Merge branch 'Dev' into kajalp/Intune_DSC_AppleMDMPushCert

CHANGELOG.md

@@ -2,46 +2,54 @@
 
 # UNRELEASED
 
-* IntuneAppleMDMPushNotificationCertificate
-  * Initial release.
-* IntuneMobileThreatDefenseConnector
-  * Initial release.
 * AADAccessReviewDefinition
   * Initial release.
 * AADAccessReviewPolicy
   * Initial release.
 * AADAuthenticationMethodPolicyExternal
   * Initial release.
+* AADConditionalAccessPolicy
+  * FIXES [#5282](https://github.com/microsoft/Microsoft365DSC/issues/5282)
 * AADCustomSecurityAttributeDefinition
   * Fixed missing permissions in settings.json
 * AADHomeRealmDiscoveryPolicy
   * Initial Release
+* AADIdentityAPIConnector
+  * Initial release.
 * AADIdentityB2XUserFlow
   * Initial release.
 * AADIdentityGovernanceProgram
   * Initial release.
-* AADIdentityAPIConnector
+* AADIdentityProtectionPolicySettings
   * Initial release.
 * AADNetworkAccessForwardingProfile
   * Initial release.
 * AADOrganizationCertificateBasedAuthConfiguration
   * Initial release.
 * AADSocialIdentityProvider
   * Fixed missing permissions in settings.json
+* AADVerifiedIdAuthority
+  * Initial release.
 * AzureBillingAccountsAssociatedTenant
   * Initial release.
 * AzureBillingAccountsRoleAssignment
   * Initial release.
+* AzureVerifiedIdFaceCheck
+  * Initial release.
 * EXOArcConfig
   * Fixed `Test-TargetResource` to correctly check property `ArcTrustedSealers`
     when it has an array
+* AADUserFlowAttribute
+  * Initial Release
 * EXOMailboxAuditBypassAssociation
   * Initial release.
 * EXOTenantAllowBlockListItems
   * Fixed `Test-TargetResource` to correctly mark when this resource is removed
 * IntuneAppCategory
   * Fixed retrieval of resource which could then result in multiple categories
     being created with same name.
+* IntuneAppleMDMPushNotificationCertificate
+  * Initial release.
 * IntuneDerivedCredential
   * Fixed export and deployment when `NotificationType` had more than one option
     selected
@@ -52,10 +60,14 @@
 * IntuneEndpointDetectionAndResponsePolicyWindows10
   * Fixes an issue with `AutoFromConnector` as the Configuration package type.
     FIXES [#5246](https://github.com/microsoft/Microsoft365DSC/issues/5246)
+* IntuneMobileThreatDefenseConnector
+  * Initial release.
 * IntuneSecurityBaselineDefenderForEndpoint
   * Initial release.
 * Intune workload
   * Fixed missing permissions in settings.json
+* SCPolicyConfig
+  * Initial release.
 * SentinelAlertRule
   * Initial release.
 * SentinelThreatIntelligenceIndicator
@@ -66,11 +78,16 @@
     AllowSelectSecurityGroupsInSPSitesList,
     ExemptNativeUsersFromTenantLevelRestricedAccessControl properties.
   * TenantDefaultTimezone changed to String instead of Array.
+* TeamsMeetingPolicy
+  * Added new parameters: AllowExternalNonTrustedMeetingChat, AttendeeIdentityMasking,
+    AutomaticallyStartCopilot, AutoRecording, ConnectToMeetingControls,
+    ContentSharingInExternalMeetings, Copilot, CopyRestriction,
+    DetectSensitiveContentDuringScreenSharing, ExternalMeetingJoin, ParticipantNameChange,
+    VoiceIsolation
 * M365DSCDRGUtil
   * Fixes an issue where non-unique properties were not combined
     properly with their respective parent setting.
 * DEPENDENCIES
-  * Updated ExchangeOnlineManagement to version 3.6.0.
   * Updated Microsoft.Graph to version 2.24.0.
   * Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.199.
   * Updated MSCloudLoginAssistant to version 1.1.27
@@ -123,6 +140,8 @@
   * Initial release.
 * IntuneDeviceConfigurationIdentityProtectionPolicyWindows10
   * Added deprecation notice.
+* IntuneDeviceManagementEnrollmentAndroidGooglePlay
+  * Initial release
 * IntuneEndpointDetectionAndResponsePolicyWindows10
   * Migrate to new Settings Catalog cmdlets.
 * IntuneMobileAppsMacOSLobApp

Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1

@@ -92,6 +92,23 @@ function Get-TargetResource
         [System.String[]]
         $ExcludeExternalTenantsMembers,
 
+        [Parameter()]
+        [System.String[]]
+        $IncludeServicePrincipals,
+
+        [Parameter()]
+        [System.String[]]
+        $ExcludeServicePrincipals,
+
+        [Parameter()]
+        [ValidateSet('include', 'exclude')]
+        [System.String]
+        $ServicePrincipalFilterMode,
+
+        [Parameter()]
+        [System.String]
+        $ServicePrincipalFilterRule,
+
         #ConditionalAccessPlatformCondition
         [Parameter()]
         [System.String[]]
@@ -642,6 +659,11 @@ function Get-TargetResource
         ExcludeExternalTenantsMembershipKind     = [System.String]$Policy.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.MembershipKind
         ExcludeExternalTenantsMembers            = [System.String[]](@() + $Policy.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.AdditionalProperties.members)
 
+        IncludeServicePrincipals                 = $Policy.Conditions.ClientApplications.IncludeServicePrincipals
+        ExcludeServicePrincipals                 = $Policy.Conditions.ClientApplications.ExcludeServicePrincipals
+        ServicePrincipalFilterMode               = $Policy.Conditions.ClientApplications.ServicePrincipalFilter.Mode
+        ServicePrincipalFilterRule               = $Policy.Conditions.ClientApplications.ServicePrincipalFilter.Rule
+
         IncludePlatforms                         = [System.String[]](@() + $Policy.Conditions.Platforms.IncludePlatforms)
         #no translation needed, return empty string array if undefined
         ExcludePlatforms                         = [System.String[]](@() + $Policy.Conditions.Platforms.ExcludePlatforms)
@@ -794,6 +816,23 @@ function Set-TargetResource
         [System.String[]]
         $ExcludeExternalTenantsMembers,
 
+        [Parameter()]
+        [System.String[]]
+        $IncludeServicePrincipals,
+
+        [Parameter()]
+        [System.String[]]
+        $ExcludeServicePrincipals,
+
+        [Parameter()]
+        [ValidateSet('include', 'exclude')]
+        [System.String]
+        $ServicePrincipalFilterMode,
+
+        [Parameter()]
+        [System.String]
+        $ServicePrincipalFilterRule,
+
         #ConditionalAccessPlatformCondition
         [Parameter()]
         [System.String[]]
@@ -1340,6 +1379,49 @@ function Set-TargetResource
             $conditions.Users.Add('excludeGuestsOrExternalUsers', $excludeGuestsOrExternalUsers)
         }
 
+        Write-Verbose -Message 'Set-Targetresource: process includeServicePrincipals'
+        if ($currentParameters.ContainsKey('IncludeServicePrincipals'))
+        {
+            if (-not $conditions.ContainsKey('clientApplications')) {
+                $conditions.Add('clientApplications', @{})
+            }
+            $conditions.clientApplications.Add('includeServicePrincipals', $IncludeServicePrincipals)
+        }
+
+        Write-Verbose -Message 'Set-Targetresource: process excludeServicePrincipals'
+        if ($currentParameters.ContainsKey('ExcludeServicePrincipals'))
+        {
+            if (-not $conditions.ContainsKey('clientApplications')) {
+                $conditions.Add('clientApplications', @{})
+            }
+            $conditions.clientApplications.Add('excludeServicePrincipals', $ExcludeServicePrincipals)
+        }
+
+        Write-Verbose -Message 'Set-Targetresource: process servicePrincipalFilter'
+        if ($currentParameters.ContainsKey('ServicePrincipalFilterMode') -and $currentParameters.ContainsKey('ServicePrincipalFilterRule'))
+        {
+            #check if the custom attribute exist.
+            $customattribute = Invoke-MgGraphRequest -Method GET -Uri https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions
+            $ServicePrincipalFilterRule -match "CustomSecurityAttribute.(?<attribute>.*) -.*"
+            $attrinrule = $matches.attribute
+            if ($customattribute.value.id -contains $attrinrule){
+                if (-not $conditions.ContainsKey('clientApplications')) {
+                    $conditions.Add('clientApplications', @{})
+                }
+                $conditions.clientApplications.Add('servicePrincipalFilter', @{})
+                $conditions.clientApplications.servicePrincipalFilter.Add('mode', $ServicePrincipalFilterMode)
+                $conditions.clientApplications.servicePrincipalFilter.Add('rule', $ServicePrincipalFilterRule)
+            }
+            else{
+                $message = "Couldn't find the custom attribute $attrinrule in the tenant, couldn't add the filter to policy $DisplayName"
+                Write-Verbose -Message $message
+                New-M365DSCLogEntry -Message $message `
+                    -Source $($MyInvocation.MyCommand.Source) `
+                    -TenantId $TenantId `
+                    -Credential $Credential
+            }
+        }
+
         Write-Verbose -Message 'Set-Targetresource: process platform condition'
         if ($currentParameters.ContainsKey('IncludePlatforms') -or $currentParameters.ContainsKey('ExcludePlatforms'))
         {
@@ -1661,6 +1743,9 @@ function Set-TargetResource
         $NewParameters.Add('sessionControls', $sessioncontrols)
         #add SessionControls to the parameter list
     }
+
+    Write-Host "newparameters: $($NewParameters | ConvertTo-Json -Depth 5)"
+
     if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present')
     {
         Write-Verbose -Message "Set-Targetresource: Change policy $DisplayName"
@@ -1829,6 +1914,23 @@ function Test-TargetResource
         [System.String[]]
         $ExcludeExternalTenantsMembers,
 
+        [Parameter()]
+        [System.String[]]
+        $IncludeServicePrincipals,
+
+        [Parameter()]
+        [System.String[]]
+        $ExcludeServicePrincipals,
+
+        [Parameter()]
+        [ValidateSet('include', 'exclude')]
+        [System.String]
+        $ServicePrincipalFilterMode,
+
+        [Parameter()]
+        [System.String]
+        $ServicePrincipalFilterRule,
+
         #ConditionalAccessPlatformCondition
         [Parameter()]
         [System.String[]]

Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof

@@ -21,6 +21,10 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
     [Write, Description("Represents the Excluded internal guests or external user types. This is a multi-valued property. Supported values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, OtherExternalUser, serviceProvider and unknownFutureValue."), ValueMap{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}, Values{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}] String ExcludeGuestOrExternalUserTypes[];
     [Write, Description("Represents the Excluded Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type."), ValueMap{"","all","enumerated","unknownFutureValue"}, Values{"","all","enumerated","unknownFutureValue"}] String ExcludeExternalTenantsMembershipKind;
     [Write, Description("Represents the Excluded collection of tenant ids in the scope of Conditional Access for guests and external users policy targeting.")] String ExcludeExternalTenantsMembers[];
+    [Write, Description("Service Principals in scope of the Policy. 'Attribute Definition Reader' role is needed.")] String IncludeServicePrincipals[];
+    [Write, Description("Service Principals out of scope of the Policy. 'Attribute Definition Reader' role is needed.")] String ExcludeServicePrincipals[];
+    [Write, Description("Mode to use for the Service Principal filter. Possible values are include or exclude. 'Attribute Definition Reader' role is needed."), ValueMap{"include","exclude"}, Values{"include","exclude"}] String ServicePrincipalFilterMode;
+    [Write, Description("Rule syntax for the Service Principal filter. 'Attribute Definition Reader' role is needed.")] String ServicePrincipalFilterRule;
     [Write, Description("Client Device Platforms in scope of the Policy.")] String IncludePlatforms[];
     [Write, Description("Client Device Platforms out of scope of the Policy.")] String ExcludePlatforms[];
     [Write, Description("AAD Named Locations in scope of the Policy.")] String IncludeLocations[];

Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/settings.json

@@ -27,6 +27,9 @@
                     },
                     {
                         "name": "User.Read.All"
+                    },
+                    {
+                        "name": "CustomSecAttributeDefinition.Read.All"
                     }
                 ],
                 "update": [
@@ -47,6 +50,9 @@
                     },
                     {
                         "name": "User.Read.All"
+                    },
+                    {
+                        "name": "CustomSecAttributeDefinition.Read.All"
                     }
                 ]
             },
@@ -69,6 +75,9 @@
                     },
                     {
                         "name": "User.Read.All"
+                    },
+                    {
+                        "name": "CustomSecAttributeDefinition.Read.All"
                     }
                 ],
                 "update": [
@@ -92,6 +101,9 @@
                     },
                     {
                         "name": "User.Read.All"
+                    },
+                    {
+                        "name": "CustomSecAttributeDefinition.Read.All"
                     }
                 ]
             }