diff --git a/CHANGELOG.md b/CHANGELOG.md index fe5dd7e7b4..058484508c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -73,8 +73,14 @@ * Initial release. * AzureDiagnosticSettingsCustomSecurityAttribute * Initial release. +* AzureSubscription + * Renamed parameters and added logic flow to create new subscriptions. * AzureVerifiedIdFaceCheck * Initial release. +* DefenderDeviceAuthenticatedScanDefinition + * Initial release. +* EXOActiveSyncMailboxPolicy + * Initial release. * EXOArcConfig * Fixed `Test-TargetResource` to correctly check property `ArcTrustedSealers` when it has an array @@ -91,6 +97,9 @@ * Fixed `Test-TargetResource` to correctly mark when this resource is removed * EXOTenantAllowBlockListSpoofItems * Initial release. +* IntuneAccountProtectionLocalUserGroupMembershipPolicy + * Updates values in `UserSelectionType`. + FIXES [#5318](https://github.com/microsoft/Microsoft365DSC/issues/5318) * IntuneAntivirusPolicyLinux * Initial release. * IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr @@ -114,6 +123,8 @@ * Initial release. * IntuneSecurityBaselineDefenderForEndpoint * Initial release. +* IntuneSettingCatalogCustomPolicyWindows10 + * Fixes an issue with limited results when more than 25 results are present. * Intune workload * Fixed missing permissions in settings.json * M365DSCRuleEvaluation diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1 index d3076e1a9c..8683cb40b8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1 
@@ -6,15 +6,19 @@ function Get-TargetResource ( [Parameter(Mandatory = $true)] [System.String] - $Name, + $DisplayName, [Parameter()] [System.String] $Id, + [Parameter(Mandatory = $true)] + [System.String] + $InvoiceSectionId, + [Parameter()] - [System.Boolean] - $Enabled, + [System.String] + $Status, [Parameter()] [ValidateSet('Present', 'Absent')] @@ -69,22 +73,28 @@ function Get-TargetResource { if (-not [System.String]::IsNullOrEmpty($Id)) { - $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Id} } elseif ($null -eq $instance -and -not [System.String]::IsNullOrEmpty($Name)) { - $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name} + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.properties.displayName -eq $DisplayName -and ` + $_.properties.invoiceSectionId -eq $InvoiceSectionId} } } else { if (-not [System.String]::IsNullOrEmpty($Id)) { - $instance = Get-AzSubscription -SubscriptionId $Id + $uri = "https://management.azure.com$($InvoiceSectionId)/billingSubscriptions/$($Id)?api-version=2024-04-01" + $response = Invoke-AzRest -Uri $uri -Method Get + $instance = (ConvertFrom-Json $response.Content).value } - elseif ($null -eq $instance -and -not [System.String]::IsNullOrEmpty($Name)) + elseif ($null -eq $instance -and -not [System.String]::IsNullOrEmpty($DisplayName)) { - $instance = Get-AzSubscription -SubscriptionName $Name + $uri = "https://management.azure.com$($InvoiceSectionId)/billingSubscriptions?api-version=2024-04-01" + $response = Invoke-AzRest -Uri $uri -Method Get + $instances = (ConvertFrom-Json $response.Content).value + $instance = $instances | Where-Object -FilterScript {$_.properties.displayName -eq $DisplayName} } } if ($null -eq $instance) 
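Review bot: The export-mode lookup still tests `-not [System.String]::IsNullOrEmpty($Name)` on its `elseif` line, but `$Name` was renamed to `$DisplayName` in the parameter block earlier in this function, so `$Name` is now unset and the DisplayName/InvoiceSectionId filter can never run; the condition should read `elseif ($null -eq $instance -and -not [System.String]::IsNullOrEmpty($DisplayName))`, as it already does in the live branch. In the live branch both `$uri` strings splice `$InvoiceSectionId` straight after the `https://management.azure.com` host with no leading-slash or shape check, so a mistyped or untrusted value changes the host the ARM bearer token is sent to; validating that `$InvoiceSectionId` starts with `/providers/Microsoft.Billing/`, or passing the relative path through `Invoke-AzRest -Path` so the connected environment's endpoint is always used, closes that and also keeps sovereign clouds working. The Id branch reads `(ConvertFrom-Json $response.Content).value`, but a GET of a single billingSubscription presumably returns the object itself rather than a `value` collection, so `$instance` would stay `$null` — worth confirming against a live response. Neither call inspects `$response.StatusCode`, so an error body is silently treated as "not found". Get-TargetResource starts and ends outside this hunk.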
@@ -93,9 +103,10 @@ function Get-TargetResource } $results = @{ - Name = $instance.Name - Id = $instance.Id - Enabled = $instance.Enabled + DisplayName = $instance.properties.displayName + Id = $instance.name + InvoiceSectionId = $instance.properties.invoiceSectionId + Status = $instance.properties.status Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId @@ -126,15 +137,19 @@ function Set-TargetResource ( [Parameter(Mandatory = $true)] [System.String] - $Name, + $DisplayName, [Parameter()] [System.String] $Id, + [Parameter(Mandatory = $true)] + [System.String] + $InvoiceSectionId, + [Parameter()] - [System.Boolean] - $Enabled, + [System.String] + $Status, [Parameter()] [ValidateSet('Present', 'Absent')] @@ -183,17 +198,30 @@ function Set-TargetResource # CREATE if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { - throw "This resource cannot create new Azure subscriptions." + $uri = "https://management.azure.com/providers/Microsoft.Subscription/aliases/$((New-GUID).ToString())?api-version=2021-10-01" + $params = @{ + properties = @{ + billingScope = $InvoiceSectionId + DisplayName = $DisplayName + Workload = "Production" + } + } + $payload = ConvertTo-Json $params -Depth 10 -Compress + Write-Verbose -Message "Creating new subscription {$DisplayName} with payload:`r`n$payload" + $response = Invoke-AzRest -Uri $uri -Method PUT -Payload $payload + Write-Verbose -Message "Result: $($response.Content)" } # UPDATE elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { - if ($Enabled) + if ($Status -eq 'Active') { + Write-Verbose -Message "Enabling subscription {$Name}" Enable-AzSubscription -Id $currentInstance.Id | Out-Null } elseif (-not $Enabled) { + Write-Verbose -Message "Disabling subscription {$Name}" Disable-AzSubscription -Id $currentInstance.Id | Out-Null } } 
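Review bot: The UPDATE branch's `elseif (-not $Enabled)` still refers to the removed `$Enabled` parameter, so it is true whenever `$Status` is not exactly 'Active', and because `$Status` is optional a Set run triggered by any other drift will call `Disable-AzSubscription` on a subscription the operator never asked to disable; it should test the explicit inactive value, e.g. `elseif ($Status -eq 'Disabled')` (confirm the status string the billingSubscriptions API returns), and do nothing when `$Status` is empty. Both verbose messages in that branch interpolate `{$Name}`, which no longer exists; they should use `{$DisplayName}`. The CREATE branch issues the alias PUT but never checks `$response.StatusCode`, so a rejected or failed creation is reported as success by DSC; throw when the status is not 2xx, and add a comment that `Workload = "Production"` is hard-coded and that the alias is a fresh GUID, which presumably means a re-run before the new subscription shows up under the invoice section creates a second one. Set-TargetResource's body continues outside this hunk.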
@@ -212,15 +240,19 @@ function Test-TargetResource ( [Parameter(Mandatory = $true)] [System.String] - $Name, + $DisplayName, [Parameter()] [System.String] $Id, + [Parameter(Mandatory = $true)] + [System.String] + $InvoiceSectionId, + [Parameter()] - [System.Boolean] - $Enabled, + [System.String] + $Status, [Parameter()] [ValidateSet('Present', 'Absent')] @@ -315,8 +347,7 @@ function Export-TargetResource $AccessTokens ) - ##TODO - Replace workload - $ConnectionMode = New-M365DSCConnection -Workload 'Workload' ` + $ConnectionMode = New-M365DSCConnection -Workload 'Azure' ` -InboundParameters $PSBoundParameters #Ensure the proper dependencies are installed in the current environment. 
@@ -334,47 +365,70 @@ function Export-TargetResource try { $Script:ExportMode = $true - [array] $Script:exportedInstances = Get-AzSubscription -ErrorAction Stop - $i = 1 - $dscContent = '' - if ($Script:exportedInstances.Length -eq 0) - { - Write-Host $Global:M365DSCEmojiGreenCheckMark - } - else - { - Write-Host "`r`n" -NoNewline - } - foreach ($config in $Script:exportedInstances) + $uri = 'https://management.azure.com/providers/Microsoft.Billing/billingaccounts/?api-version=2020-05-01' + $response = Invoke-AzRest -Uri $uri -Method Get + $billingAccounts = (ConvertFrom-Json $response.Content).value + + foreach ($billingAccount in $billingAccounts) { - $displayedKey = $config.Name - Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline - $params = @{ - Name = $config.Name - Id = $config.Id - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint - ManagedIdentity = $ManagedIdentity.IsPresent - AccessTokens = $AccessTokens - } + $uri = "https://management.azure.com/providers/Microsoft.Billing/billingaccounts/$($billingAccount.Name)/billingprofiles/?api-version=2020-05-01" + $response = Invoke-AzRest -Uri $uri -Method Get + $billingProfiles = (ConvertFrom-Json $response.Content).value - $Results = Get-TargetResource @Params - $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` - -Results $Results - - $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` - -ConnectionMode $ConnectionMode ` - -ModulePath $PSScriptRoot ` - -Results $Results ` - -Credential $Credential - $dscContent += $currentDSCBlock - Save-M365DSCPartialExport -Content $currentDSCBlock ` - -FileName $Global:PartialExportFileName - $i++ - Write-Host $Global:M365DSCEmojiGreenCheckMark + foreach ($profile in $billingProfiles) + { + $uri = 
"https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($billingAccount.name)/billingProfiles/$($profile.name)/billingSubscriptions?api-version=2024-04-01" + $response = Invoke-AzRest -Uri $uri -Method Get + $subscriptions = (ConvertFrom-Json $response.Content).value + [array] $Script:exportedInstances += $subscriptions + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $subscriptions) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + $displayedKey = $config.properties.displayName + Write-Host " |---[$i/$($subscriptions.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $config.properties.displayName + Id = $config.Name + InvoiceSectionId = $config.properties.invoiceSectionId + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + } } return $dscContent } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof index 3d74c750c9..6087aa5fca 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof
@@ -1,9 +1,10 @@
 [ClassVersion("1.0.0.0"), FriendlyName("AzureSubscription")]
 class MSFT_AzureSubscription : OMI_BaseResource
 {
- [Key, Description("The display name of the subscription.")] String Name;
+ [Key, Description("The display name of the subscription.")] String DisplayName;
 [Write, Description("The unique identifier of the subscription.")] String Id;
- [Write, Description("Enables or disables the subscription")] Boolean Enabled;
+ [Write, Description("The unique identifier of the invoice section associated with the subscription.")] String InvoiceSectionId;
+ [Write, Description("Status of the subscription.")] String Status;
 [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present"}, Values{"Present"}] string Ensure;
 [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
 [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1
new file mode 100644
index 0000000000..54da575452
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1
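Review bot: `InvoiceSectionId` is declared `[Write, ...]` here while the psm1 in this same commit marks `$InvoiceSectionId` as `Mandatory = $true` in Get/Set/Test, and Get-TargetResource's export-mode lookup matches on displayName together with invoiceSectionId; the qualifier should be `[Required, ...]` (or `[Key, ...]` if two subscriptions may share a display name across invoice sections) so the MOF contract matches the code and the module's schema/parameter consistency checks. `Status` has no `ValueMap`, so any string compiles even though Set-TargetResource only acts on specific values; adding `ValueMap{...}`/`Values{...}` with the status strings the billingSubscriptions API uses (placeholder until confirmed) would reject typos at compile time.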
@@ -0,0 +1,646 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.UInt32] + $IntervalInHours, + + [Parameter()] + [System.String] + $Target, + + [Parameter()] + [System.Boolean] + $IsActive, + + [Parameter()] + [System.String] + $ScanType, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScannerAgent, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScanAuthenticationParams, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'DefenderForEndpoint' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.id -eq $Id} + } + if ($null -eq $instance) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.scanName -eq $Name} + } + } + else + { + $instances = (Invoke-M365DSCDefenderREST -Uri 'https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions' ` + -Method GET).value + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = $instances | Where-Object -FilterScript {$_.id -eq $Id} + } + if ($null -eq $instance) + { + $instance = $instances | Where-Object -FilterScript {$_.scanName -eq $Name} + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $ScannerAgentValue = $null + if ($null -ne $instance.scannerAgent) + { + $ScannerAgentValue = @{ + id = $instance.scannerAgent.id + machineId = $instance.scannerAgent.machineId + machineName = $instance.scannerAgent.machineName + } + } + + # This property cannot be retrieve, nor changed once set. 
+ $ScanAuthenticationParamsValue = $null + if ($null -ne $instance.scanAuthenticationParams) + { + $ScanAuthenticationParamsValue = @{ + DataType = $ScanAuthenticationParams.DataType + Type = $ScanAuthenticationParams.Type + KeyVaultUrl = $ScanAuthenticationParams.KeyVaultUrl + KeyVaultSecretName = $ScanAuthenticationParams.keyVaultSecretName + Domain = $ScanAuthenticationParams.Domain + Username = $ScanAuthenticationParams.Username + IsGMSAUser = $ScanAuthenticationParams.IsGMSAUser + CommunityString = $ScanAuthenticationParams.CommunityString + AuthProtocol = $ScanAuthenticationParams.AuthProtocol + AuthPassword = $ScanAuthenticationParams.AuthPassword + PrivProtocol = $ScanAuthenticationParams.PrivProtocol + PrivPassword = $ScanAuthenticationParams.PrivPassword + } + } + else + { + $ScanAuthenticationParamsValue = @{ + "@odata.context" = "#microsoft.windowsDefenderATP.api.SnmpAuthParams" + Type = "NoAuthNoPriv" + } + } + + $results = @{ + Name = $instance.scanName + Id = $instance.id + IntervalInHours = $instance.intervalInHours + Target = $instance.Target + IsActive = $instance.isActive + ScanType = $instance.scanType + ScannerAgent = $ScannerAgentValue + ScanAuthenticationParams = $ScanAuthenticationParamsValue + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.UInt32] + $IntervalInHours, + + 
[Parameter()] + [System.String] + $Target, + + [Parameter()] + [System.Boolean] + $IsActive, + + [Parameter()] + [System.String] + $ScanType, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScannerAgent, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScanAuthenticationParams, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $instanceParams = @{ + scanType = $ScanType + scanName = $Name + isActive = $IsActive + target = $Target + intervalInHours = $IntervalInHours + scannerAgent = @{ + machineName = $ScannerAgent.machineName + id = $ScannerAgent.id + } + targetType = 'Ip' + scanAuthenticationParams = @{ + "@odata.type" = $ScanAuthenticationParams.DataType + type = $ScanAuthenticationParams.Type + } + } + + if ($null -ne $ScanAuthenticationParams.KeyVaultUrl) + { + $instanceParams.scanAuthenticationParams.Add("keyVaultUrl", $ScanAuthenticationParams.KeyVaultUrl) + } + if ($null -ne $ScanAuthenticationParams.KeyVaultSecretName) + { + $instanceParams.scanAuthenticationParams.Add("keyVaultSecretName", 
$ScanAuthenticationParams.KeyVaultSecretName) + } + if ($null -ne $ScanAuthenticationParams.Domain) + { + $instanceParams.scanAuthenticationParams.Add("domain", $ScanAuthenticationParams.Domain) + } + if ($null -ne $ScanAuthenticationParams.Username) + { + $instanceParams.scanAuthenticationParams.Add("username", $ScanAuthenticationParams.Username) + } + if ($null -ne $ScanAuthenticationParams.IsGMSAUser) + { + $instanceParams.scanAuthenticationParams.Add("isGMSAUser", $ScanAuthenticationParams.IsGMSAUser) + } + if ($null -ne $ScanAuthenticationParams.CommunityString) + { + $instanceParams.scanAuthenticationParams.Add("communityString", $ScanAuthenticationParams.CommunityString) + } + if ($null -ne $ScanAuthenticationParams.AuthProtocol) + { + $instanceParams.scanAuthenticationParams.Add("authProtocol", $ScanAuthenticationParams.AuthProtocol) + } + if ($null -ne $ScanAuthenticationParams.AuthPassword) + { + $instanceParams.scanAuthenticationParams.Add("authPassword", $ScanAuthenticationParams.AuthPassword) + } + if ($null -ne $ScanAuthenticationParams.PrivProtocol) + { + $instanceParams.scanAuthenticationParams.Add("privProtocol", $ScanAuthenticationParams.PrivProtocol) + } + if ($null -ne $ScanAuthenticationParams.PrivPassword) + { + $instanceParams.scanAuthenticationParams.Add("privPassword", $ScanAuthenticationParams.PrivPassword) + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new device authenticated scan definition {$Name} with payload:`r`n$(ConvertTo-Json $instanceParams -Depth 10)" + $response = Invoke-M365DSCDefenderREST -Uri 'https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions' ` + -Method POST ` + -Body $instanceParams + Write-Verbose -Message "Response:`r`n$($response.Content)" + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating device authenticated scan definition {$Name} 
with payload:`r`n$(ConvertTo-Json $instanceParams -Depth 10)" + $response = Invoke-M365DSCDefenderREST -Uri "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/$($currentInstance.Id)" ` + -Method PATCH ` + -Body $instanceParams + Write-Verbose -Message "Response:`r`n$($response.Content)" + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + $instanceParams = @{ + ScanDefinitionIds = @($currentInstance.Id) + } + Write-Verbose -Message "Deleting device authenticated scan definition {$Name} with payload:`r`n$(ConvertTo-Json $instanceParams -Depth 10)" + $response = Invoke-M365DSCDefenderREST -Uri "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/BatchDelete" ` + -Method POST ` + -Body $instanceParams + Write-Verbose -Message "Response:`r`n$($response.Content)" + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.UInt32] + $IntervalInHours, + + [Parameter()] + [System.String] + $Target, + + [Parameter()] + [System.Boolean] + $IsActive, + + [Parameter()] + [System.String] + $ScanType, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScannerAgent, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScanAuthenticationParams, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = $true + + # Once set, these cannot be retrieved nor changed. + $ValuesToCheck.Remove("ScanAuthenticationParams") | Out-Null + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $targetValue = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($targetValue) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + 
[Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'DefenderForEndpoint' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = (Invoke-M365DSCDefenderREST -Uri 'https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions' ` + -Method GET).value + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.scanName + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Name = $config.scanName + id = $config.id + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.ScannerAgent) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.ScannerAgent -CIMInstanceName DefenderDeviceAuthenticatedScanDefinitionScanAgent + if 
($complexTypeStringResult) + { + $Results.ScannerAgent = $complexTypeStringResult + } + else + { + $Results.Remove('ScannerAgent') | Out-Null + } + } + + if ($Results.ScanAuthenticationParams) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.ScanAuthenticationParams -CIMInstanceName DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams + if ($complexTypeStringResult) + { + $Results.ScanAuthenticationParams = $complexTypeStringResult + } + else + { + $Results.Remove('ScanAuthenticationParams') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.ScanAuthenticationParams) + { + $isCIMArray = $false + if ($Results.ScanAuthenticationParams.getType().Fullname -like '*[[\]]') + { + $isCIMArray = $true + } + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ScanAuthenticationParams' -IsCIMArray:$isCIMArray + } + + if ($Results.ScannerAgent) + { + $isCIMArray = $false + if ($Results.ScannerAgent.getType().Fullname -like '*[[\]]') + { + $isCIMArray = $true + } + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ScannerAgent' -IsCIMArray:$isCIMArray + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource 
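Review bot: Set-TargetResource's CREATE and UPDATE branches log `ConvertTo-Json $instanceParams -Depth 10` to the verbose stream, and `$instanceParams.scanAuthenticationParams` carries `authPassword`, `privPassword` and `communityString` whenever they are set, so SNMP credentials land in clear text in verbose output and the DSC event log; Test-TargetResource's `Target Values:` line has the same exposure because it prints `$ValuesToCheck` before `ScanAuthenticationParams` is removed. Mask those keys before anything is logged (below) and apply the same masking to the UPDATE branch and the Test verbose line. The MOF declares `AuthPassword`, `PrivPassword` and `CommunityString` as plain `String`, so they are also written unprotected into exported configurations and compiled MOFs; at minimum the descriptions should say these are secrets and that KeyVault-backed authentication is the recommended form. Separately, the default `$ScanAuthenticationParamsValue` in Get-TargetResource uses the key `"@odata.context"` (Set sends `"@odata.type"` and reads `.DataType`, and the MOF exposes `DataType`), so exporting a definition without auth params presumably emits a property the schema does not define; the default should be `DataType = "#microsoft.windowsDefenderATP.api.SnmpAuthParams"`.
```powershell
    # CREATE
    if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
    {
        # Mask SNMP/Windows secrets so the payload can be logged without exposing them.
        $secretKeys = @('authPassword', 'privPassword', 'communityString')
        $loggedAuthParams = @{}
        foreach ($key in $instanceParams.scanAuthenticationParams.Keys)
        {
            $loggedAuthParams[$key] = if ($secretKeys -contains $key) { '***' } else { $instanceParams.scanAuthenticationParams[$key] }
        }
        $loggedParams = $instanceParams.Clone()
        $loggedParams.scanAuthenticationParams = $loggedAuthParams
        Write-Verbose -Message "Creating new device authenticated scan definition {$Name} with payload:`r`n$(ConvertTo-Json $loggedParams -Depth 10)"
        # … unchanged: Invoke-M365DSCDefenderREST POST and response logging …
    }
```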
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.schema.mof
new file mode 100644
index 0000000000..5fdc4f8d1c
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.schema.mof
@@ -0,0 +1,45 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams
+{
+ [Write, Description("Odata type associated with the request.")] String DataType;
+ [Write, Description("Type of scan.")] String Type;
+ [Write, Description("An optional property that specifies from which KeyVault the scanner should retrieve credentials. If KeyVault is specified there's no need to specify username, password.")] String KeyVaultUrl;
+ [Write, Description("An optional property that specifies KeyVault secret name from which the scanner should retrieve credentials. If KeyVault is specified there's no need to specify username, password.")] String KeyVaultSecretName;
+ [Write, Description("Domain name when using WindowsAuthParams.")] String Domain;
+ [Write, Description("Username when using WindowsAuthParams or the username when choosing SnmpAuthParams with any type other than CommunityString.")] String Username;
+ [Write, Description("Must be set to true when choosing WindowsAuthParams.")] Boolean IsGMSAUser;
+ [Write, Description("Community string to use when choosing SnmpAuthParams with CommunityString.")] String CommunityString;
+ [Write, Description("Auth protocol to use with SnmpAuthParams and AuthNoPriv or AuthPriv. Possible values are MD5, SHA1.")] String AuthProtocol;
+ [Write, Description("Auth password to use with SnmpAuthParams and AuthNoPriv or AuthPriv.")] String AuthPassword;
+ [Write, Description("Priv protocol to use with SnmpAuthParams and AuthPriv. Possible values are DES, 3DES, AES.")] String PrivProtocol;
+ [Write, Description("Priv password to use with SnmpAuthParams and AuthPriv.")] String PrivPassword;
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent
+{
+ [Write, Description("Unique identified for the scan agent.")] String id;
+ [Write, Description("Id of the machine associated with the agent.")] String machineId;
+ [Write, Description("Name of the machine associated with the agent.")] String machineName;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("DefenderDeviceAuthenticatedScanDefinition")]
+class MSFT_DefenderDeviceAuthenticatedScanDefinition : OMI_BaseResource
+{
+ [Key, Description("Name of the scan definition.")] String Name;
+ [Write, Description("Unique identified for the scan definition.")] String Id;
+ [Write, Description("Interval in hours to run the scan.")] UInt32 IntervalInHours;
+ [Write, Description("Target of the scan definition.")] String Target;
+ [Write, Description("Determines if the scan definition is active or not.")] Boolean IsActive;
+ [Write, Description("Type of scan.")] String ScanType;
+ [Write, Description("Information about the associated scan agent."), EmbeddedInstance("MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent")] String ScannerAgent;
+ [Write, Description("Authentication parameters."), EmbeddedInstance("MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams")] String ScanAuthenticationParams;
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/readme.md
new file mode 100644
index 0000000000..0846f96567
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/readme.md
@@ -0,0 +1,6 @@
+
+# DefenderDeviceAuthenticatedScanDefinition
+
+## Description
+
+Configures device authenticated scan definitions in Defender.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/settings.json
new file mode 100644
index 0000000000..ea3b134fe1
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/settings.json
@@ -0,0 +1,20 @@
+{
+ "resourceName": "DefenderDeviceAuthenticatedScanDefinition",
+ "description": "Configures device authenticated scan definitions in Defender.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.psm1
new file mode 100644
index 0000000000..80cee1cb8b
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.psm1
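Review bot: The descriptions for `id` in the ScanAgent class and `Id` in the scan definition class read "Unique identified ..."; both should be "Unique identifier ...". `Type` in the AuthenticationParams class is described as "Type of scan.", which duplicates `ScanType`; judging by the psm1 default (`Type = "NoAuthNoPriv"`) and the other descriptions in this class it is the authentication type, so something like "Authentication type, e.g. NoAuthNoPriv, AuthNoPriv, AuthPriv or CommunityString for SNMP." would be more accurate, with the exact list confirmed against the API. `AuthPassword`, `PrivPassword` and `CommunityString` are secrets but are declared as ordinary `String` with no hint in their descriptions, so those descriptions should state that the value is stored in clear text in the compiled MOF and that KeyVault-backed authentication is the safer option.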
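Review bot: The `roles` and `permissions` arrays in settings.json are all empty, so the least-privilege requirements for this resource are undocumented and the module's permission tooling cannot derive them; the psm1 calls the Defender for Endpoint API at `https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions` rather than Graph, so the application permissions that API requires (placeholder until confirmed against the API documentation) should be listed under `read` and `update`, in whichever settings.json section the module uses for non-Graph APIs. Because this resource creates, patches and batch-deletes scan definitions that run with stored credentials, the `update` permission set is high impact and worth documenting explicitly.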
@@ -0,0 +1,1055 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + + [Parameter()] + [System.String] + [ValidateSet("Disable", "HandsfreeOnly", "Allow")] + $AllowBluetooth, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $AllowCamera, + + [Parameter()] + [System.Boolean] + $AllowConsumerEmail, + + [Parameter()] + [System.Boolean] + $AllowDesktopSync, + + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, + + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, + + [Parameter()] + [System.Boolean] + $AllowInternetSharing, + + [Parameter()] + [System.Boolean] + $AllowIrDA, + + [Parameter()] + [System.Boolean] + $AllowMobileOTAUpdate, + + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, + + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, + + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, + + [Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, + + [Parameter()] + [System.String] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, + + [Parameter()] + [System.Boolean] + $AllowStorageCard, + + [Parameter()] + [System.Boolean] + $AllowTextMessaging, + + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, + + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, + + [Parameter()] + [System.Boolean] + $AllowWiFi, + + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, + + [Parameter()] + [System.String[]] + $ApprovedApplicationList, + + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, + + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, + + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, + + [Parameter()] + [System.String] + $DevicePasswordExpiration, + + [Parameter()] 
+ [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.String] + $DevicePolicyRefreshInterval, + + [Parameter()] + [System.Boolean] + $IrmEnabled, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, + + [Parameter()] + [System.String] + $MaxAttachmentSize, + + [Parameter()] + [System.String] + [ValidateSet("All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.String] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.String] + [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxEmailAgeFilter, + + [Parameter()] + [System.String] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.String] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.String] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Int32] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.String] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.String] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.String[]] + $UnapprovedInROMApplicationList, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + 
[System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters | Out-Null + + Confirm-M365DSCDependencies + + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Identity -eq $Identity} + } + else + { + $instance = Get-ActiveSyncMailboxPolicy -Identity $Identity -ErrorAction Stop + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Ensure = 'Present' + Name = [System.String]$instance.Name + AllowApplePushNotifications = [System.Boolean]$instance.AllowApplePushNotifications + AllowBluetooth = [System.String]$instance.AllowBluetooth + AllowBrowser = [System.Boolean]$instance.AllowBrowser + AllowCamera = [System.Boolean]$instance.AllowCamera + AllowConsumerEmail = [System.Boolean]$instance.AllowConsumerEmail + AllowDesktopSync = [System.Boolean]$instance.AllowDesktopSync + AllowExternalDeviceManagement = [System.Boolean]$instance.AllowExternalDeviceManagement + AllowHTMLEmail = [System.Boolean]$instance.AllowHTMLEmail + AllowInternetSharing = [System.Boolean]$instance.AllowInternetSharing + AllowIrDA = [System.Boolean]$instance.AllowIrDA + AllowMobileOTAUpdate = [System.Boolean]$instance.AllowMobileOTAUpdate + 
AllowNonProvisionableDevices = [System.Boolean]$instance.AllowNonProvisionableDevices + AllowPOPIMAPEmail = [System.Boolean]$instance.AllowPOPIMAPEmail + AllowRemoteDesktop = [System.Boolean]$instance.AllowRemoteDesktop + AllowSimpleDevicePassword = [System.Boolean]$instance.AllowSimpleDevicePassword + AllowSMIMEEncryptionAlgorithmNegotiation = [System.String]$instance.AllowSMIMEEncryptionAlgorithmNegotiation + AllowSMIMESoftCerts = [System.Boolean]$instance.AllowSMIMESoftCerts + AllowStorageCard = [System.Boolean]$instance.AllowStorageCard + AllowTextMessaging = [System.Boolean]$instance.AllowTextMessaging + AllowUnsignedApplications = [System.Boolean]$instance.AllowUnsignedApplications + AllowUnsignedInstallationPackages = [System.Boolean]$instance.AllowUnsignedInstallationPackages + AllowWiFi = [System.Boolean]$instance.AllowWiFi + AlphanumericDevicePasswordRequired = [System.Boolean]$instance.AlphanumericDevicePasswordRequired + ApprovedApplicationList = [System.String[]]$instance.ApprovedApplicationList + AttachmentsEnabled = [System.Boolean]$instance.AttachmentsEnabled + DeviceEncryptionEnabled = [System.Boolean]$instance.DeviceEncryptionEnabled + DevicePasswordEnabled = [System.Boolean]$instance.DevicePasswordEnabled + DevicePasswordExpiration = [System.String]$instance.DevicePasswordExpiration + DevicePasswordHistory = [System.Int32]$instance.DevicePasswordHistory + DevicePolicyRefreshInterval = [System.String]$instance.DevicePolicyRefreshInterval + IrmEnabled = [System.Boolean]$instance.IrmEnabled + IsDefault = [System.Boolean]$instance.IsDefault + IsDefaultPolicy = [System.Boolean]$instance.IsDefaultPolicy + MaxAttachmentSize = [System.String]$instance.MaxAttachmentSize + MaxCalendarAgeFilter = [System.String]$instance.MaxCalendarAgeFilter + MaxDevicePasswordFailedAttempts = [System.String]$instance.MaxDevicePasswordFailedAttempts + MaxEmailAgeFilter = [System.String]$instance.MaxEmailAgeFilter + MaxEmailBodyTruncationSize = 
[System.String]$instance.MaxEmailBodyTruncationSize + MaxEmailHTMLBodyTruncationSize = [System.String]$instance.MaxEmailHTMLBodyTruncationSize + MaxInactivityTimeDeviceLock = [System.String]$instance.MaxInactivityTimeDeviceLock + MinDevicePasswordComplexCharacters = [System.Int32]$instance.MinDevicePasswordComplexCharacters + MinDevicePasswordLength = [System.Int32]$instance.MinDevicePasswordLength + PasswordRecoveryEnabled = [System.Boolean]$instance.PasswordRecoveryEnabled + RequireDeviceEncryption = [System.Boolean]$instance.RequireDeviceEncryption + RequireEncryptedSMIMEMessages = [System.Boolean]$instance.RequireEncryptedSMIMEMessages + RequireEncryptionSMIMEAlgorithm = [System.String]$instance.RequireEncryptionSMIMEAlgorithm + RequireManualSyncWhenRoaming = [System.Boolean]$instance.RequireManualSyncWhenRoaming + RequireSignedSMIMEAlgorithm = [System.String]$instance.RequireSignedSMIMEAlgorithm + RequireSignedSMIMEMessages = [System.Boolean]$instance.RequireSignedSMIMEMessages + RequireStorageCardEncryption = [System.Boolean]$instance.RequireStorageCardEncryption + UnapprovedInROMApplicationList = [System.String[]]$instance.UnapprovedInROMApplicationList + UNCAccessEnabled = [System.Boolean]$instance.UNCAccessEnabled + WSSAccessEnabled = [System.Boolean]$instance.WSSAccessEnabled + Identity = [System.String]$Identity + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Boolean] + 
$AllowApplePushNotifications, + + [Parameter()] + [System.String] + [ValidateSet("Disable", "HandsfreeOnly", "Allow")] + $AllowBluetooth, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $AllowCamera, + + [Parameter()] + [System.Boolean] + $AllowConsumerEmail, + + [Parameter()] + [System.Boolean] + $AllowDesktopSync, + + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, + + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, + + [Parameter()] + [System.Boolean] + $AllowInternetSharing, + + [Parameter()] + [System.Boolean] + $AllowIrDA, + + [Parameter()] + [System.Boolean] + $AllowMobileOTAUpdate, + + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, + + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, + + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, + + [Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, + + [Parameter()] + [System.String] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, + + [Parameter()] + [System.Boolean] + $AllowStorageCard, + + [Parameter()] + [System.Boolean] + $AllowTextMessaging, + + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, + + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, + + [Parameter()] + [System.Boolean] + $AllowWiFi, + + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, + + [Parameter()] + [System.String[]] + $ApprovedApplicationList, + + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, + + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, + + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, + + [Parameter()] + [System.String] + $DevicePasswordExpiration, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.String] + $DevicePolicyRefreshInterval, + + [Parameter()] + [System.Boolean] + $IrmEnabled, + + [Parameter()] + [System.Boolean] + 
$IsDefault, + + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, + + [Parameter()] + [System.String] + $MaxAttachmentSize, + + [Parameter()] + [System.String] + [ValidateSet("All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.String] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.String] + [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxEmailAgeFilter, + + [Parameter()] + [System.String] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.String] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.String] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Int32] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.String] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.String] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.String[]] + $UnapprovedInROMApplicationList, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + 
[Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + $setParameters.Remove("Identity") + New-ActiveSyncMailboxPolicy @SetParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Set-ActiveSyncMailboxPolicy @SetParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Remove-ActiveSyncMailboxPolicy -Identity $Identity + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + + [Parameter()] + [System.String] + [ValidateSet("Disable", "HandsfreeOnly", "Allow")] + $AllowBluetooth, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $AllowCamera, + + [Parameter()] + [System.Boolean] + $AllowConsumerEmail, + + [Parameter()] + [System.Boolean] + $AllowDesktopSync, + + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, + + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, + + [Parameter()] + [System.Boolean] + $AllowInternetSharing, + + [Parameter()] + [System.Boolean] + $AllowIrDA, + + [Parameter()] + [System.Boolean] + 
$AllowMobileOTAUpdate, + + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, + + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, + + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, + + [Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, + + [Parameter()] + [System.String] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, + + [Parameter()] + [System.Boolean] + $AllowStorageCard, + + [Parameter()] + [System.Boolean] + $AllowTextMessaging, + + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, + + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, + + [Parameter()] + [System.Boolean] + $AllowWiFi, + + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, + + [Parameter()] + [System.String[]] + $ApprovedApplicationList, + + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, + + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, + + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, + + [Parameter()] + [System.String] + $DevicePasswordExpiration, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.String] + $DevicePolicyRefreshInterval, + + [Parameter()] + [System.Boolean] + $IrmEnabled, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, + + [Parameter()] + [System.String] + $MaxAttachmentSize, + + [Parameter()] + [System.String] + [ValidateSet("All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.String] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.String] + [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxEmailAgeFilter, + + [Parameter()] + [System.String] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.String] + $MaxEmailHTMLBodyTruncationSize, + + 
[Parameter()] + [System.String] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Int32] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.String] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.String] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.String[]] + $UnapprovedInROMApplicationList, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters + + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { 
+ $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-ActiveSyncMailboxPolicy -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + $displayedKey = $config.Name + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Identity = $config.Name + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.schema.mof new file mode 100644 index 0000000000..32242a76b3 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.schema.mof 
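Review bot: In Set-TargetResource's CREATE branch `Identity`, the only mandatory parameter, is removed from the splat while `Name` is optional, so a configuration that sets only `Identity` calls `New-ActiveSyncMailboxPolicy` without the name it requires; add `if (-not $setParameters.ContainsKey('Name')) { $setParameters.Name = $Identity }` before the call. The REMOVE branch runs `Remove-ActiveSyncMailboxPolicy -Identity $Identity` without `-Confirm:$false`; a destructive cmdlet that prompts for confirmation cannot be answered under the non-interactive LCM, so the removal should pass `-Confirm:$false`. `Ensure` is presumably stripped by `Remove-M365DSCAuthenticationParameter`; if it is not, it is forwarded to both `New-` and `Set-ActiveSyncMailboxPolicy` as an unknown parameter. In Get-TargetResource, `$nullResult = $PSBoundParameters` aliases the bound-parameter table rather than copying it, so `$nullResult.Ensure = 'Absent'` also rewrites `$PSBoundParameters`; `$nullResult = ([Hashtable]$PSBoundParameters).Clone()` matches the copy that Test-TargetResource already makes.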
@@ -0,0 +1,66 @@ +[ClassVersion("1.0.0.0"), FriendlyName("EXOActiveSyncMailboxPolicy")] +class MSFT_EXOActiveSyncMailboxPolicy : OMI_BaseResource +{ + [Write, Description("Specifies the name of the policy.")] String Name; + [Write, Description("Specifies whether push notifications are allowed for Apple mobile devices.")] Boolean AllowApplePushNotifications; + [Write, Description("Specifies whether the Bluetooth capabilities of the mobile phone are allowed."), ValueMap{"Disable", "HandsfreeOnly", "Allow"}, Values{"Disable", "HandsfreeOnly", "Allow"}] String AllowBluetooth; + [Write, Description("Specifies whether Microsoft Pocket Internet Explorer is allowed on the mobile phone.")] Boolean AllowBrowser; + [Write, Description("Specifies whether the mobile phone's camera is allowed.")] Boolean AllowCamera; + [Write, Description("Specifies whether the mobile phone user can configure a personal email account on the device.")] Boolean AllowConsumerEmail; + [Write, Description("Specifies whether the mobile phone can synchronize with a desktop computer through a cable.")] Boolean AllowDesktopSync; + [Write, Description("Specifies whether an external device management program is allowed to manage the device.")] Boolean AllowExternalDeviceManagement; + [Write, Description("Specifies whether HTML email is enabled on the device.")] Boolean AllowHTMLEmail; + [Write, Description("Specifies whether the mobile phone can be used as a modem to connect a computer to the Internet.")] Boolean AllowInternetSharing; + [Write, Description("Specifies whether infrared connections are allowed to the mobile phone.")] Boolean AllowIrDA; + [Write, Description("Specifies whether certain updates are seen by devices that implemented support for this restricting functionality.")] Boolean AllowMobileOTAUpdate; + [Write, Description("Enables all devices to synchronize with the computer running Exchange, regardless of whether the device can enforce all the specific settings established in the Mobile 
Device mailbox policy.")] Boolean AllowNonProvisionableDevices; + [Write, Description("Specifies whether the user can configure a POP3 or IMAP4 email account on the device.")] Boolean AllowPOPIMAPEmail; + [Write, Description("Specifies whether the mobile phone can initiate a remote desktop connection.")] Boolean AllowRemoteDesktop; + [Write, Description("Specifies whether a simple device password is allowed.")] Boolean AllowSimpleDevicePassword; + [Write, Description("Specifies whether the messaging application on the device can negotiate the encryption algorithm in case a recipient's certificate doesn't support the specified encryption algorithm.")] String AllowSMIMEEncryptionAlgorithmNegotiation; + [Write, Description("Specifies whether S/MIME software certificates are allowed.")] Boolean AllowSMIMESoftCerts; + [Write, Description("Specifies whether the device can access information stored on a storage card.")] Boolean AllowStorageCard; + [Write, Description("Specifies whether text messaging is allowed from the device.")] Boolean AllowTextMessaging; + [Write, Description("Specifies whether unsigned applications can be installed on the device.")] Boolean AllowUnsignedApplications; + [Write, Description("Specifies whether unsigned installation packages can be run on the device.")] Boolean AllowUnsignedInstallationPackages; + [Write, Description("Specifies whether wireless Internet access is allowed on the device.")] Boolean AllowWiFi; + [Write, Description("Specifies whether the device password must be alphanumeric.")] Boolean AlphanumericDevicePasswordRequired; + [Write, Description("Specifies a list of approved applications for the device.")] String ApprovedApplicationList[]; + [Write, Description("Specifies whether the user can download attachments.")] Boolean AttachmentsEnabled; + [Write, Description("Enables device encryption on the mobile phone.")] Boolean DeviceEncryptionEnabled; + [Write, Description("Specifies that the user set a password for the 
device.")] Boolean DevicePasswordEnabled; + [Write, Description("Specifies the length of time, in days, that a password can be used.")] String DevicePasswordExpiration; + [Write, Description("Specifies the number of previously used passwords to store.")] Sint32 DevicePasswordHistory; + [Write, Description("Specifies how often the policy is sent from the server to the mobile phone")] String DevicePolicyRefreshInterval; + [Write, Description("Specifies whether Information Rights Management (IRM) is enabled for the mailbox policy.")] Boolean IrmEnabled; + [Write, Description("Specifies whether this policy is the default Mobile Device mailbox policy.")] Boolean IsDefault; + [Write, Description("Specifies whether this policy is the default Mobile Device mailbox policy.")] Boolean IsDefaultPolicy; + [Write, Description("Specifies the maximum size of attachments that can be downloaded to the mobile phone.")] String MaxAttachmentSize; + [Write, Description("Specifies the maximum range of calendar days that can be synchronized to the device."), ValueMap{"All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}, Values{"All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}] String MaxCalendarAgeFilter; + [Write, Description("Specifies the number of attempts a user can make to enter the correct password for the device.")] String MaxDevicePasswordFailedAttempts; + [Write, Description("Specifies the maximum number of days of email items to synchronize to the device."), ValueMap{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}, Values{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}] String MaxEmailAgeFilter; + [Write, Description("Specifies the maximum size at which email messages are truncated when synchronized to the device.")] String MaxEmailBodyTruncationSize; + [Write, Description("Specifies the maximum size at which HTML-formatted email messages are synchronized to the device.")] 
String MaxEmailHTMLBodyTruncationSize; + [Write, Description("Specifies the length of time that the device can be inactive before the password is required to reactivate the device.")] String MaxInactivityTimeDeviceLock; + [Write, Description("Specifies the minimum number of complex characters required in a device password.")] Sint32 MinDevicePasswordComplexCharacters; + [Write, Description("Specifies the minimum number of characters in the device password.")] Sint32 MinDevicePasswordLength; + [Write, Description("Specifies whether you can store the recovery password for the device on an Exchange server.")] Boolean PasswordRecoveryEnabled; + [Write, Description("Specifies whether encryption is required on the device.")] Boolean RequireDeviceEncryption; + [Write, Description("Specifies whether you must encrypt S/MIME messages.")] Boolean RequireEncryptedSMIMEMessages; + [Write, Description("Specifies what required algorithm must be used when encrypting a message.")] String RequireEncryptionSMIMEAlgorithm; + [Write, Description("Specifies whether the device must synchronize manually while roaming.")] Boolean RequireManualSyncWhenRoaming; + [Write, Description("Specifies what required algorithm must be used when signing a message.")] String RequireSignedSMIMEAlgorithm; + [Write, Description("Specifies whether the device must send signed S/MIME messages.")] Boolean RequireSignedSMIMEMessages; + [Write, Description("Specifies whether encryption of a storage card is required.")] Boolean RequireStorageCardEncryption; + [Write, Description("Specifies a list of applications that can't be run in ROM.")] String UnapprovedInROMApplicationList[]; + [Write, Description("Specifies whether access to Microsoft Windows file shares is enabled.")] Boolean UNCAccessEnabled; + [Write, Description("Specifies whether access to Microsoft Windows SharePoint Services is enabled.")] Boolean WSSAccessEnabled; + [Key, Description("Specifies the Mobile Device mailbox policy.")] String Identity; + 
[Write, Description("Specifies if this AddressList should exist."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/readme.md new file mode 100644 index 0000000000..9486035c99 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/readme.md @@ -0,0 +1,5 @@ +# EXOActiveSyncMailboxPolicy + +## Description + +This resource manages Mobile Device mailbox policy for mailboxes accessed by mobile devices. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/settings.json new file mode 100644 index 0000000000..e9afb65af6 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/settings.json 
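Review bot: The `Ensure` description reads "Specifies if this AddressList should exist.", copied from another resource; it should be `[Write, Description("Specifies if this Mobile Device mailbox policy should exist."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;`. `IsDefault` and `IsDefaultPolicy` carry the identical description, so a reader cannot tell how the two differ; if one is a legacy alias of the other the description should say which one the service honours. `DevicePolicyRefreshInterval` is also missing the closing period that every other description has.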
@@ -0,0 +1,31 @@ +{ + "resourceName": "EXOActiveSyncMailboxPolicy", + "description": "", + "roles": { + "read": [ + "Global Reader" + ], + "update": [ + "Exchange Administrator" + ] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + }, + "exchange": { + "requiredroles": [ + "Organization Client Access", + "View-Only Configuration" + ], + "requiredrolegroups": "Organization Management" + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 index a8801b1bb8..f5694dd4bc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 @@ -92,7 +92,7 @@ function Get-TargetResource { $policy = Get-MgBetaDeviceManagementConfigurationPolicy -Filter "Name eq '$DisplayName'" -ErrorAction SilentlyContinue - if(([array]$devicePolicy).count -gt 1) + if(([array]$devicePolicy).Count -gt 1) { throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" } @@ -109,7 +109,7 @@ function Get-TargetResource #Retrieve policy specific settings - $Identity = $policy.id + $Identity = $policy.Id [array]$settings = $policy.settings $returnHashtable = @{} 
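Review bot: The new settings.json ships with `"description": ""` while the readme added in the same commit already carries a one-line description, so the permissions/role metadata for this resource is published without any text explaining what it governs. Copy that sentence in: `"description": "Manages Mobile Device mailbox policies for mailboxes accessed by mobile devices.",`. The `requiredroles` list mixes a read-only role (`View-Only Configuration`) with a write role (`Organization Client Access`) under one key; if the settings schema supports it, stating which is needed for read versus update would let least-privilege deployments drop the write role.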
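Review bot: The duplicate-policy guard on the new side of the first hunk still never fires: `if(([array]$devicePolicy).Count -gt 1)` tests `$devicePolicy`, but the line above assigns the query result to `$policy`, so `$devicePolicy` is empty, its `Count` is 0 and the throw is unreachable (unless `$devicePolicy` is assigned earlier in Get-TargetResource, which is outside this hunk). The commit only fixes the casing of `.count`, not the variable. Change it to `if (([array]$policy).Count -gt 1)` so that two policies sharing a display name are rejected instead of silently picking the first one returned by Graph.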
@@ -295,12 +295,12 @@ function Set-TargetResource $settings = Get-M365DSCIntuneDeviceConfigurationSettings -Properties ([System.Collections.Hashtable]$PSBoundParameters) $createParameters = @{} - $createParameters.add('name', $DisplayName) - $createParameters.add('description', $Description) - $createParameters.add('settings', @($settings)) - $createParameters.add('platforms', $platforms) - $createParameters.add('technologies', $technologies) - $createParameters.add('templateReference', @{ + $createParameters.Add('name', $DisplayName) + $createParameters.Add('description', $Description) + $createParameters.Add('settings', @($settings)) + $createParameters.Add('platforms', $platforms) + $createParameters.Add('technologies', $technologies) + $createParameters.Add('templateReference', @{ templateId = $templateReferenceId }) $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters @@ -323,11 +323,11 @@ function Set-TargetResource $settings = Get-M365DSCIntuneDeviceConfigurationSettings -Properties ([System.Collections.Hashtable]$PSBoundParameters) - Update-DeviceManagementConfigurationPolicy ` - -DeviceManagementConfigurationPolicyId $currentPolicy.Identity ` - -DisplayName $DisplayName ` + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentPolicy.Identity ` + -Name $DisplayName ` -Description $Description ` - -TemplateReference $templateReferenceId ` + -TemplateReferenceId $templateReferenceId ` -Platforms $platforms ` -Technologies $technologies ` -Settings $settings 
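Review bot: The second hunk switches the update path to `Update-IntuneDeviceConfigurationPolicy` with `-DeviceConfigurationPolicyId`/`-TemplateReferenceId`, while the local helper it replaces is deleted later in this diff; the only definition of a function by that name visible on this page is the one in IntuneSettingCatalogCustomPolicyWindows10.psm1, whose body reads `$DeviceManagementConfigurationPolicyId`. I assume a shared helper in a utility module is the intended target, but please confirm its parameter names match this call site, since a mismatch would surface only at runtime on the update path and not in the create path exercised by most tests. Set-TargetResource starts and ends outside these hunks.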
@@ -419,69 +419,45 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Account Protection Local User Group Membership Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters - if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) - { - Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" - throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." - } - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" - Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" - - $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() - $ValuesToCheck.Remove('Identity') | Out-Null + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() - $testResult = $true if ($CurrentValues.Ensure -ne $Ensure) { - $testResult = $false + Write-Verbose -Message "Test-TargetResource returned $false" + return $false } + $testResult = $true - #region LocalUserGroupCollection - if ($testResult) - { - if ((-not $CurrentValues.LocalUserGroupCollection) -xor (-not $ValuesToCheck.LocalUserGroupCollection)) - { - Write-Verbose -Message 'Configuration drift: one the LocalUserGroupCollection is null' - return $false - } + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" - if ($CurrentValues.LocalUserGroupCollection) + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') { - if ($CurrentValues.LocalUserGroupCollection.count -ne $ValuesToCheck.LocalUserGroupCollection.count) 
+ if ($source.UserSelectionType -eq 'add_replace') { - Write-Verbose -Message "Configuration drift: Number of LocalUserGroupCollection has changed - current {$($CurrentValues.LocalUserGroupCollection.count)} target {$($ValuesToCheck.LocalUserGroupCollection.count)}" - return $false + Write-Warning -Message "The UserSelectionType 'add_replace' is not supported anymore. It will be converted to 'add_restrict'" + $source.UserSelectionType = 'add_restrict' } - for ($i = 0; $i -lt $CurrentValues.LocalUserGroupCollection.count; $i++) - { - $source = $ValuesToCheck.LocalUserGroupCollection[$i] - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $CurrentValues.LocalUserGroupCollection[$i] + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) - if (-not $testResult) - { - $testResult = $false - break - } + if (-not $testResult) + { + break } + + $ValuesToCheck.Remove($key) | Out-Null } - if (-not $testResult) - { - return $false - } - $ValuesToCheck.Remove('LocalUserGroupCollection') | Out-Null } - #endregion - #region Assignments - if ($testResult) - { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments - $target = $CurrentValues.Assignments - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target - $ValuesToCheck.Remove('Assignments') | Out-Null - } - #endregion + $ValuesToCheck.Remove('Identity') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck if ($testResult) { 
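Review bot: In the new CimInstance comparison loop, `$source.UserSelectionType = 'add_restrict'` assigns through member enumeration: `$source` is the bound `LocalUserGroupCollection` (a CimInstance array, as the `foreach` in Get-M365DSCIntuneDeviceConfigurationSettings further down treats it), and PowerShell does not support setting a property on an array that way, so a legacy `add_replace` value would make Test-TargetResource throw instead of warning and converting. The same branch also runs for `Assignments` (another CimInstance parameter), which no longer goes through `Compare-M365DSCIntunePolicyAssignment`; confirm `Compare-M365DSCComplexObject` handles assignment targets equivalently. Converting item by item, as the Settings helper does, avoids the enumeration problem. Test-TargetResource's body continues past the hunk.

```powershell
if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
{
    # Convert per item: property assignment via member enumeration on an array throws
    foreach ($item in $source)
    {
        if ($item.UserSelectionType -eq 'add_replace')
        {
            Write-Warning -Message "The UserSelectionType 'add_replace' is not supported anymore. It will be converted to 'add_restrict'"
            $item.UserSelectionType = 'add_restrict'
        }
    }
    # … unchanged: Compare-M365DSCComplexObject call and key removal …
}
```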
@@ -714,6 +690,11 @@ function Get-M365DSCIntuneDeviceConfigurationSettings } foreach ($groupConfiguration in $Properties.LocalUserGroupCollection) { + if ($groupConfiguration.UserSelectionType -eq 'add_replace') + { + Write-Warning -Message "The UserSelectionType 'add_replace' is not supported anymore. It will be converted to 'add_restrict'" + $groupConfiguration.UserSelectionType = 'add_restrict' + } $groupDefaultValue = @{ children = @( @{ @@ -783,57 +764,4 @@ function Get-M365DSCIntuneDeviceConfigurationSettings return $defaultValue } -function Update-DeviceManagementConfigurationPolicy -{ - [CmdletBinding()] - param ( - [Parameter(Mandatory = 'true')] - [System.String] - $DeviceManagementConfigurationPolicyId, - - [Parameter(Mandatory = 'true')] - [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.String] - $TemplateReferenceId, - - [Parameter()] - [System.String] - $Platforms, - - [Parameter()] - [System.String] - $Technologies, - - [Parameter()] - [System.Array] - $Settings - ) - - $templateReference = @{ - 'templateId' = $TemplateReferenceId - } - - $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/ConfigurationPolicies/$DeviceManagementConfigurationPolicyId" - $policy = @{ - 'name' = $DisplayName - 'description' = $Description - 'platforms' = $Platforms - 'technologies' = $Technologies - 'settings' = $Settings - 'templateReference' = $templateReference - } - - Invoke-MgGraphRequest -Method PUT ` - -Uri $Uri ` - -ContentType 'application/json' ` - -Body ($policy | ConvertTo-Json -Depth 20) 4> $null -} - Export-ModuleMember -Function *-TargetResource 
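Review bot: The `add_replace` conversion in the first hunk mutates `$groupConfiguration.UserSelectionType` in place, and `$Properties` is the caller's `[Hashtable]$PSBoundParameters` (see the Set-TargetResource hunks above), so the resource silently rewrites the configuration values it was handed rather than working on a copy. That is probably intentional so that the later comparison sees the converted value, but nothing says so; add `# NOTE: mutates the caller's LocalUserGroupCollection items in place so subsequent comparisons see 'add_restrict'` above the `if`. Because the warning is emitted on every Set/Test run, consider also documenting in the schema that `add_replace` is deprecated so users migrate instead of living with the warning. Get-M365DSCIntuneDeviceConfigurationSettings starts outside this hunk.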
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.schema.mof index f41b644e83..0dcc2f322c 100644 Binary files a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.schema.mof and b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.schema.mof differ diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 index 59073b882e..0893638321 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 @@ -111,6 +111,7 @@ function Get-TargetResource { $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` -Filter "Name eq '$Name' and Platforms eq 'windows10' and Technologies eq 'mdm' and TemplateReference/TemplateFamily eq 'none'" ` + -All ` -ErrorAction SilentlyContinue if ($getValue.Count -gt 1) @@ -930,7 +931,7 @@ function Update-IntuneDeviceConfigurationPolicy try { $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/configurationPolicies/$DeviceManagementConfigurationPolicyId" - + $policy = @{ 'name' = $Name 'description' = $Description 
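Review bot: The `-All` fix in the first hunk keeps interpolating `$Name` straight into the OData filter `"Name eq '$Name' and Platforms eq 'windows10' ..."`, so a policy name containing an apostrophe (e.g. "Contoso's baseline") either breaks the query or, if crafted, changes what it matches. Escape it per OData before building the filter: `$escapedName = $Name.Replace("'", "''")` and then `-Filter "Name eq '$escapedName' and Platforms eq 'windows10' and Technologies eq 'mdm' and TemplateReference/TemplateFamily eq 'none'"`. The `-All` switch is the right fix for the 25-result page limit, but note that `$getValue.Count -gt 1` on the next line now compares against the full unpaged result set, which is what the duplicate check should have been doing all along. Get-TargetResource starts and ends outside this hunk.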
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/1-Create.ps1 new file mode 100644 index 0000000000..b8bf0e6559 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/1-Create.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureSubscription "AzureSubscription-MySubscription" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "My Subscription"; + Ensure = "Present"; + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB"; + Status = "Active"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/2-Update.ps1 index 2c95a634c1..58590ef582 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/2-Update.ps1 
@@ -21,14 +21,15 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - AzureSubscription 'TestSubscription' + AzureSubscription "AzureSubscription-MySubscription" { - Name = 'MyTestSubscription' - Id = 'd620d94d-916d-4dd9-9de5-179292873e20' - Enabled = $true - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "My Subscription"; + Ensure = "Present"; + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB"; + Status = "Disabled"; #Drift + TenantId = $TenantId; } } } diff --git a/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/1-Create.ps1 new file mode 100644 index 0000000000..6c50bb343f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/1-Create.ps1 
@@ -0,0 +1,46 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + DefenderDeviceAuthenticatedScanDefinition "DefenderDeviceAuthenticatedScanDefinition-MyScan" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + }; + ScannerAgent = MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + }; + ScanType = "Network"; + Target = "172.1.12.1"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/2-Update.ps1 new file mode 100644 index 0000000000..f768e5a753 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/2-Update.ps1 
@@ -0,0 +1,46 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + DefenderDeviceAuthenticatedScanDefinition "DefenderDeviceAuthenticatedScanDefinition-MyScan" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + IntervalInHours = 24; # Drift + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + }; + ScannerAgent = MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + }; + ScanType = "Network"; + Target = "172.1.12.1"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/3-Remove.ps1 new file mode 100644 index 0000000000..c4d02051b3 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/3-Remove.ps1 
@@ -0,0 +1,46 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + DefenderDeviceAuthenticatedScanDefinition "DefenderDeviceAuthenticatedScanDefinition-MyScan" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + }; + ScannerAgent = MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + }; + ScanType = "Network"; + Target = "172.1.12.1"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/1-Create.ps1 new file mode 100644 index 0000000000..d74747c848 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/1-Create.ps1 
@@ -0,0 +1,88 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $True; + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + MinDevicePasswordLength = 1; + Name = 
"Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = @(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/2-Update.ps1 new file mode 100644 index 0000000000..130f3fd6d7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/2-Update.ps1 
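Review bot: The Create example configures the policy with essentially every device-security control turned off — `DevicePasswordEnabled = $False`, `AllowSimpleDevicePassword = $True`, `MinDevicePasswordLength = 1`, `RequireDeviceEncryption = $False`, `AllowNonProvisionableDevices = $True` — and pins `RequireEncryptionSMIMEAlgorithm = "TripleDES"` and `RequireSignedSMIMEAlgorithm = "SHA1"`, both deprecated algorithms. The header says the file is not a production baseline, but these examples are what documentation and export users copy, and `IsDefault = $True` makes it the tenant default. I would either flip the password/encryption settings to restrictive values or add a line under the existing header comment: `# WARNING: intentionally permissive values for testing; do not apply to a tenant default policy.` The same values are repeated in the Update and Remove examples.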
@@ -0,0 +1,88 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $False; #drift + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + MinDevicePasswordLength = 1; + 
Name = "Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = @(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/3-Remove.ps1 new file mode 100644 index 0000000000..585f9b6658 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/3-Remove.ps1 
@@ -0,0 +1,88 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $True; + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + MinDevicePasswordLength = 1; + Name = 
"Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = @(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 index c8996cbe4d..36037d2674 100644 --- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 +++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 @@ -82,6 +82,7 @@ 'Modules/EncodingHelpers/M365DSCStringEncoding.psm1', 'Modules/WorkloadHelpers/M365DSCAzureHelper.psm1', 'Modules/WorkloadHelpers/M365DSCAzureDevOPSHelper.psm1', + 'Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1', 'Modules/WorkloadHelpers/M365DSCFabricHelper.psm1', 'Modules/M365DSCConfigurationHelper.psm1' ) diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index bfb58a5278..0eae31dd77 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -1829,7 +1829,7 @@ function New-M365DSCConnection param ( [Parameter(Mandatory = $true)] - [ValidateSet('AdminAPI', 'Azure', 'AzureDevOPS', 'Defender', 'ExchangeOnline', 'Fabric', 'Intune', ` + [ValidateSet('AdminAPI', 'Azure', 'AzureDevOPS', 'DefenderForEndPoint', 'ExchangeOnline', 'Fabric', 'Intune', ` 'SecurityComplianceCenter', 'PnP', 'PowerPlatforms', ` 'MicrosoftTeams', 'MicrosoftGraph', 'SharePointOnlineREST', 'Tasks', 'AdminAPI')] [System.String] 
diff --git a/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1 b/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1 new file mode 100644 index 0000000000..ebbec02b6e --- /dev/null +++ b/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1 @@ -0,0 +1,30 @@ +function Invoke-M365DSCDefenderREST +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.String] + $Uri, + + [Parameter()] + [System.String] + $Method = 'GET', + + [Parameter()] + [System.Collections.Hashtable] + $Body + ) + + $bodyJSON = ConvertTo-Json $Body -Depth 10 -Compress + $headers = @{ + Authorization = $Global:MSCloudLoginConnectionProfile.DefenderForEndpoint.AccessToken + "Content-Type" = "application/json" + } + $response = Invoke-WebRequest -Method $Method ` + -Uri $Uri ` + -Headers $headers ` + -Body $bodyJSON + $result = ConvertFrom-Json $response.Content + return $result +} diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 3ea4383cb2..1d35bead44 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -10265,7 +10265,7 @@ "Parameters": [ { "CIMType": "String", - "Name": "Name", + "Name": "DisplayName", "Option": "Key" }, { @@ -10274,8 +10274,13 @@ "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Enabled", + "CIMType": "String", + "Name": "InvoiceSectionId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Status", "Option": "Write" }, { 
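Review bot: `Invoke-M365DSCDefenderREST` serializes and sends `$Body` unconditionally, so the default `GET` path (no `-Body`) still passes `ConvertTo-Json $null` through to `Invoke-WebRequest -Body`, which at best sends the literal string `null` and on Windows PowerShell may be appended to the query string. The call also lacks `-UseBasicParsing`, which M365DSC needs on Windows PowerShell 5.1 hosts without the IE engine initialized. The `Authorization` header uses the stored `AccessToken` verbatim; I assume the connection profile already includes the `Bearer ` scheme — please confirm, or prefix it here. Building the parameters as a splat fixes the first two points.

```powershell
$headers = @{
    Authorization  = $Global:MSCloudLoginConnectionProfile.DefenderForEndpoint.AccessToken
    "Content-Type" = "application/json"
}
$params = @{
    Method          = $Method
    Uri             = $Uri
    Headers         = $headers
    UseBasicParsing = $true
}
# Only serialize and send a body when one was supplied (GET/DELETE carry none)
if ($null -ne $Body)
{
    $params.Body = ConvertTo-Json $Body -Depth 10 -Compress
}
$response = Invoke-WebRequest @params
# … unchanged: ConvertFrom-Json and return …
```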
@@ -10380,6 +10385,171 @@ } ] }, + { + "ClassName": "MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams", + "Parameters": [ + { + "CIMType": "String", + "Name": "DataType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Type", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "KeyVaultUrl", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "KeyVaultSecretName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Domain", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Username", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsGMSAUser", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CommunityString", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AuthProtocol", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AuthPassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PrivProtocol", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PrivPassword", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent", + "Parameters": [ + { + "CIMType": "String", + "Name": "id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "machineId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "machineName", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_DefenderDeviceAuthenticatedScanDefinition", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "IntervalInHours", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Target", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsActive", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ScanType", + "Option": "Write" + }, + { + "CIMType": "MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent", + 
"Name": "ScannerAgent", + "Option": "Write" + }, + { + "CIMType": "MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams", + "Name": "ScanAuthenticationParams", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_DefenderSubscriptionPlan", "Parameters": [ 
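Review bot: `MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams` declares `AuthPassword`, `PrivPassword` and `CommunityString` as plain `String` parameters, so SNMP/Windows scan credentials supplied through this resource would be written in clear text into the compiled MOF and into any exported configuration, unlike `Credential`, which is typed `MSFT_Credential`. If this JSON is generated from the resource's schema.mof (which is not on this page), the fix belongs there: model the secret fields as `EmbeddedInstance("MSFT_Credential")` or require the `KeyVaultUrl`/`KeyVaultSecretName` pair and reject inline passwords. At minimum, the resource's Export path should redact these fields rather than round-trip them.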
@@ -10590,6 +10760,321 @@ } ] }, + { + "ClassName": "MSFT_EXOActiveSyncMailboxPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowApplePushNotifications", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowBluetooth", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowBrowser", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowCamera", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowConsumerEmail", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowDesktopSync", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowExternalDeviceManagement", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowHTMLEmail", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowInternetSharing", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowIrDA", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowMobileOTAUpdate", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowNonProvisionableDevices", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowPOPIMAPEmail", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowRemoteDesktop", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowSimpleDevicePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowSMIMEEncryptionAlgorithmNegotiation", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowSMIMESoftCerts", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowStorageCard", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowTextMessaging", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowUnsignedApplications", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowUnsignedInstallationPackages", + "Option": 
"Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowWiFi", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AlphanumericDevicePasswordRequired", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ApprovedApplicationList", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AttachmentsEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DeviceEncryptionEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DevicePasswordEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DevicePasswordExpiration", + "Option": "Write" + }, + { + "CIMType": "Sint32", + "Name": "DevicePasswordHistory", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DevicePolicyRefreshInterval", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IrmEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsDefault", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsDefaultPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MaxAttachmentSize", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MaxCalendarAgeFilter", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MaxDevicePasswordFailedAttempts", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MaxEmailAgeFilter", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MaxEmailBodyTruncationSize", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MaxEmailHTMLBodyTruncationSize", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MaxInactivityTimeDeviceLock", + "Option": "Write" + }, + { + "CIMType": "Sint32", + "Name": "MinDevicePasswordComplexCharacters", + "Option": "Write" + }, + { + "CIMType": "Sint32", + "Name": "MinDevicePasswordLength", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "PasswordRecoveryEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": 
"RequireDeviceEncryption", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RequireEncryptedSMIMEMessages", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RequireEncryptionSMIMEAlgorithm", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RequireManualSyncWhenRoaming", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RequireSignedSMIMEAlgorithm", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RequireSignedSMIMEMessages", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RequireStorageCardEncryption", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "UnapprovedInROMApplicationList", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "UNCAccessEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "WSSAccessEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_EXOAddressBookPolicy", "Parameters": [ diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 index f11e0a665d..0551a400ba 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 
@@ -55,6 +55,68 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $True; + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + MinDevicePasswordLength = 1; + Name = "Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = 
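Review bot: The new `EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy'` block mixes statement separators: every property from `AllowApplePushNotifications` through `WSSAccessEnabled` ends with `;` while `Ensure`, `ApplicationId`, `TenantId` and `CertificateThumbprint` do not, and the neighbouring `EXOAddressBookPolicy` block uses none. Dropping the trailing `;` throughout keeps the file uniform; the identical block is repeated in the Remove and Update hunks below, so the same cleanup applies there.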
@(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } EXOAddressBookPolicy 'ConfigureAddressBookPolicy' { Name = "All Fabrikam ABP" diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 index 59d24f2b30..f05ed4fe10 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 
@@ -54,6 +54,68 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $True; + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + MinDevicePasswordLength = 1; + Name = "Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = 
@(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } EXOAddressBookPolicy 'ConfigureAddressBookPolicy' { Name = "All Fabrikam ABP" diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 index cfac08dbd7..9ee67bf086 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 
@@ -55,6 +55,68 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $False; #drift + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + MinDevicePasswordLength = 1; + Name = "Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + 
UnapprovedInROMApplicationList = @(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } EXOAddressBookPolicy 'ConfigureAddressBookPolicy' { Name = "All Fabrikam ABP" diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureSubscription.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureSubscription.Tests.ps1 index 4bde1dd612..8f94d01f58 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureSubscription.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureSubscription.Tests.ps1 
@@ -48,48 +48,91 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $Script:ExportMode = $false } # Test contexts + Context -Name "The instance doesn't exists and it should" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "Test" + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" + Status = "Active" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = "{}" + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + } + Context -Name "The instance exists and values are already in the desired state" -Fixture { BeforeAll { $testParams = @{ - Name = "Test" - Enabled = $true + DisplayName = "Test" + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" + Status = "Active" Ensure = 'Present' Credential = $Credential; } - Mock -CommandName Get-AzSubscription -MockWith { - return @( - @{ - Id = (New-Guid).ToString() - Name = 'Test' - Enabled = $true - } - ) + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = ConvertTo-Json (@{ + value = @( + @{ + name = (New-Guid).ToString() + properties = @{ + displayName = 'Test' + status = 'Active' + invoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" + } + } + ) + }) -Depth 10 + } } } It 'Should return true from the Test method' { Test-TargetResource @testParams | Should -Be $true } + + It 'Should call the Set method' { + Set-TargetResource 
@testParams + Should -Invoke -CommandName Invoke-AzRest -Exactly 1 + } } Context -Name "The instance exists and values are NOT in the desired state" -Fixture { BeforeAll { $testParams = @{ - Name = "Test" - Enabled = $true + DisplayName = "Test" + Status = "Active" + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" Ensure = 'Present' Credential = $Credential; } - Mock -CommandName Get-AzSubscription -MockWith { - return @( - @{ - Id = (New-Guid).ToString() - Name = 'Test' - Enabled = $false #drift - } - ) + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = ConvertTo-Json (@{ + value = @( + @{ + name = (New-Guid).ToString() + properties = @{ + displayName = 'Test' + status = 'Disabled' # Drift + invoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" + } + } + ) + }) -Depth 10 + } } } @@ -115,14 +158,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Credential = $Credential; } - Mock -CommandName Get-AzSubscription -MockWith { - return @( - @{ - Id = (New-Guid).ToString() - Name = 'Test' - Enabled = $false #drift - } - ) + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = ConvertTo-Json (@{ + value = @( + @{ + name = (New-Guid).ToString() + properties = @{ + displayName = 'Test' + status = 'Active' + invoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" + } + } + ) + }) -Depth 10 + } } } It 'Should Reverse Engineer resource from the Export method' { 
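Review bot: In the new context "The instance doesn't exists and it should", the `It` block is named 'Should return true from the Test method' but asserts `Should -Be $false`; rename it to `It 'Should return false from the Test method'` so a failure reads correctly (the context name also wants "doesn't exist"). In the "already in the desired state" context, `Should -Invoke -CommandName Invoke-AzRest -Exactly 1` only proves a single call was made; because the Get path is itself mocked through `Invoke-AzRest`, the assertion cannot distinguish "no write was issued" from "a write replaced the read", so pin the verb, e.g. `Should -Invoke -CommandName Invoke-AzRest -Exactly 0 -ParameterFilter { $Method -ne 'Get' }`. The same long `InvoiceSectionId` literal is pasted four times across the contexts; hoisting it into a variable in the outer `BeforeAll` would make the fixtures easier to keep in sync.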
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.DefenderDeviceAuthenticatedScanDefinition.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.DefenderDeviceAuthenticatedScanDefinition.Tests.ps1
new file mode 100644
index 0000000000..979d3621bc
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.DefenderDeviceAuthenticatedScanDefinition.Tests.ps1
@@ -0,0 +1,291 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams -Property @{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } -ClientOnly) + ScannerAgent = (New-CimInstance -ClassName 
MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent -Property @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } -ClientOnly) + ScanType = "Network"; + Target = "172.1.12.1"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCDefenderREST -Exactly 2 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams -Property @{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } -ClientOnly) + ScannerAgent = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent -Property @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } -ClientOnly) + ScanType = "Network"; + Target = "172.1.12.1"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { + return @{ + value = @( + @{ + id = "12345-12345-12345-12345-12345" + scannerAgent = @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } + 
scanAuthenticationParams = @{ + Type = 'NoAuthNoPriv' + "@odata.type" = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } + IntervalInHours = 1; + IsActive = $True; + scanName = "MyScan"; + ScanType = "Network"; + Target = "172.1.12.1"; + } + ) + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCDefenderREST -Exactly 2 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams -Property @{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } -ClientOnly) + ScannerAgent = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent -Property @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } -ClientOnly) + ScanType = "Network"; + Target = "172.1.12.1"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { + return @{ + value = + @{ + id = "12345-12345-12345-12345-12345" + scannerAgent = @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } + scanAuthenticationParams = @{ + Type = 'NoAuthNoPriv' + "@odata.type" = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } + IntervalInHours = 1 + IsActive = $True; + 
scanName = "MyScan"; + ScanType = "Network"; + Target = "172.1.12.1"; + } + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams -Property @{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } -ClientOnly) + ScannerAgent = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent -Property @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } -ClientOnly) + ScanType = "Network"; + Target = "172.1.12.1"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { + return @{ + value = @( + @{ + id = "12345-12345-12345-12345-12345" + scannerAgent = @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } + scanAuthenticationParams = @{ + Type = 'NoAuthNoPriv' + "@odata.type" = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } + IntervalInHours = 24; #Drift + IsActive = $True; + scanName = "MyScan"; + ScanType = "Network"; + Target = "172.1.12.1"; + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCDefenderREST 
-Exactly 2 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { + return @{ + value = @( + @{ + id = "12345-12345-12345-12345-12345" + scannerAgent = @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } + scanAuthenticationParams = @{ + Type = 'NoAuthNoPriv' + "@odata.type" = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } + IntervalInHours = 1; + IsActive = $True; + scanName = "MyScan"; + ScanType = "Network"; + Target = "172.1.12.1"; + } + ) + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOActiveSyncMailboxPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOActiveSyncMailboxPolicy.Tests.ps1 new file mode 100644 index 0000000000..a938cb468b --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOActiveSyncMailboxPolicy.Tests.ps1 
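Review bot: The "already in the desired state" context's mock returns `value = @{ ... }` (a single hashtable) while every other context returns `value = @( @{ ... } )`; if the resource treats `.value` as a collection, this fixture exercises a different shape from the rest, and the `$true` from Test here may come from that shape rather than from a correct comparison, so make it `value = @( @{ ... } )` like the others. Every Set assertion is `Should -Invoke -CommandName Invoke-M365DSCDefenderREST -Exactly 2`, which cannot tell a create from an update or a delete (a second read would satisfy it); a `-ParameterFilter` that pins the request method or body would assert what was actually sent. No context exercises the credential-carrying members of `ScanAuthenticationParams` (`AuthPassword`, `PrivPassword`, `CommunityString` in the schema hunk above), so whether Get and Export return or redact those values is untested.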
@@ -0,0 +1,201 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-ActiveSyncMailboxPolicy -MockWith { + return $null + } + + Mock -CommandName Set-ActiveSyncMailboxPolicy -MockWith { + return $null + } + + Mock -CommandName Remove-ActiveSyncMailboxPolicy -MockWith { + return $null + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Ensure = 'Present' + Identity = 'FakeStringValue' + Credential = $Credential; + } + + Mock -CommandName 
Get-ActiveSyncMailboxPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-ActiveSyncMailboxPolicy -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Ensure = 'Absent' + Identity = 'FakeStringValue' + Credential = $Credential; + } + + Mock -CommandName Get-ActiveSyncMailboxPolicy -MockWith { + return @{ + Identity = 'FakeStringValue' + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-ActiveSyncMailboxPolicy -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Ensure = 'Present' + Identity = 'FakeStringValue' + Name = 'FakeStringValue' + AllowHTMLEmail = $true + ApprovedApplicationList = @('FakeStringValue1', 'FakeStringValue2') + DevicePasswordHistory = 5 + Credential = $Credential; + } + + Mock -CommandName Get-ActiveSyncMailboxPolicy -MockWith { + return @{ + Identity = 'FakeStringValue' + Name = 'FakeStringValue' + AllowHTMLEmail = $true + ApprovedApplicationList = @('FakeStringValue1', 'FakeStringValue2') + DevicePasswordHistory = 5 + } + } + + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + 
BeforeAll { + $testParams = @{ + Ensure = 'Present' + Identity = 'FakeStringValue' + Name = 'FakeStringValue' + AllowHTMLEmail = $true + ApprovedApplicationList = @('FakeStringValue1', 'FakeStringValue2') + DevicePasswordHistory = 5 + Credential = $Credential; + } + + Mock -CommandName Get-ActiveSyncMailboxPolicy -MockWith { + return @{ + Identity = 'FakeStringValue' + Name = 'FakeStringValue' + AllowHTMLEmail = $true + ApprovedApplicationList = @('FakeStringValue1') #drift + DevicePasswordHistory = 5 + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-ActiveSyncMailboxPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-ActiveSyncMailboxPolicy -MockWith { + return @{ + Identity = 'FakeStringValue' + Name = 'FakeStringValue' + AllowHTMLEmail = $true + ApprovedApplicationList = @('FakeStringValue1', 'FakeStringValue2') + DevicePasswordHistory = 5 + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 index 3b8962f91a..50196c8309 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 
@@ -55,6 +55,88 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } }) } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' + Description = 'My Test Description' + Name = 'My Test' + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' + 'groupSettingCollectionValue' = @( + @{ + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' + 'simpleSettingCollectionValue' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' + } + ) + } + ) + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 
'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' + 'children' = @() + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' + 'choiceSettingCollectionValue' = @( + @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' + 'children' = @() + } + ) + } + ) + } + ) + } + ) + } + ) + } + } + AdditionalProperties = $null + } + TemplateReference = @{ + TemplateId = '22968f54-45fa-486c-848e-f8224aa69772_1' + } + } + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { } 
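Review bot: Moving the Get-MgBetaDeviceManagementConfigurationPolicy mock into the shared BeforeAll drops the export-context variant removed in hunk `@@ -458,92 +311,11 @@`, which returned two `_desc` entries (`administrators` and `users`) and a different TemplateId (`5dd36540-eb22-4e7e-b19c-2a07772ba627_1` there versus `22968f54-45fa-486c-848e-f8224aa69772_1` here), so the multi-group export path is no longer exercised and the two template ids disagree. Either restore a context-local Mock in the export Context or add a second `groupSettingCollectionValue` entry here, and confirm which TemplateId the resource actually expects. The Update-IntuneDeviceConfigurationPolicy mock is now shared as well, which presumably is what the `Should -Invoke ... -Exactly 1` checks in the later hunks rely on; a one-line comment above the mocks such as `# Shared Get/Update mocks for every Context; re-Mock inside a Context when a test needs different state` would make that dependency explicit. The enclosing BeforeAll/Describe starts outside this hunk.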
@@ -130,90 +212,11 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalUserGroupCollection -Property @{ LocalGroups = @('administrators') Members = @('S-1-12-1-1167842105-1150511762-402702254-1917434032') - Action = 'add_update' + Action = 'add_restrict' # Drift UserSelectionType = 'users' } -ClientOnly) ) } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( 
- @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'Non-existant value' - } - ) - } - ) - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_remove_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_users' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) - } - } - AdditionalProperties = $null - } - } - } - - - Mock -CommandName Update-DeviceManagementConfigurationPolicy -MockWith { - } } It 'Should return Present from the Get method' { @@ -226,7 +229,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should update the instance from the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName Update-DeviceManagementConfigurationPolicy -Exactly 1 + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 } } 
@@ -254,81 +257,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } -ClientOnly) ) } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' - } - ) - } - ) - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 
'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) - } - } - AdditionalProperties = $null - } - } - } } It 'Should return true from the Test method' { 
@@ -360,81 +288,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Absent' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' - } - ) - } - ) - } - }, - @{ - '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) - } - } - AdditionalProperties = $null - } - } - } } It 'Should return Present from the Get method' { 
@@ -458,92 +311,11 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Credential = $Credential } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - TemplateReference = @{ - TemplateId = '5dd36540-eb22-4e7e-b19c-2a07772ba627_1' - } - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' - } - ) - } - 
) - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' - 'children' = @() - }, - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_users' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) - } - } - AdditionalProperties = $null - } - } - } } It 'Should Reverse Engineer resource from the Export method' { $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty } } } diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index 7a3ce5eea9..de5299fac1 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 @@ -1703,6 +1703,17 @@ function Get-ActiveSyncDevice $ResultSize ) } + +function Get-ActiveSyncMailboxPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Object] + $Identity + ) +} + function Get-ActiveSyncDeviceAccessRule { [CmdletBinding()] 
@@ -4496,6 +4507,233 @@ function New-ActiveSyncDeviceAccessRule $AccessLevel ) } + +function New-ActiveSyncMailboxPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, + + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, + + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, + + [Parameter()] + [System.Boolean] + $AllowIrDA, + + [Parameter()] + [System.Boolean] + $AllowStorageCard, + + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, + + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, + + [Parameter()] + [System.Object] + $UnapprovedInROMApplicationList, + + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $AllowInternetSharing, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Object] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Object] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.Object] + $DevicePasswordExpiration, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $AllowCamera, + + [Parameter()] + [System.Object] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.Object] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, + + [Parameter()] + [System.Object] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.Object] + $AllowBluetooth, + + [Parameter()] + [System.Object] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Object] + $DevicePolicyRefreshInterval, + + 
[Parameter()] + [System.Boolean] + $AllowMobileOTAUpdate, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Object] + $MaxAttachmentSize, + + [Parameter()] + [System.Boolean] + $AllowConsumerEmail, + + [Parameter()] + [System.Boolean] + $AllowDesktopSync, + + [Parameter()] + [System.Object] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, + + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, + + [Parameter()] + [System.Object] + $MaxEmailAgeFilter, + + [Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Object] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.Boolean] + $AllowWiFi, + + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, + + [Parameter()] + [System.Object] + $ApprovedApplicationList, + + [Parameter()] + [System.Boolean] + $AllowTextMessaging, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, + + [Parameter()] + [System.Object] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $IrmEnabled + ) +} + function New-AddressBookPolicy { [CmdletBinding()] 
@@ -8633,6 +8871,25 @@ function Remove-ActiveSyncDevice
 $Identity
 )
 }
+
+function Remove-ActiveSyncMailboxPolicy
+{
+[CmdletBinding()]
+param(
+[Parameter()]
+[System.Management.Automation.SwitchParameter]
+$Confirm,
+
+[Parameter()]
+[System.Object]
+$Identity,
+
+[Parameter()]
+[System.Management.Automation.SwitchParameter]
+$Force
+)
+}
+
 function Remove-ActiveSyncDeviceAccessRule
 {
 [CmdletBinding()]
@@ -9568,6 +9825,237 @@ function Set-ActiveSyncDeviceAccessRule $AccessLevel ) } + +function Set-ActiveSyncMailboxPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, + + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, + + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, + + [Parameter()] + [System.Boolean] + $AllowIrDA, + + [Parameter()] + [System.Boolean] + $AllowStorageCard, + + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, + + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, + + [Parameter()] + [System.Object] + $UnapprovedInROMApplicationList, + + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $AllowInternetSharing, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Object] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Object] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.Object] + $DevicePasswordExpiration, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $AllowCamera, + + [Parameter()] + [System.Object] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.Object] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, + + [Parameter()] + [System.Object] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.Object] + $AllowBluetooth, + + [Parameter()] + [System.Object] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Object] + $DevicePolicyRefreshInterval, + + 
[Parameter()] + [System.Boolean] + $AllowMobileOTAUpdate, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Object] + $MaxAttachmentSize, + + [Parameter()] + [System.Boolean] + $AllowConsumerEmail, + + [Parameter()] + [System.Boolean] + $AllowDesktopSync, + + [Parameter()] + [System.Object] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, + + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, + + [Parameter()] + [System.Object] + $MaxEmailAgeFilter, + + [Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Object] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.Boolean] + $AllowWiFi, + + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, + + [Parameter()] + [System.Object] + $ApprovedApplicationList, + + [Parameter()] + [System.Boolean] + $AllowTextMessaging, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, + + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Object] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $IrmEnabled + ) +} + function Set-AddressBookPolicy { [CmdletBinding()] diff --git a/docs/docs/resources/azure-ad/AzureSubscription.md b/docs/docs/resources/azure-ad/AzureSubscription.md index 481e5a8eb0..8719c2f1fe 100644 --- a/docs/docs/resources/azure-ad/AzureSubscription.md 
+++ b/docs/docs/resources/azure-ad/AzureSubscription.md @@ -4,9 +4,10 @@ | Parameter | Attribute | DataType | Description | Allowed Values | | --- | --- | --- | --- | --- | -| **Name** | Key | String | The display name of the subscription. | | +| **DisplayName** | Key | String | The display name of the subscription. | | | **Id** | Write | String | The unique identifier of the subscription. | | -| **Enabled** | Write | Boolean | Enables or disables the subscription | | +| **InvoiceSectionId** | Write | String | The unique identifier of the invoice section associated with the subscription. | | +| **Status** | Write | String | Status of the subscription. | | | **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Present` | | **Credential** | Write | PSCredential | Credentials of the workload's Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | 
@@ -72,14 +73,53 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - AzureSubscription 'TestSubscription' + AzureSubscription "AzureSubscription-MySubscription" { - Name = 'MyTestSubscription' - Id = 'd620d94d-916d-4dd9-9de5-179292873e20' - Enabled = $true - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "My Subscription"; + Ensure = "Present"; + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB"; + Status = "Active"; + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureSubscription "AzureSubscription-MySubscription" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "My Subscription"; + Ensure = "Present"; + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB"; + Status = "Disabled"; #Drift + TenantId = $TenantId; } } } diff --git a/docs/docs/resources/exchange/EXOActiveSyncMailboxPolicy.md b/docs/docs/resources/exchange/EXOActiveSyncMailboxPolicy.md new file mode 100644 index 0000000000..041b496109 --- /dev/null 
+++ b/docs/docs/resources/exchange/EXOActiveSyncMailboxPolicy.md 
@@ -0,0 +1,362 @@
+# EXOActiveSyncMailboxPolicy
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Name** | Write | String | Specifies the name of the policy. | |
+| **AllowApplePushNotifications** | Write | Boolean | Specifies whether push notifications are allowed for Apple mobile devices. | |
+| **AllowBluetooth** | Write | String | Specifies whether the Bluetooth capabilities of the mobile phone are allowed. | `Disable`, `HandsfreeOnly`, `Allow` |
+| **AllowBrowser** | Write | Boolean | Specifies whether Microsoft Pocket Internet Explorer is allowed on the mobile phone. | |
+| **AllowCamera** | Write | Boolean | Specifies whether the mobile phone's camera is allowed. | |
+| **AllowConsumerEmail** | Write | Boolean | Specifies whether the mobile phone user can configure a personal email account on the device. | |
+| **AllowDesktopSync** | Write | Boolean | Specifies whether the mobile phone can synchronize with a desktop computer through a cable. | |
+| **AllowExternalDeviceManagement** | Write | Boolean | Specifies whether an external device management program is allowed to manage the device. | |
+| **AllowHTMLEmail** | Write | Boolean | Specifies whether HTML email is enabled on the device. | |
+| **AllowInternetSharing** | Write | Boolean | Specifies whether the mobile phone can be used as a modem to connect a computer to the Internet. | |
+| **AllowIrDA** | Write | Boolean | Specifies whether infrared connections are allowed to the mobile phone. | |
+| **AllowMobileOTAUpdate** | Write | Boolean | Specifies whether certain updates are seen by devices that implemented support for this restricting functionality. | |
+| **AllowNonProvisionableDevices** | Write | Boolean | Enables all devices to synchronize with the computer running Exchange, regardless of whether the device can enforce all the specific settings established in the Mobile Device mailbox policy. | |
+| **AllowPOPIMAPEmail** | Write | Boolean | Specifies whether the user can configure a POP3 or IMAP4 email account on the device. | |
+| **AllowRemoteDesktop** | Write | Boolean | Specifies whether the mobile phone can initiate a remote desktop connection. | |
+| **AllowSimpleDevicePassword** | Write | Boolean | Specifies whether a simple device password is allowed. | |
+| **AllowSMIMEEncryptionAlgorithmNegotiation** | Write | String | Specifies whether the messaging application on the device can negotiate the encryption algorithm in case a recipient's certificate doesn't support the specified encryption algorithm. | |
+| **AllowSMIMESoftCerts** | Write | Boolean | Specifies whether S/MIME software certificates are allowed. | |
+| **AllowStorageCard** | Write | Boolean | Specifies whether the device can access information stored on a storage card. | |
+| **AllowTextMessaging** | Write | Boolean | Specifies whether text messaging is allowed from the device. | |
+| **AllowUnsignedApplications** | Write | Boolean | Specifies whether unsigned applications can be installed on the device. | |
+| **AllowUnsignedInstallationPackages** | Write | Boolean | Specifies whether unsigned installation packages can be run on the device. | |
+| **AllowWiFi** | Write | Boolean | Specifies whether wireless Internet access is allowed on the device. | |
+| **AlphanumericDevicePasswordRequired** | Write | Boolean | Specifies whether the device password must be alphanumeric. | |
+| **ApprovedApplicationList** | Write | StringArray[] | Specifies a list of approved applications for the device. | |
+| **AttachmentsEnabled** | Write | Boolean | Specifies whether the user can download attachments. | |
+| **DeviceEncryptionEnabled** | Write | Boolean | Enables device encryption on the mobile phone. | |
+| **DevicePasswordEnabled** | Write | Boolean | Specifies that the user set a password for the device. | |
+| **DevicePasswordExpiration** | Write | String | Specifies the length of time, in days, that a password can be used. | |
+| **DevicePasswordHistory** | Write | SInt32 | Specifies the number of previously used passwords to store. | |
+| **DevicePolicyRefreshInterval** | Write | String | Specifies how often the policy is sent from the server to the mobile phone | |
+| **IrmEnabled** | Write | Boolean | Specifies whether Information Rights Management (IRM) is enabled for the mailbox policy. | |
+| **IsDefault** | Write | Boolean | Specifies whether this policy is the default Mobile Device mailbox policy. | |
+| **IsDefaultPolicy** | Write | Boolean | Specifies whether this policy is the default Mobile Device mailbox policy. | |
+| **MaxAttachmentSize** | Write | String | Specifies the maximum size of attachments that can be downloaded to the mobile phone. | |
+| **MaxCalendarAgeFilter** | Write | String | Specifies the maximum range of calendar days that can be synchronized to the device. | `All`, `TwoWeeks`, `OneMonth`, `ThreeMonths`, `SixMonths` |
+| **MaxDevicePasswordFailedAttempts** | Write | String | Specifies the number of attempts a user can make to enter the correct password for the device. | |
+| **MaxEmailAgeFilter** | Write | String | Specifies the maximum number of days of email items to synchronize to the device. | `All`, `OneDay`, `ThreeDays`, `OneWeek`, `TwoWeeks`, `OneMonth`, `ThreeMonths`, `SixMonths` |
+| **MaxEmailBodyTruncationSize** | Write | String | Specifies the maximum size at which email messages are truncated when synchronized to the device. | |
+| **MaxEmailHTMLBodyTruncationSize** | Write | String | Specifies the maximum size at which HTML-formatted email messages are synchronized to the device. | |
+| **MaxInactivityTimeDeviceLock** | Write | String | Specifies the length of time that the device can be inactive before the password is required to reactivate the device. | |
+| **MinDevicePasswordComplexCharacters** | Write | SInt32 | Specifies the minimum number of complex characters required in a device password. | |
+| **MinDevicePasswordLength** | Write | SInt32 | Specifies the minimum number of characters in the device password. | |
+| **PasswordRecoveryEnabled** | Write | Boolean | Specifies whether you can store the recovery password for the device on an Exchange server. | |
+| **RequireDeviceEncryption** | Write | Boolean | Specifies whether encryption is required on the device. | |
+| **RequireEncryptedSMIMEMessages** | Write | Boolean | Specifies whether you must encrypt S/MIME messages. | |
+| **RequireEncryptionSMIMEAlgorithm** | Write | String | Specifies what required algorithm must be used when encrypting a message. | |
+| **RequireManualSyncWhenRoaming** | Write | Boolean | Specifies whether the device must synchronize manually while roaming. | |
+| **RequireSignedSMIMEAlgorithm** | Write | String | Specifies what required algorithm must be used when signing a message. | |
+| **RequireSignedSMIMEMessages** | Write | Boolean | Specifies whether the device must send signed S/MIME messages. | |
+| **RequireStorageCardEncryption** | Write | Boolean | Specifies whether encryption of a storage card is required. | |
+| **UnapprovedInROMApplicationList** | Write | StringArray[] | Specifies a list of applications that can't be run in ROM. | |
+| **UNCAccessEnabled** | Write | Boolean | Specifies whether access to Microsoft Windows file shares is enabled. | |
+| **WSSAccessEnabled** | Write | Boolean | Specifies whether access to Microsoft Windows SharePoint Services is enabled. | |
+| **Identity** | Key | String | Specifies the Mobile Device mailbox policy. | |
+| **Ensure** | Write | String | Specifies if this AddressList should exist. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+## Description
+
+This resource manages Mobile Device mailbox policy for mailboxes accessed by mobile devices.
+
+## Permissions
+
+### Exchange
+
+To authenticate with Microsoft Exchange, this resource required the following permissions:
+
+#### Roles
+
+- Organization Client Access, View-Only Configuration
+
+#### Role Groups
+
+- Organization Management
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy'
+ {
+ AllowApplePushNotifications = $True;
+ AllowBluetooth = "Allow";
+ AllowBrowser = $True;
+ AllowCamera = $True;
+ AllowConsumerEmail = $True;
+ AllowDesktopSync = $True;
+ AllowExternalDeviceManagement = $False;
+ AllowHTMLEmail = $True;
+ AllowInternetSharing = $True;
+ AllowIrDA = $True;
+ AllowMobileOTAUpdate = $True;
+ AllowNonProvisionableDevices = $True;
+ AllowPOPIMAPEmail = $True;
+ AllowRemoteDesktop = $True;
+ AllowSimpleDevicePassword = $True;
+ AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation";
+ AllowSMIMESoftCerts = $True;
+ AllowStorageCard = $True;
+ AllowTextMessaging = $True;
+ AllowUnsignedApplications = $True;
+ AllowUnsignedInstallationPackages = $True;
+ AllowWiFi = $True;
+ AlphanumericDevicePasswordRequired = $False;
+ ApprovedApplicationList = @();
+ AttachmentsEnabled = $True;
+ DeviceEncryptionEnabled = $False;
+ DevicePasswordEnabled = $False;
+ DevicePasswordExpiration = "Unlimited";
+ DevicePasswordHistory = 0;
+ DevicePolicyRefreshInterval = "Unlimited";
+ Identity = "Test";
+ IrmEnabled = $True;
+ IsDefault = $True;
+ IsDefaultPolicy = $True;
+ MaxAttachmentSize = "Unlimited";
+ MaxCalendarAgeFilter = "All";
+ MaxDevicePasswordFailedAttempts = "Unlimited";
+ MaxEmailAgeFilter = "All";
+ MaxEmailBodyTruncationSize = "Unlimited";
+ MaxEmailHTMLBodyTruncationSize = "Unlimited";
+ MaxInactivityTimeDeviceLock = "Unlimited";
+ MinDevicePasswordComplexCharacters = 1;
+ MinDevicePasswordLength = 1;
+ Name = "Test";
+ PasswordRecoveryEnabled = $False;
+ RequireDeviceEncryption = $False;
+ RequireEncryptedSMIMEMessages = $False;
+ RequireEncryptionSMIMEAlgorithm = "TripleDES";
+ RequireManualSyncWhenRoaming = $False;
+ RequireSignedSMIMEAlgorithm = "SHA1";
+ RequireSignedSMIMEMessages = $False;
+ RequireStorageCardEncryption = $False;
+ UnapprovedInROMApplicationList = @();
+ UNCAccessEnabled = $True;
+ WSSAccessEnabled = $True;
+ Ensure = "Present"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy'
+ {
+ AllowApplePushNotifications = $True;
+ AllowBluetooth = "Allow";
+ AllowBrowser = $True;
+ AllowCamera = $False; #drift
+ AllowConsumerEmail = $True;
+ AllowDesktopSync = $True;
+ AllowExternalDeviceManagement = $False;
+ AllowHTMLEmail = $True;
+ AllowInternetSharing = $True;
+ AllowIrDA = $True;
+ AllowMobileOTAUpdate = $True;
+ AllowNonProvisionableDevices = $True;
+ AllowPOPIMAPEmail = $True;
+ AllowRemoteDesktop = $True;
+ AllowSimpleDevicePassword = $True;
+ AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation";
+ AllowSMIMESoftCerts = $True;
+ AllowStorageCard = $True;
+ AllowTextMessaging = $True;
+ AllowUnsignedApplications = $True;
+ AllowUnsignedInstallationPackages = $True;
+ AllowWiFi = $True;
+ AlphanumericDevicePasswordRequired = $False;
+ ApprovedApplicationList = @();
+ AttachmentsEnabled = $True;
+ DeviceEncryptionEnabled = $False;
+ DevicePasswordEnabled = $False;
+ DevicePasswordExpiration = "Unlimited";
+ DevicePasswordHistory = 0;
+ DevicePolicyRefreshInterval = "Unlimited";
+ Identity = "Test";
+ IrmEnabled = $True;
+ IsDefault = $True;
+ IsDefaultPolicy = $True;
+ MaxAttachmentSize = "Unlimited";
+ MaxCalendarAgeFilter = "All";
+ MaxDevicePasswordFailedAttempts = "Unlimited";
+ MaxEmailAgeFilter = "All";
+ MaxEmailBodyTruncationSize = "Unlimited";
+ MaxEmailHTMLBodyTruncationSize = "Unlimited";
+ MaxInactivityTimeDeviceLock = "Unlimited";
+ MinDevicePasswordComplexCharacters = 1;
+ MinDevicePasswordLength = 1;
+ Name = "Test";
+ PasswordRecoveryEnabled = $False;
+ RequireDeviceEncryption = $False;
+ RequireEncryptedSMIMEMessages = $False;
+ RequireEncryptionSMIMEAlgorithm = "TripleDES";
+ RequireManualSyncWhenRoaming = $False;
+ RequireSignedSMIMEAlgorithm = "SHA1";
+ RequireSignedSMIMEMessages = $False;
+ RequireStorageCardEncryption = $False;
+ UnapprovedInROMApplicationList = @();
+ UNCAccessEnabled = $True;
+ WSSAccessEnabled = $True;
+ Ensure = "Present"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy'
+ {
+ AllowApplePushNotifications = $True;
+ AllowBluetooth = "Allow";
+ AllowBrowser = $True;
+ AllowCamera = $True;
+ AllowConsumerEmail = $True;
+ AllowDesktopSync = $True;
+ AllowExternalDeviceManagement = $False;
+ AllowHTMLEmail = $True;
+ AllowInternetSharing = $True;
+ AllowIrDA = $True;
+ AllowMobileOTAUpdate = $True;
+ AllowNonProvisionableDevices = $True;
+ AllowPOPIMAPEmail = $True;
+ AllowRemoteDesktop = $True;
+ AllowSimpleDevicePassword = $True;
+ AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation";
+ AllowSMIMESoftCerts = $True;
+ AllowStorageCard = $True;
+ AllowTextMessaging = $True;
+ AllowUnsignedApplications = $True;
+ AllowUnsignedInstallationPackages = $True;
+ AllowWiFi = $True;
+ AlphanumericDevicePasswordRequired = $False;
+ ApprovedApplicationList = @();
+ AttachmentsEnabled = $True;
+ DeviceEncryptionEnabled = $False;
+ DevicePasswordEnabled = $False;
+ DevicePasswordExpiration = "Unlimited";
+ DevicePasswordHistory = 0;
+ DevicePolicyRefreshInterval = "Unlimited";
+ Identity = "Test";
+ IrmEnabled = $True;
+ IsDefault = $True;
+ IsDefaultPolicy = $True;
+ MaxAttachmentSize = "Unlimited";
+ MaxCalendarAgeFilter = "All";
+ MaxDevicePasswordFailedAttempts = "Unlimited";
+ MaxEmailAgeFilter = "All";
+ MaxEmailBodyTruncationSize = "Unlimited";
+ MaxEmailHTMLBodyTruncationSize = "Unlimited";
+ MaxInactivityTimeDeviceLock = "Unlimited";
+ MinDevicePasswordComplexCharacters = 1;
+ MinDevicePasswordLength = 1;
+ Name = "Test";
+ PasswordRecoveryEnabled = $False;
+ RequireDeviceEncryption = $False;
+ RequireEncryptedSMIMEMessages = $False;
+ RequireEncryptionSMIMEAlgorithm = "TripleDES";
+ RequireManualSyncWhenRoaming = $False;
+ RequireSignedSMIMEAlgorithm = "SHA1";
+ RequireSignedSMIMEMessages = $False;
+ RequireStorageCardEncryption = $False;
+ UnapprovedInROMApplicationList = @();
+ UNCAccessEnabled = $True;
+ WSSAccessEnabled = $True;
+ Ensure = "Absent"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md
index 1287d250e4..3e94814c76 100644
--- a/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md
+++ b/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md
@@ -37,7 +37,7 @@
 | Parameter | Attribute | DataType | Description | Allowed Values |
 | --- | --- | --- | --- | --- |
-| **Action** | Write | String | The action to use for adding / removing members. | `add_update`, `remove_update`, `add_replace` |
+| **Action** | Write | String | The action to use for adding / removing members. Note: add_replace is superseded by add_restrict | `add_update`, `remove_update`, `add_replace`, `add_restrict` |
 | **LocalGroups** | Write | StringArray[] | The local groups to add / remove the members to / from. List of the following values: `administrators`, `users`, `guests`, `powerusers`, `remotedesktopusers`, `remotemanagementusers` | |
 | **Members** | Write | StringArray[] | The members to add / remove to / from the group. For AzureAD Users, use the format `AzureAD\`. For groups, use the security identifier (SID). | |
 | **UserSelectionType** | Write | String | The type of the selection. Either users / groups from AzureAD, or by manual identifier. | `users`, `manual` |