Skip to content

Commit

Permalink
Merge pull request #5324 from FabienTschanz/fix/intune-acc-prot-group…
Browse files Browse the repository at this point in the history
…-membership

Update values in UserSelectionType
  • Loading branch information
NikCharlebois authored Nov 5, 2024
2 parents 8409276 + 7d28b55 commit 1c3ee41
Show file tree
Hide file tree
Showing 4 changed files with 130 additions and 427 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,9 @@
* Fixed `Test-TargetResource` to correctly mark when this resource is removed
* EXOTenantAllowBlockListSpoofItems
* Initial release.
* IntuneAccountProtectionLocalUserGroupMembershipPolicy
* Updates values in `UserSelectionType`.
FIXES [#5318](https://github.com/microsoft/Microsoft365DSC/issues/5318)
* IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr
* Initial release.
* IntuneAppCategory
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ function Get-TargetResource
{
$policy = Get-MgBetaDeviceManagementConfigurationPolicy -Filter "Name eq '$DisplayName'" -ErrorAction SilentlyContinue

if(([array]$devicePolicy).count -gt 1)
if(([array]$devicePolicy).Count -gt 1)
{
throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique"
}
Expand All @@ -109,7 +109,7 @@ function Get-TargetResource


#Retrieve policy specific settings
$Identity = $policy.id
$Identity = $policy.Id
[array]$settings = $policy.settings

$returnHashtable = @{}
Expand Down Expand Up @@ -295,12 +295,12 @@ function Set-TargetResource
$settings = Get-M365DSCIntuneDeviceConfigurationSettings -Properties ([System.Collections.Hashtable]$PSBoundParameters)

$createParameters = @{}
$createParameters.add('name', $DisplayName)
$createParameters.add('description', $Description)
$createParameters.add('settings', @($settings))
$createParameters.add('platforms', $platforms)
$createParameters.add('technologies', $technologies)
$createParameters.add('templateReference', @{
$createParameters.Add('name', $DisplayName)
$createParameters.Add('description', $Description)
$createParameters.Add('settings', @($settings))
$createParameters.Add('platforms', $platforms)
$createParameters.Add('technologies', $technologies)
$createParameters.Add('templateReference', @{
templateId = $templateReferenceId
})
$policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters
Expand All @@ -323,11 +323,11 @@ function Set-TargetResource

$settings = Get-M365DSCIntuneDeviceConfigurationSettings -Properties ([System.Collections.Hashtable]$PSBoundParameters)

Update-DeviceManagementConfigurationPolicy `
-DeviceManagementConfigurationPolicyId $currentPolicy.Identity `
-DisplayName $DisplayName `
Update-IntuneDeviceConfigurationPolicy `
-DeviceConfigurationPolicyId $currentPolicy.Identity `
-Name $DisplayName `
-Description $Description `
-TemplateReference $templateReferenceId `
-TemplateReferenceId $templateReferenceId `
-Platforms $platforms `
-Technologies $technologies `
-Settings $settings
Expand Down Expand Up @@ -419,69 +419,45 @@ function Test-TargetResource
Write-Verbose -Message "Testing configuration of Account Protection Local User Group Membership Policy {$DisplayName}"

$CurrentValues = Get-TargetResource @PSBoundParameters
if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues))
{
Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed"
throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information."
}
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"

$ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
$ValuesToCheck.Remove('Identity') | Out-Null
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()

$testResult = $true
if ($CurrentValues.Ensure -ne $Ensure)
{
$testResult = $false
Write-Verbose -Message "Test-TargetResource returned $false"
return $false
}
$testResult = $true

#region LocalUserGroupCollection
if ($testResult)
{
if ((-not $CurrentValues.LocalUserGroupCollection) -xor (-not $ValuesToCheck.LocalUserGroupCollection))
{
Write-Verbose -Message 'Configuration drift: one the LocalUserGroupCollection is null'
return $false
}
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"

if ($CurrentValues.LocalUserGroupCollection)
#Compare Cim instances
foreach ($key in $PSBoundParameters.Keys)
{
$source = $PSBoundParameters.$key
$target = $CurrentValues.$key
if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
{
if ($CurrentValues.LocalUserGroupCollection.count -ne $ValuesToCheck.LocalUserGroupCollection.count)
if ($source.UserSelectionType -eq 'add_replace')
{
Write-Verbose -Message "Configuration drift: Number of LocalUserGroupCollection has changed - current {$($CurrentValues.LocalUserGroupCollection.count)} target {$($ValuesToCheck.LocalUserGroupCollection.count)}"
return $false
Write-Warning -Message "The UserSelectionType 'add_replace' is not supported anymore. It will be converted to 'add_restrict'"
$source.UserSelectionType = 'add_restrict'
}
for ($i = 0; $i -lt $CurrentValues.LocalUserGroupCollection.count; $i++)
{
$source = $ValuesToCheck.LocalUserGroupCollection[$i]
$sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source
$testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $CurrentValues.LocalUserGroupCollection[$i]
$testResult = Compare-M365DSCComplexObject `
-Source ($source) `
-Target ($target)

if (-not $testResult)
{
$testResult = $false
break
}
if (-not $testResult)
{
break
}

$ValuesToCheck.Remove($key) | Out-Null
}
if (-not $testResult)
{
return $false
}
$ValuesToCheck.Remove('LocalUserGroupCollection') | Out-Null
}
#endregion

#region Assignments
if ($testResult)
{
$source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments
$target = $CurrentValues.Assignments
$testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target
$ValuesToCheck.Remove('Assignments') | Out-Null
}
#endregion
$ValuesToCheck.Remove('Identity') | Out-Null
$ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck

if ($testResult)
{
Expand Down Expand Up @@ -714,6 +690,11 @@ function Get-M365DSCIntuneDeviceConfigurationSettings
}
foreach ($groupConfiguration in $Properties.LocalUserGroupCollection)
{
if ($groupConfiguration.UserSelectionType -eq 'add_replace')
{
Write-Warning -Message "The UserSelectionType 'add_replace' is not supported anymore. It will be converted to 'add_restrict'"
$groupConfiguration.UserSelectionType = 'add_restrict'
}
$groupDefaultValue = @{
children = @(
@{
Expand Down Expand Up @@ -783,57 +764,4 @@ function Get-M365DSCIntuneDeviceConfigurationSettings
return $defaultValue
}

function Update-DeviceManagementConfigurationPolicy
{
[CmdletBinding()]
param (
[Parameter(Mandatory = 'true')]
[System.String]
$DeviceManagementConfigurationPolicyId,

[Parameter(Mandatory = 'true')]
[System.String]
$DisplayName,

[Parameter()]
[System.String]
$Description,

[Parameter()]
[System.String]
$TemplateReferenceId,

[Parameter()]
[System.String]
$Platforms,

[Parameter()]
[System.String]
$Technologies,

[Parameter()]
[System.Array]
$Settings
)

$templateReference = @{
'templateId' = $TemplateReferenceId
}

$Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/ConfigurationPolicies/$DeviceManagementConfigurationPolicyId"
$policy = @{
'name' = $DisplayName
'description' = $Description
'platforms' = $Platforms
'technologies' = $Technologies
'settings' = $Settings
'templateReference' = $templateReference
}

Invoke-MgGraphRequest -Method PUT `
-Uri $Uri `
-ContentType 'application/json' `
-Body ($policy | ConvertTo-Json -Depth 20) 4> $null
}

Export-ModuleMember -Function *-TargetResource
Binary file not shown.
Loading

0 comments on commit 1c3ee41

Please sign in to comment.