Merge pull request #5539 from microsoft/Dev
Release 1.24.1211.1
ykuijs authored Dec 12, 2024
2 parents f9e085d + 4152ed1 commit 2130ad3
Showing 146 changed files with 6,245 additions and 502 deletions.
34 changes: 32 additions & 2 deletions CHANGELOG.md
@@ -1,5 +1,28 @@
# Change log for Microsoft365DSC

# UNRELEASED

# 1.24.1211.1

* AADApplication
* Changed logic to remove all permissions when an empty array is specified.
FIXES [#5534](https://github.com/microsoft/Microsoft365DSC/issues/5534)
* AADFeatureRolloutPolicy
* Fixed policy retrieval
FIXES [#5521](https://github.com/microsoft/Microsoft365DSC/issues/5521)
* IntuneDeviceManagementAndroidDeviceOwnerEnrollmentProfile
* Fixing issue with the way the QrCodeImage property was exported and handled.
* IntuneFirewallPolicyWindows10
* Fix export of properties that appear multiple times in subsections.
* M365DSCDRGUtil
* Improve settings catalog handling for nested objects.
* M365DSCResourceGenerator
* Fixes an issue with nested object creation.
* MISC
* Migrate `MSCloudLoginAssistant` authentication context access to cmdlets.
* DEPENDENCIES
* Updated MSCloudLoginAssistant to version 1.1.29.

# 1.24.1204.1

* All resources
Expand Down Expand Up @@ -29,8 +52,14 @@
FIXES [#5296](https://github.com/microsoft/Microsoft365DSC/issues/5296)
* EXOTransportRule
* Fixed conditional logic for creation and update.
* PPPowerAppsEnvironmant
* Fixed [[#5508](https://github.com/microsoft/Microsoft365DSC/issues/5508)]
* IntuneTrustedRootCertificateIOS
* Initial release
* IntuneVPNConfigurationPolicyAndroidDeviceOwner
* Initial release
* IntuneVPNConfigurationPolicyAndroidEnterprise
* Initial release
* IntuneVPNConfigurationPolicyIOS
* Initial release.
* M365DSCRuleEvaluation
Expand All @@ -40,7 +69,8 @@
* MISC
* M365DSCDRGUtil
* Add separate check for strings with ordinal comparison and standardized line breaks.

* M365DSCReport
* Add support for creating report in CSV-format

# 1.24.1127.1

Expand Down Expand Up @@ -379,7 +409,7 @@
selected
* Fixed retrieval of resource when it cannot be found by `Id`
* Added a few verbose messages
* IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile
* IntuneDeviceManagementAndroidDeviceOwnerEnrollmentProfile
* Initial release.
* IntuneEndpointDetectionAndResponsePolicyWindows10
* Fixes an issue with `AutoFromConnector` as the Configuration package type.
Expand Up @@ -272,7 +272,7 @@ function Set-TargetResource

$updateJSON = ConvertTo-Json $updateParameters
Write-Verbose -Message "Updating the Entra Id Admin Consent Request Policy with values: $updateJSON"
$Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/policies/adminConsentRequestPolicy'
$Uri = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + 'beta/policies/adminConsentRequestPolicy'
Invoke-MgGraphRequest -Method 'PUT' `
-Uri $Uri `
-Body $updateJSON | Out-Null
Expand Up @@ -188,7 +188,7 @@ function Get-TargetResource
foreach ($auMember in $auMembers)
{
$member = @{}
$url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/directoryobjects/$($auMember.Id)"
$url = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "v1.0/directoryobjects/$($auMember.Id)"
$memberObject = Invoke-MgGraphRequest -Uri $url
if ($memberObject.'@odata.type' -match 'user')
{
Expand Down Expand Up @@ -233,7 +233,7 @@ function Get-TargetResource
}
}
Write-Verbose -Message "AU {$DisplayName} verify RoleMemberInfo.Id {$($auScopedRoleMember.RoleMemberInfo.Id)}"
$url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/directoryobjects/$($auScopedRoleMember.RoleMemberInfo.Id)"
$url = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "v1.0/directoryobjects/$($auScopedRoleMember.RoleMemberInfo.Id)"
$memberObject = Invoke-MgGraphRequest -Uri $url
Write-Verbose -Message "AU {$DisplayName} @odata.Type={$($memberObject.'@odata.type')}"
if (($memberObject.'@odata.type') -match 'user')
Expand Down Expand Up @@ -563,7 +563,7 @@ function Set-TargetResource
foreach ($member in $memberSpecification)
{
Write-Verbose -Message "Adding new dynamic member {$($member.Id)}"
$url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/$($member.Type)/$($member.Id)"
$url = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "beta/$($member.Type)/$($member.Id)"
$memberBodyParam = @{
'@odata.id' = $url
}
Expand Down Expand Up @@ -657,7 +657,7 @@ function Set-TargetResource
{
Write-Verbose -Message "AdministrativeUnit {$DisplayName} Adding member {$($diff.Identity)}, type {$($diff.Type)}"

$url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/$memberType/$($memberObject.Id)"
$url = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "beta/$memberType/$($memberObject.Id)"
$memberBodyParam = @{
'@odata.id' = $url
}
Expand Down Expand Up @@ -789,7 +789,7 @@ function Set-TargetResource
Write-Verbose -Message "Removing AU {$DisplayName}"
# Workaround since Remove-MgBetaDirectoryAdministrativeUnit is not working with 2.11.1
# https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/2529
$url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/administrativeUnits/$($currentInstance.Id)"
$url = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "beta/administrativeUnits/$($currentInstance.Id)"
Invoke-MgGraphRequest -Method DELETE -Uri $url | Out-Null
#Remove-MgBetaDirectoryAdministrativeUnit -AdministrativeUnitId $currentInstance.Id
}
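Review bot: The connection-profile lookup is re-run on every loop iteration: in the Get-TargetResource hunk the new line inside `foreach ($auMember in $auMembers)` calls `Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph` once per member, and the Set-TargetResource hunk does the same inside `foreach ($member in $memberSpecification)`. Hoisting the lookup above the loop keeps it to one call per function, e.g. `$graphBaseUrl = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl` before the foreach and then `$url = $graphBaseUrl + "v1.0/directoryobjects/$($auMember.Id)"`. The remaining hunks in this file are the same one-line migration outside any loop and need no change. Both functions start and end outside their hunks.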
Expand Up @@ -391,7 +391,7 @@ function Get-TargetResource

try
{
$Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/applications/$($AADBetaApp.Id)/onPremisesPublishing"
$Uri = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "beta/applications/$($AADBetaApp.Id)/onPremisesPublishing"
$oppInfo = Invoke-MgGraphRequest -Method GET `
-Uri $Uri `
-ErrorAction SilentlyContinue
Expand Down Expand Up @@ -931,7 +931,7 @@ function Set-TargetResource
{
$Type = 'directoryObjects'
}
$ObjectUri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'v1.0/{0}/{1}' -f $Type, $diff.InputObject
$ObjectUri = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + 'v1.0/{0}/{1}' -f $Type, $diff.InputObject
$ownerObject = @{
'@odata.id' = $ObjectUri
}
Expand Down Expand Up @@ -975,72 +975,81 @@ function Set-TargetResource
}
}

if ($needToUpdatePermissions -and -not [System.String]::IsNullOrEmpty($Permissions) -and $Permissions.Length -gt 0)
if ($needToUpdatePermissions -and $null -ne $Permissions)
{
Write-Verbose -Message "Will update permissions for Azure AD Application {$($currentAADApp.DisplayName)}"
$allSourceAPIs = $Permissions.SourceAPI | Select-Object -Unique
$allRequiredAccess = @()

foreach ($sourceAPI in $allSourceAPIs)
if ($Permissions.Length -eq 0)
{
Write-Verbose -Message "Adding permissions for API {$($sourceAPI)}"
$permissionsForcurrentAPI = $Permissions | Where-Object -FilterScript { $_.SourceAPI -eq $sourceAPI }
$apiPrincipal = Get-MgServicePrincipal -Filter "DisplayName eq '$($sourceAPI)'"
$currentAPIAccess = @{
ResourceAppId = $apiPrincipal.AppId
ResourceAccess = @()
}
foreach ($permission in $permissionsForcurrentAPI)
Write-Verbose -Message "Desired set of permissions is empty, removing all permissions on the app."
$allRequiredAccess = @()
}
else
{
$allSourceAPIs = $Permissions.SourceAPI | Select-Object -Unique
$allRequiredAccess = @()

foreach ($sourceAPI in $allSourceAPIs)
{
if ($permission.Type -eq 'Delegated')
Write-Verbose -Message "Adding permissions for API {$($sourceAPI)}"
$permissionsForcurrentAPI = $Permissions | Where-Object -FilterScript { $_.SourceAPI -eq $sourceAPI }
$apiPrincipal = Get-MgServicePrincipal -Filter "DisplayName eq '$($sourceAPI)'"
$currentAPIAccess = @{
ResourceAppId = $apiPrincipal.AppId
ResourceAccess = @()
}
foreach ($permission in $permissionsForcurrentAPI)
{
$scope = $apiPrincipal.Oauth2PermissionScopes | Where-Object -FilterScript { $_.Value -eq $permission.Name }
$scopeId = $null
if ($null -eq $scope)
if ($permission.Type -eq 'Delegated')
{
$ObjectGuid = [System.Guid]::empty
if ([System.Guid]::TryParse($permission.Name, [System.Management.Automation.PSReference]$ObjectGuid))
$scope = $apiPrincipal.Oauth2PermissionScopes | Where-Object -FilterScript { $_.Value -eq $permission.Name }
$scopeId = $null
if ($null -eq $scope)
{
$scopeId = $permission.Name
$ObjectGuid = [System.Guid]::empty
if ([System.Guid]::TryParse($permission.Name, [System.Management.Automation.PSReference]$ObjectGuid))
{
$scopeId = $permission.Name
}
}
}
else
{
$scopeId = $scope.Id
}
Write-Verbose -Message "Adding Delegated Permission {$($scopeId)}"
$delPermission = @{
Id = $scopeId
Type = 'Scope'
}
$currentAPIAccess.ResourceAccess += $delPermission
}
elseif ($permission.Type -eq 'AppOnly')
{
$role = $apiPrincipal.AppRoles | Where-Object -FilterScript { $_.Value -eq $permission.Name }
$roleId = $null
if ($null -eq $role)
{
$ObjectGuid = [System.Guid]::empty
if ([System.Guid]::TryParse($permission.Name, [System.Management.Automation.PSReference]$ObjectGuid))
else
{
$roleId = $permission.Name
$scopeId = $scope.Id
}
Write-Verbose -Message "Adding Delegated Permission {$($scopeId)}"
$delPermission = @{
Id = $scopeId
Type = 'Scope'
}
$currentAPIAccess.ResourceAccess += $delPermission
}
else
elseif ($permission.Type -eq 'AppOnly')
{
$roleId = $role.Id
}
$appPermission = @{
Id = $roleId
Type = 'Role'
$role = $apiPrincipal.AppRoles | Where-Object -FilterScript { $_.Value -eq $permission.Name }
$roleId = $null
if ($null -eq $role)
{
$ObjectGuid = [System.Guid]::empty
if ([System.Guid]::TryParse($permission.Name, [System.Management.Automation.PSReference]$ObjectGuid))
{
$roleId = $permission.Name
}
}
else
{
$roleId = $role.Id
}
$appPermission = @{
Id = $roleId
Type = 'Role'
}
$currentAPIAccess.ResourceAccess += $appPermission
}
$currentAPIAccess.ResourceAccess += $appPermission
}
}
if ($null -ne $currentAPIAccess)
{
$allRequiredAccess += $currentAPIAccess
if ($null -ne $currentAPIAccess)
{
$allRequiredAccess += $currentAPIAccess
}
}
}

Expand Down Expand Up @@ -1143,7 +1152,7 @@ function Set-TargetResource
$onPremisesPayload = ConvertTo-Json $onPremisesPublishingValue -Depth 10 -Compress
Write-Verbose -Message "Updating the OnPremisesPublishing settings for application {$($currentAADApp.DisplayName)} with payload: $onPremisesPayload"

$Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/applications/$($currentAADApp.Id)/onPremisesPublishing"
$Uri = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "beta/applications/$($currentAADApp.Id)/onPremisesPublishing"
Invoke-MgGraphRequest -Method 'PATCH' `
-Uri $Uri `
-Body $onPremisesPayload
Expand Down Expand Up @@ -1298,9 +1307,15 @@ function Test-TargetResource

$CurrentValues = Get-TargetResource @PSBoundParameters

if ($CurrentValues.Permissions.Length -gt 0 -and $null -ne $CurrentValues.Permissions.Name -and $Permissions.Name.Length -gt 0)
if ($CurrentValues.Permissions.Length -gt 0 -and `
$null -ne $CurrentValues.Permissions.Name)
{
$permissionsDiff = Compare-Object -ReferenceObject ($CurrentValues.Permissions.Name) -DifferenceObject ($Permissions.Name)
$differenceObject = $Permissions.Name
if ($null -eq $differenceObject)
{
$differenceObject = @()
}
$permissionsDiff = Compare-Object -ReferenceObject ($CurrentValues.Permissions.Name) -DifferenceObject $differenceObject
$driftedParams = @{}
if ($null -ne $permissionsDiff)
{
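Review bot: The new empty-array branch in Set-TargetResource changes what a configuration means, and the `if ($Permissions.Length -eq 0)` line should say so: an omitted `Permissions` (the `$null -ne $Permissions` guard above it) leaves the app's API permissions untouched, while an explicit `Permissions = @()` now strips every delegated and application permission from the registration; suggested comment `# $null = not managed; an explicit empty array = remove all API permissions`. The code that applies `$allRequiredAccess` is outside the hunk, so confirm it still issues the update when the array is empty rather than skipping on an empty collection. In the Test-TargetResource hunk the `@()` fallback is passed to `Compare-Object -DifferenceObject`, which Windows PowerShell 5.1 rejects as an empty array as far as I recall; if 5.1 is still supported, report drift directly when the desired list is empty and the current one is not, before calling Compare-Object. Also now inside the moved block, `Get-MgServicePrincipal -Filter "DisplayName eq '$($sourceAPI)'"` can return several principals because display names are not unique, which would turn `ResourceAppId` into an array; failing when the result count is not exactly 1 would avoid granting permissions against the wrong resource. Set-TargetResource and Test-TargetResource both start and end outside the hunks.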
Expand Up @@ -96,7 +96,7 @@ function Get-TargetResource
}
else
{
$response = Invoke-MgGraphRequest -Method Get -Uri ($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/policies/authenticationMethodsPolicy/')
$response = Invoke-MgGraphRequest -Method Get -Uri ((Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + 'beta/policies/authenticationMethodsPolicy/')
$getValue = $response.authenticationMethodConfigurations | Where-Object -FilterScript { $_.DisplayName -eq $DisplayName }
}
}
Expand Down Expand Up @@ -334,7 +334,7 @@ function Set-TargetResource
{
Write-Verbose -Message "Updating the Azure AD Authentication Method Policy External with name {$($currentInstance.displayName)}"

$response = Invoke-MgGraphRequest -Method Get -Uri ($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/policies/authenticationMethodsPolicy/')
$response = Invoke-MgGraphRequest -Method Get -Uri ((Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + 'beta/policies/authenticationMethodsPolicy/')
$getValue = $response.authenticationMethodConfigurations | Where-Object -FilterScript { $_.displayName -eq $currentInstance.displayName }

$params.Remove('displayName') | Out-Null
Expand All @@ -347,7 +347,7 @@ function Set-TargetResource
{
Write-Verbose -Message "Removing the Azure AD Authentication Method Policy External with Id {$($currentInstance.displayName)}"

$response = Invoke-MgGraphRequest -Method Get -Uri ($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/policies/authenticationMethodsPolicy/')
$response = Invoke-MgGraphRequest -Method Get -Uri ((Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + 'beta/policies/authenticationMethodsPolicy/')
$getValue = $response.authenticationMethodConfigurations | Where-Object -FilterScript { $_.displayName -eq $currentInstance.displayName }

Remove-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId $getValue.Id
Expand Down Expand Up @@ -539,7 +539,7 @@ function Export-TargetResource
{
#region resource generator code
$desiredType = '#microsoft.graph.externalAuthenticationMethodConfiguration'
$getPolicy = Invoke-MgGraphRequest -Method Get -Uri ($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/policies/authenticationMethodsPolicy/')
$getPolicy = Invoke-MgGraphRequest -Method Get -Uri ((Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + 'beta/policies/authenticationMethodsPolicy/')
$getValue = $getPolicy.AuthenticationMethodConfigurations | Where-Object -FilterScript { $_.'@odata.type' -eq $desiredType }
#endregion

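Review bot: The same GET of the whole `beta/policies/authenticationMethodsPolicy/` document is now spelled out four times across Get-, Set- and Export-TargetResource, each rebuilding the URI from `Get-MSCloudLoginConnectionProfile`. A small private helper such as `function Get-AuthenticationMethodsPolicyDocument { Invoke-MgGraphRequest -Method Get -Uri ((Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + 'beta/policies/authenticationMethodsPolicy/') }` would keep the endpoint and the lookup in one place. Each of these functions starts and ends outside its hunk.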
Expand Up @@ -62,7 +62,7 @@ function Get-TargetResource
$nullResult = $PSBoundParameters

$getValue = $null
$url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/users/$UserPrincipalName/authentication/requirements"
$url = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "beta/users/$UserPrincipalName/authentication/requirements"
$getValue = Invoke-MgGraphRequest -Method Get -Uri $url

if ($null -eq $getValue)
Expand Down Expand Up @@ -155,7 +155,7 @@ function Set-TargetResource
#endregion

$currentInstance = Get-TargetResource @PSBoundParameters
$url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/users/$UserPrincipalName/authentication/requirements"
$url = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "beta/users/$UserPrincipalName/authentication/requirements"

$params = @{}
if ($PerUserMfaState -eq 'enabled' -and $currentInstance.PerUserMfaState -eq 'disabled')
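Review bot: `$UserPrincipalName` is interpolated unencoded into the request path in both the Get-TargetResource and Set-TargetResource hunks; UPNs can legitimately contain characters with URL meaning (such as `#`, which starts a fragment), so the request would silently go to a truncated path. Encoding the segment, `$url = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "beta/users/$([System.Uri]::EscapeDataString($UserPrincipalName))/authentication/requirements"`, keeps the URL well-formed; this was already the case before the commit, but the line is rewritten here. Both functions start and end outside the hunks.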