FirstBatch
William-Francillette committed Feb 14, 2024
1 parent 8b78553 commit 1c44711
Showing 21 changed files with 833 additions and 1,588 deletions.
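--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,34 @@
 # Change log for Microsoft365DSC
 
+# UNRELEASED
+
+* IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy
+* Added support for assignment GroupDisplayName
+* IntuneAccountProtectionLocalUserGroupMembershipPolicy
+* Added support for assignment GroupDisplayName
+* IntuneAccountProtectionPolicy
+* Added support for assignment GroupDisplayName
+* IntuneAntivirusPolicyWindows10SettingCatalog
+* Added support for assignment GroupDisplayName
+* IntuneAppConfigurationPolicy
+* Added support for assignment GroupDisplayName
+* IntuneApplicationControlPolicyWindows10
+* Added support for assignment GroupDisplayName
+* IntuneASRRulesPolicyWindows10
+* Added support for assignment GroupDisplayName
+* IntuneDeviceCompliancePolicyAndroid
+* Added support for assignment GroupDisplayName
+* IntuneDeviceCompliancePolicyAndroidDeviceOwner
+* Added support for assignment GroupDisplayName
+* IntuneDeviceCompliancePolicyAndroidWorkProfile
+* Added support for assignment GroupDisplayName
+* IntuneDeviceCompliancePolicyiOs
+* Added support for assignment GroupDisplayName
+* IntuneDeviceCompliancePolicyMacOS
+* Added support for assignment GroupDisplayName
+* IntuneDeviceCompliancePolicyWindows10
+* Added support for assignment GroupDisplayName
+
 # 1.24.131.2
 
 * TeamsMeetingPolicy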
Expand Up @@ -179,8 +179,10 @@ function Get-TargetResource
try
{
#Retrieve policy general settings

$policy = Get-MgBetaDeviceManagementIntent -DeviceManagementIntentId $Identity -ErrorAction SilentlyContinue
if (-not [string]::IsNullOrEmpty($Identity))
{
$policy = Get-MgBetaDeviceManagementIntent -DeviceManagementIntentId $Identity -ErrorAction SilentlyContinue
}

if ($null -eq $policy)
{
Expand All @@ -189,6 +191,11 @@ function Get-TargetResource
{
$policy = Get-MgBetaDeviceManagementIntent -Filter "DisplayName eq '$DisplayName'" -ErrorAction SilentlyContinue
}

if(([array]$policy).count -gt 1)
{
throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique"
}
}
if ($null -eq $policy)
{
Expand Down Expand Up @@ -225,19 +232,12 @@ function Get-TargetResource
$returnHashtable.Add('ManagedIdentity', $ManagedIdentity.IsPresent)

$returnAssignments = @()
$returnAssignments += Get-MgBetaDeviceManagementIntentAssignment -DeviceManagementIntentId $policy.Id
$assignmentResult = @()
foreach ($assignmentEntry in $returnAssignments)
$graphAssignments = Get-MgBetaDeviceManagementIntentAssignment -DeviceManagementIntentId $policy.Id
if ($graphAssignments.count -gt 0)
{
$assignmentValue = @{
dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type'
deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString()
deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId
groupId = $assignmentEntry.Target.AdditionalProperties.groupId
}
$assignmentResult += $assignmentValue
$returnAssignments += ConvertFrom-IntunePolicyAssignment -Assignments $graphAssignments -IncludeDeviceFilter:$true
}
$returnHashtable.Add('Assignments', $assignmentResult)
$returnHashtable.Add('Assignments', $returnAssignments)

return $returnHashtable
}
Expand All @@ -260,7 +260,7 @@ function Get-TargetResource
-Credential $Credential
}

return $nullResult
throw
}
}

Expand Down Expand Up @@ -546,7 +546,7 @@ function Set-TargetResource
#Using Rest to reduce the number of calls
$Uri = "https://graph.microsoft.com/beta/deviceManagement/intents/$($currentPolicy.Identity)/updateSettings"
$body = @{'settings' = $settings }
Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json'
Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> Out-Null

#region Assignments
$assignmentsHash = @()
Expand Down Expand Up @@ -748,75 +748,28 @@ function Test-TargetResource
$ValuesToCheck.Remove('ApplicationSecret') | Out-Null
$ValuesToCheck.Remove('Identity') | Out-Null

$testResult = $true
if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure)
{
return $false
$testResult = $false
}
#region Assignments
$testResult = $true

if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments))
if ($testResult)
{
Write-Verbose -Message 'Configuration drift: one the assignment is null'
return $false
$source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments
$target = $CurrentValues.Assignments
$testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target
$ValuesToCheck.Remove('Assignments') | Out-Null
}
#endregion

if ($CurrentValues.Assignments)
{
if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count)
{
Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}"
return $false
}
foreach ($assignment in $CurrentValues.Assignments)
{
#GroupId Assignment
if (-not [String]::IsNullOrEmpty($assignment.groupId))
{
$source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId }
if (-not $source)
{
Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found"
$testResult = $false
break
}
$sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source
$testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment
}
#AllDevices/AllUsers assignment
else
{
$source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType }
if (-not $source)
{
Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found"
$testResult = $false
break
}
$sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source
$testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment
}

if (-not $testResult)
{
$testResult = $false
break
}

}
}
if (-not $testResult)
if ($testResult)
{
return $false
$TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
}
$ValuesToCheck.Remove('Assignments') | Out-Null
#endregion

$TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys

Write-Verbose -Message "Test-TargetResource returned $TestResult"

return $TestResult
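Review bot: On the `Invoke-MgGraphRequest ... updateSettings` line in Set-TargetResource, `4> Out-Null` does not discard the verbose stream: PowerShell treats the token after a redirection operator as a file path, so stream 4 is written to a file named `Out-Null` in the current working directory. Verbose output from a Graph request can include the request URI and other call details, so this may leave tenant information on disk wherever the DSC run executes, and the file is overwritten on every run. Redirect to the null variable instead, i.e. end the call with `-ContentType 'application/json' 4> $null`. Set-TargetResource starts and ends outside the hunk.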
Expand Up @@ -130,36 +130,40 @@ function Get-TargetResource
try
{
#Retrieve policy general settings
$policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ErrorAction SilentlyContinue
$policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ExpandProperty settings -ErrorAction SilentlyContinue

if ($null -eq $policy)
{
Write-Verbose -Message "No Account Protection LAPS Policy {id: '$Identity'} was found"
$policyTemplateID = 'adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1'
$filter = "name eq '$DisplayName' and templateReference/TemplateId eq '$policyTemplateID'"
$policy = Get-MgBetaDeviceManagementConfigurationPolicy -Filter $filter -ErrorAction SilentlyContinue

if(([array]$policy).count -gt 1)
{
throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique"
}

if ($null -eq $policy)
{
Write-Verbose -Message "No Account Protection LAPS Policy {displayName: '$DisplayName'} was found"
return $nullResult
}

$policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $policy.Id -ExpandProperty settings -ErrorAction SilentlyContinue
}

$Identity = $policy.Id

Write-Verbose -Message "Found Account Protection LAPS Policy {$($policy.id):$($policy.Name)}"

#Retrieve policy specific settings
[array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting `
-DeviceManagementConfigurationPolicyId $Identity `
-ErrorAction Stop
[array]$settings = $policy.settings

$returnHashtable = @{}
$returnHashtable.Add('Identity', $Identity)
$returnHashtable.Add('DisplayName', $policy.name)
$returnHashtable.Add('Description', $policy.description)

foreach ($setting in $settings.settingInstance)
foreach ($setting in $settings.SettingInstance)
{
$addToParameters = $true
$settingName = $setting.settingDefinitionId.Split('_') | Select-Object -Last 1
Expand Down Expand Up @@ -226,9 +230,16 @@ function Get-TargetResource

}
$returnAssignments = @()
$returnAssignments += Get-DeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Identity
$graphAssignments = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id
if ($graphAssignments.count -gt 0)
{
$returnAssignments += ConvertFrom-IntunePolicyAssignment `
-IncludeDeviceFilter:$true `
-Assignments ($graphAssignments)
}
$returnHashtable.Add('Assignments', $returnAssignments)


Write-Verbose -Message "Found Account Protection LAPS Policy {$($policy.name)}"

$returnHashtable.Add('Ensure', 'Present')
Expand All @@ -249,7 +260,7 @@ function Get-TargetResource
-TenantId $TenantId `
-Credential $Credential

return $nullResult
throw
}
}

Expand Down Expand Up @@ -566,83 +577,24 @@ function Test-TargetResource
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"

$ValuesToCheck = $PSBoundParameters
$ValuesToCheck = ([hashtable]$PSBoundParameters).clone()
$ValuesToCheck.Remove('Identity') | Out-Null
$ValuesToCheck.Remove('Credential') | Out-Null
$ValuesToCheck.Remove('ApplicationId') | Out-Null
$ValuesToCheck.Remove('TenantId') | Out-Null
$ValuesToCheck.Remove('ApplicationSecret') | Out-Null
$ValuesToCheck.Remove('Identity') | Out-Null

if ($BackupDirectory -eq 0)
{
$ValuesToCheck.Remove('PasswordAgeDays_AAD') | Out-Null
$ValuesToCheck.Remove('PasswordAgeDays') | Out-Null
$ValuesToCheck.Remove('PasswordExpirationProtectionEnabled') | Out-Null
$ValuesToCheck.Remove('AdEncryptedPasswordHistorySize') | Out-Null
$ValuesToCheck.Remove('AdPasswordEncryptionEnabled') | Out-Null
$ValuesToCheck.Remove('AdPasswordEncryptionPrincipal') | Out-Null
}
elseif ($BackupDirectory -eq 1) {
$ValuesToCheck.Remove('PasswordAgeDays') | Out-Null
$ValuesToCheck.Remove('PasswordExpirationProtectionEnabled') | Out-Null
$ValuesToCheck.Remove('AdEncryptedPasswordHistorySize') | Out-Null
$ValuesToCheck.Remove('AdPasswordEncryptionEnabled') | Out-Null
$ValuesToCheck.Remove('AdPasswordEncryptionPrincipal') | Out-Null
} elseif ($BackupDirectory -eq 2)
{
$ValuesToCheck.Remove('PasswordAgeDays_AAD') | Out-Null
}

$testResult = $true
if ([Array]$Assignments.count -ne $CurrentValues.Assignments.count)
if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure)
{
Write-Verbose -Message "Configuration drift:Number of assignments does not match: Source=$([Array]$Assignments.count) Target=$($CurrentValues.Assignments.count)"
$testResult = $false
Write-Verbose -Message "Test-TargetResource returned $false"
return $false
}
if ($testResult)
{
foreach ($assignment in $CurrentValues.Assignments)
{
if ($null -ne $Assignment)
{
#GroupId Assignment
if (-not [String]::IsNullOrEmpty($assignment.groupId))
{
$source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId }
if (-not $source)
{
Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found"
$testResult = $false
break
}
$sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source
$testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment
}
#AllDevices/AllUsers assignment
else
{
$source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType }
if (-not $source)
{
Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found"
$testResult = $false
break
}
$sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source
$testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment
}
}

if (-not $testResult)
{
$testResult = $false
break
}

}

}
#Compare Cim instances
$source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments
$target = $CurrentValues.Assignments
$testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target
$ValuesToCheck.Remove('Assignments') | Out-Null

if ($testResult)
Expand Down Expand Up @@ -752,7 +704,8 @@ function Export-TargetResource

if ($Results.Assignments)
{
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) `
-CIMInstanceName IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments
if ($complexTypeStringResult)
{
$Results.Assignments = $complexTypeStringResult
Expand All @@ -771,12 +724,7 @@ function Export-TargetResource

if ($Results.Assignments)
{
$isCIMArray = $false
if ($Results.Assignments.getType().Fullname -like '*[[\]]')
{
$isCIMArray = $true
}
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$isCIMArray
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$true
}

$dscContent += $currentDSCBlock
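Review bot: The duplicate-name check added to Get-TargetResource relies on a filter built by string interpolation, `"name eq '$DisplayName' and templateReference/TemplateId eq '$policyTemplateID'"`, so a display name containing an apostrophe produces a malformed OData filter. Because the lookup runs with `-ErrorAction SilentlyContinue`, that failure is silent: `$policy` stays `$null`, the uniqueness check never fires, and the function returns `$nullResult` as if no policy was found, which may lead a later Set to create a second policy with the same name. Escape the value before building the filter, e.g. `$escapedName = $DisplayName.Replace("'", "''")` and then `name eq '$escapedName'`. The same pattern appears in the intent-based resource earlier on this page (`-Filter "DisplayName eq '$DisplayName'"`). The function body continues outside the hunk.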