleMDMPushNotificationCertificate.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppleMDMPushNotificationCertificate.Tests.ps1 new file mode 100644 index 0000000000..ed85027560 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppleMDMPushNotificationCertificate.Tests.ps1 
@@ -0,0 +1,237 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementApplePushNotificationCertificate -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementApplePushNotificationCertificate -MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementDataSharingConsent -MockWith { + } + + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + #Test contexts + + Context -Name '1. 
The instance should exist but it DOES NOT' -Fixture { + BeforeAll { + $testParams = @{ + AppleIdentifier = "Apple ID"; + Certificate = "Test cert"; + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + DataSharingConsetGranted = $True; + + Ensure = 'Present'; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementApplePushNotificationCertificate -MockWith { + return $null + } + + Mock -CommandName Get-MgBetaDeviceManagementDataSharingConsent -MockWith { + return $null + } + } + + It '1.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It '1.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It '1.3 Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaDeviceManagementApplePushNotificationCertificate -Exactly 1 + } + } + + Context -Name '2. The instance exists but it SHOULD NOT' -Fixture { + BeforeAll { + $testParams = @{ + AppleIdentifier = "Apple ID"; + Certificate = "Test cert"; + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + DataSharingConsetGranted = $True; + + Ensure = 'Absent' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementApplePushNotificationCertificate -MockWith { + return @{ + AppleIdentifier = "Patched cert"; + Certificate = "Test cert"; + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + } + } + + Mock -CommandName Get-MgBetaDeviceManagementDataSharingConsent -MockWith { + return @{ + DataSharingConsentId = "appleMDMPushCertificate" + Granted = $True; + } + } + } + + It '2.1 Should return values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It '2.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It '2.3 Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke 
-CommandName Update-MgBetaDeviceManagementApplePushNotificationCertificate -Exactly 1 + } + } + + Context -Name '3. The instance exists and values are already in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + AppleIdentifier = "Apple ID"; + Certificate = "Test cert"; + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + DataSharingConsetGranted = $True; + + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementApplePushNotificationCertificate -MockWith { + return @{ + AppleIdentifier = "Apple ID"; + Certificate = "Test cert"; + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + } + } + + Mock -CommandName Get-MgBetaDeviceManagementDataSharingConsent -MockWith { + return @{ + DataSharingConsentId = "appleMDMPushCertificate" + Granted = $True; + } + } + } + + It '3.0 Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name '4. The instance exists and values are NOT in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + AppleIdentifier = "Apple ID"; + Certificate = "Test cert"; + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + DataSharingConsetGranted = $True; + + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementApplePushNotificationCertificate -MockWith { + return @{ + AppleIdentifier = "Apple ID"; #drift + Certificate = "Patched cert base64 string"; #drift + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + } + } + + Mock -CommandName Get-MgBetaDeviceManagementDataSharingConsent -MockWith { + return @{ + DataSharingConsentId = "appleMDMPushCertificate" + Granted = $True; + } + } + } + + It '4.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It '4.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It '4.3 Should call the Set method' { + Set-TargetResource @testParams + 
Should -Invoke -CommandName Update-MgBetaDeviceManagementApplePushNotificationCertificate -Exactly 1 + } + } + + Context -Name '5. ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementApplePushNotificationCertificate -MockWith { + return @{ + AppleIdentifier = "Apple ID"; + Certificate = "Test cert"; + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + } + } + + Mock -CommandName Get-MgBetaDeviceManagementDataSharingConsent -MockWith { + return @{ + DataSharingConsentId = "appleMDMPushCertificate" + Granted = $True; + } + } + } + + It '5.0 Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagementEnrollmentAndroidGooglePlay.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagementEnrollmentAndroidGooglePlay.Tests.ps1 new file mode 100644 index 0000000000..3b34d8d51e --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagementEnrollmentAndroidGooglePlay.Tests.ps1 
@@ -0,0 +1,206 @@ +[CmdletBinding()] +param() +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot -ChildPath '..\..\Unit' -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder -ChildPath '\Stubs\Microsoft365.psm1' -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder -ChildPath '\Stubs\Generic.psm1' -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder -ChildPath '\UnitTestHelper.psm1' -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith {} + Mock -CommandName New-M365DSCConnection -MockWith { return "Credentials" } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting -MockWith {} + Mock -CommandName Invoke-MgGraphRequest -MockWith {} + Mock -CommandName Remove-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting -MockWith {} + Mock -CommandName Invoke-MgGraphRequest -MockWith { + @{ status = "Success" } + } + # Hide Write-Host output during the tests + Mock -CommandName Write-Host -MockWith {} + + $Script:exportedInstances = $null + $Script:ExportMode = $false + } + + # Context 1: Instance should exist but does not + Context -Name "1. 
The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + BindStatus = "notBound" + # OwnerUserPrincipalName = "testuser@domain.com" + # OwnerOrganizationName = "Test Organization" + # EnrollmentTarget = "targetedAsEnrollmentRestrictions" + # DeviceOwnerManagementEnabled = $False + # AndroidDeviceOwnerFullyManagedEnrollmentEnabled = $False + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting -MockWith { return $null } + } + + It '1.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It '1.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + } + + # Context 2: Instance exists but should not + Context -Name "2. The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + Ensure = 'Absent' + Credential = $Credential + } + + # Mock to simulate a "boundAndValidated" state as a prerequisite for unbinding + Mock -CommandName Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting -MockWith { + @( + @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + BindStatus = "boundAndValidated" # Required for unbinding + LastAppSyncDateTime = "2024-10-28T01:24:41.5529479Z" + LastAppSyncStatus = "success" + OwnerUserPrincipalName = "admin@m365x22684512.onmicrosoft.com" + OwnerOrganizationName = "Contoso" + LastModifiedDateTime = "2024-10-28T01:24:39.1855089Z" + EnrollmentTarget = "targetedAsEnrollmentRestrictions" + DeviceOwnerManagementEnabled = $true + AndroidDeviceOwnerFullyManagedEnrollmentEnabled = $false + Ensure = 'Present' + } + ) + } + + # Retrieve current instance to verify bindStatus and ensure values + $currentInstance = Get-TargetResource @testParams + + # Mock to simulate the unbind 
action with Invoke-MgGraphRequest + Mock -CommandName Invoke-MgGraphRequest -MockWith { + @{ status = "Success" } + } + } + + It '2.1 Should confirm testParams Ensure is Absent' { + # Verify that Ensure is set to 'Absent' in the test parameters + $testParams.Ensure | Should -Be 'Absent' + } + + It '2.2 Should confirm CurrentInstance Ensure is Present' { + # Verify that Ensure is set to 'Present' in the current instance + $currentInstance.Ensure | Should -Be 'Present' + } + + It '2.3 Should confirm CurrentInstance BindStatus is boundAndValidated' { + # Verify that bindStatus is 'boundAndValidated' in the current instance + $currentInstance.BindStatus | Should -Be 'boundAndValidated' + } + + It '2.4 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It '2.5 Should call Invoke-MgGraphRequest to remove the instance from Set method' { + Set-TargetResource @testParams + + # Verify if unbind was called + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 + } + } + + # Context 3: Instance exists and values are already in the desired state + Context -Name "3. The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + BindStatus = "bound" + # OwnerUserPrincipalName = "existingUser@domain.com" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting -MockWith { + return @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + BindStatus = "bound" + # OwnerUserPrincipalName = "existingUser@domain.com" + Ensure = 'Present' + } + } + } + + It '3.0 Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + # Context 4: Instance exists, but values are not in the desired state + Context -Name "4. 
The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + BindStatus = "notBound" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting -MockWith { + return @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + BindStatus = "bound" + OwnerUserPrincipalName = "existingUser@domain.com" + Ensure = 'Present' + } + } + } + + It '4.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It '4.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + } + + # Context 5: ReverseDSC Tests + Context -Name '5. ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting -MockWith { + return @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + BindStatus = "bound" + OwnerUserPrincipalName = "existingUser@domain.com" + } + } + } + + It '5.0 Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.Tests.ps1 new file mode 100644 index 0000000000..d8ff6fcab9 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.Tests.ps1 
@@ -0,0 +1,259 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + } + Mock -CommandName Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $userName = "Whatever" + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling 
Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = New-Object System.Management.Automation.PSCredential ($userName, (ConvertTo-SecureString "your-wifi-password" -AsPlainText -Force)) + WifiSecurityType = "wpa" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = New-Object System.Management.Automation.PSCredential ($userName, (ConvertTo-SecureString "your-wifi-password" -AsPlainText -Force)) + WifiSecurityType = "wpa" + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + return @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + 
TokenCreationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + EnrollmentTokenType = 'TokenType' + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + Ensure = 'Present' + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = New-Object System.Management.Automation.PSCredential ($userName, (ConvertTo-SecureString "your-wifi-password" -AsPlainText -Force)) + WifiSecurityType = "wpa" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + return @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenCreationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + EnrollmentTokenType = 'TokenType' + QrCodeContent = "your-qr-code-content" 
+ WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + Ensure = 'Present' + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android" # Drift + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = New-Object System.Management.Automation.PSCredential ($userName, (ConvertTo-SecureString "your-wifi-password" -AsPlainText -Force)) + WifiSecurityType = "wpa" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + return @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenCreationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + EnrollmentTokenType = 'TokenType' + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + Ensure = 'Present' + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile 
-Exactly 1 + Should -Invoke -CommandName New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + return @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenCreationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + EnrollmentTokenType = 'TokenType' + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + Ensure = 'Present' + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1 new file mode 100644 index 0000000000..a86d42c03d --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1 
@@ -0,0 +1,293 @@ +[CmdletBinding()] +param( +) + +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + } + + Mock -CommandName Remove-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + # Test contexts + + Context -Name " 1. 
The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + return $null + } + } + + It ' 1.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It ' 1.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It ' 1.3 Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementMobileThreatDefenseConnector -Exactly 1 + } + } + + Context -Name " 2. 
The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + return @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + } + } + } + + It ' 2.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It ' 2.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It ' 2.3 Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 
Remove-MgBetaDeviceManagementMobileThreatDefenseConnector -Exactly 1 + } + } + + Context -Name " 3. The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + return @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + } + } + } + + It ' 3.0 Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name " 4. 
The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; #drift + PartnerUnresponsivenessThresholdInDays = 1; #drift + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + return @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + } + } + } + + It ' 4.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It ' 4.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It ' 4.3 Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 
Update-MgBetaDeviceManagementMobileThreatDefenseConnector -Exactly 1 + } + } + + Context -Name ' 5. ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + return @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + } + } + } + It ' 5.0 Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineDefenderForEndpoint.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineDefenderForEndpoint.Tests.ps1 new file mode 100644 index 0000000000..427f132d12 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineDefenderForEndpoint.Tests.ps1 
@@ -0,0 +1,428 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneSecurityBaselineDefenderForEndpoint" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + } + } + + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'My Test' + RoleScopeTagIds = @("FakeStringValue") + TemplateReference = @{ + TemplateId = '49b8320f-e179-472e-8e2c-2fde00289ca2_1' + } + } + } + Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + 
} + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = '0' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts' + Name = 'BlockExecutionOfPotentiallyObfuscatedScripts' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options=@( + @{ + name ='off' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + parentSettingId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + } + ) + itemId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_off' + } + ) + + } + }, + @{ + Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros' + Name = 'BlockWin32APICallsFromOfficeMacros' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options=@( + @{ + name ='Warn' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + parentSettingId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + } + ) + itemId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_warn' + } + ) + } + } + @{ + Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + Name = 'AttackSurfaceReductionRules' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' + maximumCount = 1 + minimumCount = 0 + childIds = @( + 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts', + 
'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros' + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'c1d89476-ce60-45a3-bdd7-eb378e54f826' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_off" + } + settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts' + } + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_warn" + } + settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros' + } + ) + } + ) + } + } + + }, + + @{ + Id = '1' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring' + Name = 'AllowRealtimeMonitoring' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options=@( + @{ + name ='Allowed. Turns on and runs the real-time monitoring service.' 
+ itemId = 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring_1' + } + ) + + } + } + ) + SettingInstance = @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance" + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_policy_config_defender_allowrealtimemonitoring_1" + } + } + SettingDefinitionId = 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '775f8729-9ce5-4b6f-8afd-1ab61891d195' + } + } + }, + @{ + Id = '2' + SettingDefinitions = @( + @{ + Id = 'user_vendor_msft_policy_config_internetexplorer_disablebypassofsmartscreenwarningsaboutuncommonfiles' + Name = 'DisableSafetyFilterOverrideForAppRepUnknown' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options=@( + @{ + name ='Enabled' + itemId = 'user_vendor_msft_policy_config_internetexplorer_disablebypassofsmartscreenwarningsaboutuncommonfiles_1' + } + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'user_vendor_msft_policy_config_internetexplorer_disablebypassofsmartscreenwarningsaboutuncommonfiles' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'f935a3e0-81d6-4546-98b7-c1f653531d9c' + } + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance" + choiceSettingValue = @{ + children = @() + value = "user_vendor_msft_policy_config_internetexplorer_disablebypassofsmartscreenwarningsaboutuncommonfiles_1" + } + } + } + } + ) + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + + Mock 
-CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + + } + # Test contexts + Context -Name "The IntuneSecurityBaselineDefenderForEndpoint should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + deviceSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + BlockWin32APICallsFromOfficeMacros = 'warn' + AllowRealtimeMonitoring = '1' + } -ClientOnly) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + DisableSafetyFilterOverrideForAppRepUnknown= '1' + } -ClientOnly) + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + 
Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + + Context -Name "The IntuneSecurityBaselineDefenderForEndpoint exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + deviceSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + BlockWin32APICallsFromOfficeMacros = 'warn' + AllowRealtimeMonitoring = '1' + } -ClientOnly) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + DisableSafetyFilterOverrideForAppRepUnknown= '1' + } -ClientOnly) + Ensure = "Absent" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + Context -Name "The IntuneSecurityBaselineDefenderForEndpoint Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = 
[CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + deviceSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + BlockWin32APICallsFromOfficeMacros = 'warn' + AllowRealtimeMonitoring = '1' + } -ClientOnly) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + DisableSafetyFilterOverrideForAppRepUnknown= '1' + } -ClientOnly) + Ensure = "Present" + Credential = $Credential; + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The IntuneSecurityBaselineDefenderForEndpoint exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + deviceSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + BlockWin32APICallsFromOfficeMacros = 'warn' + AllowRealtimeMonitoring = '1' + } -ClientOnly) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My 
Test" + RoleScopeTagIds = @("FakeStringValue") + userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + DisableSafetyFilterOverrideForAppRepUnknown= '0' + } -ClientOnly) + Ensure = "Present" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + } + + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SCPolicyConfig.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SCPolicyConfig.Tests.ps1 new file mode 100644 index 0000000000..203c4883f0 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SCPolicyConfig.Tests.ps1 
@@ -0,0 +1,426 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Set-PolicyConfig -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AdvancedClassificationEnabled = $True; + AuditFileActivity = $True; + BandwidthLimitEnabled = $False; + BusinessJustificationList = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification1' + Enable = 
$True + justificationText = 'default:Were' + } -ClientOnly) + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification2' + Enable = $True + justificationText = 'default:Not' + } -ClientOnly) + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification3' + Enable = $True + justificationText = 'default:Going' + } -ClientOnly) + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification4' + Enable = $True + justificationText = 'default:To' + } -ClientOnly) + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification5' + Enable = $True + justificationText = 'default:Take It' + } -ClientOnly) + ); + CloudAppMode = "Block"; + CloudAppRestrictionList = @("contoso.net","contoso.com"); + CustomBusinessJustificationNotification = 3; + DailyBandwidthLimitInMB = 0; + DLPAppGroups = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPAppGroups -Property @{ + Name = 'Maracas' + Description = 'Lacucaracha' + Apps = [CimInstance[]](New-CiMInstance -ClassName MSFT_PolicyConfigDLPApp -Property @{ + ExecutableName = 'toc.exe' + Name = 'toctoctoc' + Quarantine = $False + } -ClientOnly) + } -ClientOnly) + ); + DLPNetworkShareGroups = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPNetworkShareGroups -Property @{ + groupName = 'Network Share Group' + networkPaths = @('\\share2','\\share') + } -ClientOnly) + ); + DLPPrinterGroups = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPPrinterGroups -Property @{ + groupName = 'MyGroup' + printers = [CimInstance[]](New-CiMInstance -ClassName MSFT_PolicyConfigPrinter -Property @{ + universalPrinter = $False + usbPrinter = $True + usbPrinterId = '' + name = 'asdf' + alias = 'aasdf' + usbPrinterVID = '' + ipRange = (New-CiMInstance -ClassName MSFT_PolicyConfigIPRange -Property @{ + 
fromAddress = '' + toAddress = '' + } -ClientOnly) + corporatePrinter = $False + printToLocal = $False + printToFile = $False + } -ClientOnly) + } -ClientOnly) + ); + DLPRemovableMediaGroups = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPRemovableMediaGroups -Property @{ + groupName = 'My Removable USB device group' + removableMedia = [CimInstance[]](New-CiMInstance -ClassName MSFT_PolicyConfigRemovableMedia -Property @{ + deviceId = 'Nik' + removableMediaVID = 'bob' + name = 'MaCles' + alias = 'My Device' + removableMediaPID = 'asdfsd' + instancePathId = 'instance path' + serialNumberId = 'asdf' + hardwareId = 'hardware' + } -ClientOnly) + } -ClientOnly) + ); + EvidenceStoreSettings = (New-CiMInstance -ClassName MSFT_PolicyConfigEvidenceStoreSettings -Property @{ + FileEvidenceIsEnabled = $True + NumberOfDaysToRetain = 7 + StorageAccounts = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigStorageAccount -Property @{ + Name = 'My storage' + BlobUri = 'https://contoso.com' + } -ClientOnly) + ) + Store = 'CustomerManaged' + } -ClientOnly); + IncludePredefinedUnallowedBluetoothApps = $True; + IsSingleInstance = "Yes"; + MacDefaultPathExclusionsEnabled = $True; + MacPathExclusion = @("/pear","/apple","/orange"); + NetworkPathEnforcementEnabled = $True; + NetworkPathExclusion = "\\MyFirstPath:\\MySecondPath:\\MythirdPAth"; + PathExclusion = @("\\includemenot","\\excludemeWindows","\\excludeme3"); + QuarantineParameters = (New-CiMInstance -ClassName MSFT_PolicyConfigQuarantineParameters -Property @{ + EnableQuarantineForCloudSyncApps = $False + QuarantinePath = '%homedrive%%homepath%\Microsoft DLP\Quarantine' + MacQuarantinePath = '/System/Applications/Microsoft DLP/QuarantineMA' + ShouldReplaceFile = $True + FileReplacementText = 'Gargamel' + } -ClientOnly) + serverDlpEnabled = $True; + SiteGroups = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPSiteGroups -Property @{ + Name = 'Whatever' + Addresses = (New-CiMInstance -ClassName 
MSFT_PolicyConfigSiteGroupAddress -Property @{ + MatchType = 'UrlMatch' + Url = 'Karakette.com' + AddressLower = '' + AddressUpper = '' + } -ClientOnly) + } -ClientOnly) + ); + TenantId = $OrganizationName; + UnallowedApp = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'Caramel' + Executable = 'cara.exe' + } -ClientOnly) + ); + UnallowedBluetoothApp = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'bluetooth' + Executable = 'micase.exe' + } -ClientOnly) + ); + UnallowedBrowser = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'UC Browser' + Executable = 'ucbrowser.exe' + } -ClientOnly) + ); + UnallowedCloudSyncApp = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'ikochou' + Executable = 'gillex.msi' + } -ClientOnly) + ); + VPNSettings = @("MyVPNAddress","MySecondVPNAddress"); + Credential = $Credential; + } + + Mock -CommandName Get-PolicyConfig -MockWith { + return @{ + EndpointDlpGlobalSettings = '[{"Value":"true","Setting":"AdvancedClassificationEnabled"},{"Value":"false","Setting":"BandwidthLimitEnabled"},{"Value":"{\"FileEvidenceIsEnabled\":true,\"NumberOfDaysToRetain\":7,\"Store\":\"CustomerManaged\",\"StorageAccounts\":[{\"BlobUri\":\"https:\/\/contoso.com\",\"Name\":\"My 
storage\"}]}","Setting":"EvidenceStoreSettings"},{"Value":"true","Setting":"MacDefaultPathExclusionsEnabled"},{"Value":"\\\\includemenot","Setting":"PathExclusion"},{"Value":"\\\\excludemeWindows","Setting":"PathExclusion"},{"Value":"\\\\excludeme3","Setting":"PathExclusion"},{"Value":"\/pear","Setting":"MacPathExclusion"},{"Value":"\/apple","Setting":"MacPathExclusion"},{"Value":"\/orange","Setting":"MacPathExclusion"},{"Value":"Caramel","Executable":"cara.exe","Setting":"UnallowedApp"},{"Value":"ikochou","Executable":"gillex.msi","Setting":"UnallowedCloudSyncApp"},{"Value":"true","Setting":"NetworkPathEnforcementEnabled"},{"Value":"\\\\MyFirstPath:\\\\MySecondPath:\\\\MythirdPAth","Setting":"NetworkPathExclusion"},{"Value":"{\"FileReplacementText\":\"Gargamel\",\"MacQuarantinePath\":\"\/System\/Applications\/Microsoft DLP\/QuarantineMA\",\"QuarantinePath\":\"%homedrive%%homepath%\\\\Microsoft DLP\\\\Quarantine\",\"EnableQuarantineForCloudSyncApps\":false,\"ShouldReplaceFile\":true}","Setting":"QuarantineParameters"},{"Value":"True","Setting":"IncludePredefinedUnallowedBluetoothApps"},{"Value":"bluetooth","Executable":"micase.exe","Setting":"UnallowedBluetoothApp"},{"Value":"UC Browser","Executable":"ucbrowser.exe","Setting":"UnallowedBrowser"},{"Value":"contoso.net","Setting":"CloudAppRestrictionList"},{"Value":"contoso.com","Setting":"CloudAppRestrictionList"},{"Value":"Block","Setting":"CloudAppMode"},{"Value":"3","Setting":"CustomBusinessJustificationNotification"},{"Value":"[{\"Enable\":true,\"justificationText\":[\"default:Were\"],\"Id\":\"businessJustification1\"},{\"Enable\":true,\"justificationText\":[\"default:Not\"],\"Id\":\"businessJustification2\"},{\"Enable\":true,\"justificationText\":[\"default:Going\"],\"Id\":\"businessJustification3\"},{\"Enable\":true,\"justificationText\":[\"default:To\"],\"Id\":\"businessJustification4\"},{\"Enable\":true,\"justificationText\":[\"default:Take 
It\"],\"Id\":\"businessJustification5\"}]","Setting":"BusinessJustificationList"},{"Value":"{\u000d\u000a \"serverAddress\": [\u000d\u000a \"MyVPNAddress\",\u000d\u000a \"MySecondVPNAddress\"]\u000d\u000a}","Setting":"VPNSettings"},{"Value":"true","Setting":"serverDlpEnabled"},{"Value":"false","Setting":"AuditFileActivity"}]' + DlpAppGroups = '[{"Apps":[{"ExecutableName":"toc.exe","Name":"toctoctoc","Quarantine":false}],"Description":"Lacucaracha","Id":"22a9399b-d306-49c6-987d-0504316ee1c1","Name":"Maracas"}]' + SiteGroups = '[{"Id":"495844da-c2ab-4511-a996-0b9a58917920","Name":"Whatever","Description":"","Addresses":[{"Url":"Karakette.com","AddressLower":"","AddressUpper":"","MatchType":"UrlMatch"}]}]' + DlpPrinterGroups = '{"groups":[{"groupName":"MyGroup","groupId":"99a4cdac-cc9c-46f4-af2f-bb7201743c2a","printers":[{"name":"asdf","usbPrinter":"true","alias":"aasdf"}]}]}' + DlpNetworkShareGroups = '{"groups":[{"groupName":"Network Share Group","groupId":"edd675bb-3b5c-482e-9b17-1fcd1af36e2d","networkPaths":["\\\\share2","\\\\share"]}]}' + DlpRemovableMediaGroups = '{"groups":[{"groupName":"My Removable USB device group","removableMedia":[{"deviceId":"Nik","removableMediaVID":"bob","name":"MaCles","alias":"My Device","removableMediaPID":"asdfsd","instancePathId":"instance path","serialNumberId":"asdf","hardwareId":"hardware"}],"groupId":"0883ccc3-75c1-4ab0-adb3-d4a846313618"}]}' + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AdvancedClassificationEnabled = $True; + AuditFileActivity = $True; #Drift + BandwidthLimitEnabled = $False; + BusinessJustificationList = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification1' + Enable = $True + justificationText = 'default:Were' + } -ClientOnly) 
+ (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification2' + Enable = $True + justificationText = 'default:Not' + } -ClientOnly) + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification3' + Enable = $True + justificationText = 'default:Going' + } -ClientOnly) + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification4' + Enable = $True + justificationText = 'default:To' + } -ClientOnly) + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification5' + Enable = $True + justificationText = 'default:Take It' + } -ClientOnly) + ); + CloudAppMode = "Block"; + CloudAppRestrictionList = @("contoso.net","contoso.com"); + CustomBusinessJustificationNotification = 3; + DailyBandwidthLimitInMB = 0; + DLPAppGroups = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPAppGroups -Property @{ + Name = 'Maracas' + Description = 'Lacucaracha' + Apps = [CimInstance[]](New-CiMInstance -ClassName MSFT_PolicyConfigDLPApp -Property @{ + ExecutableName = 'toc.exe' + Name = 'toctoctoc' + Quarantine = $False + } -ClientOnly) + } -ClientOnly) + ); + DLPNetworkShareGroups = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPNetworkShareGroups -Property @{ + groupName = 'Network Share Group' + networkPaths = @('\\share2','\\share') + } -ClientOnly) + ); + DLPPrinterGroups = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPPrinterGroups -Property @{ + groupName = 'MyGroup' + printers = [CimInstance[]](New-CiMInstance -ClassName MSFT_PolicyConfigPrinter -Property @{ + universalPrinter = $False + usbPrinter = $True + usbPrinterId = '' + name = 'asdf' + alias = 'aasdf' + usbPrinterVID = '' + ipRange = (New-CiMInstance -ClassName MSFT_PolicyConfigIPRange -Property @{ + fromAddress = '' + toAddress = '' + } -ClientOnly) + 
corporatePrinter = $False + printToLocal = $False + printToFile = $False + } -ClientOnly) + } -ClientOnly) + ); + DLPRemovableMediaGroups = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPRemovableMediaGroups -Property @{ + groupName = 'My Removable USB device group' + removableMedia = [CimInstance[]](New-CiMInstance -ClassName MSFT_PolicyConfigRemovableMedia -Property @{ + deviceId = 'Nik' + removableMediaVID = 'bob' + name = 'MaCles' + alias = 'My Device' + removableMediaPID = 'asdfsd' + instancePathId = 'instance path' + serialNumberId = 'asdf' + hardwareId = 'hardware' + } -ClientOnly) + } -ClientOnly) + ); + EnableLabelCoauth = $False; + EnableSpoAipMigration = $False; + EvidenceStoreSettings = (New-CiMInstance -ClassName MSFT_PolicyConfigEvidenceStoreSettings -Property @{ + FileEvidenceIsEnabled = $True + NumberOfDaysToRetain = 7 + StorageAccounts = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigStorageAccount -Property @{ + Name = 'My storage' + BlobUri = 'https://contoso.com' + } -ClientOnly) + ) + Store = 'CustomerManaged' + } -ClientOnly); + IncludePredefinedUnallowedBluetoothApps = $True; + IsSingleInstance = "Yes"; + MacDefaultPathExclusionsEnabled = $True; + MacPathExclusion = @("/pear","/apple","/orange"); + NetworkPathEnforcementEnabled = $True; + NetworkPathExclusion = "\\MyFirstPath:\\MySecondPath:\\MythirdPAth"; + PathExclusion = @("\\includemenot","\\excludemeWindows","\\excludeme3"); + QuarantineParameters = (New-CiMInstance -ClassName MSFT_PolicyConfigQuarantineParameters -Property @{ + EnableQuarantineForCloudSyncApps = $False + QuarantinePath = '%homedrive%%homepath%\Microsoft DLP\Quarantine' + MacQuarantinePath = '/System/Applications/Microsoft DLP/QuarantineMA' + ShouldReplaceFile = $True + FileReplacementText = 'Gargamel' + } -ClientOnly) + serverDlpEnabled = $True; + SiteGroups = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPSiteGroups -Property @{ + Name = 'Whatever' + Addresses = (New-CiMInstance -ClassName 
MSFT_PolicyConfigSiteGroupAddress -Property @{ + MatchType = 'UrlMatch' + Url = 'Karakette.com' + AddressLower = '' + AddressUpper = '' + } -ClientOnly) + } -ClientOnly) + ); + TenantId = $OrganizationName; + UnallowedApp = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'Caramel' + Executable = 'cara.exe' + } -ClientOnly) + ); + UnallowedBluetoothApp = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'bluetooth' + Executable = 'micase.exe' + } -ClientOnly) + ); + UnallowedBrowser = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'UC Browser' + Executable = 'ucbrowser.exe' + } -ClientOnly) + ); + UnallowedCloudSyncApp = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'ikochou' + Executable = 'gillex.msi' + } -ClientOnly) + ); + VPNSettings = @("MyVPNAddress","MySecondVPNAddress"); + Credential = $Credential; + } + + Mock -CommandName Get-PolicyConfig -MockWith { + return @{ + EndpointDlpGlobalSettings = '[{"Value":"true","Setting":"AdvancedClassificationEnabled"},{"Value":"false","Setting":"BandwidthLimitEnabled"},{"Value":"{\"FileEvidenceIsEnabled\":true,\"NumberOfDaysToRetain\":7,\"Store\":\"CustomerManaged\",\"StorageAccounts\":[{\"BlobUri\":\"https:\/\/contoso.com\",\"Name\":\"My 
storage\"}]}","Setting":"EvidenceStoreSettings"},{"Value":"true","Setting":"MacDefaultPathExclusionsEnabled"},{"Value":"\\\\includemenot","Setting":"PathExclusion"},{"Value":"\\\\excludemeWindows","Setting":"PathExclusion"},{"Value":"\\\\excludeme3","Setting":"PathExclusion"},{"Value":"\/pear","Setting":"MacPathExclusion"},{"Value":"\/apple","Setting":"MacPathExclusion"},{"Value":"\/orange","Setting":"MacPathExclusion"},{"Value":"fidouda","Executable":"nik.exe","Setting":"UnallowedApp"},{"Value":"Caramel","Executable":"cara.exe","Setting":"UnallowedApp"},{"Value":"Fudge","Executable":"chocolate.exe","Setting":"UnallowedApp"},{"Value":"ikochou","Executable":"gillex.msi","Setting":"UnallowedCloudSyncApp"},{"Value":"true","Setting":"NetworkPathEnforcementEnabled"},{"Value":"\\\\MyFirstPath:\\\\MySecondPath:\\\\MythirdPAth","Setting":"NetworkPathExclusion"},{"Value":"{\"FileReplacementText\":\"Gargamel\",\"MacQuarantinePath\":\"\/System\/Applications\/Microsoft DLP\/QuarantineMA\",\"QuarantinePath\":\"%homedrive%%homepath%\\\\Microsoft DLP\\\\Quarantine\",\"EnableQuarantineForCloudSyncApps\":false,\"ShouldReplaceFile\":true}","Setting":"QuarantineParameters"},{"Value":"True","Setting":"IncludePredefinedUnallowedBluetoothApps"},{"Value":"bluetooth","Executable":"micase.exe","Setting":"UnallowedBluetoothApp"},{"Value":"PatateWeb","Executable":"patate.exe","Setting":"UnallowedBrowser"},{"Value":"UC 
Browser","Executable":"ucbrowser.exe","Setting":"UnallowedBrowser"},{"Value":"CapitainOS","Executable":"captn.exe","Setting":"UnallowedBrowser"},{"Value":"contosodigritti.net","Setting":"CloudAppRestrictionList"},{"Value":"contosodidlidou.com","Setting":"CloudAppRestrictionList"},{"Value":"samibou.org","Setting":"CloudAppRestrictionList"},{"Value":"Block","Setting":"CloudAppMode"},{"Value":"3","Setting":"CustomBusinessJustificationNotification"},{"Value":"[{\"Enable\":true,\"justificationText\":[\"default:Were\"],\"Id\":\"businessJustification1\"},{\"Enable\":true,\"justificationText\":[\"default:Not\"],\"Id\":\"businessJustification2\"},{\"Enable\":true,\"justificationText\":[\"default:Going\"],\"Id\":\"businessJustification3\"},{\"Enable\":true,\"justificationText\":[\"default:To\"],\"Id\":\"businessJustification4\"},{\"Enable\":true,\"justificationText\":[\"default:Take It\"],\"Id\":\"businessJustification5\"}]","Setting":"BusinessJustificationList"},{"Value":"{\u000d\u000a \"serverAddress\": [\u000d\u000a \"MyVPNAddress\",\u000d\u000a \"MySecondVPNAddress\",\u000d\u000a \"DevineQui\"\u000d\u000a ]\u000d\u000a}","Setting":"VPNSettings"},{"Value":"true","Setting":"serverDlpEnabled"},{"Value":"false","Setting":"AuditFileActivity"}]' + DlpAppGroups = '[{"Apps":[{"ExecutableName":"toc.exe","Name":"toctoctoc","Quarantine":false}],"Description":"Lacucaracha","Id":"22a9399b-d306-49c6-987d-0504316ee1c1","Name":"Maracas"}]' + SiteGroups = '[{"Id":"495844da-c2ab-4511-a996-0b9a58917920","Name":"Whatever","Description":"","Addresses":[{"Url":"Karakette.com","AddressLower":"","AddressUpper":"","MatchType":"UrlMatch"}]}]' + DlpPrinterGroups = '{"groups":[{"groupName":"MyGroup","groupId":"99a4cdac-cc9c-46f4-af2f-bb7201743c2a","printers":[{"name":"asdf","usbPrinter":"true","alias":"aasdf"}]}]}' + DlpNetworkShareGroups = '{"groups":[{"groupName":"Network Share Group","groupId":"edd675bb-3b5c-482e-9b17-1fcd1af36e2d","networkPaths":["\\\\share2","\\\\share"]}]}' + 
DlpRemovableMediaGroups = '{"groups":[{"groupName":"My Removable USB device group","removableMedia":[{"deviceId":"Nik","removableMediaVID":"bob","name":"MaCles","alias":"My Device","removableMediaPID":"asdfsd","instancePathId":"instance path","serialNumberId":"asdf","hardwareId":"hardware"}],"groupId":"0883ccc3-75c1-4ab0-adb3-d4a846313618"}]}' + } + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-PolicyConfig -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-PolicyConfig -MockWith { + return @{ + EndpointDlpGlobalSettings = '[{"Value":"true","Setting":"AdvancedClassificationEnabled"},{"Value":"false","Setting":"BandwidthLimitEnabled"},{"Value":"{\"FileEvidenceIsEnabled\":true,\"NumberOfDaysToRetain\":7,\"Store\":\"CustomerManaged\",\"StorageAccounts\":[{\"BlobUri\":\"https:\/\/contoso.com\",\"Name\":\"My 
storage\"}]}","Setting":"EvidenceStoreSettings"},{"Value":"true","Setting":"MacDefaultPathExclusionsEnabled"},{"Value":"\\\\includemenot","Setting":"PathExclusion"},{"Value":"\\\\excludemeWindows","Setting":"PathExclusion"},{"Value":"\\\\excludeme3","Setting":"PathExclusion"},{"Value":"\/pear","Setting":"MacPathExclusion"},{"Value":"\/apple","Setting":"MacPathExclusion"},{"Value":"\/orange","Setting":"MacPathExclusion"},{"Value":"fidouda","Executable":"nik.exe","Setting":"UnallowedApp"},{"Value":"Caramel","Executable":"cara.exe","Setting":"UnallowedApp"},{"Value":"Fudge","Executable":"chocolate.exe","Setting":"UnallowedApp"},{"Value":"ikochou","Executable":"gillex.msi","Setting":"UnallowedCloudSyncApp"},{"Value":"true","Setting":"NetworkPathEnforcementEnabled"},{"Value":"\\\\MyFirstPath:\\\\MySecondPath:\\\\MythirdPAth","Setting":"NetworkPathExclusion"},{"Value":"{\"FileReplacementText\":\"Gargamel\",\"MacQuarantinePath\":\"\/System\/Applications\/Microsoft DLP\/QuarantineMA\",\"QuarantinePath\":\"%homedrive%%homepath%\\\\Microsoft DLP\\\\Quarantine\",\"EnableQuarantineForCloudSyncApps\":false,\"ShouldReplaceFile\":true}","Setting":"QuarantineParameters"},{"Value":"True","Setting":"IncludePredefinedUnallowedBluetoothApps"},{"Value":"bluetooth","Executable":"micase.exe","Setting":"UnallowedBluetoothApp"},{"Value":"PatateWeb","Executable":"patate.exe","Setting":"UnallowedBrowser"},{"Value":"UC 
Browser","Executable":"ucbrowser.exe","Setting":"UnallowedBrowser"},{"Value":"CapitainOS","Executable":"captn.exe","Setting":"UnallowedBrowser"},{"Value":"contosodigritti.net","Setting":"CloudAppRestrictionList"},{"Value":"contosodidlidou.com","Setting":"CloudAppRestrictionList"},{"Value":"samibou.org","Setting":"CloudAppRestrictionList"},{"Value":"Block","Setting":"CloudAppMode"},{"Value":"3","Setting":"CustomBusinessJustificationNotification"},{"Value":"[{\"Enable\":true,\"justificationText\":[\"default:Were\"],\"Id\":\"businessJustification1\"},{\"Enable\":true,\"justificationText\":[\"default:Not\"],\"Id\":\"businessJustification2\"},{\"Enable\":true,\"justificationText\":[\"default:Going\"],\"Id\":\"businessJustification3\"},{\"Enable\":true,\"justificationText\":[\"default:To\"],\"Id\":\"businessJustification4\"},{\"Enable\":true,\"justificationText\":[\"default:Take It\"],\"Id\":\"businessJustification5\"}]","Setting":"BusinessJustificationList"},{"Value":"{\u000d\u000a \"serverAddress\": [\u000d\u000a \"MyVPNAddress\",\u000d\u000a \"MySecondVPNAddress\",\u000d\u000a \"DevineQui\"\u000d\u000a ]\u000d\u000a}","Setting":"VPNSettings"},{"Value":"true","Setting":"serverDlpEnabled"},{"Value":"false","Setting":"AuditFileActivity"}]' + DlpAppGroups = '[{"Apps":[{"ExecutableName":"toc.exe","Name":"toctoctoc","Quarantine":false}],"Description":"Lacucaracha","Id":"22a9399b-d306-49c6-987d-0504316ee1c1","Name":"Maracas"}]' + SiteGroups = '[{"Id":"495844da-c2ab-4511-a996-0b9a58917920","Name":"Whatever","Description":"","Addresses":[{"Url":"Karakette.com","AddressLower":"","AddressUpper":"","MatchType":"UrlMatch"}]}]' + DlpPrinterGroups = '{"groups":[{"groupName":"MyGroup","groupId":"99a4cdac-cc9c-46f4-af2f-bb7201743c2a","printers":[{"name":"asdf","usbPrinter":"true","alias":"aasdf"}]}]}' + DlpNetworkShareGroups = '{"groups":[{"groupName":"Network Share Group","groupId":"edd675bb-3b5c-482e-9b17-1fcd1af36e2d","networkPaths":["\\\\share2","\\\\share"]}]}' + 
DlpRemovableMediaGroups = '{"groups":[{"groupName":"My Removable USB device group","removableMedia":[{"deviceId":"Nik","removableMediaVID":"bob","name":"MaCles","alias":"My Device","removableMediaPID":"asdfsd","instancePathId":"instance path","serialNumberId":"asdf","hardwareId":"hardware"}],"groupId":"0883ccc3-75c1-4ab0-adb3-d4a846313618"}]}' + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsMeetingPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsMeetingPolicy.Tests.ps1 index 613623021b..2f1cf7b21f 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsMeetingPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsMeetingPolicy.Tests.ps1 @@ -104,6 +104,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowAnonymousUsersToStartMeeting = $False AllowChannelMeetingScheduling = $True AllowCloudRecording = $True + AllowExternalNonTrustedMeetingChat = $True AllowExternalParticipantGiveRequestControl = $False AllowIPVideo = $True AllowMeetNow = $True 
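Review bot: In the `The instance exists and values are NOT in the desired state` context only `AuditFileActivity = $True; #Drift` is marked as the intended drift, but the mocked `Get-PolicyConfig` output also diverges from `$testParams` in `UnallowedApp` (extra `fidouda` and `Fudge` entries), `UnallowedBrowser` (`PatateWeb`, `CapitainOS`), `CloudAppRestrictionList` (`contosodigritti.net`, `contosodidlidou.com`, `samibou.org`) and `VPNSettings` (`DevineQui`), so a broken comparison for any one of these properties is masked by the others. Suggest making the mock identical to the in-desired-state context except for the single `#Drift` property, or splitting into one context per drifting property so `Should -Be $false` is tied to a known cause. Separately, `EnableLabelCoauth`, `EnableSpoAipMigration` and `DailyBandwidthLimitInMB` are set in `$testParams` but have no counterpart in the mocked hashtable or in `EndpointDlpGlobalSettings`; if Test-TargetResource treats the missing values as drift, this context passes for the wrong reason and the in-desired-state context needs the same keys in its mock.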
@@ -114,10 +115,22 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowSharedNotes = $True AllowTranscription = $False AllowWhiteboard = $True + AttendeeIdentityMasking = 'DisabledUserOverride' AutoAdmittedUsers = 'Everyone' + AutomaticallyStartCopilot = 'Disabled' + AutoRecording = 'Enabled' + ChannelRecordingDownload = 'Allow' + ConnectToMeetingControls = 'Enabled' + ContentSharingInExternalMeetings = 'EnabledForAnyone' + Copilot = 'EnabledWithTranscript' + CopyRestriction = $True + DetectSensitiveContentDuringScreenSharing = $True Description = $null + ExternalMeetingJoin = 'EnabledForAnyone' MediaBitRateKb = 50000 + ParticipantNameChange = 'Disabled' ScreenSharingMode = 'EntireScreen' + VoiceIsolation = 'Enabled' WhoCanRegister = 'EveryoneInCompany' Ensure = 'Present' Credential = $Credential @@ -129,6 +142,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowAnonymousUsersToStartMeeting = $False AllowChannelMeetingScheduling = $True AllowCloudRecording = $True + AllowExternalNonTrustedMeetingChat = $True AllowExternalParticipantGiveRequestControl = $False AllowIPVideo = $True AllowMeetNow = $True 
@@ -138,12 +152,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowPrivateMeetingScheduling = $True AllowSharedNotes = $True AllowTranscription = $False - AllowWhiteboard = $False; #Variant + AllowWhiteboard = $False + AttendeeIdentityMasking = 'DisabledUserOverride' AutoAdmittedUsers = 'Everyone' - WhoCanRegister = 'EveryoneInCompany' + AutomaticallyStartCopilot = 'Disabled' + AutoRecording = 'Enabled' + ChannelRecordingDownload = 'Allow' + ConnectToMeetingControls = 'Enabled' + ContentSharingInExternalMeetings = 'EnabledForAnyone' + Copilot = 'EnabledWithTranscript' + CopyRestriction = $True + DetectSensitiveContentDuringScreenSharing = $True + ExternalMeetingJoin = 'EnabledForAnyone' Description = $null MediaBitRateKb = 50000 + ParticipantNameChange = 'Enabled' ScreenSharingMode = 'EntireScreen' + VoiceIsolation = 'Disabled' + WhoCanRegister = 'EveryoneInCompany' } } } @@ -195,6 +221,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowAnonymousUsersToStartMeeting = $False AllowChannelMeetingScheduling = $True AllowCloudRecording = $True + AllowExternalNonTrustedMeetingChat = $True AllowExternalParticipantGiveRequestControl = $False AllowIPVideo = $True AllowMeetNow = $True 
@@ -205,10 +232,22 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowSharedNotes = $True AllowTranscription = $False AllowWhiteboard = $True + AttendeeIdentityMasking = 'DisabledUserOverride' AutoAdmittedUsers = 'Everyone' + AutomaticallyStartCopilot = 'Disabled' + AutoRecording = 'Enabled' + ChannelRecordingDownload = 'Allow' + ConnectToMeetingControls = 'Enabled' + ContentSharingInExternalMeetings = 'EnabledForAnyone' + Copilot = 'EnabledWithTranscript' + CopyRestriction = $True + DetectSensitiveContentDuringScreenSharing = $True + ExternalMeetingJoin = 'EnabledForAnyone' Description = $null MediaBitRateKb = 50000 + ParticipantNameChange = 'Enabled' ScreenSharingMode = 'EntireScreen' + VoiceIsolation = 'Disabled' WhoCanRegister = 'EveryoneInCompany' } } @@ -255,6 +294,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowAnonymousUsersToStartMeeting = $False AllowChannelMeetingScheduling = $True AllowCloudRecording = $True + AllowExternalNonTrustedMeetingChat = $True AllowExternalParticipantGiveRequestControl = $False AllowIPVideo = $True AllowMeetNow = $True @@ -264,11 +304,23 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowPrivateMeetingScheduling = $True AllowSharedNotes = $True AllowTranscription = $False - AllowWhiteboard = $False; #Variant + AllowWhiteboard = $False + AttendeeIdentityMasking = 'DisabledUserOverride' AutoAdmittedUsers = 'Everyone' + AutomaticallyStartCopilot = 'Disabled' + AutoRecording = 'Enabled' + ChannelRecordingDownload = 'Allow' + ConnectToMeetingControls = 'Enabled' + ContentSharingInExternalMeetings = 'EnabledForAnyone' + Copilot = 'EnabledWithTranscript' + CopyRestriction = $True + DetectSensitiveContentDuringScreenSharing = $True + ExternalMeetingJoin = 'EnabledForAnyone' Description = $null MediaBitRateKb = 50000 + ParticipantNameChange = 'Enabled' ScreenSharingMode = 'EntireScreen' + VoiceIsolation = 'Disabled' WhoCanRegister = 'EveryoneInCompany' } } 
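Review bot: The `@@ -138` and `@@ -264` mock hunks drop the `#Variant` marker from `AllowWhiteboard = $False` while leaving the value unchanged, and at the same time introduce two more values that differ from the `@@ -114` `$testParams` hunk (`ParticipantNameChange = 'Enabled'` vs `'Disabled'`, `VoiceIsolation = 'Disabled'` vs `'Enabled'`); keep a `#Variant` comment on every intentionally drifting line so the reason a context returns `$false` stays visible, and consider limiting each not-in-desired-state context to one drifting property. The `@@ -205` mock (`AllowWhiteboard = $True`, which looks like the in-desired-state context) carries the same `ParticipantNameChange = 'Enabled'` / `VoiceIsolation = 'Disabled'` pair, so if that context's `$testParams` use the values shown at `@@ -114`, Test-TargetResource will report drift there too; either align those two values with `$testParams` or confirm that context's `$testParams` differ.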
@@ -302,6 +354,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowAnonymousUsersToStartMeeting = $False AllowChannelMeetingScheduling = $True AllowCloudRecording = $True + AllowExternalNonTrustedMeetingChat = $True AllowExternalParticipantGiveRequestControl = $False AllowIPVideo = $True AllowMeetNow = $True @@ -311,11 +364,23 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowPrivateMeetingScheduling = $True AllowSharedNotes = $True AllowTranscription = $False - AllowWhiteboard = $False; #Variant + AllowWhiteboard = $False + AttendeeIdentityMasking = 'DisabledUserOverride' AutoAdmittedUsers = 'Everyone' + AutomaticallyStartCopilot = 'Disabled' + AutoRecording = 'Enabled' + ChannelRecordingDownload = 'Allow' + ConnectToMeetingControls = 'Enabled' + ContentSharingInExternalMeetings = 'EnabledForAnyone' + Copilot = 'EnabledWithTranscript' + CopyRestriction = $True + DetectSensitiveContentDuringScreenSharing = $True + ExternalMeetingJoin = 'EnabledForAnyone' Description = $null MediaBitRateKb = 50000 + ParticipantNameChange = 'Enabled' ScreenSharingMode = 'EntireScreen' + VoiceIsolation = 'Disabled' WhoCanRegister = 'EveryoneInCompany' } } diff --git a/Tests/Unit/Stubs/Generic.psm1 b/Tests/Unit/Stubs/Generic.psm1 index 6ebc93dda5..6ad5a76fa7 100644 --- a/Tests/Unit/Stubs/Generic.psm1 +++ b/Tests/Unit/Stubs/Generic.psm1 @@ -115,7 +115,15 @@ function Update-MgServicePrincipal [Parameter()] [System.String[]] - $Tags + $Tags, + + [Parameter()] + [PSObject] + $PasswordCredentials, + + [Parameter()] + [PSObject] + $KeyCredentials ) } @@ -187,7 +195,15 @@ function New-MGServicePrincipal [Parameter()] [System.String[]] - $Tags + $Tags, + + [Parameter()] + [PSObject] + $PasswordCredentials, + + [Parameter()] + [PSObject] + $KeyCredentials ) } diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index f2481bb673..ca9735f0a7 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 
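Review bot: `$PasswordCredentials` and `$KeyCredentials` are declared `[PSObject]` in both `Update-MgServicePrincipal` and `New-MGServicePrincipal`, while the resource (per the `AADServicePrincipal` changelog entry) passes collections of credential objects; typing them `[PSObject[]]` in the stub would let a unit test catch a caller that accidentally passes a single object or an unrolled pipeline instead of the full set. Because these parameters now carry secret material for service principals, the tests that exercise them should also assert on what is passed, for example `Should -Invoke -CommandName Update-MgServicePrincipal -ParameterFilter { $PasswordCredentials.Count -eq 1 }`, rather than only that the call happened.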
@@ -1148,6 +1148,31 @@ function Get-SweepRule $ResultSize ) } +function New-ServicePrincipal +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.String] + $ObjectId, + + [Parameter()] + [System.String] + $ServiceId, + + [Parameter()] + [System.String] + $AppId + ) +} function New-SweepRule { [CmdletBinding()] @@ -1197,6 +1222,19 @@ function New-SweepRule $Enabled ) } +function Remove-ServicePrincipal +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Object] + $Identity + ) +} function Remove-SweepRule { [CmdletBinding()] @@ -1214,6 +1252,23 @@ function Remove-SweepRule $Identity ) } +function Set-ServicePrincipal +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Object] + $Identity + ) +} function Set-SweepRule { [CmdletBinding()] @@ -4243,6 +4298,19 @@ function Get-ServicePrincipal $Organization ) } +function Get-ServicePrincipal +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Object] + $Organization + ) +} function Get-SharingPolicy { [CmdletBinding()] 
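Review bot: The `@@ -4243` hunk adds a second `function Get-ServicePrincipal` immediately below an existing `Get-ServicePrincipal` whose closing `$Organization ) }` is visible as context; in a .psm1 the later definition silently replaces the earlier one, so either drop the new copy or merge any parameter it needs into the existing definition. The new `New-ServicePrincipal`, `Remove-ServicePrincipal` and `Set-ServicePrincipal` stubs are otherwise consistent with the file (Allman braces, `$Confirm` as `SwitchParameter`), which is the style the later stubs in this change should follow as well.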
@@ -18655,6 +18723,45 @@ function Get-MgBetaDeviceManagement $Break ) } + +function Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting { + [CmdletBinding()] + param ( + [Parameter()] + [System.String] + $AndroidManagedStoreAccountEnterpriseSettingsId, + + [Parameter()] + [System.String] + $BindStatus, + + [Parameter()] + [System.String] + $OwnerUserPrincipalName, + + [Parameter()] + [System.String] + $OwnerOrganizationName, + + [Parameter()] + [System.String] + $EnrollmentTarget, + + [Parameter()] + [System.Boolean] + $DeviceOwnerManagementEnabled, + + [Parameter()] + [System.Boolean] + $AndroidDeviceOwnerFullyManagedEnrollmentEnabled, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present' + ) +} + function Get-MgBetaDeviceManagementAssignmentFilter { [CmdletBinding()] 
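Review bot: `Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting` declares `[ValidateSet('Present', 'Absent')] $Ensure = 'Present'`, which is a DSC resource parameter rather than a parameter of the Graph cmdlet; a stub that accepts `-Ensure` lets a resource pass it through to the mock without anyone noticing that the real cmdlet would reject it. `$BindStatus`, `$OwnerUserPrincipalName`, `$OwnerOrganizationName`, `$EnrollmentTarget` and the two `$...Enabled` booleans also read as properties of the returned object rather than inputs to a Get cmdlet; suggest keeping only the id and query parameters here. Brace placement (`{` on the function line, `param (`) differs from the Allman layout of the neighbouring `Get-MgBetaDeviceManagement` and `Get-MgBetaDeviceManagementAssignmentFilter` stubs.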
@@ -19129,84 +19236,19 @@ function Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementDeviceCategory -{ +function Get-MgBetaDeviceManagementDataSharingConsent { [CmdletBinding()] - param( - [Parameter()] - [System.String[]] - $Property, - - [Parameter()] - [System.String] - $DeviceCategoryId, - - [Parameter()] - [PSObject] - $InputObject, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.Int32] - $PageSize, - - [Parameter()] - [PSObject] - $HttpPipelinePrepend, - - [Parameter()] - [System.Int32] - $Skip, - - [Parameter()] - [System.Int32] - $Top, - - [Parameter()] - [System.String] - $CountVariable, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.String[]] - $Sort, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, - - [Parameter()] - [System.String] - $Filter, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - + param ( [Parameter()] [System.String] - $Search, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [System.String[]] - $ExpandProperty, + $DataSharingConsentId, [Parameter()] - [PSObject] - $HttpPipelineAppend + [System.Boolean] + $Granted ) } -function Get-MgBetaDeviceManagementDeviceCompliancePolicy +function Get-MgBetaDeviceManagementDeviceCategory { [CmdletBinding()] param( 
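Review bot: The `@@ -19129` hunk inserts `Get-MgBetaDeviceManagementDataSharingConsent` into the middle of the existing block, so the diff renders as the deletion of `Get-MgBetaDeviceManagementDeviceCategory`'s entire parameter list and its re-addition under a different name, which makes it hard to confirm that every parameter survived the shuffle (the `$DeviceCategoryId` line, for instance, reappears in the next hunk). Inserting the new stub after the block instead would give a purely additive hunk. The new stub also puts `{` on the function line unlike its neighbours, and `$Granted` appears to be a property of the consent object rather than a cmdlet parameter.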
@@ -19214,82 +19256,9 @@ function Get-MgBetaDeviceManagementDeviceCompliancePolicy [System.String[]] $Property, - [Parameter()] - [PSObject] - $InputObject, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.Int32] - $PageSize, - - [Parameter()] - [PSObject] - $HttpPipelinePrepend, - - [Parameter()] - [System.Int32] - $Skip, - - [Parameter()] - [System.Int32] - $Top, - - [Parameter()] - [System.String] - $CountVariable, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.String[]] - $Sort, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, - - [Parameter()] - [System.String] - $Filter, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [System.String] - $Search, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [System.String[]] - $ExpandProperty, - - [Parameter()] - [PSObject] - $HttpPipelineAppend, - [Parameter()] [System.String] - $DeviceCompliancePolicyId - ) -} -function Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -{ - [CmdletBinding()] - param( - [Parameter()] - [System.String[]] - $Property, + $DeviceCategoryId, [Parameter()] [PSObject] @@ -19320,17 +19289,13 @@ function Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment $CountVariable, [Parameter()] - [System.String] - $DeviceCompliancePolicyAssignmentId, + [System.Uri] + $Proxy, [Parameter()] [System.String[]] $Sort, - [Parameter()] - [System.Uri] - $Proxy, - [Parameter()] [System.Management.Automation.SwitchParameter] $All, 
@@ -19357,14 +19322,168 @@ function Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment [Parameter()] [PSObject] - $HttpPipelineAppend, - - [Parameter()] - [System.String] - $DeviceCompliancePolicyId + $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementDeviceConfiguration +function Get-MgBetaDeviceManagementDeviceCompliancePolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.String] + $DeviceCompliancePolicyId + ) +} +function Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.String] + 
$DeviceCompliancePolicyAssignmentId, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.String] + $DeviceCompliancePolicyId + ) +} +function Get-MgBetaDeviceManagementDeviceConfiguration { [CmdletBinding()] param( @@ -19736,6 +19855,19 @@ function Get-MgBetaDeviceManagementDerivedCredential { ) } +function Remove-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting { + [CmdletBinding()] + param ( + [Parameter(Mandatory = $true)] + [System.String] + $AndroidManagedStoreAccountEnterpriseSettingsId, + + [Parameter()] + [System.Boolean] + $Confirm = $true + ) +} + function Remove-MgBetaDeviceManagementDerivedCredential { [CmdletBinding()] 
@@ -27610,133 +27742,371 @@ function Update-MgBetaRoleManagement $DeviceManagement ) } -#endregion -#region Microsoft.Graph.Beta.Identity.DirectoryManagement -function Get-MgBetaDevice + +function Get-MgBetaDeviceManagementMobileThreatDefenseConnector { [CmdletBinding()] param( [Parameter()] - [System.String[]] - $Property, + [System.String] + $MobileThreatDefenseConnectorId, [Parameter()] - [PSObject] - $InputObject, + [System.String] + $DisplayName, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.Boolean] + $AllowPartnerToCollectIosApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosPersonalApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AndroidDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $AndroidEnabled, + + [Parameter()] + [System.Boolean] + $AndroidMobileApplicationManagementEnabled, + + [Parameter()] + [System.Boolean] + $IosDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $IosEnabled, + + [Parameter()] + [System.Boolean] + $IosMobileApplicationManagementEnabled, + + [Parameter()] + [System.DateTime] + $LastHeartbeatDateTime, + + [Parameter()] + [System.Boolean] + $MicrosoftDefenderForEndpointAttachEnabled, [Parameter()] [System.String] - $DeviceId, + $PartnerState, [Parameter()] [System.Int32] - $PageSize, + $PartnerUnresponsivenessThresholdInDays, [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.Boolean] + $PartnerUnsupportedOSVersionBlocked, [Parameter()] - [System.Int32] - $Skip, + [System.Boolean] + $WindowsDeviceBlockedOnMissingPartnerData, [Parameter()] - [System.Int32] - $Top, + [System.Boolean] + $WindowsEnabled + ) +} +function New-MgBetaDeviceManagementMobileThreatDefenseConnector +{ + [CmdletBinding()] + param( [Parameter()] [System.String] - $CountVariable, + $MobileThreatDefenseConnectorId, [Parameter()] - [System.Uri] - $Proxy, + [System.String] + $DisplayName, [Parameter()] - 
[System.String[]] - $Sort, + [System.Boolean] + $AllowPartnerToCollectIosApplicationMetadata, [Parameter()] - [System.String] - $ConsistencyLevel, + [System.Boolean] + $AllowPartnerToCollectIosPersonalApplicationMetadata, [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, + [System.Boolean] + $AndroidDeviceBlockedOnMissingPartnerData, [Parameter()] - [System.String] - $Filter, + [System.Boolean] + $AndroidEnabled, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.Boolean] + $AndroidMobileApplicationManagementEnabled, + + [Parameter()] + [System.Boolean] + $IosDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $IosEnabled, + + [Parameter()] + [System.Boolean] + $IosMobileApplicationManagementEnabled, + + [Parameter()] + [System.DateTime] + $LastHeartbeatDateTime, + + [Parameter()] + [System.Boolean] + $MicrosoftDefenderForEndpointAttachEnabled, [Parameter()] [System.String] - $Search, + $PartnerState, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, + [System.Int32] + $PartnerUnresponsivenessThresholdInDays, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.Boolean] + $PartnerUnsupportedOSVersionBlocked, [Parameter()] - [PSObject] - $HttpPipelineAppend + [System.Boolean] + $WindowsDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $WindowsEnabled ) } -function Get-MgBetaDirectory + +function Update-MgBetaDeviceManagementMobileThreatDefenseConnector { [CmdletBinding()] param( [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.String] + $MobileThreatDefenseConnectorId, [Parameter()] - [System.Uri] - $Proxy, + [System.String] + $DisplayName, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.Boolean] + $AllowPartnerToCollectIosApplicationMetadata, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.Boolean] + 
$AllowPartnerToCollectIosPersonalApplicationMetadata, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.Boolean] + $AndroidDeviceBlockedOnMissingPartnerData, [Parameter()] - [System.String[]] - $Property, + [System.Boolean] + $AndroidEnabled, [Parameter()] - [PSObject] - $HttpPipelineAppend, + [System.Boolean] + $AndroidMobileApplicationManagementEnabled, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break + [System.Boolean] + $IosDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $IosEnabled, + + [Parameter()] + [System.Boolean] + $IosMobileApplicationManagementEnabled, + + [Parameter()] + [System.DateTime] + $LastHeartbeatDateTime, + + [Parameter()] + [System.Boolean] + $MicrosoftDefenderForEndpointAttachEnabled, + + [Parameter()] + [System.String] + $PartnerState, + + [Parameter()] + [System.Int32] + $PartnerUnresponsivenessThresholdInDays, + + [Parameter()] + [System.Boolean] + $PartnerUnsupportedOSVersionBlocked, + + [Parameter()] + [System.Boolean] + $WindowsDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $WindowsEnabled ) } -function Get-MgBetaDirectoryAdministrativeUnit + +function Remove-MgBetaDeviceManagementMobileThreatDefenseConnector { [CmdletBinding()] param( [Parameter()] [System.String] - $AdministrativeUnitId, + $MobileThreatDefenseConnectorId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +#endregion + +#region Microsoft.Graph.Beta.Identity.DirectoryManagement +function Get-MgBetaDevice +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.String] + $DeviceId, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + 
[System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.String] + $ConsistencyLevel, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaDirectory +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Get-MgBetaDirectoryAdministrativeUnit +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $AdministrativeUnitId, [Parameter()] [System.String[]] 
@@ -35030,198 +35400,118 @@ function Update-MgBetaRoleManagementDirectoryRoleDefinition } #endregion #region Microsoft.Graph.Beta.Identity.SignIns -function Get-MgBetaIdentityConditionalAccess + +#region Microsoft.Graph.Authentication +function Get-MgBetaIdentityUserFlowAttribute { [CmdletBinding()] param( [Parameter()] - [PSObject] - $HttpPipelinePrepend, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.String[]] - $ExpandProperty, - - [Parameter()] - [System.String[]] - $Property, + [System.String] + $IdentityUserFlowAttributeId, [Parameter()] - [PSObject] - $HttpPipelineAppend, + [System.String] + $Filter, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break + [System.String] + $Sort ) } -function Get-MgBetaIdentityConditionalAccessAuthenticationContextClassReference +function New-MgBetaIdentityUserFlowAttribute { [CmdletBinding()] param( - [Parameter()] - [System.String[]] - $Property, - - [Parameter()] - [PSObject] - $InputObject, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.Int32] - $PageSize, - - [Parameter()] - [PSObject] - $HttpPipelinePrepend, - - [Parameter()] - [System.Int32] - $Skip, - - [Parameter()] - [System.Int32] - $Top, - [Parameter()] [System.String] - $CountVariable, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.String[]] - $Sort, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, + $DataType, [Parameter()] [System.String] - $Filter, + $Description, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - + [System.String] + $DisplayName + ) +} +function Update-MgBetaIdentityUserFlowAttribute +{ + [CmdletBinding()] + param( [Parameter()] [System.String] - $Search, + 
$DataType, [Parameter()] [System.String] - $AuthenticationContextClassReferenceId, + $Description, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, + [System.String] + $DisplayName, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.String] + $IdentityUserFlowAttributeId, [Parameter()] - [PSObject] - $HttpPipelineAppend + [System.String] + $Id ) } -function Get-MgBetaIdentityConditionalAccessNamedLocation +function Remove-MgBetaIdentityUserFlowAttribute { [CmdletBinding()] param( - [Parameter()] - [System.String] - $NamedLocationId, - - [Parameter()] - [System.String[]] - $Property, [Parameter()] - [PSObject] - $InputObject, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.String] + $IdentityUserFlowAttributeId + ) +} +#endregion - [Parameter()] - [System.Int32] - $PageSize, +function Get-MgBetaIdentityConditionalAccess +{ + [CmdletBinding()] + param( [Parameter()] [PSObject] $HttpPipelinePrepend, - [Parameter()] - [System.Int32] - $Skip, - - [Parameter()] - [System.Int32] - $Top, - - [Parameter()] - [System.String] - $CountVariable, - [Parameter()] [System.Uri] $Proxy, - [Parameter()] - [System.String[]] - $Sort, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, - - [Parameter()] - [System.String] - $Filter, - [Parameter()] [System.Management.Automation.PSCredential] $ProxyCredential, - [Parameter()] - [System.String] - $Search, - [Parameter()] [System.Management.Automation.SwitchParameter] - $Break, + $ProxyUseDefaultCredentials, [Parameter()] [System.String[]] $ExpandProperty, + [Parameter()] + [System.String[]] + $Property, + [Parameter()] [PSObject] - $HttpPipelineAppend + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break ) } -function Get-MgBetaIdentityConditionalAccessPolicy +function Get-MgBetaIdentityConditionalAccessAuthenticationContextClassReference { [CmdletBinding()] param( 
@@ -35249,10 +35539,6 @@ function Get-MgBetaIdentityConditionalAccessPolicy [System.Int32] $Skip, - [Parameter()] - [System.String] - $ConditionalAccessPolicyId, - [Parameter()] [System.Int32] $Top, @@ -35285,6 +35571,10 @@ function Get-MgBetaIdentityConditionalAccessPolicy [System.String] $Search, + [Parameter()] + [System.String] + $AuthenticationContextClassReferenceId, + [Parameter()] [System.Management.Automation.SwitchParameter] $Break, @@ -35298,13 +35588,13 @@ function Get-MgBetaIdentityConditionalAccessPolicy $HttpPipelineAppend ) } -function Get-MgBetaIdentityProvider +function Get-MgBetaIdentityConditionalAccessNamedLocation { [CmdletBinding()] param( [Parameter()] [System.String] - $IdentityProviderBaseId, + $NamedLocationId, [Parameter()] [System.String[]] @@ -35375,7 +35665,7 @@ function Get-MgBetaIdentityProvider $HttpPipelineAppend ) } -function Get-MgBetaOauth2PermissionGrant +function Get-MgBetaIdentityConditionalAccessPolicy { [CmdletBinding()] param( @@ -35383,10 +35673,6 @@ function Get-MgBetaOauth2PermissionGrant [System.String[]] $Property, - [Parameter()] - [System.String] - $OAuth2PermissionGrantId, - [Parameter()] [PSObject] $InputObject, @@ -35407,6 +35693,10 @@ function Get-MgBetaOauth2PermissionGrant [System.Int32] $Skip, + [Parameter()] + [System.String] + $ConditionalAccessPolicyId, + [Parameter()] [System.Int32] $Top, @@ -35452,7 +35742,7 @@ function Get-MgBetaOauth2PermissionGrant $HttpPipelineAppend ) } -function Get-MgBetaPolicyAuthenticationMethodPolicy +function Get-MgBetaPolicyAccessReviewPolicy { [CmdletBinding()] param( 
@@ -35468,108 +35758,43 @@ function Get-MgBetaPolicyAuthenticationMethodPolicy [System.Management.Automation.PSCredential] $ProxyCredential, - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - [Parameter()] [System.String[]] $ExpandProperty, [Parameter()] - [System.String[]] - $Property, + [System.String] + $ResponseHeadersVariable, [Parameter()] [PSObject] $HttpPipelineAppend, - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break - ) -} -function Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -{ - [CmdletBinding()] - param( - [Parameter()] - [System.String[]] - $Property, - - [Parameter()] - [PSObject] - $InputObject, - [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, [Parameter()] - [System.Int32] - $PageSize, - - [Parameter()] - [PSObject] - $HttpPipelinePrepend, - - [Parameter()] - [System.Int32] - $Skip, - - [Parameter()] - [System.Int32] - $Top, - - [Parameter()] - [System.String] - $CountVariable, - - [Parameter()] - [System.Uri] - $Proxy, + [System.Collections.IDictionary] + $Headers, [Parameter()] [System.String[]] - $Sort, - - [Parameter()] - [System.String] - $AuthenticationMethodConfigurationId, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, - - [Parameter()] - [System.String] - $Filter, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [System.String] - $Search, + $Property, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [System.String[]] - $ExpandProperty, - - [Parameter()] - [PSObject] - $HttpPipelineAppend + $Break ) } -function Get-MgBetaPolicyAuthenticationStrengthPolicy +function Get-MgBetaIdentityProvider { [CmdletBinding()] param( + [Parameter()] + [System.String] + $IdentityProviderBaseId, + [Parameter()] [System.String[]] $Property, 
@@ -35590,10 +35815,6 @@ function Get-MgBetaPolicyAuthenticationStrengthPolicy [PSObject] $HttpPipelinePrepend, - [Parameter()] - [System.String] - $AuthenticationStrengthPolicyId, - [Parameter()] [System.Int32] $Skip, @@ -35643,7 +35864,7 @@ function Get-MgBetaPolicyAuthenticationStrengthPolicy $HttpPipelineAppend ) } -function Get-MgBetaPolicyAuthorizationPolicy +function Get-MgBetaOauth2PermissionGrant { [CmdletBinding()] param( @@ -35652,12 +35873,12 @@ function Get-MgBetaPolicyAuthorizationPolicy $Property, [Parameter()] - [PSObject] - $InputObject, + [System.String] + $OAuth2PermissionGrantId, [Parameter()] - [System.String] - $AuthorizationPolicyId, + [PSObject] + $InputObject, [Parameter()] [System.Management.Automation.SwitchParameter] @@ -35720,44 +35941,7 @@ function Get-MgBetaPolicyAuthorizationPolicy $HttpPipelineAppend ) } -function Get-MgBetaPolicyCrossTenantAccessPolicy -{ - [CmdletBinding()] - param( - [Parameter()] - [PSObject] - $HttpPipelinePrepend, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.String[]] - $ExpandProperty, - - [Parameter()] - [System.String[]] - $Property, - - [Parameter()] - [PSObject] - $HttpPipelineAppend, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break - ) -} -function Get-MgBetaPolicyCrossTenantAccessPolicyDefault +function Get-MgBetaPolicyAuthenticationMethodPolicy { [CmdletBinding()] param( @@ -35794,7 +35978,7 @@ function Get-MgBetaPolicyCrossTenantAccessPolicyDefault $Break ) } -function Get-MgBetaPolicyCrossTenantAccessPolicyPartner +function Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration { [CmdletBinding()] param( 
@@ -35822,10 +36006,6 @@ function Get-MgBetaPolicyCrossTenantAccessPolicyPartner [System.Int32] $Skip, - [Parameter()] - [System.String] - $CrossTenantAccessPolicyConfigurationPartnerTenantId, - [Parameter()] [System.Int32] $Top, @@ -35842,6 +36022,10 @@ function Get-MgBetaPolicyCrossTenantAccessPolicyPartner [System.String[]] $Sort, + [Parameter()] + [System.String] + $AuthenticationMethodConfigurationId, + [Parameter()] [System.Management.Automation.SwitchParameter] $All, @@ -35871,81 +36055,7 @@ function Get-MgBetaPolicyCrossTenantAccessPolicyPartner $HttpPipelineAppend ) } -function Get-MgBetaPolicyExternalIdentityPolicy -{ - [CmdletBinding()] - param( - [Parameter()] - [PSObject] - $HttpPipelinePrepend, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.String[]] - $ExpandProperty, - - [Parameter()] - [System.String[]] - $Property, - - [Parameter()] - [PSObject] - $HttpPipelineAppend, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break - ) -} -function Get-MgBetaPolicyIdentitySecurityDefaultEnforcementPolicy -{ - [CmdletBinding()] - param( - [Parameter()] - [PSObject] - $HttpPipelinePrepend, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.String[]] - $ExpandProperty, - - [Parameter()] - [System.String[]] - $Property, - - [Parameter()] - [PSObject] - $HttpPipelineAppend, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break - ) -} -function Get-MgBetaPolicyRoleManagementPolicy +function Get-MgBetaPolicyAuthenticationStrengthPolicy { [CmdletBinding()] param( 
@@ -35970,12 +36080,391 @@ function Get-MgBetaPolicyRoleManagementPolicy $HttpPipelinePrepend, [Parameter()] - [System.Int32] - $Skip, + [System.String] + $AuthenticationStrengthPolicyId, [Parameter()] - [System.String] - $UnifiedRoleManagementPolicyId, + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaPolicyAuthorizationPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $AuthorizationPolicyId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] 
+ $HttpPipelineAppend + ) +} +function Get-MgBetaPolicyCrossTenantAccessPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Get-MgBetaPolicyCrossTenantAccessPolicyDefault +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Get-MgBetaPolicyCrossTenantAccessPolicyPartner +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String] + $CrossTenantAccessPolicyConfigurationPartnerTenantId, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + 
[System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaPolicyExternalIdentityPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Get-MgBetaPolicyIdentitySecurityDefaultEnforcementPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Get-MgBetaPolicyRoleManagementPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + 
[PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String] + $UnifiedRoleManagementPolicyId, [Parameter()] [System.Int32] @@ -37799,6 +38288,71 @@ function Update-MgBetaPolicyAuthenticationStrengthPolicyAllowedCombination $Break ) } +function Update-MgBetaPolicyAccessReviewPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsGroupOwnerManagementEnabled, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} function Update-MgBetaPolicyAuthorizationPolicy { [CmdletBinding()] @@ -97979,16 +98533,15 @@ function Invoke-PnPSPRestMethod $Content ) } - -#region MgBetaIdentityB2XUserFlow -function Get-MgBetaIdentityB2XUserFlow +#region MgBetaNetworkAccessForwardingProfile +function Get-MgBetaNetworkAccessForwardingProfile { [CmdletBinding()] param ( [Parameter()] [System.String] - $B2XIdentityUserFlowId, + $ForwardingProfileId, [Parameter()] [PSObject] 
@@ -98068,11 +98621,19 @@ function Get-MgBetaIdentityB2XUserFlow ) } -function New-MgBetaIdentityB2XUserFlow +function Update-MgBetaNetworkAccessForwardingProfile { [CmdletBinding()] param ( + [Parameter()] + [System.String] + $ForwardingProfileId, + + [Parameter()] + [PSObject] + $InputObject, + [Parameter()] [PSObject] $BodyParameter, @@ -98086,36 +98647,48 @@ function New-MgBetaIdentityB2XUserFlow $AdditionalProperties, [Parameter()] - [PSObject] - $ApiConnectorConfiguration, + [PSObject[]] + $Associations, + + [Parameter()] + [System.String] + $Description, [Parameter()] [System.String] $Id, [Parameter()] - [PSObject[]] - $IdentityProviders, + [System.DateTime] + $LastModifiedDateTime, [Parameter()] - [PSObject[]] - $Languages, + [System.String] + $Name, [Parameter()] [PSObject[]] - $UserAttributeAssignments, + $Policies, [Parameter()] - [PSObject[]] - $UserFlowIdentityProviders, + [System.Int32] + $Priority, + + [Parameter()] + [PSObject] + $ServicePrincipal, [Parameter()] [System.String] - $UserFlowType, + $State, [Parameter()] - [System.Single] - $UserFlowTypeVersion, + [System.String] + $TrafficForwardingType, + + [Parameter()] + [System.String] + $Version, [Parameter()] [System.Management.Automation.SwitchParameter] 
@@ -98151,19 +98724,73 @@ function New-MgBetaIdentityB2XUserFlow ) } -function Remove-MgBetaIdentityB2XUserFlow +#endregion + +#region MgBetaNetworkAccessForwardingPolicy +function Get-MgBetaNetworkAccessForwardingPolicy { [CmdletBinding()] - param - ( + param( [Parameter()] [System.String] - $B2XIdentityUserFlowId, + $ForwardingPolicyId, + + [Parameter()] + [System.String[]] + $Property, [Parameter()] [PSObject] $InputObject, + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + [Parameter()] [System.String] $ResponseHeadersVariable, 
@@ -98172,96 +98799,594 @@ function Remove-MgBetaIdentityB2XUserFlow [System.Management.Automation.SwitchParameter] $Break, + [Parameter()] + [System.String[]] + $ExpandProperty, + [Parameter()] [System.Collections.IDictionary] $Headers, [Parameter()] - [PSObject[]] - $HttpPipelineAppend, + [PSObject] + $HttpPipelineAppend + ) +} +function New-MgBetaNetworkAccessForwardingPolicyRule +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $ForwardingPolicyId, [Parameter()] - [PSObject[]] - $HttpPipelinePrepend, + [System.String] + $Name, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, [Parameter()] [System.Management.Automation.SwitchParameter] - $PassThru, + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [PSObject] + $InputObject, [Parameter()] [System.Uri] $Proxy, + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + [Parameter()] [System.Management.Automation.PSCredential] $ProxyCredential, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.String] + $ResponseHeadersVariable, [Parameter()] [System.Management.Automation.SwitchParameter] - $Confirm + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend ) } - -function Update-MgBetaIdentityB2XUserFlow +function Remove-MgBetaNetworkAccessForwardingPolicyRule { [CmdletBinding()] - param - ( - [Parameter()] - [System.String] - $B2XIdentityUserFlowId, - + param( [Parameter()] [PSObject] $InputObject, [Parameter()] [PSObject] - $BodyParameter, + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] 
+ [System.String] + $ForwardingPolicyId, + + [Parameter()] + [System.String] + $IfMatch, [Parameter()] [System.String] $ResponseHeadersVariable, [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, + [System.Management.Automation.SwitchParameter] + $Confirm, [Parameter()] [PSObject] - $ApiConnectorConfiguration, + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, [Parameter()] [System.String] - $Id, + $PolicyRuleId, [Parameter()] - [PSObject[]] - $IdentityProviders, + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion +#region MgBetaNetworkAccessForwardingProfilePolicy +function Get-MgBetaNetworkAccessForwardingProfilePolicy +{ + [CmdletBinding()] + param + ( [Parameter()] - [PSObject[]] - $Languages, + [System.String] + $ForwardingProfileId, [Parameter()] - [PSObject[]] - $UserAttributeAssignments, + [PSObject] + $InputObject, [Parameter()] - [PSObject[]] - $UserFlowIdentityProviders, + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, [Parameter()] [System.String] - $UserFlowType, + $Filter, [Parameter()] - [System.Single] - $UserFlowTypeVersion, + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + 
[Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function Update-MgBetaNetworkAccessForwardingProfilePolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $ForwardingProfileId, + + [Parameter()] + [System.String] + $PolicyLinkId , + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [System.String] + $Version, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +#endregion + +#region MgBetaIdentityB2XUserFlow +function Get-MgBetaIdentityB2XUserFlow +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + 
[System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaIdentityB2XUserFlow +{ + [CmdletBinding()] + param + ( + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject] + $ApiConnectorConfiguration, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [PSObject[]] + $IdentityProviders, + + [Parameter()] + [PSObject[]] + $Languages, + + [Parameter()] + [PSObject[]] + $UserAttributeAssignments, + + [Parameter()] + [PSObject[]] + $UserFlowIdentityProviders, + + [Parameter()] + [System.String] + $UserFlowType, + + [Parameter()] + [System.Single] + $UserFlowTypeVersion, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaIdentityB2XUserFlow +{ + [CmdletBinding()] + param + ( + 
[Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaIdentityB2XUserFlow +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject] + $ApiConnectorConfiguration, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [PSObject[]] + $IdentityProviders, + + [Parameter()] + [PSObject[]] + $Languages, + + [Parameter()] + [PSObject[]] + $UserAttributeAssignments, + + [Parameter()] + [PSObject[]] + $UserFlowIdentityProviders, + + [Parameter()] + [System.String] + $UserFlowType, + + [Parameter()] + [System.Single] + $UserFlowTypeVersion, [Parameter()] [System.Management.Automation.SwitchParameter] 
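Review bot: the type of the HTTP pipeline parameters becomes inconsistent within this hunk. The existing `[PSObject[]] $HttpPipelineAppend` is changed to `[PSObject] $HttpPipelineAppend`, and the new `New-`/`Remove-MgBetaNetworkAccessForwardingPolicyRule` stubs declare `$HttpPipelineAppend`/`$HttpPipelinePrepend` as `[PSObject]`, while `Get-`/`Update-MgBetaNetworkAccessForwardingProfilePolicy` and the re-added `MgBetaIdentityB2XUserFlow` stubs a few lines below keep `[PSObject[]]`. These stubs exist so that `Mock` can bind the same parameters the real Graph cmdlets take, so pick one declaration (the existing stubs in this file use `[PSObject[]]`) and apply it to the new functions as well. Two smaller points in the same hunk: `$PolicyLinkId ,` in `Update-MgBetaNetworkAccessForwardingProfilePolicy` has a stray space before the comma, and the new functions mix `param(` on one line with the file's `param` followed by `(` on the next line; running the repository's formatter over the new region would settle both. Finally, this hunk deletes only the old `Remove-`/`Update-MgBetaIdentityB2XUserFlow` bodies but re-adds all four B2X functions under a new `#region MgBetaIdentityB2XUserFlow`, so please confirm that the old `Get-`/`New-MgBetaIdentityB2XUserFlow` definitions above it are gone too; a duplicate function definition in a stub module is silently resolved to whichever copy is loaded last.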
@@ -99028,3 +100153,2491 @@ function Invoke-MgBetaUploadIdentityApiConnectorClientCertificate } #endregion +#region MgBetaPolicyHomeRealmDiscoveryPolicy +function Get-MgBetaPolicyHomeRealmDiscoveryPolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $HomeRealmDiscoveryPolicyId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaPolicyHomeRealmDiscoveryPolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.Collections.Hashtable] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $AppliesTo, + + [Parameter()] + [System.String[]] + $Definition, + + [Parameter()] + [System.DateTime] + $DeletedDateTime, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + 
[System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsOrganizationDefault, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaPolicyHomeRealmDiscoveryPolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $HomeRealmDiscoveryPolicyId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaPolicyHomeRealmDiscoveryPolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $HomeRealmDiscoveryPolicyId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Collections.Hashtable] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + 
$AdditionalProperties, + + [Parameter()] + [PSObject[]] + $AppliesTo, + + [Parameter()] + [System.String[]] + $Definition, + + [Parameter()] + [System.DateTime] + $DeletedDateTime, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsOrganizationDefault, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +#endregion + +#region Microsoft.Graph.Authentication +function Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $AndroidDeviceOwnerEnrollmentProfileId, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + 
[System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $WifiSecurityType, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $WifiSsid, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ConfigureWifi, + + [Parameter()] + [System.String] + $TokenValue, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.DateTime] + $TokenCreationDateTime, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $WifiHidden, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $WifiPassword, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $EnrollmentMode, + + [Parameter()] + [PSObject] + $QrCodeImage, + + [Parameter()] + [System.String] + $AccountId, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.DateTime] + $TokenExpirationDateTime, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Int32] + $EnrolledDeviceCount, + + [Parameter()] + [PSObject] + $EnrollmentTokenType, + + [Parameter()] + [System.String] + $QrCodeContent, + + 
[Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Int32] + $EnrollmentTokenUsageCount, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsTeamsDeviceProfile, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $AndroidDeviceOwnerEnrollmentProfileId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion + +function Get-AzResourceGroup +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Id + ) +} + +#region Microsoft.Graph.Authentication +function Set-PolicyConfig +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Object[]] + $DlpAppGroups, + + [Parameter()] + [System.Object] + $OnPremisesWorkload, + + [Parameter()] + [System.Boolean] + $EnableAdvancedRuleBuilder, + + [Parameter()] + [System.Object[]] + $DlpAppGroupsPsws, + + [Parameter()] + [System.Boolean] + 
$ReservedForFutureUse, + + [Parameter()] + [System.Boolean] + $EnableSpoAipMigration, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.String] + $ComplianceUrl, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $MigrateLabelScheme, + + [Parameter()] + [System.Boolean] + $IsDlpSimulationOptedIn, + + [Parameter()] + [System.Object] + $InformationBarrierPeopleSearchRestriction, + + [Parameter()] + [System.String] + $TextExtractionConfig, + + [Parameter()] + [System.Object] + $DocumentIsUnsupportedSeverity, + + [Parameter()] + [System.Object[]] + $EndpointDlpGlobalSettingsPsws, + + [Parameter()] + [System.Object] + $ProcessingLimitExceededSeverity, + + [Parameter()] + [System.Boolean] + $ExtendTeamsDlpPoliciesToSharePointOneDrive, + + [Parameter()] + [System.Object[]] + $EndpointDlpGlobalSettings, + + [Parameter()] + [System.Boolean] + $IsEventFoldingOnDlpAlertsOptedOut, + + [Parameter()] + [System.Object] + $DlpRemovableMediaGroups, + + [Parameter()] + [System.Boolean] + $RetentionForwardCrawl, + + [Parameter()] + [System.String] + $JitEnforcementSettings, + + [Parameter()] + [System.Boolean] + $EnableLabelCoauth, + + [Parameter()] + [System.Object] + $SenderAddressLocation, + + [Parameter()] + [System.Object[]] + $SiteGroupsPsws, + + [Parameter()] + [System.Object] + $RuleErrorAction, + + [Parameter()] + [System.Boolean] + $IsDefaultMlDlpPoliciesOptedOut, + + [Parameter()] + [System.Object] + $DlpNetworkShareGroups, + + [Parameter()] + [System.Object] + $DlpExtensionGroups, + + [Parameter()] + [System.Boolean] + $PurviewLabelConsent, + + [Parameter()] + [System.Object] + $DlpPrinterGroups, + + [Parameter()] + [System.Object] + $InformationBarrierMode, + + [Parameter()] + [System.Object[]] + $SiteGroups, + + [Parameter()] + [System.Object] + $ClassificationScheme, + + [Parameter()] + [System.Boolean] + $EnableSensitivityLabelingForPdf, + + [Parameter()] + [System.String[]] + 
$MessageHeadersToRetainInOutlook + ) +} +function Get-PolicyConfig +{ + [CmdletBinding()] + param( + + ) +} +#endregion + +#region Microsoft.Graph.Authentication +function Update-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $CallbackConfiguration, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.Hashtable] + $EndpointConfiguration, + + [Parameter()] + [PSObject] + $ClientConfiguration, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [PSObject] + $CreatedBy, + + [Parameter()] + [System.String] + $CustomTaskExtensionId, + + [Parameter()] + [PSObject] + $LastModifiedBy, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function New-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $CallbackConfiguration, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + 
[System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.Hashtable] + $EndpointConfiguration, + + [Parameter()] + [PSObject] + $ClientConfiguration, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [PSObject] + $CreatedBy, + + [Parameter()] + [PSObject] + $LastModifiedBy, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Remove-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.String] + $CustomTaskExtensionId, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, 
+ + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CustomTaskExtensionId, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +#endregion +#region Microsoft.Graph.Authentication +function Get-MgBetaNetworkAccessSettingEnrichedAuditLog +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + 
[Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion +#region Microsoft.Graph.Authentication +function Get-MgBetaNetworkAccessSettingCrossTenantAccess +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Update-MgBetaNetworkAccessSettingCrossTenantAccess +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String] + $NetworkPacketTaggingStatus, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + 
[System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion +#region Microsoft.Graph.Authentication +function Get-MgBetaDeviceManagementApplePushNotificationCertificate +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Get-MgBetaDeviceManagementDataSharingConsent +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.String] + $DataSharingConsentId, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + 
[Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Update-MgBetaDeviceManagementApplePushNotificationCertificate +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $AppleIdentifier, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $CertificateUploadFailureReason, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.String] + $Certificate, + + [Parameter()] + [System.String] + $TopicIdentifier, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.DateTime] + $ExpirationDateTime, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String] + $CertificateUploadStatus, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +#endregion +#region Microsoft.Graph.Authentication +function Update-MgBetaNetworkAccessFilteringPolicyRule +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $FilteringPolicyId, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $PolicyRuleId, + + [Parameter()] + [PSObject] + 
$InputObject, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaNetworkAccessFilteringPolicyRule +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $FilteringPolicyId, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $PolicyRuleId, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function New-MgBetaNetworkAccessFilteringPolicyRule +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + 
$FilteringPolicyId, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Remove-MgBetaNetworkAccessFilteringPolicyRule +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $FilteringPolicyId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String] + $PolicyRuleId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion +#region Microsoft.Graph.Authentication +function 
Update-MgBetaNetworkAccessFilteringPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $PolicyRules, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.String] + $FilteringPolicyId, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + $Action, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $Version, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaNetworkAccessFilteringPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $FilteringPolicyId, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + 
+ [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function New-MgBetaNetworkAccessFilteringPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $PolicyRules, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + $Action, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $Version, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Remove-MgBetaNetworkAccessFilteringPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + 
[Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $FilteringPolicyId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion +#region Microsoft.Graph.Authentication +function New-MgBetaNetworkAccessFilteringProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $Policies, + + [Parameter()] + [System.Int64] + $Priority, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $Version, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $ConditionalAccessPolicies, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + 
[System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaNetworkAccessFilteringProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $FilteringProfileId, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Remove-MgBetaNetworkAccessFilteringProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + 
$Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String] + $FilteringProfileId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion +#region Microsoft.Graph.Authentication +function Get-MgBetaNetworkAccessFilteringProfilePolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $FilteringProfileId, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $PolicyLinkId, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +#endregion +#region Microsoft.Graph.Authentication +function Update-MgBetaNetworkAccessSettingConditionalAccess +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [PSObject] + 
$BodyParameter, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String] + $SignalingStatus, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties + ) +} +function Get-MgBetaNetworkAccessSettingConditionalAccess +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion diff --git a/docs/docs/resources/azure-ad/AADAccessReviewPolicy.md b/docs/docs/resources/azure-ad/AADAccessReviewPolicy.md new file mode 100644 index 0000000000..4e177d7a41 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADAccessReviewPolicy.md 
@@ -0,0 +1,85 @@ +# AADAccessReviewPolicy + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | +| **IsGroupOwnerManagementEnabled** | Write | Boolean | If true, group owners can create and manage access reviews on groups they own. | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Use this resource to monitor the access review policy object. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - Policy.Read.All + +- **Update** + + - Policy.ReadWrite.AccessReview + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADAccessReviewPolicy "AADAccessReviewPolicy" + { + IsGroupOwnerManagementEnabled = $False; + IsSingleInstance = "Yes"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md b/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md index 760138f056..6de9066a6a 100644 --- a/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md +++ b/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md 
@@ -24,6 +24,10 @@ | **ExcludeGuestOrExternalUserTypes** | Write | StringArray[] | Represents the Excluded internal guests or external user types. This is a multi-valued property. Supported values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, OtherExternalUser, serviceProvider and unknownFutureValue. | `none`, `internalGuest`, `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue` | | **ExcludeExternalTenantsMembershipKind** | Write | String | Represents the Excluded Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type. | ``, `all`, `enumerated`, `unknownFutureValue` | | **ExcludeExternalTenantsMembers** | Write | StringArray[] | Represents the Excluded collection of tenant ids in the scope of Conditional Access for guests and external users policy targeting. | | +| **IncludeServicePrincipals** | Write | StringArray[] | Service Principals in scope of the Policy. 'Attribute Definition Reader' role is needed. | | +| **ExcludeServicePrincipals** | Write | StringArray[] | Service Principals out of scope of the Policy. 'Attribute Definition Reader' role is needed. | | +| **ServicePrincipalFilterMode** | Write | String | Mode to use for the Service Principal filter. Possible values are include or exclude. 'Attribute Definition Reader' role is needed. | `include`, `exclude` | +| **ServicePrincipalFilterRule** | Write | String | Rule syntax for the Service Principal filter. 'Attribute Definition Reader' role is needed. | | | **IncludePlatforms** | Write | StringArray[] | Client Device Platforms in scope of the Policy. | | | **ExcludePlatforms** | Write | StringArray[] | Client Device Platforms out of scope of the Policy. | | | **IncludeLocations** | Write | StringArray[] | AAD Named Locations in scope of the Policy. | | 
@@ -72,21 +76,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - Agreement.Read.All, Group.Read.All, Policy.Read.All, RoleManagement.Read.Directory, User.Read.All + - Agreement.Read.All, Group.Read.All, Policy.Read.All, RoleManagement.Read.Directory, User.Read.All, CustomSecAttributeDefinition.Read.All - **Update** - - Agreement.Read.All, Group.Read.All, Policy.Read.All, Policy.ReadWrite.ConditionalAccess, RoleManagement.Read.Directory, User.Read.All + - Agreement.Read.All, Group.Read.All, Policy.Read.All, Policy.ReadWrite.ConditionalAccess, RoleManagement.Read.Directory, User.Read.All, CustomSecAttributeDefinition.Read.All #### Application permissions - **Read** - - Agreement.Read.All, Application.Read.All, Group.Read.All, Policy.Read.All, RoleManagement.Read.Directory, User.Read.All + - Agreement.Read.All, Application.Read.All, Group.Read.All, Policy.Read.All, RoleManagement.Read.Directory, User.Read.All, CustomSecAttributeDefinition.Read.All - **Update** - - Agreement.Read.All, Application.Read.All, Group.Read.All, Policy.Read.All, Policy.ReadWrite.ConditionalAccess, RoleManagement.Read.Directory, User.Read.All + - Agreement.Read.All, Application.Read.All, Group.Read.All, Policy.Read.All, Policy.ReadWrite.ConditionalAccess, RoleManagement.Read.Directory, User.Read.All, CustomSecAttributeDefinition.Read.All ## Examples diff --git a/docs/docs/resources/azure-ad/AADEnrichedAuditLogs.md b/docs/docs/resources/azure-ad/AADEnrichedAuditLogs.md new file mode 100644 index 0000000000..2784ea7750 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADEnrichedAuditLogs.md 
@@ -0,0 +1,88 @@ +# AADEnrichedAuditLogs + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | +| **Exchange** | Write | String | Accepted values are enabled or disabled. | | +| **SharePoint** | Write | String | Accepted values are enabled or disabled. | | +| **Teams** | Write | String | Accepted values are enabled or disabled. | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures advanced audit logs for Global Secure Access in Entra Id + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - NetworkAccess.Read.All + +- **Update** + + - NetworkAccess.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADEnrichedAuditLogs "AADEnrichedAuditLogs" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Exchange = "disabled"; + IsSingleInstance = "Yes"; + SharePoint = "enabled"; + Teams = "disabled"; + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADFilteringPolicy.md b/docs/docs/resources/azure-ad/AADFilteringPolicy.md new file mode 100644 index 0000000000..af159f9142 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADFilteringPolicy.md 
@@ -0,0 +1,165 @@ +# AADFilteringPolicy + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Key | String | Name of the policy. | | +| **Id** | Write | String | Unique identifier of the policy. | | +| **Description** | Write | String | Description for the policy. | | +| **Action** | Write | String | Action associated with the policy. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures filtering policies in Entra Id. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - NetworkAccess.Read.All + +- **Update** + + - NetworkAccess.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicy "AADFilteringPolicy-MyPolicy" + { + Action = "block"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicy "AADFilteringPolicy-MyPolicy" + { + Action = "allow"; #drift + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + TenantId = $TenantId; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicy "AADFilteringPolicy-MyPolicy" + { + Action = "block"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "This is a demo policy"; + Ensure = "Absent"; + Name = "MyPolicy"; + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADFilteringPolicyRule.md b/docs/docs/resources/azure-ad/AADFilteringPolicyRule.md new file mode 100644 index 0000000000..a6016b8f4d --- /dev/null +++ b/docs/docs/resources/azure-ad/AADFilteringPolicyRule.md 
@@ -0,0 +1,220 @@ +# AADFilteringPolicyRule + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Key | String | Name of the rule. | | +| **Policy** | Key | String | Name of the associated policy. | | +| **Id** | Write | String | Unique Id for the rule. | | +| **RuleType** | Write | String | Type of rule. | | +| **Destinations** | Write | MSFT_AADFilteringPolicyRuleDestination[] | List of associated destinations with the rule. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_AADFilteringPolicyRuleDestination + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **name** | Write | String | Name of the destination. | | +| **value** | Write | String | FQDN value for the destination. | | + + +## Description + +Configures filtering rules in Entra Id. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - NetworkAccess.Read.All + +- **Update** + + - NetworkAccess.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicyRule "AADFilteringPolicyRule-FQDN" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + value = 'Microsoft365DSC.com' + } + ); + Ensure = "Present"; + Name = "MyFQDN"; + Policy = "AMyPolicy"; + RuleType = "fqdn"; + TenantId = $TenantId; + } + AADFilteringPolicyRule "AADFilteringPolicyRule-Web" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + name = 'ChildAbuseImages' + } + ); + Ensure = "Present"; + Name = "MyWebContentRule"; + Policy = "MyPolicy"; + RuleType = "webCategory"; + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicyRule "AADFilteringPolicyRule-FQDN" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + value = 'contoso.com' #Drift + } + ); + Ensure = "Present"; + Name = "MyFQDN"; + Policy = "AMyPolicy"; + RuleType = "fqdn"; + TenantId = $TenantId; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicyRule "AADFilteringPolicyRule-FQDN" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + value = 'Microsoft365DSC.com' + } + ); + Ensure = "Absent"; + Name = "MyFQDN"; + Policy = "AMyPolicy"; + RuleType = "fqdn"; + TenantId = $TenantId; + } + AADFilteringPolicyRule "AADFilteringPolicyRule-Web" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + name = 'ChildAbuseImages' + } + ); + Ensure = "Absent"; + Name = "MyWebContentRule"; + Policy = "MyPolicy"; + RuleType = "webCategory"; + TenantId = $TenantId; + } + } +} +``` + 
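Review bot: In AADFilteringPolicyRule.md the FQDN rule in Example 1, 2 and 3 uses `Policy = "AMyPolicy";` while the webCategory rule right next to it uses `Policy = "MyPolicy";`. `Policy` is a Key property that is resolved to the parent filtering policy by name, so a typo here makes the rule point at a policy that does not exist; either correct it to `MyPolicy` or, if the two rules are meant to belong to different policies, pick a name that does not read like a typo. Two smaller points on the same file: `RuleType` has an empty Allowed Values column even though the examples show exactly two values (`fqdn`, `webCategory`), so list them; and the `MSFT_AADFilteringPolicyRuleDestination` table should say which field applies to which rule type, since the examples set only `value` for an fqdn rule and only `name` for a webCategory rule.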
diff --git a/docs/docs/resources/azure-ad/AADFilteringProfile.md b/docs/docs/resources/azure-ad/AADFilteringProfile.md new file mode 100644 index 0000000000..a01e747043 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADFilteringProfile.md 
@@ -0,0 +1,223 @@ +# AADFilteringProfile + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Key | String | Profile name. | | +| **Id** | Write | String | Unique identifier for the profile. | | +| **Description** | Write | String | Description of the profile. | | +| **State** | Write | String | State of the profile. | | +| **Priority** | Write | UInt32 | Priority level for the profile. | | +| **Policies** | Write | MSFT_AADFilteringProfilePolicyLink[] | List of filtering policy names associated with the profile. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_AADFilteringProfilePolicyLink + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **LoggingState** | Write | String | Logging state for the associated policy. | | +| **Priority** | Write | UInt32 | Priority of the associated policy. | | +| **State** | Write | String | State of the associated policy. | | +| **PolicyName** | Write | String | Name of the associated policy. | | + + +## Description + +Configures filtering profiles in Entra Id. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - NetworkAccess.Read.All + +- **Update** + + - NetworkAccess.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringProfile "AADFilteringProfile-My Profile" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Present"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 120; + State = "enabled"; + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringProfile "AADFilteringProfile-My Profile" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Present"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 130; #Drift + State = "enabled"; + TenantId = $TenantId; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringProfile "AADFilteringProfile-My Profile" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Absent"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 120; + State = "enabled"; + TenantId = $TenantId; + } + } +} +``` + 
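Review bot: the `Policies` row of the AADFilteringProfile table describes the parameter as a "List of filtering policy names" but its type is `MSFT_AADFilteringProfilePolicyLink[]`, a complex object carrying `PolicyName`, `Priority`, `State` and `LoggingState`; the description should say so, and the `State`/`LoggingState` rows should list `enabled`/`disabled` in Allowed Values since every example uses them. Under Permissions, "this resource required the following permissions" should read "requires" (the same template sentence appears in each of the other new resource pages in this patch). All three examples spell the key as `Name = "My PRofile"`; fix the capitalization. Example 2 differs from Example 1 only by `Priority = 130; #Drift`, yet its intro text is the same generic sentence as Example 1; state in the intro that it is the drift case, as the pairing is otherwise invisible to a reader.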
diff --git a/docs/docs/resources/azure-ad/AADHomeRealmDiscoveryPolicy.md b/docs/docs/resources/azure-ad/AADHomeRealmDiscoveryPolicy.md new file mode 100644 index 0000000000..908e738d8a --- /dev/null +++ b/docs/docs/resources/azure-ad/AADHomeRealmDiscoveryPolicy.md 
@@ -0,0 +1,209 @@ +# AADHomeRealmDiscoveryPolicy + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | Display name for this policy. Required. | | +| **Definition** | Write | MSFT_AADHomeRealDiscoveryPolicyDefinition[] | A string collection containing a complex object array that defines the rules and settings for a policy. The syntax for the definition differs for each derived policy type. Required. | | +| **IsOrganizationDefault** | Write | Boolean | If set to true, activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false. | | +| **Description** | Write | String | Description for this policy. Required. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_AADHomeRealDiscoveryPolicyDefinition + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **AccelerateToFederatedDomain** | Write | Boolean | Accelerate to Federated Domain. 
| | +| **AllowCloudPasswordValidation** | Write | Boolean | Allow cloud password validation. | | +| **AlternateIdLogin** | Write | MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin | AlternateIdLogin complex object. | | +| **PreferredDomain** | Write | String | Preffered Domain value. | | + +### MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Enabled** | Write | Boolean | Boolean for whether AlternateIdLogin is enabled. | | + + +## Description + +Azure AD Home Realm Discovery Policy + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - Policy.Read.All + +- **Update** + + - Policy.ReadWrite.ApplicationConfiguration + +#### Application permissions + +- **Read** + + - Policy.Read.All + +- **Update** + + - Policy.ReadWrite.ApplicationConfiguration + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADHomeRealmDiscoveryPolicy "AADHomeRealmDiscoveryPolicy-displayName-value" + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Present"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADHomeRealmDiscoveryPolicy "AADHomeRealmDiscoveryPolicy-displayName-value" + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $True # updating here + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Present"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. 
+It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADHomeRealmDiscoveryPolicy "AADHomeRealmDiscoveryPolicy-displayName-value" + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Absent"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.md b/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.md new file mode 100644 index 0000000000..4abd15e6eb --- /dev/null +++ b/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.md 
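Review bot: in AADHomeRealmDiscoveryPolicy.md (the hunk above), the complex class is named `MSFT_AADHomeRealDiscoveryPolicyDefinition` (missing the "m" of "Realm") in the table headings and in all three examples, while the resource itself is `AADHomeRealmDiscoveryPolicy`; if the MOF really declares `HomeReal`, the class should be renamed before this ships rather than documented with the typo. The `Definition` description, "A string collection containing a complex object array", contradicts itself; it is one or the other. `AccelerateToFederatedDomain` and `AllowCloudPasswordValidation` each get a description that only restates the property name; since these govern home realm discovery for federated domains, each row should say what enabling it changes and what the default is. Typo in the `PreferredDomain` row: "Preffered Domain value" should read "Preferred domain value". Example 2 marks its change with `# updating here` but, as with the other pages, the intro text does not say it is the drift case.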
@@ -0,0 +1,235 @@ +# AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | Display name of the custom extension. | | +| **Id** | Write | String | Unique Id of the extension. | | +| **Description** | Write | String | Description of the extension. | | +| **ClientConfiguration** | Write | MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration | Client configuration for the extension | | +| **EndpointConfiguration** | Write | MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration | Endpoint configuration for the extension | | +| **CallbackConfiguration** | Write | MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration | Callback configuration for the extension | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. 
| | + +### MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **timeoutInMilliseconds** | Write | UInt32 | The max duration in milliseconds that Microsoft Entra ID waits for a response from the external app before it shuts down the connection. The valid range is between 200 and 2000 milliseconds. Default duration is 1000. | | +| **maximumRetries** | Write | UInt32 | The max number of retries that Microsoft Entra ID makes to the external API. Values of 0 or 1 are supported. If null, the default for the service applies. | | + +### MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **logicAppWorkflowName** | Write | String | The name of the logic app. | | +| **resourceGroupName** | Write | String | The Azure resource group name for the logic app. | | +| **subscriptionId** | Write | String | Identifier of the Azure subscription for the logic app. | | +| **url** | Write | String | Url of the logic app. | | + +### MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **timeoutDuration** | Write | String | Callback time out in ISO 8601 time duration. Accepted time durations are between five minutes to three hours. For example, PT5M for five minutes and PT3H for three hours. Inherited from customExtensionCallbackConfiguration. | | +| **authorizedApps** | Write | StringArray[] | List of apps names that are allowed to resume a task processing result. | | + + +## Description + +Configures custom extensions for Lifecycle workflows in Entra id. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - LifecycleWorkflows.Read.All + +- **Update** + + - LifecycleWorkflows.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension "AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom" + { + ApplicationId = $ApplicationId; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + CertificateThumbprint = $CertificateThumbprint; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Present"; + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources 
being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension "AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Drifted Description"; # Drift + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Present"; + TenantId = $TenantId; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension "AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom" + { + ApplicationId = $ApplicationId; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + CertificateThumbprint = $CertificateThumbprint; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Absent"; + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADIdentityProtectionPolicySettings.md b/docs/docs/resources/azure-ad/AADIdentityProtectionPolicySettings.md new file mode 100644 index 0000000000..057e20c65d --- /dev/null +++ b/docs/docs/resources/azure-ad/AADIdentityProtectionPolicySettings.md 
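Review bot: in AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.md (the hunk above), the sub-class tables list properties in camelCase (`timeoutInMilliseconds`, `maximumRetries`, `timeoutDuration`, `authorizedApps`, `logicAppWorkflowName`, `resourceGroupName`, `subscriptionId`, `url`) while the examples use PascalCase for some (`TimeoutInMilliseconds`, `MaximumRetries`, `TimeoutDuration`, `AuthorizedApps`, `SubscriptionId`) and camelCase for the rest (`logicAppWorkflowName`, `resourceGroupName`, `url`); the tables should carry the casing the MOF declares and the examples should match it. The `timeoutInMilliseconds` row states a valid range of 200 to 2000 and `maximumRetries` states 0 or 1, but Allowed Values is empty for both; put the ranges there too. `authorizedApps` is the allow-list of applications permitted to resume a task, i.e. the authorization boundary of the callback, so its description should say whether entries are display names or application identifiers (the example passes `'M365DSC'`). Example 1 embeds a concrete `SubscriptionId` GUID alongside an `xxxxxxxxxxx` placeholder in `url`; use a placeholder for the subscription as well unless it is intentionally fake.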
@@ -0,0 +1,85 @@ +# AADIdentityProtectionPolicySettings + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | +| **IsUserRiskClearedOnPasswordReset** | Write | Boolean | If true, user risk is cleared on password reset. | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Use this resource to monitor the identity protection policy settings in AAD. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - Policy.Read.IdentityProtection + +- **Update** + + - Policy.ReadWrite.IdentityProtection + +#### Application permissions + +- **Read** + + - Policy.Read.IdentityProtection + +- **Update** + + - Policy.ReadWrite.IdentityProtection + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityProtectionPolicySettings "AADIdentityProtectionPolicySettings" + { + IsUserRiskClearedOnPasswordReset = $false; #drift + IsSingleInstance = "Yes"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADNetworkAccessForwardingPolicy.md b/docs/docs/resources/azure-ad/AADNetworkAccessForwardingPolicy.md new file mode 100644 index 0000000000..a2cc229b9c --- /dev/null +++ b/docs/docs/resources/azure-ad/AADNetworkAccessForwardingPolicy.md 
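Review bot: in AADIdentityProtectionPolicySettings.md (the hunk above), the only example sets `IsUserRiskClearedOnPasswordReset = $false; #drift`, so the page shows a drift case with no baseline to drift from; either add the baseline as Example 1 and keep this as Example 2 (the convention the other new pages follow) or drop the comment. The Description says the resource is used to "monitor" the settings, but `Policy.ReadWrite.IdentityProtection` is listed under Update, so it also sets them; say "configure". The `IsUserRiskClearedOnPasswordReset` row should state the tenant default so a reader knows what `$false` changes.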
@@ -0,0 +1,124 @@ +# AADNetworkAccessForwardingPolicy + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Key | String | Name of the forwarding policy | | +| **PolicyRules** | Write | MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule[] | List of rules associated to this forwarding policy. | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Write | String | Policy Rule Name. Required | | +| **ActionValue** | Write | String | Action value. | | +| **RuleType** | Write | String | Type of Rule | | +| **Ports** | Write | UInt32Array[] | List of Ports. | | +| **Protocol** | Write | String | Protocol Value | | +| **Destinations** | Write | StringArray[] | List of destinations. | | + + +## Description + +Use this resource to monitor the forwarding policy rules associated with the forwarding policies. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - NetworkAccessPolicy.Read.All + +- **Update** + + - NetworkAccessPolicy.ReadWrite.All + +#### Application permissions + +- **Read** + + - NetworkAccessPolicy.Read.All + +- **Update** + + - NetworkAccessPolicy.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADNetworkAccessForwardingPolicy "AADNetworkAccessForwardingPolicy-Custom Bypass" + { + Name = "Custom Bypass"; + PolicyRules = @( + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'fqdn' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('www.microsoft.com') + } + + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipAddress' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.168.1.1') + } + + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipSubnet' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.164.0.0/24') + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + 
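Review bot: all three rules in Example 1 use `Name = 'Custom policy internet rule'`; the `Name` row of `MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule` is marked Required and is the natural identity for matching rules during drift detection, so give each rule a distinct name or document how duplicate names are matched. `RuleType` shows `fqdn`, `ipAddress` and `ipSubnet` in the example and `ActionValue` shows `bypass`, but Allowed Values is empty for both rows (and for `Protocol`); list them. The subnet destination `'192.164.0.0/24'` sits next to `'192.168.1.1'` and reads like a typo for `192.168.0.0/24`, which matters in a rule whose `ActionValue` is `bypass`: an unintended range in a copy-pasted baseline is exactly what a reviewer should catch, so confirm the value or use an obviously fictitious one. The Description says "monitor" while `NetworkAccessPolicy.ReadWrite.All` is listed under Update; say "configure". There is no `Ensure` parameter, so the page should state that this resource cannot remove a forwarding policy.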
diff --git a/docs/docs/resources/azure-ad/AADNetworkAccessForwardingProfile.md b/docs/docs/resources/azure-ad/AADNetworkAccessForwardingProfile.md new file mode 100644 index 0000000000..6f14c1d50b --- /dev/null +++ b/docs/docs/resources/azure-ad/AADNetworkAccessForwardingProfile.md 
@@ -0,0 +1,115 @@ +# AADNetworkAccessForwardingProfile + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Key | String | Profile Name. Required. | | +| **Id** | Write | String | Id of the profile. Unique Identifier | | +| **State** | Write | String | status of the profile | | +| **Policies** | Write | MSFT_MicrosoftGraphNetworkaccessPolicyLink[] | Traffic forwarding policies associated with this profile. | | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_MicrosoftGraphNetworkaccessPolicyLink + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Write | String | Policy Name. 
Required | | +| **PolicyLinkId** | Write | String | Policy Link Id | | +| **state** | Write | String | status | | + + +## Description + +This resource configure the Azure AD Network Access Forwarding Profile + + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - NetworkAccess.Read.All + +- **Update** + + - NetworkAccess.ReadWrite.All + +#### Application permissions + +- **Read** + + - NetworkAccess.Read.All + +- **Update** + + - NetworkAccess.ReadWrite.All + +## Examples + +### Example 1 + + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName 'Microsoft365DSC' + + Node localhost + { + AADNetworkAccessForwardingProfile "AADNetworkAccessForwardingProfile-Internet traffic forwarding profile" + { + + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Name = "Internet traffic forwarding profile"; + Policies = @(MSFT_MicrosoftGraphNetworkaccessPolicyLink { + State = 'disabled' + PolicyLinkId = 'f8a43f3f-3f44-4738-8025-088bb095a711' + Name = 'Custom Bypass' + } +MSFT_MicrosoftGraphNetworkaccessPolicyLink { + State = 'enabled' + PolicyLinkId = 'b45d1db0-9965-487b-afb1-f4d25174e9db' + Name = 'Default Bypass' + } +MSFT_MicrosoftGraphNetworkaccessPolicyLink { + State = 'enabled' + PolicyLinkId = 'dfd9cd59-90ca-44fc-b997-7cc71f08e438' + Name = 'Default Acquire' + } + ); + State = "disabled"; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADNetworkAccessSettingConditionalAccess.md b/docs/docs/resources/azure-ad/AADNetworkAccessSettingConditionalAccess.md new file mode 100644 index 0000000000..8c7f703bd6 --- /dev/null 
+++ b/docs/docs/resources/azure-ad/AADNetworkAccessSettingConditionalAccess.md 
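Review bot: in AADNetworkAccessForwardingProfile.md (the hunk above), the `MSFT_MicrosoftGraphNetworkaccessPolicyLink` table lists the property as lowercase `state` described only as "status", while the example sets `State = 'disabled'`; use the declared casing and give both that row and the profile's own `State` row Allowed Values (`enabled`, `disabled` per the example). The Description "This resource configure the Azure AD Network Access Forwarding Profile" should read "configures". Example 1 is missing the intro sentence the other pages carry, the second and third `MSFT_MicrosoftGraphNetworkaccessPolicyLink` entries are indented flush-left in the middle of the array, and it hard-codes three `PolicyLinkId` GUIDs without saying where they come from or whether `Name` alone is enough to match a link; say so in the text or replace them with placeholders. The profile is `State = "disabled"` while two of its links are `enabled`; one sentence on which setting wins would save readers a support question.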
@@ -0,0 +1,84 @@ +# AADNetworkAccessSettingConditionalAccess + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | +| **SignalingStatus** | Write | String | Enable CA Signaling for Entra ID (covering all cloud apps). Accepted values are enabled or disabled. | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures the adaptive access settings in Entra Id + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - NetworkAccess.Read.All + +- **Update** + + - NetworkAccess.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADNetworkAccessSettingConditionalAccess "AADNetworkAccessSettingConditionalAccess" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + SignalingStatus = "disabled"; + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADNetworkAccessSettingCrossTenantAccess.md b/docs/docs/resources/azure-ad/AADNetworkAccessSettingCrossTenantAccess.md new file mode 100644 index 0000000000..1e5670e4df --- /dev/null +++ b/docs/docs/resources/azure-ad/AADNetworkAccessSettingCrossTenantAccess.md 
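Review bot: in AADNetworkAccessSettingConditionalAccess.md (the hunk above), the `SignalingStatus` row says "Accepted values are enabled or disabled" but leaves the Allowed Values column empty; move the two values into that column, as was done for `IsSingleInstance`, so validation is visible at a glance. The only example sets `SignalingStatus = "disabled"`, i.e. it switches the Conditional Access signalling off; a page meant as a usage reference should show the enabled case, or at least label this one as the drift/test case. "this resource required" should read "requires".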
@@ -0,0 +1,84 @@ +# AADNetworkAccessSettingCrossTenantAccess + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | +| **NetworkPacketTaggingStatus** | Write | String | Enable Tenant Restrictions for Entra ID (covering all cloud apps). Accepted values are enabled or disabled. | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures the universal tenant restrictions in Entra Id + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - NetworkAccess.Read.All + +- **Update** + + - NetworkAccess.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADNetworkAccessSettingCrossTenantAccess "AADNetworkAccessSettingCrossTenantAccess" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + NetworkPacketTaggingStatus = "enabled"; + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADServicePrincipal.md b/docs/docs/resources/azure-ad/AADServicePrincipal.md index 6e564a95c8..b181913de7 100644 --- a/docs/docs/resources/azure-ad/AADServicePrincipal.md +++ b/docs/docs/resources/azure-ad/AADServicePrincipal.md @@ -31,6 +31,8 @@ | **Credential** | Write | PSCredential | Credentials of the Azure AD Admin | | | **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | | **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | +| **PasswordCredentials** | Write | MSFT_MicrosoftGraphpasswordCredential[] | The collection of password credentials associated with the service principal. Not nullable. | | +| **KeyCredentials** | Write | MSFT_MicrosoftGraphkeyCredential[] | The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, NOT, ge, le). | | ### MSFT_AADServicePrincipalRoleAssignment 
@@ -72,6 +74,33 @@ | **AttributeSetName** | Write | String | Attribute Set Name. | | | **AttributeValues** | Write | MSFT_AADServicePrincipalAttributeValue[] | List of attribute values. | | +### MSFT_MicrosoftGraphKeyCredential + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **CustomKeyIdentifier** | Write | String | A 40-character binary type that can be used to identify the credential. Optional. When not provided in the payload, defaults to the thumbprint of the certificate. | | +| **DisplayName** | Write | String | Friendly name for the key. Optional. | | +| **EndDateTime** | Write | String | The date and time at which the credential expires. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. | | +| **KeyId** | Write | String | The unique identifier (GUID) for the key. | | +| **Key** | Write | String | The certificate's raw data in byte array converted to Base64 string. | | +| **StartDateTime** | Write | String | The date and time at which the credential becomes valid.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. | | +| **Type** | Write | String | The type of key credential for example, Symmetric, AsymmetricX509Cert. | | +| **Usage** | Write | String | A string that describes the purpose for which the key can be used for example, Verify. | | + +### MSFT_MicrosoftGraphPasswordCredential + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Write | String | Friendly name for the password. Optional. | | +| **EndDateTime** | Write | String | The date and time at which the password expires represented using ISO 8601 format and is always in UTC time. 
For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Optional. | | +| **Hint** | Write | String | Contains the first three characters of the password. Read-only. | | +| **KeyId** | Write | String | The unique identifier for the password. | | +| **StartDateTime** | Write | String | The date and time at which the password becomes valid. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Optional. | | + ## Description This resource configures an Azure Active Directory ServicePrincipal. diff --git a/docs/docs/resources/azure-ad/AADUserFlowAttribute.md b/docs/docs/resources/azure-ad/AADUserFlowAttribute.md new file mode 100644 index 0000000000..648be9e29a --- /dev/null +++ b/docs/docs/resources/azure-ad/AADUserFlowAttribute.md 
@@ -0,0 +1,169 @@ +# AADUserFlowAttribute + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Write | String | User flow attribute Id. | | +| **DisplayName** | Key | String | Display name of the user flow attribute. | | +| **Description** | Write | String | Description of the user flow attribute. | | +| **DataType** | Write | String | Defines the user flow attribute data type. | | +| **Ensure** | Write | String | Specify if the Azure AD role setting should exist or not. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials for the Microsoft Graph delegated permissions. | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory application to authenticate with. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +## Description + +This resource configure User flow attributes which are custom attributes that you can define and use in your user flows, which are predefined, configurable policies that control the user experience during sign-up, sign-in, and profile editing processes. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - IdentityUserFlow.Read.All, IdentityUserFlow.ReadWrite.All + +- **Update** + + - IdentityUserFlow.ReadWrite.All + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADUserFlowAttribute 'SaiTest' + { + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADUserFlowAttribute 'SaiTest' + { + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADUserFlowAttribute 'SaiTest' + { + Id = "testIdSai" + DisplayName = "saitest" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADVerifiedIdAuthority.md b/docs/docs/resources/azure-ad/AADVerifiedIdAuthority.md new file mode 100644 index 0000000000..edd88ff237 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADVerifiedIdAuthority.md 
@@ -0,0 +1,201 @@ +# AADVerifiedIdAuthority + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Write | String | Name of the Verified ID Authority. | | +| **Id** | Write | String | Id of the Verified ID Authority. | | +| **LinkedDomainUrl** | Key | String | URL of the linked domain. | | +| **DidMethod** | Write | String | DID method used by the Verified ID Authority. | | +| **KeyVaultMetadata** | Write | MSFT_AADVerifiedIdAuthorityKeyVaultMetadata | Key Vault metadata for the Verified ID Authority. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_AADVerifiedIdAuthorityKeyVaultMetadata + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **SubscriptionId** | Write | String | Subscription ID of the Key Vault. | | +| **ResourceGroup** | Write | String | Resource group of the Key Vault. | | +| **ResourceName** | Write | String | Resource name of the Key Vault. | | +| **ResourceUrl** | Write | String | Resource URL of the Key Vault. 
| | + + +## Description + +Azure AD Verified Identity Authority +Use the VerifiableCredential.Authority.ReadWrite permission to read and write the authority. +Documentation Link: https://learn.microsoft.com/en-us/entra/verified-id/admin-api#authorities + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Present"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Present"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso 2"; # drift + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Absent"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + 
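Review bot: In AADVerifiedIdAuthority.md the Description says "Use the VerifiableCredential.Authority.ReadWrite permission to read and write the authority", yet every Read/Update entry in the Permissions section says "None"; one of the two is wrong and the permission list is what operators will act on, so please reconcile them. In the parameter table, `ApplicationSecret` is described as "Secret of the Azure Active Directory tenant used for authentication" where the other resources say "application", and `Ensure` reads "Present ensures the policy exists" although the resource manages an authority, not a policy. The three examples use `ResourceGroup = 'TBD'`, a real-looking `SubscriptionId` GUID and the personal domain `https://nik-charlebois.com/` while `Name = "Contoso"`; replace these with clearly fictitious Contoso values, and make the property terminators consistent (`DidMethod = "web";` ends with a semicolon, `ApplicationId = $ApplicationId` does not).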
diff --git a/docs/docs/resources/azure-ad/AADVerifiedIdAuthorityContract.md b/docs/docs/resources/azure-ad/AADVerifiedIdAuthorityContract.md new file mode 100644 index 0000000000..29d4697a49 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADVerifiedIdAuthorityContract.md 
@@ -0,0 +1,475 @@ +# AADVerifiedIdAuthorityContract + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **id** | Write | String | Id of the Verified ID Authority Contract. | | +| **linkedDomainUrl** | Key | String | URL of the linked domain of the authority. | | +| **authorityId** | Write | String | Id of the Verified ID Authority. | | +| **name** | Key | String | Name of the Verified ID Authority Contract. | | +| **displays** | Write | MSFT_AADVerifiedIdAuthorityContractDisplayModel[] | Display settings of the Authority Contract. | | +| **rules** | Write | MSFT_AADVerifiedIdAuthorityContractRulesModel | Rules settings of the Authority Contract. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **uri** | Write | String | URI of the logo. If this is a URL, it must be reachable over the public internet anonymously. | | +| **description** | Write | String | Description of the logo. 
| | + +### MSFT_AADVerifiedIdAuthorityContractDisplayCard + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **title** | Write | String | Title of the credential. | | +| **issuedBy** | Write | String | The name of the issuer of the credential. | | +| **backgroundColor** | Write | String | Background color of the credential in hex, for example, #FFAABB. | | +| **textColor** | Write | String | Text color of the credential in hex, for example, #FFAABB. | | +| **description** | Write | String | Supplemental text displayed alongside each credential. | | +| **logo** | Write | MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo | The logo to use for the credential. | | + +### MSFT_AADVerifiedIdAuthorityContractDisplayConsent + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **title** | Write | String | Title of the consent. | | +| **instructions** | Write | String | Supplemental text to use when displaying consent. | | + +### MSFT_AADVerifiedIdAuthorityContractDisplayClaims + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **label** | Write | String | The label of the claim in display. | | +| **claim** | Write | String | The name of the claim to which the label applies. | | +| **type** | Write | String | The type of the claim. | | +| **description** | Write | String | The description of the claim. | | + +### MSFT_AADVerifiedIdAuthorityContractDisplayModel + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **locale** | Write | String | The locale of this display. | | +| **card** | Write | MSFT_AADVerifiedIdAuthorityContractDisplayCard | The display properties of the verifiable credential. 
| | +| **consent** | Write | MSFT_AADVerifiedIdAuthorityContractDisplayConsent | Supplemental data when the verifiable credential is issued. | | +| **claims** | Write | MSFT_AADVerifiedIdAuthorityContractDisplayClaims[] | Labels for the claims included in the verifiable credential. | | + +### MSFT_AADVerifiedIdAuthorityContractClaimMapping + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **inputClaim** | Write | String | The name of the claim to use from the input. | | +| **outputClaim** | Write | String | The name of the claim in the verifiable credential. | | +| **indexed** | Write | Boolean | Indicating whether the value of this claim is used for searching. | | +| **required** | Write | Boolean | Indicating whether this mapping is required or not. | | +| **type** | Write | String | Type of claim. | | + +### MSFT_AADVerifiedIdAuthorityContractAttestationValues + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **mapping** | Write | MSFT_AADVerifiedIdAuthorityContractClaimMapping[] | Rules to map input claims into output claims in the verifiable credential. | | +| **required** | Write | Boolean | Indicating whether this attestation is required or not. | | +| **trustedIssuers** | Write | StringArray[] | A list of DIDs allowed to issue the verifiable credential for this contract. | | +| **credentialType** | Write | String | Required credential type of the input. | | +| **configuration** | Write | String | Location of the identity provider's configuration document. | | +| **clientId** | Write | String | Client ID to use when obtaining the ID token. | | +| **redirectUri** | Write | String | Redirect URI to use when obtaining the ID token. MUST BE vcclient://openid/ | | +| **scopeValue** | Write | String | Space delimited list of scopes to use when obtaining the ID token. 
| | + +### MSFT_AADVerifiedIdAuthorityContractAttestations + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **idTokenHints** | Write | MSFT_AADVerifiedIdAuthorityContractAttestationValues[] | Id token hints attestations. | | +| **idTokens** | Write | MSFT_AADVerifiedIdAuthorityContractAttestationValues[] | Id token attestations. | | +| **presentations** | Write | MSFT_AADVerifiedIdAuthorityContractAttestationValues[] | Presentations attestations. | | +| **selfIssued** | Write | MSFT_AADVerifiedIdAuthorityContractAttestationValues[] | Self Issued attestations. | | +| **accessTokens** | Write | MSFT_AADVerifiedIdAuthorityContractAttestationValues[] | Access Token attestations. | | + +### MSFT_AADVerifiedIdAuthorityContractCustomStatusEndpoint + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **url** | Write | String | The URL of the custom status endpoint. | | +| **type** | Write | String | The type of the endpoint. | | + +### MSFT_AADVerifiedIdAuthorityContractVcType + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **type** | Write | StringArray[] | The type of the vc. | | + +### MSFT_AADVerifiedIdAuthorityContractRulesModel + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **attestations** | Write | MSFT_AADVerifiedIdAuthorityContractAttestations | Describing supported inputs for the rules. | | +| **validityInterval** | Write | UInt32 | This value shows the lifespan of the credential. | | +| **vc** | Write | MSFT_AADVerifiedIdAuthorityContractVcType | Types for this contract. | | +| **customStatusEndpoint** | Write | MSFT_AADVerifiedIdAuthorityContractCustomStatusEndpoint | Status endpoint to include in the verifiable credential for this contract. 
| | + +## Description + +Azure AD Verified Identity Authority Contract +Use the VerifiableCredential.Contract.ReadWrite permission to read and write the authority contract. +Documentation Link: https://learn.microsoft.com/en-us/entra/verified-id/admin-api#contracts + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your Verified Credential?' + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' 
+ issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Present"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your sample Verified Credential?' #drift + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' + issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Present"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + 
MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your Verified Credential?' + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' 
+ issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Absent"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AzureBillingAccountsAssociatedTenant.md b/docs/docs/resources/azure-ad/AzureBillingAccountsAssociatedTenant.md new file mode 100644 index 0000000000..de7c72e4f6 --- /dev/null +++ b/docs/docs/resources/azure-ad/AzureBillingAccountsAssociatedTenant.md 
@@ -0,0 +1,172 @@ +# AzureBillingAccountsAssociatedTenant + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **AssociatedTenantId** | Key | String | The ID that uniquely identifies a tenant. | | +| **DisplayName** | Write | String | The name of the associated tenant. | | +| **BillingAccount** | Write | String | Name of the billing account. | | +| **BillingManagementState** | Write | String | The state determines whether users from the associated tenant can be assigned roles for commerce activities like viewing and downloading invoices, managing payments, and making purchases. | | +| **ProvisioningManagementState** | Write | String | The state determines whether subscriptions and licenses can be provisioned in the associated tenant. It can be set to 'Pending' to initiate a billing request. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures associated tenants to billing accounts in the Microsoft Admin Center. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsAssociatedTenant "AzureBillingAccountsAssociatedTenantIntegration Tenant" + { + ApplicationId = $ApplicationId; + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "My Test Account"; + BillingManagementState = "Active"; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "Integration Tenant"; + Ensure = "Present"; + ProvisioningManagementState = "Pending"; + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsAssociatedTenant "AzureBillingAccountsAssociatedTenantIntegration Tenant" + { + ApplicationId = $ApplicationId; + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "My Test Account"; + BillingManagementState = "NotAllowed"; # Drift + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "Integration Tenant"; + Ensure = "Present"; + ProvisioningManagementState = "Pending"; + TenantId = $TenantId; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsAssociatedTenant "AzureBillingAccountsAssociatedTenantIntegration Tenant" + { + ApplicationId = $ApplicationId; + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "My Test Account"; + BillingManagementState = "Active"; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "Integration Tenant"; + Ensure = "Absent"; + ProvisioningManagementState = "Pending"; + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AzureBillingaccountsRoleAssignment.md b/docs/docs/resources/azure-ad/AzureBillingaccountsRoleAssignment.md new file mode 100644 index 0000000000..cfd9f32a3f --- /dev/null +++ b/docs/docs/resources/azure-ad/AzureBillingaccountsRoleAssignment.md 
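Review bot: the Permissions section lists `None` for every delegated and application scope, so a reader has nothing to scope an app registration against; since associated tenants are managed through the billing account rather than Microsoft Graph, document the billing role (or API) the authenticating identity must hold so it can be granted at least privilege instead of left over-scoped. The `BillingManagementState` and `ProvisioningManagementState` rows leave Allowed Values empty even though the examples depend on `Active`, `NotAllowed` and `Pending`; list the accepted states in the table and in the schema so a typo is rejected when the configuration compiles rather than at apply time. Minor: `this resource required the following permissions` should read `requires`, and `Configures associated tenants to billing accounts` reads better as `Configures the tenants associated with a billing account`.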
@@ -0,0 +1,172 @@ +# AzureBillingaccountsRoleAssignment + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **PrincipalName** | Key | String | Name of the principal associated to the role assignment. | | +| **RoleDefinition** | Key | String | Name of the role assigned to the principal. | | +| **PrincipalType** | Write | String | Principal type. Can be User, Group or ServicePrincipal. | | +| **BillingAccount** | Write | String | Name of the billing account. | | +| **PrincipalTenantId** | Write | String | The principal tenant id of the user to whom the role was assigned. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Manages roles on billing accounts. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsRoleAssignment "AzureBillingAccountsRoleAssignment" + { + ApplicationId = $ApplicationId; + BillingAccount = "MyTestAccount"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + PrincipalName = "John.Smith@contoso.onmicrosoft.com"; + PrincipalType = "User"; + PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + RoleDefinition = "Billing account owner"; + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsRoleAssignment "AzureBillingAccountsRoleAssignment" + { + ApplicationId = $ApplicationId; + BillingAccount = "MyTestAccount"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + PrincipalName = "John.Smith@contoso.onmicrosoft.com"; + PrincipalType = "User"; + PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + RoleDefinition = "Billing account contributor"; + TenantId = $TenantId; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsRoleAssignment "AzureBillingAccountsRoleAssignment" + { + ApplicationId = $ApplicationId; + BillingAccount = "MyTestAccount"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + PrincipalName = "John.Smith@contoso.onmicrosoft.com"; + PrincipalType = "User"; + PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + RoleDefinition = "Billing account owner"; + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AzureVerifiedIdFaceCheck.md b/docs/docs/resources/azure-ad/AzureVerifiedIdFaceCheck.md new file mode 100644 index 0000000000..44e5666222 --- /dev/null +++ b/docs/docs/resources/azure-ad/AzureVerifiedIdFaceCheck.md 
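Review bot: the heading `# AzureBillingaccountsRoleAssignment` and the new file name `AzureBillingaccountsRoleAssignment.md` spell `accounts` with a lowercase `a`, while the examples and the CHANGELOG entry use `AzureBillingAccountsRoleAssignment`; the docs site resolves resources by name, so rename the file and heading to match. `PrincipalName` and `RoleDefinition` are the only Key properties while `BillingAccount` is Write; the same principal can hold the same role on two billing accounts, so two such instances in one configuration collide on their key and `Get-TargetResource` cannot tell them apart. Make `BillingAccount` a Key as well. The `PrincipalType` description says `Can be User, Group or ServicePrincipal` but the Allowed Values column is empty; move the three values there. The Permissions section says `None` everywhere; state which billing role the identity needs to grant `Billing account owner`, because that role is full control of the billing account and readers will otherwise over-scope the app that assigns it.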
@@ -0,0 +1,92 @@ +# AzureVerifiedIdFaceCheck + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **SubscriptionId** | Key | String | Id of the Azure subscription. | | +| **ResourceGroupName** | Key | String | Name of the associated resource group. | | +| **VerifiedIdAuthorityId** | Key | String | Id of the verified ID authority. | | +| **FaceCheckEnabled** | Write | Boolean | Represents whether or not FaceCheck is enabled for the authrotiy. | | +| **VerifiedIdAuthorityLocation** | Write | String | Location of the Verified ID Authority. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures Azure Verified Id FaceCheck. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureVerifiedIdFaceCheck "AzureVerifiedIdFaceCheck" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + FaceCheckEnabled = $True; + ResourceGroupName = "website"; + SubscriptionId = "2dbaf4c4-78f8-4ac9-8188-536d921cf690"; + TenantId = $TenantId; + VerifiedIdAuthorityId = "30961e04-9c35-42db-b80f-c1b6515eb4b2"; + VerifiedIdAuthorityLocation = "westus2"; + } + } +} +``` + diff --git a/docs/docs/resources/exchange/EXOServicePrincipal.md b/docs/docs/resources/exchange/EXOServicePrincipal.md new file mode 100644 index 0000000000..caffb4f533 --- /dev/null +++ b/docs/docs/resources/exchange/EXOServicePrincipal.md 
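Review bot: `Ensure` lists `Absent` as an allowed value, but the resource toggles a single `FaceCheckEnabled` flag on an existing authority and the only example uses `Present`; say what `Absent` does (disable FaceCheck, or a no-op) or drop it, otherwise a drift-remediation run can silently flip a biometric verification setting. Typo in the `FaceCheckEnabled` description: `authrotiy` should be `authority`. The Permissions section lists `None` for every Graph scope, yet `SubscriptionId`, `ResourceGroupName` and `VerifiedIdAuthorityLocation` show this is an Azure resource call; document the ARM role the identity needs rather than leaving an empty Graph section.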
@@ -0,0 +1,192 @@ +# EXOServicePrincipal + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **AppName** | Key | String | The AppName parameter specifies the corresponding friendly name of the unique AppId GUID value for the service principal. | | +| **DisplayName** | Write | String | The DisplayName parameter specifies the friendly name of the service principal. | | +| **Identity** | Write | String | The Identity parameter specifies the service principal that you want to view. | | +| **AppId** | Write | String | The AppId parameter specifies the unique AppId GUID value for the service principal. | | +| **Ensure** | Write | String | Present ensures the group exists, absent ensures it is removed | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Exchange Global Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +## Description + +Use the ServicePrincipal cmdlets to create, change service principals in your cloud-based organization. + +## Parameters + +- Identity: The Identity parameter specifies the service principal that you want to modify. You can use any value that uniquely identifies the service principal. For example: Name, Distinguished name (DN), GUID, AppId, ObjectId +- AppName: The AppName parameter specifies the corresponding friendly name of the unique AppId GUID value for the service principal. 
+- DisplayName: The DisplayName parameter specifies the friendly name of the service principal. If the name contains spaces, enclose the name in quotation marks ("). +- AppId: The AppId parameter specifies the unique AppId GUID value for the service principal. +- ObjectId: The ObjectId parameter specifies the unique ObjectId GUID value for the service principal. + +## Examples + +- Set-ServicePrincipal -Identity dc873ad4-0397-4d74-b5c0-897cd3a94731 -DisplayName "Another App Name" +- New-ServicePrincipal -AppId 71487acd-ec93-476d-bd0e-6c8b31831053 -ObjectId 6233fba6-0198-4277-892f-9275bf728bcc + +## Parameters present in New and not in Set + +- AppId +- ObjectId + +## Parameters present in Set and not in New + +- Identity + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOServicePrincipal 'ServicePrincipal' + { + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Ensure = "Present"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. 
+It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOServicePrincipal 'ServicePrincipal' + { + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Kartikeya"; + Ensure = "Present"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOServicePrincipal 'ServicePrincipal' + { + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Ensure = "Absent"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + diff --git a/docs/docs/resources/intune/IntuneAppleMDMPushNotificationCertificate.md b/docs/docs/resources/intune/IntuneAppleMDMPushNotificationCertificate.md new file mode 100644 index 0000000000..e29c0d7be2 --- /dev/null +++ b/docs/docs/resources/intune/IntuneAppleMDMPushNotificationCertificate.md 
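Review bot: `AppName` is the Key, but the table itself describes it as a friendly name while `AppId` and `Identity` are the unique identifiers; two service principals can share a friendly name, so key on `AppId` (or `Identity`) and make `AppName` Write. The page carries two `## Parameters` and two `## Examples` headings; the second Parameters block, the bare `Set-ServicePrincipal` / `New-ServicePrincipal` one-liners and the `Parameters present in New and not in Set` sections read as development notes and refer to `ObjectId`, which the schema table does not have. Fold what is still true into the Description and remove the rest. The `Ensure` description says `Present ensures the group exists`, copied from a group resource. Example 2 changes `DisplayName` to `Kartikeya` without the `# Drift` marker the other resources in this PR use, and `create, change service principals` in the Description should read `create and modify service principals`.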
@@ -0,0 +1,171 @@ +# IntuneAppleMDMPushNotificationCertificate + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **AppleIdentifier** | Key | String | The name of the Apple Identifier. | | +| **Certificate** | Write | String | The Apple Push notification certificate. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. | | +| **DataSharingConsetGranted** | Write | Boolean | The boolean indicating DataSharing Conset agreement granted or not between Intune and Apple. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures a resource for Apple MDM Push notification certificate used for device enrollment. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementManagedDevices.Read.All, DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementManagedDevices.Read.All, DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneAppleMDMPushNotificationCertificate "IntuneAppleMDMPushNotificationCertificate-66f4ec83-754f-4a59-a73d-e3182cc636a5" + { + AppleIdentifier = "Apple ID"; + Certificate = "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"; + DataSharingConsetGranted = $True; + + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneAppleMDMPushNotificationCertificate "IntuneAppleMDMPushNotificationCertificate-66f4ec83-754f-4a59-a73d-e3182cc636a5" + { + AppleIdentifier = "Patched cert"; #drift + Certificate = "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"; #drift + + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAppleMDMPushNotificationCertificate "IntuneAppleMDMPushNotificationCertificate-66f4ec83-754f-4a59-a73d-e3182cc636a5" + { + AppleIdentifier = "AppleID"; + Certificate = ""; + + Ensure = "Absent"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + diff --git a/docs/docs/resources/intune/IntuneDerivedCredential.md b/docs/docs/resources/intune/IntuneDerivedCredential.md index c43b79bec9..b42c76a61e 100644 --- a/docs/docs/resources/intune/IntuneDerivedCredential.md +++ b/docs/docs/resources/intune/IntuneDerivedCredential.md 
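Review bot: the parameter name `DataSharingConsetGranted` is misspelled (`Conset` for `Consent`) and, once released, becomes part of the public MOF schema that configurations depend on; fix it before it ships, since renaming later breaks every existing configuration. Example 2 marks a changed `AppleIdentifier` as `#drift`, but `AppleIdentifier` is the Key, so a different value is a different instance rather than drift on this one; show drift on a Write property instead. The `Certificate` placeholder in Examples 1 and 2 and the empty string in Example 3 give no hint of the expected format (PEM text or base64), and the description `The Apple Push notification certificate` does not resolve it. Also check that `DeviceManagementManagedDevices.Read.All` / `ReadWrite.All` are really needed to read or upload the push certificate; if the resource only touches the certificate endpoint, the managed-devices scope is broader than the operation requires.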
@@ -9,7 +9,7 @@ | **HelpUrl** | Write | String | The URL that will be accessible to end users as they retrieve a derived credential using the Company Portal. | | | **RenewalThresholdPercentage** | Write | UInt32 | The nominal percentage of time before certificate renewal is initiated by the client. | | | **Issuer** | Write | String | Supported values for the derived credential issuer. | `intercede`, `entrustDatacard`, `purebred` | -| **NotificationType** | Write | String | Supported values for the notification type to use. | `none`, `email`, `companyPortal` | +| **NotificationType** | Write | String | Supported values for the notification type to use. | `none`, `email`, `companyPortal`, `companyPortal,email` | | **Ensure** | Write | String | Supported values for the notification type to use. | `Present`, `Absent` | | **Credential** | Write | PSCredential | Credentials of the Intune Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | diff --git a/docs/docs/resources/intune/IntuneDeviceManagementEnrollmentAndroidGooglePlay.md b/docs/docs/resources/intune/IntuneDeviceManagementEnrollmentAndroidGooglePlay.md new file mode 100644 index 0000000000..dc012b2780 --- /dev/null +++ b/docs/docs/resources/intune/IntuneDeviceManagementEnrollmentAndroidGooglePlay.md 
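Review bot: the new allowed value `companyPortal,email` is a combined flag, so the string must match exactly (no space after the comma) and the reverse ordering `email,companyPortal` would presumably be rejected; either say in the description that the value is a comma-separated combination in that order, or normalize the ordering in `Test-TargetResource` so both spellings compare equal and do not report drift. While in this table, the `Ensure` row's description still reads `Supported values for the notification type to use.`, copied from the row above it.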
@@ -0,0 +1,93 @@ +# IntuneDeviceManagementEnrollmentAndroidGooglePlay + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Key | String | Primary key identifier of the Android Managed Store Account Enterprise Setting. | | +| **BindStatus** | Write | String | Binding status of the Android Managed Store Account Enterprise Setting (e.g., 'bound', 'notBound'). | | +| **OwnerUserPrincipalName** | Write | String | The user principal name of the owner of the Android Managed Store Account. | | +| **OwnerOrganizationName** | Write | String | The organization name of the owner of the Android Managed Store Account. | | +| **EnrollmentTarget** | Write | String | Specifies the enrollment target for the account enterprise setting (e.g., 'defaultEnrollmentRestrictions', 'targetedAsEnrollmentRestrictions'). | | +| **DeviceOwnerManagementEnabled** | Write | Boolean | Specifies whether device owner management is enabled. | | +| **AndroidDeviceOwnerFullyManagedEnrollmentEnabled** | Write | Boolean | Specifies whether fully managed enrollment is enabled for Android devices. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin. | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Credential for the application secret used in authentication. | | +| **ManagedIdentity** | Write | Boolean | Indicates whether a Managed Identity is used for authentication. 
| | +| **AccessTokens** | Write | StringArray[] | Access tokens used for authentication in scenarios requiring multiple tokens. | | + + +## Description + +This resource configures Android Enterprise enrollment settings for device management within Microsoft Intune. +Note: Currently the bind API to enroll is waiting for the product team to make changes so the API can be called outside of an Intune portal. Until those changes are made, we can only unbind (disconnect/unenroll). For that reason we have commented out certain parameters that cannot be set. This will be uncommented once those changes are made. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagementEnrollmentAndroidGooglePlay "RemoveAndroidGooglePlayEnrollment" + { + Id = "androidManagedStoreAccountEnterpriseSettings" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + 
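Review bot: the Description says the parameters that cannot be set are commented out until the bind API is usable, but the table still documents `BindStatus`, `OwnerUserPrincipalName`, `OwnerOrganizationName`, `EnrollmentTarget`, `DeviceOwnerManagementEnabled` and `AndroidDeviceOwnerFullyManagedEnrollmentEnabled` as Write; mark them read-only or remove them so nobody expects `Ensure = "Present"` to create the binding. Because `Ensure = "Absent"` unbinds the Managed Google Play account and that is the only operation the resource can currently perform, add a warning that applying `Absent` disconnects Android Enterprise for the whole tenant and that re-binding must then be done in the portal; a configuration with `Absent` left in by mistake is destructive on the first drift run. The Key `Id` is always the singleton `androidManagedStoreAccountEnterpriseSettings`; say so in its description.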
diff --git a/docs/docs/resources/intune/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.md b/docs/docs/resources/intune/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.md new file mode 100644 index 0000000000..5418d04e0f --- /dev/null +++ b/docs/docs/resources/intune/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.md 
@@ -0,0 +1,223 @@ +# IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | Display name for the enrollment profile. | | +| **Id** | Write | String | Unique GUID for the enrollment profile. Read-Only. | | +| **AccountId** | Write | String | Intune AccountId GUID the enrollment profile belongs to. | | +| **Description** | Write | String | Description for the enrollment profile. | | +| **EnrollmentMode** | Write | String | The enrollment mode of devices that use this enrollment profile. | `corporateOwnedDedicatedDevice`, `corporateOwnedFullyManaged`, `corporateOwnedWorkProfile`, `corporateOwnedAOSPUserlessDevice`, `corporateOwnedAOSPUserAssociatedDevice` | +| **EnrollmentTokenType** | Write | String | The enrollment token type for an enrollment profile. | `default`, `corporateOwnedDedicatedDeviceWithAzureADSharedMode`, `deviceStaging` | +| **TokenValue** | Write | String | Value of the most recently created token for this enrollment profile. | | +| **TokenCreationDateTime** | Write | String | Date time the most recently created token was created. | | +| **TokenExpirationDateTime** | Write | String | Date time the most recently created token will expire. | | +| **EnrolledDeviceCount** | Write | UInt32 | Total number of Android devices that have enrolled using this enrollment profile. | | +| **EnrollmentTokenUsageCount** | Write | UInt32 | Total number of AOSP devices that have enrolled using the current token. Valid values 0 to 20000 | | +| **QrCodeContent** | Write | String | String used to generate a QR code for the token. | | +| **QrCodeImage** | Write | String | String used to generate a QR code for the token. | | +| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. 
| | +| **ConfigureWifi** | Write | Boolean | Boolean that indicates that the Wi-Fi network should be configured during device provisioning. When set to TRUE, device provisioning will use Wi-Fi related properties to automatically connect to Wi-Fi networks. When set to FALSE or undefined, other Wi-Fi related properties will be ignored. Default value is TRUE. Returned by default. | | +| **WifiSsid** | Write | String | String that contains the wi-fi login ssid | | +| **WifiPassword** | Write | PSCredential | String that contains the wi-fi login password. The parameter is a PSCredential object. | | +| **WifiSecurityType** | Write | String | String that contains the wi-fi security type. | `none`, `wpa`, `wep` | +| **WifiHidden** | Write | Boolean | Boolean that indicates if hidden wifi networks are enabled | | +| **IsTeamsDeviceProfile** | Write | Boolean | Boolean indicating if this profile is an Android AOSP for Teams device profile. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfileQRImage + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **type** | Write | String | Indicates the content mime type. 
| | +| **value** | Write | String | The byte array that contains the actual content. | | + +## Description + +Enrollment Profile used to enroll Android Enterprise devices using Google's Cloud Management. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Present"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $False; + WifiSecurityType = "none"; + } + } +} +``` + +### Example 2 + +This example is used 
to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Present"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $True; #Drift + WifiSecurityType = "none"; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Absent"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $False; + WifiSecurityType = "none"; + } + } +} +``` + diff --git a/docs/docs/resources/intune/IntuneMobileThreatDefenseConnector.md b/docs/docs/resources/intune/IntuneMobileThreatDefenseConnector.md new file mode 100644 index 0000000000..66dee65b7e --- /dev/null +++ b/docs/docs/resources/intune/IntuneMobileThreatDefenseConnector.md 
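Review bot: the `AccountId` value `8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e` used in all three IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile examples is not a well-formed GUID (the last group has 13 hex digits instead of 12), so a reader copying the example gets an identifier that cannot parse; replace it with a syntactically valid placeholder or pass it in as a parameter. The examples also pin server-maintained values (`EnrolledDeviceCount = 0`, `EnrollmentTokenUsageCount = 0`, `TokenCreationDateTime`, `TokenExpirationDateTime`), which will report drift as soon as a device enrolls or the token is renewed; either drop them from the examples or mark them read-only in the parameter table so they are not lifted into a baseline. Wording: "this resource required the following permissions" should read "requires", and "It is not meant to use as a production baseline" should read "to be used as"; both sentences recur in every example section of this doc set.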
@@ -0,0 +1,227 @@ +# IntuneMobileThreatDefenseConnector + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Key | String | The unique identifier for an entity. Read-only. | | +| **DisplayName** | Write | String | The DisplayName of the Mobile Threat Defense Connector partner. NOTE: Hard coded for convenience, not returned by the Graph API. | | +| **AllowPartnerToCollectIosApplicationMetadata** | Write | Boolean | When TRUE, indicates the Mobile Threat Defense partner may collect metadata about installed applications from Intune for IOS devices. When FALSE, indicates the Mobile Threat Defense partner may not collect metadata about installed applications from Intune for IOS devices. Default value is FALSE. | | +| **AllowPartnerToCollectIosPersonalApplicationMetadata** | Write | Boolean | When TRUE, indicates the Mobile Threat Defense partner may collect metadata about personally installed applications from Intune for IOS devices. When FALSE, indicates the Mobile Threat Defense partner may not collect metadata about personally installed applications from Intune for IOS devices. Default value is FALSE. | | +| **AndroidDeviceBlockedOnMissingPartnerData** | Write | Boolean | For Android, set whether Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant. | | +| **AndroidEnabled** | Write | Boolean | For Android, set whether data from the Mobile Threat Defense partner should be used during compliance evaluations. | | +| **AndroidMobileApplicationManagementEnabled** | Write | Boolean | When TRUE, indicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for Android devices. When FALSE, indicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for Android devices. 
Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE. | | +| **IosDeviceBlockedOnMissingPartnerData** | Write | Boolean | For IOS, set whether Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant. | | +| **IosEnabled** | Write | Boolean | For IOS, get or set whether data from the Mobile Threat Defense partner should be used during compliance evaluations. | | +| **IosMobileApplicationManagementEnabled** | Write | Boolean | When TRUE, indicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for IOS devices. When FALSE, indicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for IOS devices. Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE. | | +| **LastHeartbeatDateTime** | Write | DateTime | DateTime of last Heartbeat received from the Mobile Threat Defense partner. | | +| **MicrosoftDefenderForEndpointAttachEnabled** | Write | Boolean | When TRUE, indicates that configuration profile management via Microsoft Defender for Endpoint is enabled. When FALSE, inidicates that configuration profile management via Microsoft Defender for Endpoint is disabled. Default value is FALSE. | | +| **PartnerState** | Write | String | Partner state of this tenant. | | +| **PartnerUnresponsivenessThresholdInDays** | Write | UInt32 | Get or Set days the per tenant tolerance to unresponsiveness for this partner integration. | | +| **PartnerUnsupportedOSVersionBlocked** | Write | Boolean | Get or set whether to block devices on the enabled platforms that do not meet the minimum version requirements of the Mobile Threat Defense partner. 
| | +| **WindowsDeviceBlockedOnMissingPartnerData** | Write | Boolean | When TRUE, indicates that Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant for Windows. When FALSE, indicates that Intune may make a device compliant without receiving data from the Mobile Threat Defense partner for Windows. Default value is FALSE. | | +| **WindowsEnabled** | Write | Boolean | When TRUE, indicates that data from the Mobile Threat Defense partner can be used during compliance evaluations for Windows. When FALSE, it indicates that data from the Mobile Threat Defense partner should not be used during compliance evaluations for Windows. Default value is FALSE. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +This resource configures a connection to Mobile Threat Defense partner. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementServiceConfig.Read.All + +- **Update** + + - DeviceManagementServiceConfig.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementServiceConfig.Read.All + +- **Update** + + - DeviceManagementServiceConfig.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint" + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 2 + +This example 
is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint" + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $True; #drift + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint" + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Absent"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + diff --git a/docs/docs/resources/intune/IntuneSecurityBaselineDefenderForEndpoint.md b/docs/docs/resources/intune/IntuneSecurityBaselineDefenderForEndpoint.md new file mode 100644 index 0000000000..af77fafef9 --- /dev/null +++ b/docs/docs/resources/intune/IntuneSecurityBaselineDefenderForEndpoint.md 
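Review bot: the three IntuneMobileThreatDefenseConnector examples assert `LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"` and `PartnerState = "notSetUp"`, both partner-reported state rather than settings the tenant controls, so a configuration carrying them will show permanent drift once the connector is set up and the partner starts sending heartbeats; drop them from the examples or mark them read-only in the parameter table, as `Id` already is. Likewise `DisplayName` is described as "Hard coded for convenience, not returned by the Graph API", which implies `Test-TargetResource` must skip it during comparison; that should be stated in the description. Since the fixtures set every `*Enabled` and `*DeviceBlockedOnMissingPartnerData` flag to `$False`, the description would benefit from one sentence pointing out what the parameter table already implies: `False` on the `*DeviceBlockedOnMissingPartnerData` flags lets a device be marked compliant before the partner has reported anything, so those values belong in a test fixture, not a production baseline. Typos and wording: "inidicates" in the `MicrosoftDefenderForEndpointAttachEnabled` row, "this resource required the following permissions" (requires), "It is not meant to use as a production baseline" (to be used as), and "Get or Set days the per tenant tolerance to unresponsiveness" in the `PartnerUnresponsivenessThresholdInDays` row, which could read "Number of days of partner unresponsiveness tolerated for this tenant".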
@@ -0,0 +1,342 @@ +# IntuneSecurityBaselineDefenderForEndpoint + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Description** | Write | String | Policy description | | +| **DisplayName** | Key | String | Policy name | | +| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. | | +| **DeviceSettings** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint | Scope for Device Setting | | +| **UserSettings** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint | Scope for Device Setting | | +| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. 
| | + +### MSFT_DeviceManagementConfigurationPolicyAssignments + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` | +| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` | +| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | | +| **groupId** | Write | String | The group Id that is the target of the assignment. | | +| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | | +| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | | + +### MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DeviceInstall_Classes_Deny** | Write | String | Prevent installation of devices using drivers that match these device setup classes (0: Disabled, 1: Enabled) | `0`, `1` | +| **DeviceInstall_Classes_Deny_List** | Write | StringArray[] | Prevented Classes - Depends on DeviceInstall_Classes_Deny | | +| **DeviceInstall_Classes_Deny_Retroactive** | Write | String | Also apply to matching devices that are already installed. 
- Depends on DeviceInstall_Classes_Deny (0: False, 1: True) | `0`, `1` | +| **EncryptionMethodWithXts_Name** | Write | String | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) (0: Disabled, 1: Enabled) | `0`, `1` | +| **EncryptionMethodWithXtsOsDropDown_Name** | Write | String | Select the encryption method for operating system drives: - Depends on EncryptionMethodWithXts_Name (3: AES-CBC 128-bit, 4: AES-CBC 256-bit, 6: XTS-AES 128-bit (default), 7: XTS-AES 256-bit) | `3`, `4`, `6`, `7` | +| **EncryptionMethodWithXtsFdvDropDown_Name** | Write | String | Select the encryption method for fixed data drives: - Depends on EncryptionMethodWithXts_Name (3: AES-CBC 128-bit, 4: AES-CBC 256-bit, 6: XTS-AES 128-bit (default), 7: XTS-AES 256-bit) | `3`, `4`, `6`, `7` | +| **EncryptionMethodWithXtsRdvDropDown_Name** | Write | String | Select the encryption method for removable data drives: - Depends on EncryptionMethodWithXts_Name (3: AES-CBC 128-bit (default), 4: AES-CBC 256-bit, 6: XTS-AES 128-bit, 7: XTS-AES 256-bit) | `3`, `4`, `6`, `7` | +| **FDVRecoveryUsage_Name** | Write | String | Choose how BitLocker-protected fixed drives can be recovered (0: Disabled, 1: Enabled) | `0`, `1` | +| **FDVActiveDirectoryBackup_Name** | Write | String | Save BitLocker recovery information to AD DS for fixed data drives - Depends on FDVRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **FDVHideRecoveryPage_Name** | Write | String | Omit recovery options from the BitLocker setup wizard - Depends on FDVRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **FDVRecoveryPasswordUsageDropDown_Name** | Write | String | Configure user storage of BitLocker recovery information: - Depends on FDVRecoveryUsage_Name (2: Allow 48-digit recovery password, 1: Require 48-digit recovery password, 0: Do not allow 48-digit recovery password) | `2`, `1`, `0` | +| **FDVRequireActiveDirectoryBackup_Name** | Write | String | Do not enable BitLocker until recovery 
information is stored to AD DS for fixed data drives - Depends on FDVRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **FDVAllowDRA_Name** | Write | String | Allow data recovery agent - Depends on FDVRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **FDVActiveDirectoryBackupDropDown_Name** | Write | String | Configure storage of BitLocker recovery information to AD DS: - Depends on FDVRecoveryUsage_Name (1: Backup recovery passwords and key packages, 2: Backup recovery passwords only) | `1`, `2` | +| **FDVRecoveryKeyUsageDropDown_Name** | Write | String | - Depends on FDVRecoveryUsage_Name (2: Allow 256-bit recovery key, 1: Require 256-bit recovery key, 0: Do not allow 256-bit recovery key) | `2`, `1`, `0` | +| **FDVDenyWriteAccess_Name** | Write | String | Deny write access to fixed drives not protected by BitLocker (0: Disabled, 1: Enabled) | `0`, `1` | +| **FDVEncryptionType_Name** | Write | String | Enforce drive encryption type on fixed data drives (0: Disabled, 1: Enabled) | `0`, `1` | +| **FDVEncryptionTypeDropDown_Name** | Write | String | Select the encryption type: (Device) - Depends on FDVEncryptionType_Name (0: Allow user to choose (default), 1: Full encryption, 2: Used Space Only encryption) | `0`, `1`, `2` | +| **EnablePreBootPinExceptionOnDECapableDevice_Name** | Write | String | Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. 
(0: Disabled, 1: Enabled) | `0`, `1` | +| **EnhancedPIN_Name** | Write | String | Allow enhanced PINs for startup (0: Disabled, 1: Enabled) | `0`, `1` | +| **OSRecoveryUsage_Name** | Write | String | Choose how BitLocker-protected operating system drives can be recovered (0: Disabled, 1: Enabled) | `0`, `1` | +| **OSRequireActiveDirectoryBackup_Name** | Write | String | Do not enable BitLocker until recovery information is stored to AD DS for operating system drives - Depends on OSRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **OSActiveDirectoryBackup_Name** | Write | String | Save BitLocker recovery information to AD DS for operating system drives - Depends on OSRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **OSRecoveryPasswordUsageDropDown_Name** | Write | String | Configure user storage of BitLocker recovery information: - Depends on OSRecoveryUsage_Name (2: Allow 48-digit recovery password, 1: Require 48-digit recovery password, 0: Do not allow 48-digit recovery password) | `2`, `1`, `0` | +| **OSHideRecoveryPage_Name** | Write | String | Omit recovery options from the BitLocker setup wizard - Depends on OSRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **OSAllowDRA_Name** | Write | String | Allow data recovery agent - Depends on OSRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **OSRecoveryKeyUsageDropDown_Name** | Write | String | - Depends on OSRecoveryUsage_Name (2: Allow 256-bit recovery key, 1: Require 256-bit recovery key, 0: Do not allow 256-bit recovery key) | `2`, `1`, `0` | +| **OSActiveDirectoryBackupDropDown_Name** | Write | String | Configure storage of BitLocker recovery information to AD DS: - Depends on OSRecoveryUsage_Name (1: Store recovery passwords and key packages, 2: Store recovery passwords only) | `1`, `2` | +| **EnablePrebootInputProtectorsOnSlates_Name** | Write | String | Enable use of BitLocker authentication requiring preboot keyboard input on slates (0: Disabled, 1: Enabled) | `0`, `1` | +| 
**OSEncryptionType_Name** | Write | String | Enforce drive encryption type on operating system drives (0: Disabled, 1: Enabled) | `0`, `1` | +| **OSEncryptionTypeDropDown_Name** | Write | String | Select the encryption type: (Device) - Depends on OSEncryptionType_Name (0: Allow user to choose (default), 1: Full encryption, 2: Used Space Only encryption) | `0`, `1`, `2` | +| **ConfigureAdvancedStartup_Name** | Write | String | Require additional authentication at startup (0: Disabled, 1: Enabled) | `0`, `1` | +| **ConfigureTPMStartupKeyUsageDropDown_Name** | Write | String | Configure TPM startup key: - Depends on ConfigureAdvancedStartup_Name (2: Allow startup key with TPM, 1: Require startup key with TPM, 0: Do not allow startup key with TPM) | `2`, `1`, `0` | +| **ConfigureTPMPINKeyUsageDropDown_Name** | Write | String | Configure TPM startup key and PIN: - Depends on ConfigureAdvancedStartup_Name (2: Allow startup key and PIN with TPM, 1: Require startup key and PIN with TPM, 0: Do not allow startup key and PIN with TPM) | `2`, `1`, `0` | +| **ConfigureTPMUsageDropDown_Name** | Write | String | Configure TPM startup: - Depends on ConfigureAdvancedStartup_Name (2: Allow TPM, 1: Require TPM, 0: Do not allow TPM) | `2`, `1`, `0` | +| **ConfigureNonTPMStartupKeyUsage_Name** | Write | String | Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) - Depends on ConfigureAdvancedStartup_Name (0: False, 1: True) | `0`, `1` | +| **ConfigurePINUsageDropDown_Name** | Write | String | Configure TPM startup PIN: - Depends on ConfigureAdvancedStartup_Name (2: Allow startup PIN with TPM, 1: Require startup PIN with TPM, 0: Do not allow startup PIN with TPM) | `2`, `1`, `0` | +| **RDVConfigureBDE** | Write | String | Control use of BitLocker on removable drives (0: Disabled, 1: Enabled) | `0`, `1` | +| **RDVAllowBDE_Name** | Write | String | Allow users to apply BitLocker protection on removable data drives (Device) - Depends on 
RDVConfigureBDE (0: False, 1: True) | `0`, `1` | +| **RDVEncryptionType_Name** | Write | String | Enforce drive encryption type on removable data drives (0: Disabled, 1: Enabled) | `0`, `1` | +| **RDVEncryptionTypeDropDown_Name** | Write | String | Select the encryption type: (Device) (0: Allow user to choose (default), 1: Full encryption, 2: Used Space Only encryption) | `0`, `1`, `2` | +| **RDVDisableBDE_Name** | Write | String | Allow users to suspend and decrypt BitLocker protection on removable data drives (Device) - Depends on RDVConfigureBDE (0: False, 1: True) | `0`, `1` | +| **RDVDenyWriteAccess_Name** | Write | String | Deny write access to removable drives not protected by BitLocker (0: Disabled, 1: Enabled) | `0`, `1` | +| **RDVCrossOrg** | Write | String | Do not allow write access to devices configured in another organization - Depends on RDVDenyWriteAccess_Name (0: False, 1: True) | `0`, `1` | +| **EnableSmartScreen** | Write | String | Configure Windows Defender SmartScreen (0: Disabled, 1: Enabled) | `0`, `1` | +| **EnableSmartScreenDropdown** | Write | String | Pick one of the following settings: (Device) - Depends on EnableSmartScreen (block: Warn and prevent bypass, warn: Warn) | `block`, `warn` | +| **DisableSafetyFilterOverrideForAppRepUnknown** | Write | String | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (0: Disabled, 1: Enabled) | `0`, `1` | +| **Disable_Managing_Safety_Filter_IE9** | Write | String | Prevent managing SmartScreen Filter (0: Disabled, 1: Enabled) | `0`, `1` | +| **IE9SafetyFilterOptions** | Write | String | Select SmartScreen Filter mode - Depends on Disable_Managing_Safety_Filter_IE9 (0: Off, 1: On) | `0`, `1` | +| **AllowWarningForOtherDiskEncryption** | Write | String | Allow Warning For Other Disk Encryption (0: Disabled, 1: Enabled) | `0`, `1` | +| **AllowStandardUserEncryption** | Write | String | Allow Standard User Encryption - Depends on 
AllowWarningForOtherDiskEncryption (0: This is the default, when the policy is not set. If current logged on user is a standard user, 'RequireDeviceEncryption' policy will not try to enable encryption on any drive., 1: 'RequireDeviceEncryption' policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.) | `0`, `1` | +| **ConfigureRecoveryPasswordRotation** | Write | String | Configure Recovery Password Rotation (0: Refresh off (default), 1: Refresh on for Azure AD-joined devices, 2: Refresh on for both Azure AD-joined and hybrid-joined devices) | `0`, `1`, `2` | +| **RequireDeviceEncryption** | Write | String | Require Device Encryption (0: Disabled, 1: Enabled) | `0`, `1` | +| **AllowArchiveScanning** | Write | String | Allow Archive Scanning (0: Not allowed. Turns off scanning on archived files., 1: Allowed. Scans the archive files.) | `0`, `1` | +| **AllowBehaviorMonitoring** | Write | String | Allow Behavior Monitoring (0: Not allowed. Turns off behavior monitoring., 1: Allowed. Turns on real-time behavior monitoring.) | `0`, `1` | +| **AllowCloudProtection** | Write | String | Allow Cloud Protection (0: Not allowed. Turns off the Microsoft Active Protection Service., 1: Allowed. Turns on the Microsoft Active Protection Service.) | `0`, `1` | +| **AllowEmailScanning** | Write | String | Allow Email Scanning (0: Not allowed. Turns off email scanning., 1: Allowed. Turns on email scanning.) | `0`, `1` | +| **AllowFullScanRemovableDriveScanning** | Write | String | Allow Full Scan Removable Drive Scanning (0: Not allowed. Turns off scanning on removable drives., 1: Allowed. Scans removable drives.) | `0`, `1` | +| **AllowOnAccessProtection** | Write | String | Allow On Access Protection (0: Not allowed., 1: Allowed.) | `0`, `1` | +| **AllowRealtimeMonitoring** | Write | String | Allow Realtime Monitoring (0: Not allowed. Turns off the real-time monitoring service., 1: Allowed. 
Turns on and runs the real-time monitoring service.) | `0`, `1` | +| **AllowScanningNetworkFiles** | Write | String | Allow Scanning Network Files (0: Not allowed. Turns off scanning of network files., 1: Allowed. Scans network files.) | `0`, `1` | +| **AllowIOAVProtection** | Write | String | Allow scanning of all downloaded files and attachments (0: Not allowed., 1: Allowed.) | `0`, `1` | +| **AllowScriptScanning** | Write | String | Allow Script Scanning (0: Not allowed., 1: Allowed.) | `0`, `1` | +| **AllowUserUIAccess** | Write | String | Allow User UI Access (0: Not allowed. Prevents users from accessing UI., 1: Allowed. Lets users access UI.) | `0`, `1` | +| **BlockExecutionOfPotentiallyObfuscatedScripts** | Write | String | Block execution of potentially obfuscated scripts - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockWin32APICallsFromOfficeMacros** | Write | String | Block Win32 API calls from Office macros - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion** | Write | String | Block executable files from running unless they meet a prevalence, age, or trusted list criterion - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockOfficeCommunicationAppFromCreatingChildProcesses** | Write | String | Block Office 
communication application from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockAllOfficeApplicationsFromCreatingChildProcesses** | Write | String | Block all Office applications from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockAdobeReaderFromCreatingChildProcesses** | Write | String | Block Adobe Reader from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem** | Write | String | Block credential stealing from the Windows local security authority subsystem - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent** | Write | String | Block JavaScript or VBScript from launching downloaded executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR 
Only Per Rule Exclusions | | +| **BlockWebshellCreationForServers** | Write | String | Block Webshell creation for Servers - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockWebshellCreationForServers_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockUntrustedUnsignedProcessesThatRunFromUSB** | Write | String | Block untrusted and unsigned processes that run from USB - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockPersistenceThroughWMIEventSubscription** | Write | String | Block persistence through WMI event subscription - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockUseOfCopiedOrImpersonatedSystemTools** | Write | String | [PREVIEW] Block use of copied or impersonated system tools - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockAbuseOfExploitedVulnerableSignedDrivers** | Write | String | Block abuse of exploited vulnerable signed drivers (Device) - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockProcessCreationsFromPSExecAndWMICommands** | Write | String | Block process creations originating from PSExec and WMI commands - Depends on AttackSurfaceReductionRules (off: Off, block: 
Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockOfficeApplicationsFromCreatingExecutableContent** | Write | String | Block Office applications from creating executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses** | Write | String | Block Office applications from injecting code into other processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockRebootingMachineInSafeMode** | Write | String | [PREVIEW] Block rebooting machine in Safe Mode - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **UseAdvancedProtectionAgainstRansomware** | Write | String | Use advanced protection against ransomware - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockExecutableContentFromEmailClientAndWebmail** | Write | String | Block executable content from email client and webmail - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, 
`block`, `audit`, `warn` | +| **BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **CheckForSignaturesBeforeRunningScan** | Write | String | Check For Signatures Before Running Scan (0: Disabled, 1: Enabled) | `0`, `1` | +| **CloudBlockLevel** | Write | String | Cloud Block Level (0: NotConfigured, 2: High, 4: HighPlus, 6: ZeroTolerance) | `0`, `2`, `4`, `6` | +| **CloudExtendedTimeout** | Write | SInt32 | Cloud Extended Timeout | | +| **DisableLocalAdminMerge** | Write | String | Disable Local Admin Merge (0: Enable Local Admin Merge, 1: Disable Local Admin Merge) | `0`, `1` | +| **EnableNetworkProtection** | Write | String | Enable Network Protection (0: Disabled, 1: Enabled (block mode), 2: Enabled (audit mode)) | `0`, `1`, `2` | +| **HideExclusionsFromLocalAdmins** | Write | String | Hide Exclusions From Local Admins (1: If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell., 0: If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell.) | `1`, `0` | +| **HideExclusionsFromLocalUsers** | Write | String | Hide Exclusions From Local Users (1: If you enable this setting, local users will no longer be able to see the exclusion list in Windows Security App or via PowerShell., 0: If you disable or do not configure this setting, local users will be able to see exclusions in the Windows Security App and via PowerShell.) | `1`, `0` | +| **OobeEnableRtpAndSigUpdate** | Write | String | Oobe Enable Rtp And Sig Update (1: If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE., 0: If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled.) 
| `1`, `0` | +| **PUAProtection** | Write | String | PUA Protection (0: PUA Protection off. Windows Defender will not protect against potentially unwanted applications., 1: PUA Protection on. Detected items are blocked. They will show in history along with other threats., 2: Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.) | `0`, `1`, `2` | +| **RealTimeScanDirection** | Write | String | Real Time Scan Direction (0: Monitor all files (bi-directional)., 1: Monitor incoming files., 2: Monitor outgoing files.) | `0`, `1`, `2` | +| **ScanParameter** | Write | String | Scan Parameter (1: Quick scan, 2: Full scan) | `1`, `2` | +| **ScheduleQuickScanTime** | Write | SInt32 | Schedule Quick Scan Time | | +| **ScheduleScanDay** | Write | String | Schedule Scan Day (0: Every day, 1: Sunday, 2: Monday, 3: Tuesday, 4: Wednesday, 5: Thursday, 6: Friday, 7: Saturday, 8: No scheduled scan) | `0`, `1`, `2`, `3`, `4`, `5`, `6`, `7`, `8` | +| **ScheduleScanTime** | Write | SInt32 | Schedule Scan Time | | +| **SignatureUpdateInterval** | Write | SInt32 | Signature Update Interval | | +| **SubmitSamplesConsent** | Write | String | Submit Samples Consent (0: Always prompt., 1: Send safe samples automatically., 2: Never send., 3: Send all samples automatically.) | `0`, `1`, `2`, `3` | +| **LsaCfgFlags** | Write | String | Credential Guard (0: (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock., 1: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock., 2: (Enabled without lock) Turns on Credential Guard without UEFI lock.) 
| `0`, `1`, `2` | +| **DeviceEnumerationPolicy** | Write | String | Device Enumeration Policy (0: Block all (Most restrictive), 1: Only after log in/screen unlock, 2: Allow all (Least restrictive)) | `0`, `1`, `2` | +| **SmartScreenEnabled** | Write | String | Configure Microsoft Defender SmartScreen (0: Disabled, 1: Enabled) | `0`, `1` | +| **SmartScreenPuaEnabled** | Write | String | Configure Microsoft Defender SmartScreen to block potentially unwanted apps (0: Disabled, 1: Enabled) | `0`, `1` | +| **SmartScreenDnsRequestsEnabled** | Write | String | Enable Microsoft Defender SmartScreen DNS requests (0: Disabled, 1: Enabled) | `0`, `1` | +| **NewSmartScreenLibraryEnabled** | Write | String | Enable new SmartScreen library (0: Disabled, 1: Enabled) | `0`, `1` | +| **SmartScreenForTrustedDownloadsEnabled** | Write | String | Force Microsoft Defender SmartScreen checks on downloads from trusted sources (0: Disabled, 1: Enabled) | `0`, `1` | +| **PreventSmartScreenPromptOverride** | Write | String | Prevent bypassing Microsoft Defender SmartScreen prompts for sites (0: Disabled, 1: Enabled) | `0`, `1` | +| **PreventSmartScreenPromptOverrideForFiles** | Write | String | Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (0: Disabled, 1: Enabled) | `0`, `1` | + +### MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisableSafetyFilterOverrideForAppRepUnknown** | Write | String | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (User) (0: Disabled, 1: Enabled) | `0`, `1` | + + +## Description + +Intune Security Baseline Defender For Endpoint + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- 
**Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint + { + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + AllowRealtimeMonitoring = '1' + BlockWin32APICallsFromOfficeMacros = 'warn' + CloudBlockLevel = '2' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint + { + DisableSafetyFilterOverrideForAppRepUnknown = '1' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint + { + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + AllowRealtimeMonitoring = '0' #drift + BlockWin32APICallsFromOfficeMacros = 'warn' + CloudBlockLevel = '2' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint + { + DisableSafetyFilterOverrideForAppRepUnknown = '1' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint' + { + DisplayName = 'test' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + diff --git a/docs/docs/resources/security-compliance/SCPolicyConfig.md b/docs/docs/resources/security-compliance/SCPolicyConfig.md new file mode 100644 index 0000000000..24d6efb596 --- /dev/null +++ b/docs/docs/resources/security-compliance/SCPolicyConfig.md 
@@ -0,0 +1,481 @@ +# SCPolicyConfig + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Accepted value is 'Yes'. | `Yes` | +| **AdvancedClassificationEnabled** | Write | Boolean | TBD | | +| **AuditFileActivity** | Write | Boolean | TBD | | +| **BandwidthLimitEnabled** | Write | Boolean | TBD | | +| **BusinessJustificationList** | Write | MSFT_PolicyConfigBusinessJustificationList[] | TBD | | +| **CloudAppMode** | Write | String | TBD | | +| **CloudAppRestrictionList** | Write | StringArray[] | TBD | | +| **CustomBusinessJustificationNotification** | Write | UInt32 | TBD | | +| **DailyBandwidthLimitInMB** | Write | UInt32 | TBD | | +| **DLPAppGroups** | Write | MSFT_PolicyConfigDLPAppGroups[] | TBD | | +| **DLPNetworkShareGroups** | Write | MSFT_PolicyConfigDLPNetworkShareGroups[] | TBD | | +| **DLPPrinterGroups** | Write | MSFT_PolicyConfigDLPPrinterGroups[] | TBD | | +| **DLPRemovableMediaGroups** | Write | MSFT_PolicyConfigDLPRemovableMediaGroups[] | TBD | | +| **IncludePredefinedUnallowedBluetoothApps** | Write | Boolean | TBD | | +| **MacDefaultPathExclusionsEnabled** | Write | Boolean | TBD | | +| **MacPathExclusion** | Write | StringArray[] | TBD | | +| **NetworkPathEnforcementEnabled** | Write | Boolean | TBD | | +| **NetworkPathExclusion** | Write | String | TBD | | +| **PathExclusion** | Write | StringArray[] | TBD | | +| **serverDlpEnabled** | Write | Boolean | TBD | | +| **EvidenceStoreSettings** | Write | MSFT_PolicyConfigEvidenceStoreSettings | TBD | | +| **SiteGroups** | Write | MSFT_PolicyConfigDLPSiteGroups[] | TBD | | +| **UnallowedApp** | Write | MSFT_PolicyConfigApp[] | TBD | | +| **UnallowedCloudSyncApp** | Write | MSFT_PolicyConfigApp[] | TBD | | +| **UnallowedBluetoothApp** | Write | MSFT_PolicyConfigApp[] | TBD | | +| **UnallowedBrowser** | Write | MSFT_PolicyConfigApp[] | TBD | | +| **QuarantineParameters** | Write | 
MSFT_PolicyConfigQuarantineParameters | TBD | | +| **VPNSettings** | Write | StringArray[] | TBD | | +| **EnableLabelCoauth** | Write | Boolean | TBD | | +| **EnableSpoAipMigration** | Write | Boolean | TBD | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_PolicyConfigApp + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Value** | Write | String | Name of the application. | | +| **Executable** | Write | String | Name of the executable file. 
| | + +### MSFT_PolicyConfigStorageAccount + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Write | String | TBD | | +| **BlobUri** | Write | String | TBD | | + +### MSFT_PolicyConfigSiteGroupAddress + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **MatchType** | Write | String | TBD | | +| **Url** | Write | String | TBD | | +| **AddressLower** | Write | String | TBD | | +| **AddressUpper** | Write | String | TBD | | + +### MSFT_PolicyConfigDLPSiteGroups + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Write | String | TBD | | +| **Name** | Write | String | TBD | | +| **addresses** | Write | MSFT_PolicyConfigSiteGroupAddress[] | TBD | | + +### MSFT_PolicyConfigRemovableMedia + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **deviceId** | Write | String | TBD | | +| **removableMediaVID** | Write | String | TBD | | +| **name** | Write | String | TBD | | +| **alias** | Write | String | TBD | | +| **removableMediaPID** | Write | String | TBD | | +| **instancePathId** | Write | String | TBD | | +| **serialNumberId** | Write | String | TBD | | +| **hardwareId** | Write | String | TBD | | + +### MSFT_PolicyConfigDLPRemovableMediaGroups + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **groupName** | Write | String | TBD | | +| **removableMedia** | Write | MSFT_PolicyConfigRemovableMedia[] | TBD | | + +### MSFT_PolicyConfigIPRange + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **fromAddress** | Write | String | TBD | | +| **toAddress** | Write | String | TBD | | + +### MSFT_PolicyConfigPrinter + 
+#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **universalPrinter** | Write | Boolean | TBD | | +| **usbPrinter** | Write | Boolean | TBD | | +| **usbPrinterId** | Write | String | TBD | | +| **name** | Write | String | TBD | | +| **alias** | Write | String | TBD | | +| **usbPrinterVID** | Write | String | TBD | | +| **ipRange** | Write | MSFT_PolicyConfigIPRange | TBD | | +| **corporatePrinter** | Write | Boolean | TBD | | +| **printToLocal** | Write | Boolean | TBD | | +| **printToFile** | Write | Boolean | TBD | | + +### MSFT_PolicyConfigDLPNetworkShareGroups + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **groupName** | Write | String | TBD | | +| **groupId** | Write | String | TBD | | +| **networkPaths** | Write | StringArray[] | TBD | | + +### MSFT_PolicyConfigDLPApp + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **ExecutableName** | Write | String | TBD | | +| **Name** | Write | String | TBD | | +| **Quarantine** | Write | Boolean | TBD | | + +### MSFT_PolicyConfigDLPAppGroups + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Write | String | TBD | | +| **Name** | Write | String | TBD | | +| **Description** | Write | String | TBD | | +| **Apps** | Write | MSFT_PolicyConfigDLPApp[] | TBD | | + +### MSFT_PolicyConfigEvidenceStoreSettings + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **FileEvidenceIsEnabled** | Write | Boolean | TBD | | +| **NumberOfDaysToRetain** | Write | UInt32 | TBD | | +| **StorageAccounts** | Write | MSFT_PolicyConfigStorageAccount[] | TBD | | +| **Store** | Write | String | TBD | | + +### MSFT_PolicyConfigBusinessJustificationList + +#### 
Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Write | String | TBD | | +| **justificationText** | Write | String | TBD | | +| **Enable** | Write | Boolean | TBD | | + +### MSFT_PolicyConfigDLPPrinterGroups + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **groupName** | Write | String | TBD | | +| **groupId** | Write | String | TBD | | +| **printers** | Write | MSFT_PolicyConfigPrinter[] | TBD | | + +### MSFT_PolicyConfigQuarantineParameters + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **EnableQuarantineForCloudSyncApps** | Write | Boolean | TBD | | +| **QuarantinePath** | Write | String | TBD | | +| **MacQuarantinePath** | Write | String | TBD | | +| **ShouldReplaceFile** | Write | Boolean | TBD | | +| **FileReplacementText** | Write | String | TBD | | + + +## Description + +Configures the Data Loss Prevention settings in Purview. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SCPolicyConfig "SCPolicyConfig" + { + AdvancedClassificationEnabled = $True; + ApplicationId = $ApplicationId; + AuditFileActivity = $False; + BandwidthLimitEnabled = $False; + BusinessJustificationList = @( + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification1' + Enable = $True + justificationText = 'default:Were' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification2' + Enable = $True + justificationText = 'default:Not' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification3' + Enable = $True + justificationText = 'default:Going' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification4' + Enable = $True + justificationText = 'default:To' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification5' + Enable = $True + justificationText = 'default:Take It' + } + ); + CertificateThumbprint = $CertificateThumbprint; + CloudAppMode = "Block"; + CloudAppRestrictionList = @("contoso.net","contoso.com"); + CustomBusinessJustificationNotification = 3; + DailyBandwidthLimitInMB = 0; + DLPAppGroups = @( + MSFT_PolicyConfigDLPAppGroups + { + Name = 'Maracas' + Id = '5c124091-bb75-4d20-9c09-b00d584c6270' + Description = 'Lacucaracha' + Apps = @( + MSFT_PolicyConfigDLPApp + { + ExecutableName = 'toc.exe' + Name = 'toctoctoc' + Quarantine = $False + } + ) + } + ); + DLPNetworkShareGroups = @( + MSFT_PolicyConfigDLPNetworkShareGroups + { + groupName = 'Network Share Group' + networkPaths = @('\\share2','\\share') + } + ); + DLPPrinterGroups = @( + MSFT_PolicyConfigDLPPrinterGroups + { + groupName = 'MyGroup' + groupId = '928f8844-80af-4740-b563-232b33b29f5d' + 
printers = @( + MSFT_PolicyConfigPrinter + { + universalPrinter = $False + usbPrinter = $True + usbPrinterId = '' + name = 'asdf' + alias = 'aasdf' + usbPrinterVID = '' + ipRange = MSFT_PolicyConfigIPRange + { + fromAddress = '' + toAddress = '' + } + corporatePrinter = $False + printToLocal = $False + printToFile = $False + } + ) + } + ); + DLPRemovableMediaGroups = @( + MSFT_PolicyConfigDLPRemovableMediaGroups + { + groupName = 'My Removable USB device group' + removablemedia = @( + MSFT_PolicyConfigRemovableMedia + { + deviceId = 'Nik' + removableMediaVID = 'bob' + name = 'MaCles' + alias = 'My Device' + removableMediaPID = 'asdfsd' + instancePathId = 'instance path' + serialNumberId = 'asdf' + hardwareId = 'hardware' + } + ) + } + ); + EnableLabelCoauth = $False; + EnableSpoAipMigration = $False; + EvidenceStoreSettings = MSFT_PolicyConfigEvidenceStoreSettings + { + FileEvidenceIsEnabled = $True + NumberOfDaysToRetain = 7 + StorageAccounts = @( + MSFT_PolicyConfigStorageAccount + { + Name = 'My storage' + BlobUri = 'https://contoso.com' + } + MSFT_PolicyConfigStorageAccount + { + Name = 'My 2nd storage' + BlobUri = 'https://coucou.com' + } + ) + Store = 'CustomerManaged' + }; + IncludePredefinedUnallowedBluetoothApps = $True; + IsSingleInstance = "Yes"; + MacDefaultPathExclusionsEnabled = $True; + MacPathExclusion = @("/pear","/apple","/orange"); + NetworkPathEnforcementEnabled = $True; + NetworkPathExclusion = "\\MyFirstPath:\\MySecondPath:\\MythirdPAth"; + PathExclusion = @("\\includemenot","\\excludemeWindows","\\excludeme3"); + QuarantineParameters = MSFT_PolicyConfigQuarantineParameters + { + EnableQuarantineForCloudSyncApps = $False + QuarantinePath = '%homedrive%%homepath%\Microsoft DLP\Quarantine' + MacQuarantinePath = '/System/Applications/Microsoft DLP/QuarantineMA' + ShouldReplaceFile = $True + FileReplacementText = 'Gargamel' + } + serverDlpEnabled = $True; + SiteGroups = @( + MSFT_PolicyConfigDLPSiteGroups + { + Id = 
'cfa0d856-4dc9-4497-b0aa-93584e919a83' + Name = 'Whatever' + Addresses = @( + MSFT_PolicyConfigSiteGroupAddress + { + MatchType = 'UrlMatch' + Url = 'Karakette.com' + AddressLower = '' + AddressUpper = '' + } + ) + } + ); + TenantId = $TenantId; + UnallowedApp = @( + MSFT_PolicyConfigApp + { + Value = 'Caramel' + Executable = 'cara.exe' + } + MSFT_PolicyConfigApp + { + Value = 'Fudge' + Executable = 'chocolate.exe' + } + ); + UnallowedBluetoothApp = @( + MSFT_PolicyConfigApp + { + Value = 'bluetooth' + Executable = 'micase.exe' + } + MSFT_PolicyConfigApp + { + Value = 'marmelade' + Executable = 'julia.exe' + } + ); + UnallowedBrowser = @( + MSFT_PolicyConfigApp + { + Value = 'UC Browser' + Executable = 'ucbrowser.exe' + } + MSFT_PolicyConfigApp + { + Value = 'CapitainOS' + Executable = 'captn.exe' + } + ); + UnallowedCloudSyncApp = @( + MSFT_PolicyConfigApp + { + Value = 'ikochou' + Executable = 'gillex.msi' + } + MSFT_PolicyConfigApp + { + Value = 'johny' + Executable = 'boo.msi' + } + ); + VPNSettings = @("MyVPNAddress","MySecondVPNAddress"); + } + } +} +``` + diff --git a/docs/docs/resources/teams/TeamsMeetingPolicy.md b/docs/docs/resources/teams/TeamsMeetingPolicy.md index eb0d697b33..acefdca8e8 100644 --- a/docs/docs/resources/teams/TeamsMeetingPolicy.md +++ b/docs/docs/resources/teams/TeamsMeetingPolicy.md 
@@ -6,67 +6,79 @@ | --- | --- | --- | --- | --- | | **Identity** | Key | String | Identity of the Teams Meeting Policy. | | | **Description** | Write | String | Description of the Teams Meeting Policy. | | -| **AllowChannelMeetingScheduling** | Write | Boolean | Determines whether a user can schedule channel meetings. Set this to TRUE to allow a user to schedule channel meetings. Set this to FALSE to prohibit the user from scheduling channel meetings. Note this only restricts from scheduling and not from joining a meeting scheduled by another user. | | -| **AllowMeetNow** | Write | Boolean | Determines whether a user can start ad-hoc meetings. Set this to TRUE to allow a user to start ad-hoc meetings. Set this to FALSE to prohibit the user from starting ad-hoc meetings. | | -| **AllowPrivateMeetNow** | Write | Boolean | Determines whether a user can start private ad-hoc meetings. Set this to TRUE to allow a user to start private ad-hoc meetings. Set this to FALSE to prohibit the user from starting private ad-hoc meetings. | | -| **MeetingChatEnabledType** | Write | String | Determines whether or not Chat will be enabled, enabled except anonymous or disabled for meetings. | `Disabled`, `Enabled`, `EnabledExceptAnonymous` | -| **LiveCaptionsEnabledType** | Write | String | Determines whether a user should have the option to view live captions or not in a meeting. | `Disabled`, `DisabledUserOverride` | -| **AllowIPAudio** | Write | Boolean | Determines whether audio is enabled in a user's meetings or calls. Set this to TRUE to allow the user to share their audioo. Set this to FALSE to prohibit the user from sharing their audio. | | -| **AllowIPVideo** | Write | Boolean | Determines whether video is enabled in a user's meetings or calls. Set this to TRUE to allow the user to share their video. Set this to FALSE to prohibit the user from sharing their video. 
| | -| **AllowEngagementReport** | Write | String | Determines whether or not a meeting Organizer can track join and leave times for all users within their meetings as well as download a roster. | `Enabled`, `Disabled` | -| **IPAudioMode** | Write | String | Determines whether or not a user can use audio in a meeting that supports it. | `EnabledOutgoingIncoming`, `Disabled` | -| **IPVideoMode** | Write | String | Determines whether or not a user can use video in a meeting that supports it. Can only be enabled if IPAudioMode is enabled | `EnabledOutgoingIncoming`, `Disabled` | +| **AllowAnnotations** | Write | Boolean | Determines whether a user can use the Annotation feature | | | **AllowAnonymousUsersToDialOut** | Write | Boolean | CURRENTLY DISABLED: Determines whether anonymous users can use the Call Me At feature for meeting audio. | | -| **AllowAnonymousUsersToStartMeeting** | Write | Boolean | Determines whether anonymous users can initiate a meeting. Set this to TRUE to allow anonymous users to initiate a meeting. Set this to FALSE to prohibit them from initiating a meeting. | | -| **AllowPrivateMeetingScheduling** | Write | Boolean | Determines whether a user can schedule private meetings. Set this to TRUE to allow a user to schedule private meetings. Set this to FALSE to prohibit the user from scheduling private meetings. Note this only restricts from scheduling and not from joining a meeting scheduled by another user. | | -| **AutoAdmittedUsers** | Write | String | Determines what types of participants will automatically be added to meetings organized by this user. Set this to EveryoneInCompany if you would like meetings to place every external user in the lobby but allow all users in the company to join the meeting immediately. Set this to Everyone if you'd like to admit anonymous users by default. 
Set this to EveryoneInSameAndFederatedCompany if you would like meetings to allow federated users to join like your company's users, but place all other external users in a lobby. Set this to InvitedUsers if you would like meetings to allow only the invited users. | `EveryoneInCompany`, `Everyone`, `EveryoneInSameAndFederatedCompany`, `OrganizerOnly`, `InvitedUsers`, `EveryoneInCompanyExcludingGuests` | -| **AllowPSTNUsersToBypassLobby** | Write | Boolean | Determines whether PSTN users should be automatically admitted to the meetings. Set this to TRUE to allow the PSTN user to be able bypass the meetinglobby. Set this to FALSE to prohibit the PSTN user from bypassing the meetinglobby. | | -| **AllowCloudRecording** | Write | Boolean | Determines whether cloud recording is allowed in a user's meetings. Set this to TRUE to allow the user to be able to record meetings. Set this to FALSE to prohibit the user from recording meetings. | | -| **AllowRecordingStorageOutsideRegion** | Write | Boolean | Determines whether cloud recording can be stored out of region for go-local tenants where recording is not yet enabled. | | -| **DesignatedPresenterRoleMode** | Write | String | Determines if users can change the default value of the Who can present? setting in Meeting options in the Teams client. This policy setting affects all meetings, including Meet Now meetings. | `OrganizerOnlyUserOverride`, `EveryoneInCompanyUserOverride`, `EveryoneUserOverride` | -| **AllowOutlookAddIn** | Write | Boolean | Determines whether a user can schedule Teams Meetings in Outlook desktop client. Set this to TRUE to allow the user to be able to schedule Teams meetings in Outlook client. Set this to FALSE to prohibit a user from scheduling Teams meeting in Outlook client. | | -| **AllowPowerPointSharing** | Write | Boolean | Determines whether Powerpoint sharing is allowed in a user's meetings. Set this to TRUE to allow. Set this to FALSE to prohibit. 
| | -| **AllowParticipantGiveRequestControl** | Write | Boolean | Determines whether participants can request or give control of screen sharing during meetings scheduled by this user. Set this to TRUE to allow the user to be able to give or request control. Set this to FALSE to prohibit the user from giving, requesting control in a meeting. | | -| **AllowExternalParticipantGiveRequestControl** | Write | Boolean | Determines whether external participants can request or give control of screen sharing during meetings scheduled by this user. Set this to TRUE to allow the user to be able to give or request control. Set this to FALSE to prohibit an external user from giving or requesting control in a meeting. | | -| **AllowSharedNotes** | Write | Boolean | Determines whether users are allowed to take shared notes. Set this to TRUE to allow. Set this to FALSE to prohibit. | | -| **AllowWhiteboard** | Write | Boolean | Determines whether whiteboard is allowed in a user's meetings. Set this to TRUE to allow. Set this to FALSE to prohibit. | | -| **AllowTranscription** | Write | Boolean | Determines whether real-time and/or post-meeting captions and transcriptions are allowed in a user's meetings. Set this to TRUE to allow. Set this to FALSE to prohibit. | | -| **MediaBitRateKb** | Write | UInt32 | Determines the media bit rate for audio/video/app sharing transmissions in meetings. | | -| **ScreenSharingMode** | Write | String | Determines the mode in which a user can share a screen in calls or meetings. Set this to SingleApplication to allow the user to share an application at a given point in time. Set this to EntireScreen to allow the user to share anything on their screens. Set this to Disabled to prohibit the user from sharing their screens. | `SingleApplication`, `EntireScreen`, `Disabled` | -| **VideoFiltersMode** | Write | String | Determines which background filters are available to meeting attendees. 
| `NoFilters`, `BlurOnly`, `BlurAndDefaultBackgrounds`, `AllFilters` | -| **AllowOrganizersToOverrideLobbySettings** | Write | Boolean | Determines whether organizers can override lobby settings for both VOIP and PSTN. Set this to TRUE to allow. Set this to FALSE to prohibit. | | -| **PreferredMeetingProviderForIslandsMode** | Write | String | Determines which Outlook Add-in the user will get as preferred Meeting provider(TeamsAndSfb or Teams). | `TeamsAndSfb`, `Teams` | -| **AllowNDIStreaming** | Write | Boolean | Determines whether a user is able to use NDI (Network Device Interface) in meetings - both for output and input streams. | | -| **AllowUserToJoinExternalMeeting** | Write | String | Determines what types of external meetings users can join. Enabled is able join all external meetings. | `Enabled`, `FederatedOnly`, `Disabled` | -| **EnrollUserOverride** | Write | String | Determines whether or not users will be able to enroll/capture their Biometric data: Face & Voice. | `Disabled`, `Enabled` | -| **RoomAttributeUserOverride** | Write | String | Determines whether or not biometric data will be used to distinguish and or attribute in the transcript. | `Off`, `Distinguish`, `Attribute` | -| **StreamingAttendeeMode** | Write | String | Determines whether or not meetings created by users with this policy are able to utilize the meeting overflow capability. | `Disabled`, `Enabled` | +| **AllowAnonymousUsersToJoinMeeting** | Write | Boolean | Determines whether anonymous users can join the meetings that impacted users organize. | | +| **AllowAnonymousUsersToStartMeeting** | Write | Boolean | Determines whether anonymous users can initiate a meeting. | | | **AllowBreakoutRooms** | Write | Boolean | Determines whether or not meetings created by users with this policy are able to utilize the Breakout Rooms feature. 
| | -| **TeamsCameraFarEndPTZMode** | Write | String | Determines whether or not meetings created by users with this policy are able to utilize the Camera Far-End PTZ Mode. | `Disabled`, `AutoAcceptInTenant`, `AutoAcceptAll` | +| **AllowCartCaptionsScheduling** | Write | String | Determines whether a user can add a URL for captions from a Communications Access Real-Time Translation (CART) captioner for providing real-time captions in meetings. | `EnabledUserOverride`, `DisabledUserOverride`, `Disabled` | +| **AllowChannelMeetingScheduling** | Write | Boolean | Determines whether a user can schedule channel meetings. Note this only restricts from scheduling and not from joining a meeting scheduled by another user. | | +| **AllowCloudRecording** | Write | Boolean | Determines whether cloud recording is allowed in a user's meetings. | | +| **AllowDocumentCollaboration** | Write | String | This setting will allow admins to choose which users will be able to use the Document Collaboration feature. | `Enabled`, `Disabled` | +| **AllowedStreamingMediaInput** | Write | String | Enables the use of RTMP-In in Teams meetings. | | +| **AllowEngagementReport** | Write | String | Determines whether or not a meeting Organizer can track join and leave times for all users within their meetings as well as download a roster. | `Enabled`, `Disabled`, `ForceEnabled` | +| **AllowExternalNonTrustedMeetingChat** | Write | Boolean | This field controls whether a user is allowed to chat in external meetings with users from non trusted organizations. | | +| **AllowExternalParticipantGiveRequestControl** | Write | Boolean | Determines whether external participants can request or give control of screen sharing during meetings scheduled by this user. | | +| **AllowIPAudio** | Write | Boolean | Determines whether audio is enabled in a user's meetings or calls. | | +| **AllowIPVideo** | Write | Boolean | Determines whether video is enabled in a user's meetings or calls. 
| | +| **AllowMeetingCoach** | Write | Boolean | This setting will allow admins to allow users the option of turning on Meeting Coach during meetings, which provides users with private personalized feedback on their communication and inclusivity. | | | **AllowMeetingReactions** | Write | Boolean | Determines whether or not meetings created by users with this policy are able to utilize the Meeting Reactions feature. | | -| **WhoCanRegister** | Write | String | Specifies who can attend and register for webinars. | `Everyone`, `EveryoneInCompany` | -| **AllowAnnotations** | Write | Boolean | N/A | | -| **AllowAnonymousUsersToJoinMeeting** | Write | Boolean | Determines whether anonymous users can join the meetings that impacted users organize. Set this to TRUE to allow anonymous users to join a meeting. Set this to FALSE to prohibit them from joining a meeting. | | -| **AllowMeetingCoach** | Write | Boolean | N/A | | | **AllowMeetingRegistration** | Write | Boolean | Controls if a user can create a webinar meeting. The default value is True. | | +| **AllowMeetNow** | Write | Boolean | Determines whether a user can start ad-hoc meetings. | | +| **AllowNDIStreaming** | Write | Boolean | Determines whether a user is able to use NDI (Network Device Interface) in meetings - both for output and input streams. | | | **AllowNetworkConfigurationSettingsLookup** | Write | Boolean | Determines whether network configuration setting lookups can be made by users who are not Enterprise Voice enabled. It is used to enable Network Roaming policies. | | -| **AllowWatermarkForCameraVideo** | Write | Boolean | N/A | | -| **AllowWatermarkForScreenSharing** | Write | Boolean | N/A | | -| **NewMeetingRecordingExpirationDays** | Write | SInt32 | Specifies the number of days before meeting recordings will expire and move to the recycle bin. Value can be from 1 to 99,999 days. NOTE: You may opt to set Meeting Recordings to never expire by entering the value -1. 
| | -| **AllowCartCaptionsScheduling** | Write | String | Determines whether a user can add a URL for captions from a Communications Access Real-Time Translation (CART) captioner for providing real-time captions in meetings. | `EnabledUserOverride`, `DisabledUserOverride`, `Disabled` | -| **AllowDocumentCollaboration** | Write | String | N/A | | -| **AllowedStreamingMediaInput** | Write | String | N/A | | +| **AllowOrganizersToOverrideLobbySettings** | Write | Boolean | Determines whether organizers can override lobby settings for both VOIP and PSTN. | | +| **AllowOutlookAddIn** | Write | Boolean | Determines whether a user can schedule Teams Meetings in Outlook desktop client. | | +| **AllowParticipantGiveRequestControl** | Write | Boolean | Determines whether participants can request or give control of screen sharing during meetings scheduled by this user. | | +| **AllowPowerPointSharing** | Write | Boolean | Determines whether Powerpoint sharing is allowed in a user's meetings. | | +| **AllowPrivateMeetingScheduling** | Write | Boolean | Determines whether a user can schedule private meetings. Note this only restricts from scheduling and not from joining a meeting scheduled by another user. | | +| **AllowPrivateMeetNow** | Write | Boolean | Determines whether a user can start private ad-hoc meetings. | | +| **AllowPSTNUsersToBypassLobby** | Write | Boolean | Determines whether PSTN users should be automatically admitted to the meetings. | | +| **AllowRecordingStorageOutsideRegion** | Write | Boolean | Determines whether cloud recording can be stored out of region for go-local tenants where recording is not yet enabled. | | +| **AllowSharedNotes** | Write | Boolean | Determines whether users are allowed to take shared notes. | | +| **AllowTranscription** | Write | Boolean | Determines whether real-time and/or post-meeting captions and transcriptions are allowed in a user's meetings. 
| | +| **AllowUserToJoinExternalMeeting** | Write | String | Determines what types of external meetings users can join. Enabled is able join all external meetings. | `Enabled`, `FederatedOnly`, `Disabled` | +| **AllowWatermarkForCameraVideo** | Write | Boolean | This setting allows scheduling meetings with watermarking for video enabled. | | +| **AllowWatermarkForScreenSharing** | Write | Boolean | This setting allows scheduling meetings with watermarking for screen sharing enabled. | | +| **AllowWhiteboard** | Write | Boolean | Determines whether whiteboard is allowed in a user's meetings. | | +| **AttendeeIdentityMasking** | Write | String | This setting will allow admins to enable or disable Masked Attendee mode in Meetings. Masked Attendee meetings will hide attendees' identifying information (e.g., name, contact information, profile photo). | `Enabled`, `Disabled`, `DisabledUserOverride` | +| **AutoAdmittedUsers** | Write | String | Determines what types of participants will automatically be added to meetings organized by this user. Set this to EveryoneInCompany if you would like meetings to place every external user in the lobby but allow all users in the company to join the meeting immediately. Set this to Everyone if you'd like to admit anonymous users by default. Set this to EveryoneInSameAndFederatedCompany if you would like meetings to allow federated users to join like your company's users, but place all other external users in a lobby. Set this to InvitedUsers if you would like meetings to allow only the invited users. | `EveryoneInCompany`, `Everyone`, `EveryoneInSameAndFederatedCompany`, `OrganizerOnly`, `InvitedUsers`, `EveryoneInCompanyExcludingGuests` | +| **AutomaticallyStartCopilot** | Write | String | This setting gives admins the ability to auto-start Copilot. | `Enabled`, `Disabled` | +| **AutoRecording** | Write | String | This setting will enable Tenant Admins to turn on/off auto recording feature. 
| `Enabled`, `Disabled` | | **BlockedAnonymousJoinClientTypes** | Write | String | A user can join a Teams meeting anonymously using a Teams client or using a custom application built using Azure Communication Services. When anonymous meeting join is enabled, both types of clients may be used by default. This optional parameter can be used to block one of the client types that can be used. The allowed values are ACS (to block the use of Azure Communication Services clients) or Teams (to block the use of Teams clients). Both can also be specified, separated by a comma, but this is equivalent to disabling anonymous join completely. | | -| **ChannelRecordingDownload** | Write | String | Determines how channel meeting recordings are saved, permissioned, and who can download them. | | -| **ExplicitRecordingConsent** | Write | String | N/A | | -| **ForceStreamingAttendeeMode** | Write | String | N/A | | -| **InfoShownInReportMode** | Write | String | N/A | | +| **ChannelRecordingDownload** | Write | String | Determines how channel meeting recordings are saved, permissioned, and who can download them. | `Allow`, `Block` | +| **ConnectToMeetingControls** | Write | String | Allows external connections of thirdparty apps to Microsoft Teams. | `Enabled`, `Disabled` | +| **ContentSharingInExternalMeetings** | Write | String | This policy allows admins to determine whether the user can share content in meetings organized by external organizations. The user should have a Teams Premium license to be protected under this policy. | `EnabledForAnyone`, `EnabledForTrustedOrgs`, `Disabled` | +| **Copilot** | Write | String | This setting allows the admin to choose whether Copilot will be enabled with a persisted transcript or a non-persisted transcript. 
| `Enabled`, `EnabledWithTranscript` | +| **CopyRestriction** | Write | Boolean | This parameter enables a setting that controls a meeting option which allows users to disable right-click or Ctrl+C to copy, Copy link, Forward message, and Share to Outlook for meeting chat messages. | | +| **DesignatedPresenterRoleMode** | Write | String | Determines if users can change the default value of the Who can present? setting in Meeting options in the Teams client. This policy setting affects all meetings, including Meet Now meetings. | `OrganizerOnlyUserOverride`, `EveryoneInCompanyUserOverride`, `EveryoneUserOverride` | +| **DetectSensitiveContentDuringScreenSharing** | Write | Boolean | Allows the admin to enable sensitive content detection during screen share. | | +| **EnrollUserOverride** | Write | String | Determines whether or not users will be able to enroll/capture their Biometric data: Face & Voice. | `Disabled`, `Enabled` | +| **ExplicitRecordingConsent** | Write | String | This setting will enable Tenant Admins to turn on/off Explicit Recording Consent feature. | `Disabled`, `Enabled` | +| **ExternalMeetingJoin** | Write | String | Determines whether the user is allowed to join external meetings. | `EnabledForAnyone`, `EnabledForTrustedOrgs`, `Disabled` | +| **InfoShownInReportMode** | Write | String | This policy controls what kind of information get shown for the user's attendance in attendance report/dashboard. | | +| **IPAudioMode** | Write | String | Determines whether audio can be turned on in meetings and group calls. | `EnabledOutgoingIncoming`, `Disabled` | +| **IPVideoMode** | Write | String | Determines whether video can be turned on in meetings and group calls. Can only be enabled if IPAudioMode is enabled | `EnabledOutgoingIncoming`, `Disabled` | +| **LiveCaptionsEnabledType** | Write | String | Determines whether a user should have the option to view live captions or not in a meeting. 
| `Disabled`, `DisabledUserOverride` | | **LiveInterpretationEnabledType** | Write | String | Determines how meeting organizers can configure a meeting for language interpretation, select attendees of the meeting to become interpreters that other attendees can select and listen to the real-time translation they provide. | | | **LiveStreamingMode** | Write | String | Determines whether you provide support for your users to stream their Teams meetings to large audiences through Real-Time Messaging Protocol (RTMP). | `Disabled`, `Enabled` | +| **MediaBitRateKb** | Write | UInt32 | Determines the media bit rate for audio/video/app sharing transmissions in meetings. | | +| **MeetingChatEnabledType** | Write | String | Determines whether or not Chat will be enabled, enabled except anonymous or disabled for meetings. | `Disabled`, `Enabled`, `EnabledExceptAnonymous` | | **MeetingInviteLanguages** | Write | String | Controls how the join information in meeting invitations is displayed by enforcing a common language or enabling up to two languages to be displayed. Note: All Teams supported languages can be specified using language codes. | | -| **QnAEngagementMode** | Write | String | N/A | | -| **RoomPeopleNameUserOverride** | Write | String | N/A | | -| **SpeakerAttributionMode** | Write | String | Possible values: EnabledUserOverride or Disabled. | `Disabled`, `EnabledUserOverride` | +| **NewMeetingRecordingExpirationDays** | Write | SInt32 | Specifies the number of days before meeting recordings will expire and move to the recycle bin. Value can be from 1 to 99,999 days. NOTE: You may opt to set Meeting Recordings to never expire by entering the value -1. | | +| **ParticipantNameChange** | Write | String | This setting will enable Tenant Admins to turn on/off participant renaming feature. 
| `Disabled`, `Enabled` | +| **PreferredMeetingProviderForIslandsMode** | Write | String | Determines which Outlook Add-in the user will get as preferred Meeting provider(TeamsAndSfb or Teams). | `TeamsAndSfb`, `Teams` | +| **QnAEngagementMode** | Write | String | This setting enables Microsoft 365 Tenant Admins to Enable or Disable the Questions and Answers experience (Q+A). | `Disabled`, `Enabled` | +| **RoomAttributeUserOverride** | Write | String | Determines whether or not biometric data will be used to distinguish and or attribute in the transcript. | `Off`, `Distinguish`, `Attribute` | +| **RoomPeopleNameUserOverride** | Write | String | Determines if people recognition option is enabled for Teams Rooms. Enabling requires the RoomAttributeUserOverride to be Attribute for allowing individual voice and face profiles to be used for recognition in meetings. | `Off`, `On` | +| **ScreenSharingMode** | Write | String | Determines the mode in which a user can share a screen in calls or meetings. | `SingleApplication`, `EntireScreen`, `Disabled` | +| **SpeakerAttributionMode** | Write | String | Determines if users are identified in transcriptions and if they can change the value of the Automatically identify me in meeting captions and transcripts setting. | `Disabled`, `DisabledUserOverride`, `EnabledUserOverride`, `Enabled` | +| **StreamingAttendeeMode** | Write | String | Controls if Teams uses overflow capability once a meeting reaches its capacity (1,000 users with full functionality). | `Disabled`, `Enabled` | +| **TeamsCameraFarEndPTZMode** | Write | String | Determines whether or not meetings created by users with this policy are able to utilize the Camera Far-End PTZ Mode. | `Disabled`, `AutoAcceptInTenant`, `AutoAcceptAll` | +| **VideoFiltersMode** | Write | String | Determines the background effects that a user can configure in the Teams client. 
| `NoFilters`, `BlurOnly`, `BlurAndDefaultBackgrounds`, `AllFilters` | +| **VoiceIsolation** | Write | String | Determines whether you provide support for your users to enable voice isolation in Teams meeting calls. | `Disabled`, `Enabled` | +| **WhoCanRegister** | Write | String | Specifies who can attend and register for webinars. | `Everyone`, `EveryoneInCompany` | +| **ForceStreamingAttendeeMode** | Write | String | DEPRECATED | | | **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | | **Credential** | Write | PSCredential | Credentials of the Teams Global Admin. | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | diff --git a/docs/docs/user-guide/get-started/authentication-and-permissions.md b/docs/docs/user-guide/get-started/authentication-and-permissions.md index 4ac4f19396..8c7e4c5262 100644 --- a/docs/docs/user-guide/get-started/authentication-and-permissions.md +++ b/docs/docs/user-guide/get-started/authentication-and-permissions.md 
@@ -103,10 +103,10 @@ In order to be able to interact with these components, you need to grant your ap Doing so will return an object with two properties. The **ReadPermissions** property contains a list of the minimal permissions that need to be granted for the app to be able to read information about the selected components. These are the permissions you want to grant if you are taking a snapshot of the configuration of an existing tenant. The second property, **UpdatePermissions**, contains the minimal permissions required to interact with and configure the selected components. You will need to grant your application these permissions if you are trying to apply a configuration onto a tenant. -By default, this cmdlet outputs the permissions required for Delegated permissions. To output the Application permissions, use the PermissionsType parameter +By default, this cmdlet outputs the permissions required for Delegated permissions. To output the Application permissions, use the PermissionType and AccessType parameters ```PowerShell -Get-M365DSCCompiledPermissionList -ResourceNameList @('AADUser', 'AADApplication') -PermissionsType 'Application' +Get-M365DSCCompiledPermissionList -ResourceNameList @('AADUser', 'AADApplication') -PermissionType 'Application' -AccessType 'Read' ``` If you are trying to interact with all available components in Microsoft365DSC, you can get a complete picture of all permissions required across all resources by running the following line of PowerShell. diff --git a/docs/docs/user-guide/get-started/cloning-tenants.md b/docs/docs/user-guide/get-started/cloning-tenants.md index 5884cd7e38..e1a02fa04b 100644 --- a/docs/docs/user-guide/get-started/cloning-tenants.md +++ b/docs/docs/user-guide/get-started/cloning-tenants.md 
@@ -29,7 +29,15 @@ $SourceCredential = Get-Credential Update-M365DSCAllowedGraphScopes -ResourceNameList @("AADGroupsNamingPolicy") -Type Read Export-M365DSCConfiguration -Components @("AADGroupsNamingPolicy") -Credential $SourceCredential -Path C:\Dsc +``` + +Now browse to the specified export folder and open the generated ConfigurationData.psd1 file. Update all tenant specific information in this file with the correct information for the target tenant. For example, a UPN suffix (tenantname.onmicrosoft.com) or the SharePoint URL (tenantname.sharepoint.com). + +Then open the M365TenantConfig.ps1 file and replace all instances of tenant specific information in this file. +> **NOTE:** Our goal is to save all tenant specific information to just the ConfigurationData.psd1 file during export. Unfortunately, at the moment there are a couple of instances where this isn't implemented consistently and tenant specific information is also written in the M365TenantConfig.ps1 file. + +```PowerShell $TargetCredential = Get-Credential Update-M365DSCAllowedGraphScopes -ResourceNameList @("AADGroupsNamingPolicy") -Type Update
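Review bot: In the TeamsMeetingPolicy parameter table hunk, the rewritten `AutoAdmittedUsers` row lists six allowed values but its description explains only four of them; `OrganizerOnly` and `EveryoneInCompanyExcludingGuests` are the two most restrictive lobby settings and the ones an admin hardening a tenant is most likely to choose, so each needs a sentence in the same form as the existing ones ("Set this to InvitedUsers if you would like meetings to allow only the invited users."). In the same hunk, `ForceStreamingAttendeeMode` is marked `DEPRECATED` but is placed after `WhoCanRegister`, breaking the alphabetical order the rest of the table was just rewritten into, and the description should name the parameter that supersedes it if one does. Also, `AllowedStreamingMediaInput` and `InfoShownInReportMode` are `String` parameters whose new descriptions still leave the allowed-values column empty, while sibling rows in this hunk (`ChannelRecordingDownload`, `SpeakerAttributionMode`) gained theirs; either list the accepted values or say that free text is accepted.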
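Review bot: In the authentication-and-permissions.md hunk, the replacement sentence introduces `-AccessType` without saying what it selects or what its default is, and the example passes `-AccessType 'Read'` directly under the paragraph that says the cmdlet returns an object with both `ReadPermissions` and `UpdatePermissions`; a reader cannot tell whether both properties are still returned when `-AccessType 'Read'` is given. Suggest stating the accepted values and the default in that sentence and, if the parameter filters the output, saying so. The hunk also changes `-PermissionsType` to `-PermissionType`; if this reflects a parameter rename in the cmdlet rather than a typo fix in the docs, confirm the old name is kept as an alias or call out the breaking change, since scripts copied from the previous version of this page will otherwise fail.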
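Review bot: In the cloning-tenants.md hunk, the new paragraph tells the reader to "replace all instances of tenant specific information" in `M365TenantConfig.ps1` but gives no concrete search targets for that file; the two examples offered (the UPN suffix and the SharePoint URL) sit in the `ConfigurationData.psd1` paragraph, so someone doing a find/replace on the .ps1 file has nothing to look for. Suggest repeating the same identifiers (tenantname.onmicrosoft.com, tenantname.sharepoint.com) for the .ps1 step, or naming the resources known to write tenant values into it, since a value left behind will be applied to the target tenant when the second code block runs. Minor: "tenant specific" should be "tenant-specific" (three occurrences in the added lines).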