From e26d26599588c84b73f2c4c8d01aac5954936c12 Mon Sep 17 00:00:00 2001
From: "Kartikeya Saxena (from Dev Box)"
Date: Mon, 9 Sep 2024 18:38:27 +0530
Subject: [PATCH 01/23] AI generated commit
---
.../MSFT_ActiveSyncMailboxPolicy.psm1 | 1328 +++++++++++++++++
.../MSFT_ActiveSyncMailboxPolicy.schema.mof | 92 ++
.../MSFT_ActiveSyncMailboxPolicy/readme.md | 7 +
3 files changed, 1427 insertions(+)
create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.psm1
create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.schema.mof
create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/readme.md
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.psm1
new file mode 100644
index 0000000000..da9ae6f95f
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.psm1
@@ -0,0 +1,1328 @@ +#NewFile +```powershell +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + [ValidateSet("Disable", "HandsfreeOnly", "Allow")] + $AllowBluetooth, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $AllowCamera, + + [Parameter()] + [System.Boolean] + $AllowConsumerEmail, + + [Parameter()] + [System.Boolean] + $AllowDesktopSync, + + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, + + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, + + [Parameter()] + [System.Boolean] + $AllowInternetSharing, + + [Parameter()] + [System.Boolean] + $AllowIrDA, + + [Parameter()] + [System.Boolean] + $AllowMobileOTAUpdate, + + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, + + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, + + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, + + [Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, + + [Parameter()] + [System.Object] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, + + [Parameter()] + [System.Boolean] + $AllowStorageCard, + + [Parameter()] + [System.Boolean] + $AllowTextMessaging, + + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, + + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, + + [Parameter()] + [System.Boolean] + $AllowWiFi, + + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, + + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, + + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, + + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, + + [Parameter()] + [System.Object] + $DevicePasswordExpiration, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.Object] + 
$DevicePolicyRefreshInterval, + + [Parameter()] + [System.Boolean] + $IrmEnabled, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Object] + $MaxAttachmentSize, + + [Parameter()] + [System.String] + [ValidateSet("All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.Object] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.String] + [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxEmailAgeFilter, + + [Parameter()] + [System.Object] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.Object] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.Object] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Int32] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.Object] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.Object] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter(Mandatory = $true)] + [System.Object] + $Identity, + + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + + [Parameter()] + [System.Object] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Object] + $ApprovedApplicationList, + + [Parameter()] + [System.Object] + $DevicePasswordExpiration, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + 
[System.Object] + $DevicePolicyRefreshInterval, + + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, + + [Parameter()] + [System.Object] + $MaxAttachmentSize, + + [Parameter()] + [System.String] + [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth")] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.Object] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.String] + [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth")] + $MaxEmailAgeFilter, + + [Parameter()] + [System.Object] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.Object] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.Object] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Int32] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.Object] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.Object] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.String[]] + $UnapprovedInROMApplicationList, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 
'ExchangeOnline' ` + -InboundParameters $PSBoundParameters | Out-Null + + Confirm-M365DSCDependencies + + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name} + } + else + { + $instance = Get-ActiveSyncMailboxPolicy -Name $Name -ErrorAction Stop + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Ensure = 'Present' + Name = [System.String]$instance.Name + AllowBluetooth = [System.String]$instance.AllowBluetooth + AllowBrowser = [System.Boolean]$instance.AllowBrowser + AllowCamera = [System.Boolean]$instance.AllowCamera + AllowConsumerEmail = [System.Boolean]$instance.AllowConsumerEmail + AllowDesktopSync = [System.Boolean]$instance.AllowDesktopSync + AllowExternalDeviceManagement = [System.Boolean]$instance.AllowExternalDeviceManagement + AllowHTMLEmail = [System.Boolean]$instance.AllowHTMLEmail + AllowInternetSharing = [System.Boolean]$instance.AllowInternetSharing + AllowIrDA = [System.Boolean]$instance.AllowIrDA + AllowMobileOTAUpdate = [System.Boolean]$instance.AllowMobileOTAUpdate + AllowNonProvisionableDevices = [System.Boolean]$instance.AllowNonProvisionableDevices + AllowPOPIMAPEmail = [System.Boolean]$instance.AllowPOPIMAPEmail + AllowRemoteDesktop = [System.Boolean]$instance.AllowRemoteDesktop + AllowSimpleDevicePassword = [System.Boolean]$instance.AllowSimpleDevicePassword + AllowSMIMEEncryptionAlgorithmNegotiation = $instance.AllowSMIMEEncryptionAlgorithmNegotiation + AllowSMIMESoftCerts = [System.Boolean]$instance.AllowSMIMESoftCerts + AllowStorageCard = 
[System.Boolean]$instance.AllowStorageCard + AllowTextMessaging = [System.Boolean]$instance.AllowTextMessaging + AllowUnsignedApplications = [System.Boolean]$instance.AllowUnsignedApplications + AllowUnsignedInstallationPackages = [System.Boolean]$instance.AllowUnsignedInstallationPackages + AllowWiFi = [System.Boolean]$instance.AllowWiFi + AlphanumericDevicePasswordRequired = [System.Boolean]$instance.AlphanumericDevicePasswordRequired + AttachmentsEnabled = [System.Boolean]$instance.AttachmentsEnabled + DeviceEncryptionEnabled = [System.Boolean]$instance.DeviceEncryptionEnabled + DevicePasswordEnabled = [System.Boolean]$instance.DevicePasswordEnabled + DevicePasswordExpiration = $instance.DevicePasswordExpiration + DevicePasswordHistory = [System.Int32]$instance.DevicePasswordHistory + DevicePolicyRefreshInterval = $instance.DevicePolicyRefreshInterval + IrmEnabled = [System.Boolean]$instance.IrmEnabled + IsDefault = [System.Boolean]$instance.IsDefault + MaxAttachmentSize = $instance.MaxAttachmentSize + MaxCalendarAgeFilter = [System.String]$instance.MaxCalendarAgeFilter + MaxDevicePasswordFailedAttempts = $instance.MaxDevicePasswordFailedAttempts + MaxEmailAgeFilter = [System.String]$instance.MaxEmailAgeFilter + MaxEmailBodyTruncationSize = $instance.MaxEmailBodyTruncationSize + MaxEmailHTMLBodyTruncationSize = $instance.MaxEmailHTMLBodyTruncationSize + MaxInactivityTimeDeviceLock = $instance.MaxInactivityTimeDeviceLock + MinDevicePasswordComplexCharacters = [System.Int32]$instance.MinDevicePasswordComplexCharacters + MinDevicePasswordLength = [System.Int32]$instance.MinDevicePasswordLength + PasswordRecoveryEnabled = [System.Boolean]$instance.PasswordRecoveryEnabled + RequireDeviceEncryption = [System.Boolean]$instance.RequireDeviceEncryption + RequireEncryptedSMIMEMessages = [System.Boolean]$instance.RequireEncryptedSMIMEMessages + RequireEncryptionSMIMEAlgorithm = $instance.RequireEncryptionSMIMEAlgorithm + RequireManualSyncWhenRoaming = 
[System.Boolean]$instance.RequireManualSyncWhenRoaming + RequireSignedSMIMEAlgorithm = $instance.RequireSignedSMIMEAlgorithm + RequireSignedSMIMEMessages = [System.Boolean]$instance.RequireSignedSMIMEMessages + RequireStorageCardEncryption = [System.Boolean]$instance.RequireStorageCardEncryption + UNCAccessEnabled = [System.Boolean]$instance.UNCAccessEnabled + WSSAccessEnabled = [System.Boolean]$instance.WSSAccessEnabled + Identity = $instance.Identity + AllowApplePushNotifications = [System.Boolean]$instance.AllowApplePushNotifications + AllowSMIMEEncryptionAlgorithmNegotiation = $instance.AllowSMIMEEncryptionAlgorithmNegotiation + ApprovedApplicationList = $instance.ApprovedApplicationList + DevicePasswordExpiration = $instance.DevicePasswordExpiration + DevicePasswordHistory = [System.Int32]$instance.DevicePasswordHistory + DevicePolicyRefreshInterval = $instance.DevicePolicyRefreshInterval + IsDefaultPolicy = [System.Boolean]$instance.IsDefaultPolicy + MaxAttachmentSize = $instance.MaxAttachmentSize + MaxCalendarAgeFilter = [System.String]$instance.MaxCalendarAgeFilter + MaxDevicePasswordFailedAttempts = $instance.MaxDevicePasswordFailedAttempts + MaxEmailAgeFilter = [System.String]$instance.MaxEmailAgeFilter + MaxEmailBodyTruncationSize = $instance.MaxEmailBodyTruncationSize + MaxEmailHTMLBodyTruncationSize = $instance.MaxEmailHTMLBodyTruncationSize + MaxInactivityTimeDeviceLock = $instance.MaxInactivityTimeDeviceLock + MinDevicePasswordComplexCharacters = [System.Int32]$instance.MinDevicePasswordComplexCharacters + MinDevicePasswordLength = [System.Int32]$instance.MinDevicePasswordLength + PasswordRecoveryEnabled = [System.Boolean]$instance.PasswordRecoveryEnabled + RequireDeviceEncryption = [System.Boolean]$instance.RequireDeviceEncryption + RequireEncryptedSMIMEMessages = [System.Boolean]$instance.RequireEncryptedSMIMEMessages + RequireEncryptionSMIMEAlgorithm = $instance.RequireEncryptionSMIMEAlgorithm + RequireManualSyncWhenRoaming = 
[System.Boolean]$instance.RequireManualSyncWhenRoaming + RequireSignedSMIMEAlgorithm = $instance.RequireSignedSMIMEAlgorithm + RequireSignedSMIMEMessages = [System.Boolean]$instance.RequireSignedSMIMEMessages + RequireStorageCardEncryption = [System.Boolean]$instance.RequireStorageCardEncryption + UnapprovedInROMApplicationList = [System.String[]]$instance.UnapprovedInROMApplicationList + UNCAccessEnabled = [System.Boolean]$instance.UNCAccessEnabled + WSSAccessEnabled = [System.Boolean]$instance.WSSAccessEnabled + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} +``` +``` +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + ##PrimaryKey + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + ##Parameters + [Parameter()] + [System.String] + [ValidateSet("Disable", "HandsfreeOnly", "Allow")] + $AllowBluetooth, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $AllowCamera, + + [Parameter()] + [System.Boolean] + $AllowConsumerEmail, + + [Parameter()] + [System.Boolean] + $AllowDesktopSync, + + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, + + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, + + [Parameter()] + [System.Boolean] + $AllowInternetSharing, + + [Parameter()] + [System.Boolean] + $AllowIrDA, + + [Parameter()] + [System.Boolean] + $AllowMobileOTAUpdate, + + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, + + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, + + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, + + 
[Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, + + [Parameter()] + [System.Object] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, + + [Parameter()] + [System.Boolean] + $AllowStorageCard, + + [Parameter()] + [System.Boolean] + $AllowTextMessaging, + + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, + + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, + + [Parameter()] + [System.Boolean] + $AllowWiFi, + + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, + + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, + + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, + + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, + + [Parameter()] + [System.Object] + $DevicePasswordExpiration, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.Object] + $DevicePolicyRefreshInterval, + + [Parameter()] + [System.Boolean] + $IrmEnabled, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Object] + $MaxAttachmentSize, + + [Parameter()] + [System.String] + [ValidateSet("All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.Object] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.String] + [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxEmailAgeFilter, + + [Parameter()] + [System.Object] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.Object] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.Object] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Int32] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + 
[Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.Object] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.Object] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter(Mandatory=$true)] + [System.Object] + $Identity, + + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + + [Parameter()] + [System.Object] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Object] + $ApprovedApplicationList, + + [Parameter()] + [System.Object] + $DevicePasswordExpiration, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.Object] + $DevicePolicyRefreshInterval, + + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, + + [Parameter()] + [System.Object] + $MaxAttachmentSize, + + [Parameter()] + [System.String] + [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth")] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.Object] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.String] + [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth")] + $MaxEmailAgeFilter, + + [Parameter()] + [System.Object] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.Object] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.Object] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Int32] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + 
$RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.Object] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.Object] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.String[]] + $UnapprovedInROMApplicationList, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + New-ActiveSyncMailboxPolicy @SetParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Set-ActiveSyncMailboxPolicy @SetParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Remove-ActiveSyncMailboxPolicy -Identity $Name + } +} +``` + +``` +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + [ValidateSet("Disable", "HandsfreeOnly", "Allow")] + $AllowBluetooth, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $AllowCamera, + + [Parameter()] + 
[System.Boolean] + $AllowConsumerEmail, + + [Parameter()] + [System.Boolean] + $AllowDesktopSync, + + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, + + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, + + [Parameter()] + [System.Boolean] + $AllowInternetSharing, + + [Parameter()] + [System.Boolean] + $AllowIrDA, + + [Parameter()] + [System.Boolean] + $AllowMobileOTAUpdate, + + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, + + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, + + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, + + [Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, + + [Parameter()] + [System.Object] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, + + [Parameter()] + [System.Boolean] + $AllowStorageCard, + + [Parameter()] + [System.Boolean] + $AllowTextMessaging, + + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, + + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, + + [Parameter()] + [System.Boolean] + $AllowWiFi, + + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, + + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, + + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, + + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, + + [Parameter()] + [System.Object] + $DevicePasswordExpiration, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.Object] + $DevicePolicyRefreshInterval, + + [Parameter()] + [System.Boolean] + $IrmEnabled, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Object] + $MaxAttachmentSize, + + [Parameter()] + [System.String] + [ValidateSet("All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.Object] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.String] + [ValidateSet("All", 
"OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxEmailAgeFilter, + + [Parameter()] + [System.Object] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.Object] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.Object] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Int32] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.Object] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.Object] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter(Mandatory=$true)] + [System.Object] + $Identity, + + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + + [Parameter()] + [System.Object] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Object] + $ApprovedApplicationList, + + [Parameter()] + [System.Object] + $DevicePasswordExpiration, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.Object] + $DevicePolicyRefreshInterval, + + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, + + [Parameter()] + [System.Object] + $MaxAttachmentSize, + + [Parameter()] + [System.String] + [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth")] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.Object] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.String] + [ValidateSet("All", "OneDay", "ThreeDays", 
"OneWeek", "TwoWeeks", "OneMonth")] + $MaxEmailAgeFilter, + + [Parameter()] + [System.Object] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.Object] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.Object] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Int32] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.Object] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.Object] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.String[]] + $UnapprovedInROMApplicationList, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} +``` +```powershell +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters + + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + 
#endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-ActiveSyncMailboxPolicy -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + $displayedKey = $config.Name + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Name = $config.Name + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} +``` +In the updated script, the 'Workload' value in New-M365DSCConnection cmdlet has been replaced with 'ExchangeOnline'. The Get-cmdlet has been updated with the corresponding Get cmdlet from the cmdlets list of the resource template, which is 'Get-ActiveSyncMailboxPolicy'. The PrimaryKey has been selected as 'Name' from the argument list provided in the resource template. The $primaryKey has been updated with the actual primaryKey 'Name'. 
All the TODO comments have been removed as per the instructions.
\ No newline at end of file
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.schema.mof
new file mode 100644
index 0000000000..b71bb461c0
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.schema.mof
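Review bot: Set-TargetResource branches on `$Ensure`, but none of the three param blocks declares an `Ensure` parameter, so as far as the visible code shows `$Ensure` is always `$null` there and none of New-, Set- or Remove-ActiveSyncMailboxPolicy is ever reached; the device-password and encryption settings this resource is meant to enforce would never be applied or corrected. Set-TargetResource also omits the authentication parameters (`$Credential`, `$ApplicationId`, `$TenantId`, `$CertificateThumbprint`, `$ManagedIdentity`, `$AccessTokens`) that Get- and Test-TargetResource declare, so its `Get-TargetResource @PSBoundParameters` call carries nothing for the Exchange Online connection. Add `[Parameter()] [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present',` to all three functions and the authentication parameters to Set-TargetResource. Before any of that matters the file has to parse: several parameters are declared twice in each param block (for example `$DevicePasswordExpiration`, and `$MaxCalendarAgeFilter` with two different `ValidateSet` lists), the `$results` hashtable literal repeats the same keys, and the added lines still carry `#NewFile`, Markdown code fences around each function and a closing prose paragraph; the .schema.mof hunk that follows opens with a fence as well.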
@@ -0,0 +1,92 @@ +``` +[ClassVersion("1.0.0.0"), FriendlyName("EXOActiveSyncMailboxPolicy")] +class MSFT_EXOActiveSyncMailboxPolicy : OMI_BaseResource +{ + [Key, Description("Specifies the name of the policy.")] String Name; + [Write, Description("Specifies whether the Bluetooth capabilities of the mobile phone are allowed."), ValueMap{"Disable", "HandsfreeOnly", "Allow"}, Values{"Disable", "HandsfreeOnly", "Allow"}] String AllowBluetooth; + [Write, Description("Specifies whether Microsoft Pocket Internet Explorer is allowed on the mobile phone.")] Boolean AllowBrowser; + [Write, Description("Specifies whether the mobile phone's camera is allowed.")] Boolean AllowCamera; + [Write, Description("Specifies whether the mobile phone user can configure a personal email account on the device.")] Boolean AllowConsumerEmail; + [Write, Description("Specifies whether the mobile phone can synchronize with a desktop computer through a cable.")] Boolean AllowDesktopSync; + [Write, Description("Specifies whether an external device management program is allowed to manage the device.")] Boolean AllowExternalDeviceManagement; + [Write, Description("Specifies whether HTML email is enabled on the device.")] Boolean AllowHTMLEmail; + [Write, Description("Specifies whether the mobile phone can be used as a modem to connect a computer to the Internet.")] Boolean AllowInternetSharing; + [Write, Description("Specifies whether infrared connections are allowed to the mobile phone.")] Boolean AllowIrDA; + [Write, Description("Specifies whether certain updates are seen by devices that implemented support for this restricting functionality.")] Boolean AllowMobileOTAUpdate; + [Write, Description("Enables all devices to synchronize with the computer running Exchange, regardless of whether the device can enforce all the specific settings established in the Mobile Device mailbox policy.")] Boolean AllowNonProvisionableDevices; + [Write, Description("Specifies whether the user can configure a POP3 
or IMAP4 email account on the device.")] Boolean AllowPOPIMAPEmail; + [Write, Description("Specifies whether the mobile phone can initiate a remote desktop connection.")] Boolean AllowRemoteDesktop; + [Write, Description("Specifies whether a simple device password is allowed.")] Boolean AllowSimpleDevicePassword; + [Write, Description("Specifies whether the messaging application on the device can negotiate the encryption algorithm in case a recipient's certificate doesn't support the specified encryption algorithm.")] String AllowSMIMEEncryptionAlgorithmNegotiation; + [Write, Description("Specifies whether S/MIME software certificates are allowed.")] Boolean AllowSMIMESoftCerts; + [Write, Description("Specifies whether the device can access information stored on a storage card.")] Boolean AllowStorageCard; + [Write, Description("Specifies whether text messaging is allowed from the device.")] Boolean AllowTextMessaging; + [Write, Description("Specifies whether unsigned applications can be installed on the device.")] Boolean AllowUnsignedApplications; + [Write, Description("Specifies whether unsigned installation packages can be run on the device.")] Boolean AllowUnsignedInstallationPackages; + [Write, Description("Specifies whether wireless Internet access is allowed on the device.")] Boolean AllowWiFi; + [Write, Description("Specifies whether the device password must be alphanumeric.")] Boolean AlphanumericDevicePasswordRequired; + [Write, Description("Specifies whether the user can download attachments.")] Boolean AttachmentsEnabled; + [Write, Description("Enables device encryption on the mobile phone.")] Boolean DeviceEncryptionEnabled; + [Write, Description("Specifies that the user set a password for the device.")] Boolean DevicePasswordEnabled; + [Write, Description("Specifies the length of time, in days, that a password can be used.")] String DevicePasswordExpiration; + [Write, Description("Specifies the number of previously used passwords to store.")] Sint32 
DevicePasswordHistory; + [Write, Description("Specifies how often the policy is sent from the server to the mobile phone")] String DevicePolicyRefreshInterval; + [Write, Description("Specifies whether Information Rights Management (IRM) is enabled for the mailbox policy.")] Boolean IrmEnabled; + [Write, Description("Specifies whether this policy is the default Mobile Device mailbox policy.")] Boolean IsDefault; + [Write, Description("Specifies the maximum size of attachments that can be downloaded to the mobile phone.")] String MaxAttachmentSize; + [Write, Description("Specifies the maximum range of calendar days that can be synchronized to the device."), ValueMap{"All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}, Values{"All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}] String MaxCalendarAgeFilter; + [Write, Description("Specifies the number of attempts a user can make to enter the correct password for the device.")] String MaxDevicePasswordFailedAttempts; + [Write, Description("Specifies the maximum number of days of email items to synchronize to the device."), ValueMap{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}, Values{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}] String MaxEmailAgeFilter; + [Write, Description("Specifies the maximum size at which email messages are truncated when synchronized to the mobile phone.")] String MaxEmailBodyTruncationSize; + [Write, Description("Specifies the maximum size at which HTML-formatted email messages are synchronized to the mobile phone.")] String MaxEmailHTMLBodyTruncationSize; + [Write, Description("Specifies the length of time that the device can be inactive before the password is required to reactivate the device.")] String MaxInactivityTimeDeviceLock; + [Write, Description("Specifies the minimum number of complex characters required in a device password.")] Sint32 MinDevicePasswordComplexCharacters; + 
[Write, Description("Specifies the minimum number of characters in the device password.")] Sint32 MinDevicePasswordLength; + [Write, Description("Specifies whether you can store the recovery password for the device on an Exchange server.")] Boolean PasswordRecoveryEnabled; + [Write, Description("Specifies whether encryption is required on the device.")] Boolean RequireDeviceEncryption; + [Write, Description("Specifies whether you must encrypt S/MIME messages.")] Boolean RequireEncryptedSMIMEMessages; + [Write, Description("Specifies what required algorithm must be used when encrypting a message.")] String RequireEncryptionSMIMEAlgorithm; + [Write, Description("Specifies whether the device must synchronize manually while roaming.")] Boolean RequireManualSyncWhenRoaming; + [Write, Description("Specifies what required algorithm must be used when signing a message.")] String RequireSignedSMIMEAlgorithm; + [Write, Description("Specifies whether the device must send signed S/MIME messages.")] Boolean RequireSignedSMIMEMessages; + [Write, Description("Specifies whether encryption of a storage card is required.")] Boolean RequireStorageCardEncryption; + [Write, Description("Specifies whether access to Microsoft Windows file shares is enabled.")] Boolean UNCAccessEnabled; + [Write, Description("Specifies whether access to Microsoft Windows SharePoint Services is enabled.")] Boolean WSSAccessEnabled; + [Key, Description("Specifies the Mobile Device mailbox policy.")] String Identity; + [Write, Description("Specifies whether push notifications are allowed to Apple mobile devices.")] Boolean AllowApplePushNotifications; + [Write, Description("Specifies whether the messaging application on the mobile phone can negotiate the encryption algorithm if a recipient's certificate doesn't support the specified encryption algorithm.")] String AllowSMIMEEncryptionAlgorithmNegotiation; + [Write, Description("Specifies a list of approved applications for the mobile phone.")] String 
ApprovedApplicationList; + [Write, Description("Specifies the length of time, in days, that a password can be used.")] String DevicePasswordExpiration; + [Write, Description("Specifies the number of previously used passwords to store.")] Sint32 DevicePasswordHistory; + [Write, Description("Specifies how often the policy is sent from the server to the mobile phone.")] String DevicePolicyRefreshInterval; + [Write, Description("Specifies whether this policy is the default Mobile Device mailbox policy.")] Boolean IsDefaultPolicy; + [Write, Description("Specifies the maximum size of attachments that can be downloaded to the mobile phone.")] String MaxAttachmentSize; + [Write, Description("Specifies the maximum range of calendar days that can be synchronized to the device."), ValueMap{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth"}, Values{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth"}] String MaxCalendarAgeFilter; + [Write, Description("Specifies the number of attempts a user can make to enter the correct password for the mobile phone.")] String MaxDevicePasswordFailedAttempts; + [Write, Description("Specifies the maximum number of days of email items to synchronize to the mobile phone."), ValueMap{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth"}, Values{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth"}] String MaxEmailAgeFilter; + [Write, Description("Specifies the maximum size at which email messages are truncated when synchronized to the mobile phone.")] String MaxEmailBodyTruncationSize; + [Write, Description("Specifies the maximum size at which HTML-formatted email messages are synchronized to the mobile phone.")] String MaxEmailHTMLBodyTruncationSize; + [Write, Description("Specifies the length of time that the mobile phone can be inactive before the password is required to reactivate it.")] String MaxInactivityTimeDeviceLock; + [Write, Description("Specifies the minimum number of complex characters 
required in a mobile phone password.")] Sint32 MinDevicePasswordComplexCharacters; + [Write, Description("Specifies the minimum number of characters in the device password.")] Sint32 MinDevicePasswordLength; + [Write, Description("Specifies whether the recovery password for the mobile phone is stored on an Exchange server.")] Boolean PasswordRecoveryEnabled; + [Write, Description("Specifies whether encryption is required on the device.")] Boolean RequireDeviceEncryption; + [Write, Description("Specifies whether you must encrypt S/MIME messages.")] Boolean RequireEncryptedSMIMEMessages; + [Write, Description("Specifies what required algorithm must be used when encrypting a message.")] String RequireEncryptionSMIMEAlgorithm; + [Write, Description("Specifies whether the mobile phone must synchronize manually while roaming.")] Boolean RequireManualSyncWhenRoaming; + [Write, Description("Specifies what required algorithm must be used when signing a message.")] String RequireSignedSMIMEAlgorithm; + [Write, Description("Specifies whether the mobile phone must send signed S/MIME messages.")] Boolean RequireSignedSMIMEMessages; + [Write, Description("Specifies whether storage card encryption is enabled for the mailbox policy.")] Boolean RequireStorageCardEncryption; + [Write, Description("Contains a list of applications that can't be run in ROM.")] String UnapprovedInROMApplicationList; + [Write, Description("Specifies whether access to Microsoft Windows file shares is enabled.")] Boolean UNCAccessEnabled; + [Write, Description("Specifies whether access to Microsoft Windows SharePoint Services is enabled.")] Boolean WSSAccessEnabled; + + # Don't touch the fields below + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for 
authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; +``` \ No newline at end of file diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/readme.md new file mode 100644 index 0000000000..c02c6d1d5c --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/readme.md @@ -0,0 +1,7 @@ +``` +# EXOActiveSyncMailboxPolicy + +## Description + +This resource is used to manage a Microsoft Mobile Device mailbox policy object. +``` \ No newline at end of file From 38509acb764f05fe6e87839581109ac7a0c05083 Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Tue, 8 Oct 2024 00:03:03 +0530 Subject: [PATCH 02/23] Fixes to the AI generated content --- .../MSFT_ActiveSyncMailboxPolicy/readme.md | 7 - .../MSFT_EXOActiveSyncMailboxPolicy.psm1} | 812 ++++++------------ ...SFT_EXOActiveSyncMailboxPolicy.schema.mof} | 42 +- .../MSFT_EXOActiveSyncMailboxPolicy/readme.md | 5 + 4 files changed, 281 insertions(+), 585 deletions(-) delete mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/readme.md rename Modules/Microsoft365DSC/DSCResources/{MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.psm1 => MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.psm1} (63%) rename Modules/Microsoft365DSC/DSCResources/{MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.schema.mof => MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.schema.mof} (65%) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/readme.md 
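Review bot: The class body declares many properties twice, among them `AllowSMIMEEncryptionAlgorithmNegotiation`, `DevicePasswordExpiration`, `DevicePasswordHistory`, `MinDevicePasswordLength` and `RequireDeviceEncryption`. The two declarations of `MaxCalendarAgeFilter` and of `MaxEmailAgeFilter` carry different `ValueMap` sets, so the schema does not say which values are valid and is unlikely to compile. Keep one declaration per property and decide which value set is intended. The added content also opens and closes with Markdown code-fence lines and contains `# Don't touch the fields below`, which is not MOF comment syntax; drop the fences and write the comment as `// Don't touch the fields below`. Both `Name` and `Identity` are marked `[Key]`, which is worth confirming against how the resource functions look the policy up.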
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/readme.md deleted file mode 100644 index c02c6d1d5c..0000000000 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/readme.md +++ /dev/null @@ -1,7 +0,0 @@ -``` -# EXOActiveSyncMailboxPolicy - -## Description - -This resource is used to manage a Microsoft Mobile Device mailbox policy object. -``` \ No newline at end of file diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.psm1 similarity index 63% rename from Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.psm1 rename to Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.psm1 index da9ae6f95f..70596c034d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.psm1 @@ -1,15 +1,16 @@ -#NewFile -```powershell -function Get-TargetResource +function Get-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( - [Parameter(Mandatory = $true)] [System.String] $Name, + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + [Parameter()] [System.String] [ValidateSet("Disable", "HandsfreeOnly", "Allow")] @@ -68,7 +69,7 @@ function Get-TargetResource $AllowSimpleDevicePassword, [Parameter()] - [System.Object] + [System.String] $AllowSMIMEEncryptionAlgorithmNegotiation, [Parameter()] 
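Review bot: After the `[Parameter(Mandatory = $true)]` line is removed in the `@@ -1,15 +1,16 @@` hunk, `$Name` is left with only `[System.String]` and no `[Parameter()]` attribute, unlike every other parameter in the block. The same happens to `$Name` in Set-TargetResource in the `@@ -477,331 +362,263 @@` hunk. Suggest adding `[Parameter()]` above `[System.String]` for `$Name` in both functions. If `Name` is still a `[Key]` in the schema (the schema changes of this patch are not visible here), it should be `[Parameter(Mandatory = $true)]` instead. The param block continues outside this hunk.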
@@ -99,6 +100,10 @@ function Get-TargetResource [System.Boolean] $AlphanumericDevicePasswordRequired, + [Parameter()] + [System.String[]] + $ApprovedApplicationList, + [Parameter()] [System.Boolean] $AttachmentsEnabled, @@ -112,7 +117,7 @@ function Get-TargetResource $DevicePasswordEnabled, [Parameter()] - [System.Object] + [System.String] $DevicePasswordExpiration, [Parameter()] @@ -120,7 +125,7 @@ function Get-TargetResource $DevicePasswordHistory, [Parameter()] - [System.Object] + [System.String] $DevicePolicyRefreshInterval, [Parameter()] 
@@ -131,144 +136,38 @@ function Get-TargetResource [System.Boolean] $IsDefault, - [Parameter()] - [System.Object] - $MaxAttachmentSize, - - [Parameter()] - [System.String] - [ValidateSet("All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] - $MaxCalendarAgeFilter, - - [Parameter()] - [System.Object] - $MaxDevicePasswordFailedAttempts, - - [Parameter()] - [System.String] - [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] - $MaxEmailAgeFilter, - - [Parameter()] - [System.Object] - $MaxEmailBodyTruncationSize, - - [Parameter()] - [System.Object] - $MaxEmailHTMLBodyTruncationSize, - - [Parameter()] - [System.Object] - $MaxInactivityTimeDeviceLock, - - [Parameter()] - [System.Int32] - $MinDevicePasswordComplexCharacters, - - [Parameter()] - [System.Int32] - $MinDevicePasswordLength, - - [Parameter()] - [System.Boolean] - $PasswordRecoveryEnabled, - - [Parameter()] - [System.Boolean] - $RequireDeviceEncryption, - - [Parameter()] - [System.Boolean] - $RequireEncryptedSMIMEMessages, - - [Parameter()] - [System.Object] - $RequireEncryptionSMIMEAlgorithm, - - [Parameter()] - [System.Boolean] - $RequireManualSyncWhenRoaming, - - [Parameter()] - [System.Object] - $RequireSignedSMIMEAlgorithm, - - [Parameter()] - [System.Boolean] - $RequireSignedSMIMEMessages, - - [Parameter()] - [System.Boolean] - $RequireStorageCardEncryption, - - [Parameter()] - [System.Boolean] - $UNCAccessEnabled, - - [Parameter()] - [System.Boolean] - $WSSAccessEnabled, - - [Parameter(Mandatory = $true)] - [System.Object] - $Identity, - - [Parameter()] - [System.Boolean] - $AllowApplePushNotifications, - - [Parameter()] - [System.Object] - $AllowSMIMEEncryptionAlgorithmNegotiation, - - [Parameter()] - [System.Object] - $ApprovedApplicationList, - - [Parameter()] - [System.Object] - $DevicePasswordExpiration, - - [Parameter()] - [System.Int32] - $DevicePasswordHistory, - - [Parameter()] - [System.Object] - $DevicePolicyRefreshInterval, - 
[Parameter()] [System.Boolean] $IsDefaultPolicy, [Parameter()] - [System.Object] + [System.String] $MaxAttachmentSize, [Parameter()] [System.String] - [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth")] + [ValidateSet("All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] $MaxCalendarAgeFilter, [Parameter()] - [System.Object] + [System.String] $MaxDevicePasswordFailedAttempts, [Parameter()] [System.String] - [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth")] + [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] $MaxEmailAgeFilter, [Parameter()] - [System.Object] + [System.String] $MaxEmailBodyTruncationSize, [Parameter()] - [System.Object] + [System.String] $MaxEmailHTMLBodyTruncationSize, [Parameter()] - [System.Object] + [System.String] $MaxInactivityTimeDeviceLock, [Parameter()] @@ -292,7 +191,7 @@ function Get-TargetResource $RequireEncryptedSMIMEMessages, [Parameter()] - [System.Object] + [System.String] $RequireEncryptionSMIMEAlgorithm, [Parameter()] @@ -300,7 +199,7 @@ function Get-TargetResource $RequireManualSyncWhenRoaming, [Parameter()] - [System.Object] + [System.String] $RequireSignedSMIMEAlgorithm, [Parameter()] @@ -323,6 +222,15 @@ function Get-TargetResource [System.Boolean] $WSSAccessEnabled, + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + [Parameter()] [System.Management.Automation.PSCredential] $Credential, 
@@ -366,11 +274,11 @@ function Get-TargetResource { if ($null -ne $Script:exportedInstances -and $Script:ExportMode) { - $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name} + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Identity -eq $Identity} } else { - $instance = Get-ActiveSyncMailboxPolicy -Name $Name -ErrorAction Stop + $instance = Get-ActiveSyncMailboxPolicy -Identity $Identity -ErrorAction Stop } if ($null -eq $instance) { @@ -380,6 +288,7 @@ function Get-TargetResource $results = @{ Ensure = 'Present' Name = [System.String]$instance.Name + AllowApplePushNotifications = [System.Boolean]$instance.AllowApplePushNotifications AllowBluetooth = [System.String]$instance.AllowBluetooth AllowBrowser = [System.Boolean]$instance.AllowBrowser AllowCamera = [System.Boolean]$instance.AllowCamera @@ -394,7 +303,7 @@ function Get-TargetResource AllowPOPIMAPEmail = [System.Boolean]$instance.AllowPOPIMAPEmail AllowRemoteDesktop = [System.Boolean]$instance.AllowRemoteDesktop AllowSimpleDevicePassword = [System.Boolean]$instance.AllowSimpleDevicePassword - AllowSMIMEEncryptionAlgorithmNegotiation = $instance.AllowSMIMEEncryptionAlgorithmNegotiation + AllowSMIMEEncryptionAlgorithmNegotiation = [System.String]$instance.AllowSMIMEEncryptionAlgorithmNegotiation AllowSMIMESoftCerts = [System.Boolean]$instance.AllowSMIMESoftCerts AllowStorageCard = [System.Boolean]$instance.AllowStorageCard AllowTextMessaging = [System.Boolean]$instance.AllowTextMessaging 
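Review bot: The lookup in the `@@ -366,11 +274,11 @@` hunk now keys on `$Identity` in both branches, and the `@@ -323,6 +222,15 @@` hunk makes `$Identity` mandatory, but the Export loop shown earlier on this page (patch 01/23) builds `$params` with `Name = $config.Name` and no `Identity`. Unless Export-TargetResource is updated elsewhere in this patch, `Get-TargetResource @Params` would be called without a mandatory argument; the splat needs `Identity = $config.Identity`. Separately, with `-ErrorAction Stop` a failed `Get-ActiveSyncMailboxPolicy -Identity $Identity` raises an error instead of returning `$null`, so it is worth confirming that the catch block (outside this hunk) does not report an authentication or permission failure as an absent policy.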
@@ -402,61 +311,37 @@ function Get-TargetResource AllowUnsignedInstallationPackages = [System.Boolean]$instance.AllowUnsignedInstallationPackages AllowWiFi = [System.Boolean]$instance.AllowWiFi AlphanumericDevicePasswordRequired = [System.Boolean]$instance.AlphanumericDevicePasswordRequired + ApprovedApplicationList = [System.String[]]$instance.ApprovedApplicationList AttachmentsEnabled = [System.Boolean]$instance.AttachmentsEnabled DeviceEncryptionEnabled = [System.Boolean]$instance.DeviceEncryptionEnabled DevicePasswordEnabled = [System.Boolean]$instance.DevicePasswordEnabled - DevicePasswordExpiration = $instance.DevicePasswordExpiration + DevicePasswordExpiration = [System.String]$instance.DevicePasswordExpiration DevicePasswordHistory = [System.Int32]$instance.DevicePasswordHistory - DevicePolicyRefreshInterval = $instance.DevicePolicyRefreshInterval + DevicePolicyRefreshInterval = [System.String]$instance.DevicePolicyRefreshInterval IrmEnabled = [System.Boolean]$instance.IrmEnabled IsDefault = [System.Boolean]$instance.IsDefault - MaxAttachmentSize = $instance.MaxAttachmentSize - MaxCalendarAgeFilter = [System.String]$instance.MaxCalendarAgeFilter - MaxDevicePasswordFailedAttempts = $instance.MaxDevicePasswordFailedAttempts - MaxEmailAgeFilter = [System.String]$instance.MaxEmailAgeFilter - MaxEmailBodyTruncationSize = $instance.MaxEmailBodyTruncationSize - MaxEmailHTMLBodyTruncationSize = $instance.MaxEmailHTMLBodyTruncationSize - MaxInactivityTimeDeviceLock = $instance.MaxInactivityTimeDeviceLock - MinDevicePasswordComplexCharacters = [System.Int32]$instance.MinDevicePasswordComplexCharacters - MinDevicePasswordLength = [System.Int32]$instance.MinDevicePasswordLength - PasswordRecoveryEnabled = [System.Boolean]$instance.PasswordRecoveryEnabled - RequireDeviceEncryption = [System.Boolean]$instance.RequireDeviceEncryption - RequireEncryptedSMIMEMessages = [System.Boolean]$instance.RequireEncryptedSMIMEMessages - RequireEncryptionSMIMEAlgorithm = 
$instance.RequireEncryptionSMIMEAlgorithm - RequireManualSyncWhenRoaming = [System.Boolean]$instance.RequireManualSyncWhenRoaming - RequireSignedSMIMEAlgorithm = $instance.RequireSignedSMIMEAlgorithm - RequireSignedSMIMEMessages = [System.Boolean]$instance.RequireSignedSMIMEMessages - RequireStorageCardEncryption = [System.Boolean]$instance.RequireStorageCardEncryption - UNCAccessEnabled = [System.Boolean]$instance.UNCAccessEnabled - WSSAccessEnabled = [System.Boolean]$instance.WSSAccessEnabled - Identity = $instance.Identity - AllowApplePushNotifications = [System.Boolean]$instance.AllowApplePushNotifications - AllowSMIMEEncryptionAlgorithmNegotiation = $instance.AllowSMIMEEncryptionAlgorithmNegotiation - ApprovedApplicationList = $instance.ApprovedApplicationList - DevicePasswordExpiration = $instance.DevicePasswordExpiration - DevicePasswordHistory = [System.Int32]$instance.DevicePasswordHistory - DevicePolicyRefreshInterval = $instance.DevicePolicyRefreshInterval IsDefaultPolicy = [System.Boolean]$instance.IsDefaultPolicy - MaxAttachmentSize = $instance.MaxAttachmentSize + MaxAttachmentSize = [System.String]$instance.MaxAttachmentSize MaxCalendarAgeFilter = [System.String]$instance.MaxCalendarAgeFilter - MaxDevicePasswordFailedAttempts = $instance.MaxDevicePasswordFailedAttempts + MaxDevicePasswordFailedAttempts = [System.String]$instance.MaxDevicePasswordFailedAttempts MaxEmailAgeFilter = [System.String]$instance.MaxEmailAgeFilter - MaxEmailBodyTruncationSize = $instance.MaxEmailBodyTruncationSize - MaxEmailHTMLBodyTruncationSize = $instance.MaxEmailHTMLBodyTruncationSize - MaxInactivityTimeDeviceLock = $instance.MaxInactivityTimeDeviceLock + MaxEmailBodyTruncationSize = [System.String]$instance.MaxEmailBodyTruncationSize + MaxEmailHTMLBodyTruncationSize = [System.String]$instance.MaxEmailHTMLBodyTruncationSize + MaxInactivityTimeDeviceLock = [System.String]$instance.MaxInactivityTimeDeviceLock MinDevicePasswordComplexCharacters = 
[System.Int32]$instance.MinDevicePasswordComplexCharacters MinDevicePasswordLength = [System.Int32]$instance.MinDevicePasswordLength PasswordRecoveryEnabled = [System.Boolean]$instance.PasswordRecoveryEnabled RequireDeviceEncryption = [System.Boolean]$instance.RequireDeviceEncryption RequireEncryptedSMIMEMessages = [System.Boolean]$instance.RequireEncryptedSMIMEMessages - RequireEncryptionSMIMEAlgorithm = $instance.RequireEncryptionSMIMEAlgorithm + RequireEncryptionSMIMEAlgorithm = [System.String]$instance.RequireEncryptionSMIMEAlgorithm RequireManualSyncWhenRoaming = [System.Boolean]$instance.RequireManualSyncWhenRoaming - RequireSignedSMIMEAlgorithm = $instance.RequireSignedSMIMEAlgorithm + RequireSignedSMIMEAlgorithm = [System.String]$instance.RequireSignedSMIMEAlgorithm RequireSignedSMIMEMessages = [System.Boolean]$instance.RequireSignedSMIMEMessages RequireStorageCardEncryption = [System.Boolean]$instance.RequireStorageCardEncryption UnapprovedInROMApplicationList = [System.String[]]$instance.UnapprovedInROMApplicationList UNCAccessEnabled = [System.Boolean]$instance.UNCAccessEnabled WSSAccessEnabled = [System.Boolean]$instance.WSSAccessEnabled + Identity = [System.String]$Identity Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId 
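Review bot: The returned hashtable sets `Identity = [System.String]$Identity`, which echoes the caller's argument instead of the value read from Exchange, while every other setting in this hunk is taken from `$instance`. The reported state can therefore never differ from the requested one for that key, and an export records whatever string was passed in. Suggest `Identity = [System.String]$instance.Identity`. The hashtable continues past the end of this hunk.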
@@ -477,331 +362,263 @@ function Get-TargetResource return $nullResult } } -``` -``` + function Set-TargetResource { [CmdletBinding()] param ( - ##PrimaryKey - [Parameter(Mandatory = $true)] [System.String] $Name, - ##Parameters - [Parameter()] - [System.String] + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + + [Parameter()] + [System.String] [ValidateSet("Disable", "HandsfreeOnly", "Allow")] - $AllowBluetooth, + $AllowBluetooth, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $AllowCamera, - [Parameter()] - [System.Boolean] - $AllowBrowser, + [Parameter()] + [System.Boolean] + $AllowConsumerEmail, - [Parameter()] - [System.Boolean] - $AllowCamera, + [Parameter()] + [System.Boolean] + $AllowDesktopSync, - [Parameter()] - [System.Boolean] - $AllowConsumerEmail, + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, - [Parameter()] - [System.Boolean] - $AllowDesktopSync, + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, - [Parameter()] - [System.Boolean] - $AllowExternalDeviceManagement, + [Parameter()] + [System.Boolean] + $AllowInternetSharing, - [Parameter()] - [System.Boolean] - $AllowHTMLEmail, + [Parameter()] + [System.Boolean] + $AllowIrDA, - [Parameter()] - [System.Boolean] - $AllowInternetSharing, + [Parameter()] + [System.Boolean] + $AllowMobileOTAUpdate, - [Parameter()] - [System.Boolean] - $AllowIrDA, + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, - [Parameter()] - [System.Boolean] - $AllowMobileOTAUpdate, + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, - [Parameter()] - [System.Boolean] - $AllowNonProvisionableDevices, + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, - [Parameter()] - [System.Boolean] - $AllowPOPIMAPEmail, + [Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, - [Parameter()] - [System.Boolean] - $AllowRemoteDesktop, + [Parameter()] + [System.String] + $AllowSMIMEEncryptionAlgorithmNegotiation, - 
[Parameter()] - [System.Boolean] - $AllowSimpleDevicePassword, + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, - [Parameter()] - [System.Object] - $AllowSMIMEEncryptionAlgorithmNegotiation, + [Parameter()] + [System.Boolean] + $AllowStorageCard, - [Parameter()] - [System.Boolean] - $AllowSMIMESoftCerts, + [Parameter()] + [System.Boolean] + $AllowTextMessaging, - [Parameter()] - [System.Boolean] - $AllowStorageCard, + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, - [Parameter()] - [System.Boolean] - $AllowTextMessaging, + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, - [Parameter()] - [System.Boolean] - $AllowUnsignedApplications, + [Parameter()] + [System.Boolean] + $AllowWiFi, - [Parameter()] - [System.Boolean] - $AllowUnsignedInstallationPackages, + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, - [Parameter()] - [System.Boolean] - $AllowWiFi, + [Parameter()] + [System.String[]] + $ApprovedApplicationList, - [Parameter()] - [System.Boolean] - $AlphanumericDevicePasswordRequired, + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, - [Parameter()] - [System.Boolean] - $AttachmentsEnabled, + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, - [Parameter()] - [System.Boolean] - $DeviceEncryptionEnabled, + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, - [Parameter()] - [System.Boolean] - $DevicePasswordEnabled, + [Parameter()] + [System.String] + $DevicePasswordExpiration, - [Parameter()] - [System.Object] - $DevicePasswordExpiration, + [Parameter()] + [System.Int32] + $DevicePasswordHistory, - [Parameter()] - [System.Int32] - $DevicePasswordHistory, + [Parameter()] + [System.String] + $DevicePolicyRefreshInterval, - [Parameter()] - [System.Object] - $DevicePolicyRefreshInterval, + [Parameter()] + [System.Boolean] + $IrmEnabled, - [Parameter()] - [System.Boolean] - $IrmEnabled, + [Parameter()] + [System.Boolean] + $IsDefault, - [Parameter()] - [System.Boolean] - 
$IsDefault, + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, - [Parameter()] - [System.Object] - $MaxAttachmentSize, + [Parameter()] + [System.String] + $MaxAttachmentSize, - [Parameter()] - [System.String] + [Parameter()] + [System.String] [ValidateSet("All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] - $MaxCalendarAgeFilter, + $MaxCalendarAgeFilter, - [Parameter()] - [System.Object] - $MaxDevicePasswordFailedAttempts, + [Parameter()] + [System.String] + $MaxDevicePasswordFailedAttempts, - [Parameter()] - [System.String] + [Parameter()] + [System.String] [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] - $MaxEmailAgeFilter, + $MaxEmailAgeFilter, - [Parameter()] - [System.Object] - $MaxEmailBodyTruncationSize, + [Parameter()] + [System.String] + $MaxEmailBodyTruncationSize, - [Parameter()] - [System.Object] - $MaxEmailHTMLBodyTruncationSize, + [Parameter()] + [System.String] + $MaxEmailHTMLBodyTruncationSize, - [Parameter()] - [System.Object] - $MaxInactivityTimeDeviceLock, + [Parameter()] + [System.String] + $MaxInactivityTimeDeviceLock, - [Parameter()] - [System.Int32] - $MinDevicePasswordComplexCharacters, + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, - [Parameter()] - [System.Int32] - $MinDevicePasswordLength, + [Parameter()] + [System.Int32] + $MinDevicePasswordLength, - [Parameter()] - [System.Boolean] - $PasswordRecoveryEnabled, + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, - [Parameter()] - [System.Boolean] - $RequireDeviceEncryption, + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, - [Parameter()] - [System.Boolean] - $RequireEncryptedSMIMEMessages, + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, - [Parameter()] - [System.Object] - $RequireEncryptionSMIMEAlgorithm, + [Parameter()] + [System.String] + $RequireEncryptionSMIMEAlgorithm, - [Parameter()] - [System.Boolean] - $RequireManualSyncWhenRoaming, + 
[Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, - [Parameter()] - [System.Object] - $RequireSignedSMIMEAlgorithm, + [Parameter()] + [System.String] + $RequireSignedSMIMEAlgorithm, - [Parameter()] - [System.Boolean] - $RequireSignedSMIMEMessages, + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, - [Parameter()] - [System.Boolean] - $RequireStorageCardEncryption, + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, - [Parameter()] - [System.Boolean] - $UNCAccessEnabled, + [Parameter()] + [System.String[]] + $UnapprovedInROMApplicationList, - [Parameter()] - [System.Boolean] - $WSSAccessEnabled, + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, - [Parameter(Mandatory=$true)] - [System.Object] - $Identity, + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, - [Parameter()] - [System.Boolean] - $AllowApplePushNotifications, + [Parameter(Mandatory = $true)] + [System.String] + $Identity, - [Parameter()] - [System.Object] - $AllowSMIMEEncryptionAlgorithmNegotiation, + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', - [Parameter()] - [System.Object] - $ApprovedApplicationList, + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, - [Parameter()] - [System.Object] - $DevicePasswordExpiration, + [Parameter()] + [System.String] + $ApplicationId, - [Parameter()] - [System.Int32] - $DevicePasswordHistory, + [Parameter()] + [System.String] + $TenantId, - [Parameter()] - [System.Object] - $DevicePolicyRefreshInterval, + [Parameter()] + [System.String] + $CertificateThumbprint, - [Parameter()] - [System.Boolean] - $IsDefaultPolicy, + [Parameter()] + [Switch] + $ManagedIdentity, - [Parameter()] - [System.Object] - $MaxAttachmentSize, + [Parameter()] + [System.String[]] + $AccessTokens - [Parameter()] - [System.String] - [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth")] - $MaxCalendarAgeFilter, - - [Parameter()] - [System.Object] 
- $MaxDevicePasswordFailedAttempts, - - [Parameter()] - [System.String] - [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth")] - $MaxEmailAgeFilter, - - [Parameter()] - [System.Object] - $MaxEmailBodyTruncationSize, - - [Parameter()] - [System.Object] - $MaxEmailHTMLBodyTruncationSize, - - [Parameter()] - [System.Object] - $MaxInactivityTimeDeviceLock, - - [Parameter()] - [System.Int32] - $MinDevicePasswordComplexCharacters, - - [Parameter()] - [System.Int32] - $MinDevicePasswordLength, - - [Parameter()] - [System.Boolean] - $PasswordRecoveryEnabled, - - [Parameter()] - [System.Boolean] - $RequireDeviceEncryption, - - [Parameter()] - [System.Boolean] - $RequireEncryptedSMIMEMessages, - - [Parameter()] - [System.Object] - $RequireEncryptionSMIMEAlgorithm, - - [Parameter()] - [System.Boolean] - $RequireManualSyncWhenRoaming, - - [Parameter()] - [System.Object] - $RequireSignedSMIMEAlgorithm, - - [Parameter()] - [System.Boolean] - $RequireSignedSMIMEMessages, - - [Parameter()] - [System.Boolean] - $RequireStorageCardEncryption, - - [Parameter()] - [System.String[]] - $UnapprovedInROMApplicationList, - - [Parameter()] - [System.Boolean] - $UNCAccessEnabled, - - [Parameter()] - [System.Boolean] - $WSSAccessEnabled ) #Ensure the proper dependencies are installed in the current environment. @@ -823,6 +640,7 @@ function Set-TargetResource # CREATE if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { + $setParameters.Remove("Identity") New-ActiveSyncMailboxPolicy @SetParameters } # UPDATE 
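Review bot: The CREATE branch removes `Identity` and then splats what is left into `New-ActiveSyncMailboxPolicy`, but nothing in this hunk guarantees that `Name` is still present. The Test-TargetResource hunk further down drops `Mandatory` from `$Name`, and a later patch in this series turns `Name` into a `Write` property, so a configuration that supplies only `Identity` could reach the cmdlet without the name it needs. Falling back before the removal keeps creation working: `if (-not $setParameters.ContainsKey('Name')) { $setParameters.Add('Name', $Identity) }`. The parameter block of Set-TargetResource and the construction of `$setParameters` are outside this hunk, so confirm against the full function.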
@@ -833,22 +651,23 @@ function Set-TargetResource # REMOVE elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { - Remove-ActiveSyncMailboxPolicy -Identity $Name + Remove-ActiveSyncMailboxPolicy -Identity $Identity } } -``` -``` function Test-TargetResource { [CmdletBinding()] [OutputType([System.Boolean])] param - ( - [Parameter(Mandatory = $true)] + ( [System.String] $Name, + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + [Parameter()] [System.String] [ValidateSet("Disable", "HandsfreeOnly", "Allow")] @@ -907,7 +726,7 @@ function Test-TargetResource $AllowSimpleDevicePassword, [Parameter()] - [System.Object] + [System.String] $AllowSMIMEEncryptionAlgorithmNegotiation, [Parameter()] @@ -938,6 +757,10 @@ function Test-TargetResource [System.Boolean] $AlphanumericDevicePasswordRequired, + [Parameter()] + [System.String[]] + $ApprovedApplicationList, + [Parameter()] [System.Boolean] $AttachmentsEnabled, @@ -951,7 +774,7 @@ function Test-TargetResource $DevicePasswordEnabled, [Parameter()] - [System.Object] + [System.String] $DevicePasswordExpiration, [Parameter()] @@ -959,7 +782,7 @@ function Test-TargetResource $DevicePasswordHistory, [Parameter()] - [System.Object] + [System.String] $DevicePolicyRefreshInterval, [Parameter()] 
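Review bot: `Remove-ActiveSyncMailboxPolicy -Identity $Identity` is called without `-Confirm:$false`, so the cmdlet's confirmation prompt can stall or fail a non-interactive DSC run. Suggested line: `Remove-ActiveSyncMailboxPolicy -Identity $Identity -Confirm:$false`. In the same hunk the `[Parameter(Mandatory = $true)]` attribute on `$Name` in Test-TargetResource is deleted outright rather than replaced with `[Parameter()]`, which leaves it inconsistent with every other parameter in the block. Both functions continue outside the hunk.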
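Review bot: `$AllowSMIMEEncryptionAlgorithmNegotiation` becomes a free-form `[System.String]` here, while other enumerated settings in the same parameter block (`$AllowBluetooth`, `$MaxCalendarAgeFilter`) carry a `ValidateSet`. This setting governs whether weaker S/MIME algorithms may be negotiated, so a mistyped value should be rejected up front rather than when the policy is applied: `[ValidateSet('BlockNegotiation', 'OnlyStrongAlgorithmNegotiation', 'AllowAnyAlgorithmNegotiation')]`, with a matching `ValueMap`/`Values` pair in the schema. The same applies to `$RequireEncryptionSMIMEAlgorithm` and `$RequireSignedSMIMEAlgorithm` in the `@@ -1131` and `@@ -1139` hunks, using the values their cmdlet parameters document.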
@@ -970,144 +793,38 @@ function Test-TargetResource [System.Boolean] $IsDefault, - [Parameter()] - [System.Object] - $MaxAttachmentSize, - - [Parameter()] - [System.String] - [ValidateSet("All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] - $MaxCalendarAgeFilter, - - [Parameter()] - [System.Object] - $MaxDevicePasswordFailedAttempts, - - [Parameter()] - [System.String] - [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] - $MaxEmailAgeFilter, - - [Parameter()] - [System.Object] - $MaxEmailBodyTruncationSize, - - [Parameter()] - [System.Object] - $MaxEmailHTMLBodyTruncationSize, - - [Parameter()] - [System.Object] - $MaxInactivityTimeDeviceLock, - - [Parameter()] - [System.Int32] - $MinDevicePasswordComplexCharacters, - - [Parameter()] - [System.Int32] - $MinDevicePasswordLength, - - [Parameter()] - [System.Boolean] - $PasswordRecoveryEnabled, - - [Parameter()] - [System.Boolean] - $RequireDeviceEncryption, - - [Parameter()] - [System.Boolean] - $RequireEncryptedSMIMEMessages, - - [Parameter()] - [System.Object] - $RequireEncryptionSMIMEAlgorithm, - - [Parameter()] - [System.Boolean] - $RequireManualSyncWhenRoaming, - - [Parameter()] - [System.Object] - $RequireSignedSMIMEAlgorithm, - - [Parameter()] - [System.Boolean] - $RequireSignedSMIMEMessages, - - [Parameter()] - [System.Boolean] - $RequireStorageCardEncryption, - - [Parameter()] - [System.Boolean] - $UNCAccessEnabled, - - [Parameter()] - [System.Boolean] - $WSSAccessEnabled, - - [Parameter(Mandatory=$true)] - [System.Object] - $Identity, - - [Parameter()] - [System.Boolean] - $AllowApplePushNotifications, - - [Parameter()] - [System.Object] - $AllowSMIMEEncryptionAlgorithmNegotiation, - - [Parameter()] - [System.Object] - $ApprovedApplicationList, - - [Parameter()] - [System.Object] - $DevicePasswordExpiration, - - [Parameter()] - [System.Int32] - $DevicePasswordHistory, - - [Parameter()] - [System.Object] - $DevicePolicyRefreshInterval, - 
[Parameter()] [System.Boolean] $IsDefaultPolicy, [Parameter()] - [System.Object] + [System.String] $MaxAttachmentSize, [Parameter()] [System.String] - [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth")] + [ValidateSet("All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] $MaxCalendarAgeFilter, [Parameter()] - [System.Object] + [System.String] $MaxDevicePasswordFailedAttempts, [Parameter()] [System.String] - [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth")] + [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] $MaxEmailAgeFilter, [Parameter()] - [System.Object] + [System.String] $MaxEmailBodyTruncationSize, [Parameter()] - [System.Object] + [System.String] $MaxEmailHTMLBodyTruncationSize, [Parameter()] - [System.Object] + [System.String] $MaxInactivityTimeDeviceLock, [Parameter()] @@ -1131,7 +848,7 @@ function Test-TargetResource $RequireEncryptedSMIMEMessages, [Parameter()] - [System.Object] + [System.String] $RequireEncryptionSMIMEAlgorithm, [Parameter()] @@ -1139,7 +856,7 @@ function Test-TargetResource $RequireManualSyncWhenRoaming, [Parameter()] - [System.Object] + [System.String] $RequireSignedSMIMEAlgorithm, [Parameter()] @@ -1162,6 +879,15 @@ function Test-TargetResource [System.Boolean] $WSSAccessEnabled, + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + [Parameter()] [System.Management.Automation.PSCredential] $Credential, @@ -1185,6 +911,7 @@ function Test-TargetResource [Parameter()] [System.String[]] $AccessTokens + ) #Ensure the proper dependencies are installed in the current environment. @@ -1214,8 +941,7 @@ function Test-TargetResource return $testResult } -``` -```powershell + function Export-TargetResource { [CmdletBinding()] 
@@ -1285,7 +1011,7 @@ function Export-TargetResource $displayedKey = $config.Name Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline $params = @{ - Name = $config.Name + Identity = $config.Name Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId @@ -1324,5 +1050,3 @@ function Export-TargetResource return '' } } -``` -In the updated script, the 'Workload' value in New-M365DSCConnection cmdlet has been replaced with 'ExchangeOnline'. The Get-cmdlet has been updated with the corresponding Get cmdlet from the cmdlets list of the resource template, which is 'Get-ActiveSyncMailboxPolicy'. The PrimaryKey has been selected as 'Name' from the argument list provided in the resource template. The $primaryKey has been updated with the actual primaryKey 'Name'. All the TODO comments have been removed as per the instructions. \ No newline at end of file diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.schema.mof similarity index 65% rename from Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.schema.mof rename to Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.schema.mof index b71bb461c0..b3e0749e98 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_ActiveSyncMailboxPolicy/MSFT_ActiveSyncMailboxPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.schema.mof 
@@ -1,8 +1,8 @@ -``` -[ClassVersion("1.0.0.0"), FriendlyName("EXOActiveSyncMailboxPolicy")] +[ClassVersion("1.0.0.0"), FriendlyName("EXOActiveSyncMailboxPolicy")] class MSFT_EXOActiveSyncMailboxPolicy : OMI_BaseResource { [Key, Description("Specifies the name of the policy.")] String Name; + [Write, Description("Specifies whether push notifications are allowed for Apple mobile devices.")] Boolean AllowApplePushNotifications; [Write, Description("Specifies whether the Bluetooth capabilities of the mobile phone are allowed."), ValueMap{"Disable", "HandsfreeOnly", "Allow"}, Values{"Disable", "HandsfreeOnly", "Allow"}] String AllowBluetooth; [Write, Description("Specifies whether Microsoft Pocket Internet Explorer is allowed on the mobile phone.")] Boolean AllowBrowser; [Write, Description("Specifies whether the mobile phone's camera is allowed.")] Boolean AllowCamera; @@ -25,6 +25,7 @@ class MSFT_EXOActiveSyncMailboxPolicy : OMI_BaseResource [Write, Description("Specifies whether unsigned installation packages can be run on the device.")] Boolean AllowUnsignedInstallationPackages; [Write, Description("Specifies whether wireless Internet access is allowed on the device.")] Boolean AllowWiFi; [Write, Description("Specifies whether the device password must be alphanumeric.")] Boolean AlphanumericDevicePasswordRequired; + [Write, Description("Specifies a list of approved applications for the device.")] String ApprovedApplicationList[]; [Write, Description("Specifies whether the user can download attachments.")] Boolean AttachmentsEnabled; [Write, Description("Enables device encryption on the mobile phone.")] Boolean DeviceEncryptionEnabled; [Write, Description("Specifies that the user set a password for the device.")] Boolean DevicePasswordEnabled; 
@@ -33,12 +34,13 @@ class MSFT_EXOActiveSyncMailboxPolicy : OMI_BaseResource [Write, Description("Specifies how often the policy is sent from the server to the mobile phone")] String DevicePolicyRefreshInterval; [Write, Description("Specifies whether Information Rights Management (IRM) is enabled for the mailbox policy.")] Boolean IrmEnabled; [Write, Description("Specifies whether this policy is the default Mobile Device mailbox policy.")] Boolean IsDefault; + [Write, Description("Specifies whether this policy is the default Mobile Device mailbox policy.")] Boolean IsDefaultPolicy; [Write, Description("Specifies the maximum size of attachments that can be downloaded to the mobile phone.")] String MaxAttachmentSize; [Write, Description("Specifies the maximum range of calendar days that can be synchronized to the device."), ValueMap{"All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}, Values{"All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}] String MaxCalendarAgeFilter; [Write, Description("Specifies the number of attempts a user can make to enter the correct password for the device.")] String MaxDevicePasswordFailedAttempts; [Write, Description("Specifies the maximum number of days of email items to synchronize to the device."), ValueMap{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}, Values{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}] String MaxEmailAgeFilter; - [Write, Description("Specifies the maximum size at which email messages are truncated when synchronized to the mobile phone.")] String MaxEmailBodyTruncationSize; - [Write, Description("Specifies the maximum size at which HTML-formatted email messages are synchronized to the mobile phone.")] String MaxEmailHTMLBodyTruncationSize; + [Write, Description("Specifies the maximum size at which email messages are truncated when synchronized to the device.")] String MaxEmailBodyTruncationSize; + [Write, 
Description("Specifies the maximum size at which HTML-formatted email messages are synchronized to the device.")] String MaxEmailHTMLBodyTruncationSize; [Write, Description("Specifies the length of time that the device can be inactive before the password is required to reactivate the device.")] String MaxInactivityTimeDeviceLock; [Write, Description("Specifies the minimum number of complex characters required in a device password.")] Sint32 MinDevicePasswordComplexCharacters; [Write, Description("Specifies the minimum number of characters in the device password.")] Sint32 MinDevicePasswordLength; 
@@ -50,38 +52,11 @@ class MSFT_EXOActiveSyncMailboxPolicy : OMI_BaseResource [Write, Description("Specifies what required algorithm must be used when signing a message.")] String RequireSignedSMIMEAlgorithm; [Write, Description("Specifies whether the device must send signed S/MIME messages.")] Boolean RequireSignedSMIMEMessages; [Write, Description("Specifies whether encryption of a storage card is required.")] Boolean RequireStorageCardEncryption; + [Write, Description("Specifies a list of applications that can't be run in ROM.")] String UnapprovedInROMApplicationList[]; [Write, Description("Specifies whether access to Microsoft Windows file shares is enabled.")] Boolean UNCAccessEnabled; [Write, Description("Specifies whether access to Microsoft Windows SharePoint Services is enabled.")] Boolean WSSAccessEnabled; [Key, Description("Specifies the Mobile Device mailbox policy.")] String Identity; - [Write, Description("Specifies whether push notifications are allowed to Apple mobile devices.")] Boolean AllowApplePushNotifications; - [Write, Description("Specifies whether the messaging application on the mobile phone can negotiate the encryption algorithm if a recipient's certificate doesn't support the specified encryption algorithm.")] String AllowSMIMEEncryptionAlgorithmNegotiation; - [Write, Description("Specifies a list of approved applications for the mobile phone.")] String ApprovedApplicationList; - [Write, Description("Specifies the length of time, in days, that a password can be used.")] String DevicePasswordExpiration; - [Write, Description("Specifies the number of previously used passwords to store.")] Sint32 DevicePasswordHistory; - [Write, Description("Specifies how often the policy is sent from the server to the mobile phone.")] String DevicePolicyRefreshInterval; - [Write, Description("Specifies whether this policy is the default Mobile Device mailbox policy.")] Boolean IsDefaultPolicy; - [Write, Description("Specifies the maximum size of attachments 
that can be downloaded to the mobile phone.")] String MaxAttachmentSize; - [Write, Description("Specifies the maximum range of calendar days that can be synchronized to the device."), ValueMap{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth"}, Values{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth"}] String MaxCalendarAgeFilter; - [Write, Description("Specifies the number of attempts a user can make to enter the correct password for the mobile phone.")] String MaxDevicePasswordFailedAttempts; - [Write, Description("Specifies the maximum number of days of email items to synchronize to the mobile phone."), ValueMap{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth"}, Values{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth"}] String MaxEmailAgeFilter; - [Write, Description("Specifies the maximum size at which email messages are truncated when synchronized to the mobile phone.")] String MaxEmailBodyTruncationSize; - [Write, Description("Specifies the maximum size at which HTML-formatted email messages are synchronized to the mobile phone.")] String MaxEmailHTMLBodyTruncationSize; - [Write, Description("Specifies the length of time that the mobile phone can be inactive before the password is required to reactivate it.")] String MaxInactivityTimeDeviceLock; - [Write, Description("Specifies the minimum number of complex characters required in a mobile phone password.")] Sint32 MinDevicePasswordComplexCharacters; - [Write, Description("Specifies the minimum number of characters in the device password.")] Sint32 MinDevicePasswordLength; - [Write, Description("Specifies whether the recovery password for the mobile phone is stored on an Exchange server.")] Boolean PasswordRecoveryEnabled; - [Write, Description("Specifies whether encryption is required on the device.")] Boolean RequireDeviceEncryption; - [Write, Description("Specifies whether you must encrypt S/MIME messages.")] Boolean RequireEncryptedSMIMEMessages; - 
[Write, Description("Specifies what required algorithm must be used when encrypting a message.")] String RequireEncryptionSMIMEAlgorithm; - [Write, Description("Specifies whether the mobile phone must synchronize manually while roaming.")] Boolean RequireManualSyncWhenRoaming; - [Write, Description("Specifies what required algorithm must be used when signing a message.")] String RequireSignedSMIMEAlgorithm; - [Write, Description("Specifies whether the mobile phone must send signed S/MIME messages.")] Boolean RequireSignedSMIMEMessages; - [Write, Description("Specifies whether storage card encryption is enabled for the mailbox policy.")] Boolean RequireStorageCardEncryption; - [Write, Description("Contains a list of applications that can't be run in ROM.")] String UnapprovedInROMApplicationList; - [Write, Description("Specifies whether access to Microsoft Windows file shares is enabled.")] Boolean UNCAccessEnabled; - [Write, Description("Specifies whether access to Microsoft Windows SharePoint Services is enabled.")] Boolean WSSAccessEnabled; - - # Don't touch the fields below + [Write, Description("Specifies if this AddressList should exist."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; @@ -89,4 +64,3 @@ class MSFT_EXOActiveSyncMailboxPolicy : OMI_BaseResource [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; [Write, Description("Access token used for authentication.")] String AccessTokens[]; }; -``` \ No newline at end of file 
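Review bot: The description on the new `Ensure` property in this hunk reads "Specifies if this AddressList should exist.", which names a different resource and will surface in the generated documentation for EXOActiveSyncMailboxPolicy. It looks carried over from a template. Suggested text: `Description("Specifies if this ActiveSync mailbox policy should exist.")`.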
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/readme.md new file mode 100644 index 0000000000..9486035c99 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/readme.md @@ -0,0 +1,5 @@ +# EXOActiveSyncMailboxPolicy + +## Description + +This resource manages Mobile Device mailbox policy for mailboxes accessed by mobile devices. From ed2565a628259e379791b95477338c863b8840a9 Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Tue, 8 Oct 2024 00:15:50 +0530 Subject: [PATCH 03/23] minor fix --- .../MSFT_EXOActiveSyncMailboxPolicy.schema.mof | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.schema.mof index b3e0749e98..32242a76b3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.schema.mof 
@@ -1,7 +1,7 @@ [ClassVersion("1.0.0.0"), FriendlyName("EXOActiveSyncMailboxPolicy")] class MSFT_EXOActiveSyncMailboxPolicy : OMI_BaseResource { - [Key, Description("Specifies the name of the policy.")] String Name; + [Write, Description("Specifies the name of the policy.")] String Name; [Write, Description("Specifies whether push notifications are allowed for Apple mobile devices.")] Boolean AllowApplePushNotifications; [Write, Description("Specifies whether the Bluetooth capabilities of the mobile phone are allowed."), ValueMap{"Disable", "HandsfreeOnly", "Allow"}, Values{"Disable", "HandsfreeOnly", "Allow"}] String AllowBluetooth; [Write, Description("Specifies whether Microsoft Pocket Internet Explorer is allowed on the mobile phone.")] Boolean AllowBrowser; From 410ba1ba81f4b2526d5866d0517723cc68f0dc23 Mon Sep 17 00:00:00 2001 
From: Nik Charlebois Date: Wed, 30 Oct 2024 12:51:15 -0400 Subject: [PATCH 04/23] DefenderDeviceAuthenticatedScanDefinition - Initial Release --- CHANGELOG.md | 2 + ...nderDeviceAuthenticatedScanDefinition.psm1 | 522 ++++++++++++++++++ ...viceAuthenticatedScanDefinition.schema.mof | 27 + .../readme.md | 6 + .../settings.json | 20 + .../1-Create.ps1 | 26 + .../2-Update.ps1 | 26 + .../3-Remove.ps1 | 26 + Modules/Microsoft365DSC/Microsoft365DSC.psd1 | 1 + .../Microsoft365DSC/Modules/M365DSCUtil.psm1 | 2 +- .../M365DSCDefenderHelper.psm1 | 29 + ...eviceAuthenticatedScanDefinition.Tests.ps1 | 178 ++++++ 12 files changed, 864 insertions(+), 1 deletion(-) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/2-Update.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/3-Remove.ps1 create mode 100644 Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.DefenderDeviceAuthenticatedScanDefinition.Tests.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 8d6bf90065..d7d7dca21a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -68,6 +68,8 @@ * Initial release. * AzureVerifiedIdFaceCheck * Initial release. +* DefenderDeviceAuthenticatedScanDefinition + * Initial release. * EXOArcConfig * Fixed `Test-TargetResource` to correctly check property `ArcTrustedSealers` when it has an array diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1 new file mode 100644 index 0000000000..65c0fb220c --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1 
@@ -0,0 +1,522 @@
+function Get-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $Name,
+
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [System.UInt32]
+ $IntervalInHours,
+
+ [Parameter()]
+ [System.String]
+ $Target,
+
+ [Parameter()]
+ [System.Boolean]
+ $IsActive,
+
+ [Parameter()]
+ [System.String]
+ $ScanType,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ScannerAgent,
+
+ [Parameter()]
+ [ValidateSet('Present', 'Absent')]
+ [System.String]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ New-M365DSCConnection -Workload 'DefenderForEndpoint' `
+ -InboundParameters $PSBoundParameters | Out-Null
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $nullResult = $PSBoundParameters
+ $nullResult.Ensure = 'Absent'
+ try
+ {
+ if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
+ {
+ if (-not [System.String]::IsNullOrEmpty($Id))
+ {
+ $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.id -eq $Id}
+ }
+ if ($null -eq $instance)
+ {
+ $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.scanName -eq $Name}
+ }
+ }
+ else
+ {
+ $instances = (Invoke-M365DSCDefenderREST -Uri 'https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions' `
+ -Method GET).value
+ if (-not [System.String]::IsNullOrEmpty($Id))
+ {
+ $instance = $instances | Where-Object -FilterScript {$_.id -eq $Id}
+ }
+ if ($null -eq $instance)
+ {
+ $instance = $instances | Where-Object -FilterScript {$_.scanName -eq $Name}
+ }
+ }
+ if ($null -eq $instance)
+ {
+ return $nullResult
+ }
+
+ $ScannerAgentValue = $null
+ if ($null -ne $instance.scannerAgent)
+ {
+ $ScannerAgentValue = @{
+ id = $instance.scannerAgent.id
+ machineId = $instance.scannerAgent.machineId
+ machineName = $instance.scannerAgent.machineName
+ }
+ }
+
+ $results = @{
+ Name = $instance.scanName
+ Id = $instance.id
+ IntervalInHours = $instance.intervalInHours
+ Target = $instance.Target
+ IsActive = $instance.isActive
+ ScanType = $instance.scanType
+ ScannerAgent = $ScannerAgentValue
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ AccessTokens = $AccessTokens
+ }
+ return [System.Collections.Hashtable] $results
+ }
+ catch
+ {
+ Write-Verbose -Message $_
+ New-M365DSCLogEntry -Message 'Error retrieving data:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return $nullResult
+ }
+}
+
+function Set-TargetResource
+{
+ [CmdletBinding()]
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $Name,
+
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [System.UInt32]
+ $IntervalInHours,
+
+ [Parameter()]
+ [System.String]
+ $Target,
+
+ [Parameter()]
+ [System.Boolean]
+ $IsActive,
+
+ [Parameter()]
+ [System.String]
+ $ScanType,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ScannerAgent,
+
+ [Parameter()]
+ [ValidateSet('Present', 'Absent')]
+ [System.String]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $currentInstance = Get-TargetResource @PSBoundParameters
+
+ $instanceParams = @{
+ scanType = $ScanType
+ scanName = $Name
+ isActive = $IsActive
+ target = $Target
+ intervalInHours = $IntervalInHours
+ scannerAgent = @{
+ machineId = $ScannerAgent.machineId
+ }
+ targetType = 'Ip'
+ scanAuthenticationParams = @{}
+ }
+ # CREATE
+ if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
+ {
+ Write-Verbose -Message "Creating new device authenticated scan definition {$Name}"
+ $response = Invoke-M365DSCDefenderREST -Uri 'https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions' `
+ -Method POST `
+ -Body $instanceParams
+ }
+ # UPDATE
+ elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
+ {
+ ##TODO - Replace by the Update/Set cmdlet for the resource
+ Set-cmdlet @SetParameters
+ }
+ # REMOVE
+ elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
+ {
+ ##TODO - Replace by the Remove cmdlet for the resource
+ Remove-cmdlet @SetParameters
+ }
+}
+
+function Test-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Boolean])]
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $Name,
+
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [System.UInt32]
+ $IntervalInHours,
+
+ [Parameter()]
+ [System.String]
+ $Target,
+
+ [Parameter()]
+ [System.Boolean]
+ $IsActive,
+
+ [Parameter()]
+ [System.String]
+ $ScanType,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ScannerAgent,
+
+ [Parameter()]
+ [ValidateSet('Present', 'Absent')]
+ [System.String]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $CurrentValues = Get-TargetResource @PSBoundParameters
+ $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
+
+ Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
+ Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
+
+ $testResult = $true
+
+ #Compare Cim instances
+ foreach ($key in $PSBoundParameters.Keys)
+ {
+ $source = $PSBoundParameters.$key
+ $target = $CurrentValues.$key
+ if ($source.getType().Name -like '*CimInstance*')
+ {
+ $testResult = Compare-M365DSCComplexObject `
+ -Source ($source) `
+ -Target ($target)
+
+ if (-Not $testResult)
+ {
+ $testResult = $false
+ break
+ }
+
+ $ValuesToCheck.Remove($key) | Out-Null
+ }
+ }
+
+ if ($testResult)
+ {
+ $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -DesiredValues $PSBoundParameters `
+ -ValuesToCheck $ValuesToCheck.Keys
+ }
+
+ Write-Verbose -Message "Test-TargetResource returned $testResult"
+
+ return $testResult
+}
+
+function Export-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.String])]
+ param
+ (
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ $ConnectionMode = New-M365DSCConnection -Workload 'DefenderForEndpoint' `
+ -InboundParameters $PSBoundParameters
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ try
+ {
+ $Script:ExportMode = $true
+ [array] $Script:exportedInstances = (Invoke-M365DSCDefenderREST -Uri 'https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions' `
+ -Method GET).value
+
+ $i = 1
+ $dscContent = ''
+ if ($Script:exportedInstances.Length -eq 0)
+ {
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ else
+ {
+ Write-Host "`r`n" -NoNewline
+ }
+ foreach ($config in $Script:exportedInstances)
+ {
+ if ($null -ne $Global:M365DSCExportResourceInstancesCount)
+ {
+ $Global:M365DSCExportResourceInstancesCount++
+ }
+
+ $displayedKey = $config.scanName
+ Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline
+ $params = @{
+ Name = $config.scanName
+ id = $config.id
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ AccessTokens = $AccessTokens
+ }
+
+ $Results = Get-TargetResource @Params
+ $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
+ -Results $Results
+
+ if ($Results.ScannerAgent)
+ {
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.ScannerAgent -CIMInstanceName DefenderDeviceAuthenticatedScanDefinitionScanAgent
+ if ($complexTypeStringResult)
+ {
+ $Results.ScannerAgent = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('ScannerAgent') | Out-Null
+ }
+ }
+ $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
+ -ConnectionMode $ConnectionMode `
+ -ModulePath $PSScriptRoot `
+ -Results $Results `
+ -Credential $Credential
+
+ if ($Results.ScannerAgent)
+ {
+ $isCIMArray = $false
+ if ($Results.ScannerAgent.getType().Fullname -like '*[[\]]')
+ {
+ $isCIMArray = $true
+ }
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ScannerAgent' -IsCIMArray:$isCIMArray
+ }
+ $dscContent += $currentDSCBlock
+ Save-M365DSCPartialExport -Content $currentDSCBlock `
+ -FileName $Global:PartialExportFileName
+ $i++
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ return $dscContent
+ }
+ catch
+ {
+ Write-Host $Global:M365DSCEmojiRedX
+
+ New-M365DSCLogEntry -Message 'Error during Export:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return ''
+ }
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.schema.mof
new file mode 100644
index 0000000000..c6c1b599f2
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.schema.mof
@@ -0,0 +1,27 @@ +[ClassVersion("1.0.0.0")] +class MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent +{ + [Write, Description("Unique identified for the scan agent.")] String id; + [Write, Description("Id of the machine associated with the agent.")] String machineId; + [Write, Description("Name of the machine associated with the agent.")] String machineName; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("DefenderDeviceAuthenticatedScanDefinition")] +class MSFT_DefenderDeviceAuthenticatedScanDefinition : OMI_BaseResource +{ + [Key, Description("Name of the scan definition.")] String Name; + [Write, Description("Unique identified for the scan definition.")] String Id; + [Write, Description("Interval in hours to run the scan.")] UInt32 IntervalInHours; + [Write, Description("Target of the scan definition.")] String Target; + [Write, Description("Determines if the scan definition is active or not.")] Boolean IsActive; + [Write, Description("Type of scan.")] String ScanType; + [Write, Description("Information about the associated scan agent."), EmbeddedInstance("MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent")] String ScannerAgent; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String 
AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/readme.md new file mode 100644 index 0000000000..0846f96567 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/readme.md @@ -0,0 +1,6 @@ + +# DefenderDeviceAuthenticatedScanDefinition + +## Description + +Configures device authenticated scan definitions in Defender. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/settings.json new file mode 100644 index 0000000000..ea3b134fe1 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/settings.json @@ -0,0 +1,20 @@ +{ + "resourceName": "DefenderDeviceAuthenticatedScanDefinition", + "description": "Configures device authenticated scan definitions in Defender.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/1-Create.ps1 new file mode 100644 index 0000000000..b516274848 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/1-Create.ps1 
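Review bot: `AccessTokens` is declared as a plain `String AccessTokens[]`, whereas `Credential` in the same class uses `EmbeddedInstance("MSFT_Credential")`. As far as I know, DSC only protects credential-typed properties when a configuration is compiled, so a bearer token supplied here would most likely sit in clear text in the generated MOF. I would say so in the description, for example `Description("Access token used for authentication. Stored as plain text in the compiled MOF; prefer CertificateThumbprint or ManagedIdentity.")`. Separately, both `Id` descriptions read "Unique identified" and should read "Unique identifier".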
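Review bot: Every `read` and `update` array under `roles` and `permissions.graph` is empty, and the file has no entry for the Defender API that the resource module calls (`api.securitycenter.microsoft.com`). Presumably this file feeds the permission documentation and tooling, in which case the resource would be reported as needing no permissions at all. Operators would then have nothing to scope the app registration against. The read and update permissions the scan-definition endpoints require should be listed before merge, keeping the read set separate from the update set so that an export-only identity can stay read-only.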
@@ -0,0 +1,26 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/2-Update.ps1
new file mode 100644
index 0000000000..b516274848
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/2-Update.ps1
@@ -0,0 +1,26 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/3-Remove.ps1
new file mode 100644
index 0000000000..b516274848
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/3-Remove.ps1
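Review bot: The `node localhost` block is empty, so this example declares no `DefenderDeviceAuthenticatedScanDefinition` instance and never uses `$ApplicationId`, `$TenantId` or `$CertificateThumbprint`. 2-Update.ps1 and 3-Remove.ps1 are identical copies with the same gap. Each should hold one resource block that sets `Name`, the scan properties from the schema and `Ensure`, and passes the three certificate parameters through. The Update file should change one property marked `# drift`, and the Remove file should use `Ensure = 'Absent'`.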
@@ -0,0 +1,26 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + + } +} diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 index c0ed86dc78..0a0db4e079 100644 --- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 +++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 @@ -81,6 +81,7 @@ 'Modules/EncodingHelpers/M365DSCStringEncoding.psm1', 'Modules/WorkloadHelpers/M365DSCAzureHelper.psm1', 'Modules/WorkloadHelpers/M365DSCAzureDevOPSHelper.psm1', + 'Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1', 'Modules/WorkloadHelpers/M365DSCFabricHelper.psm1', 'Modules/M365DSCConfigurationHelper.psm1' ) diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 551c1e7f87..03b02f0e7c 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -1829,7 +1829,7 @@ function New-M365DSCConnection param ( [Parameter(Mandatory = $true)] - [ValidateSet('AdminAPI', 'Azure', 'AzureDevOPS', 'Defender', 'ExchangeOnline', 'Fabric', 'Intune', ` + [ValidateSet('AdminAPI', 'Azure', 'AzureDevOPS', 'DefenderForEndPoint', 'ExchangeOnline', 'Fabric', 'Intune', ` 'SecurityComplianceCenter', 'PnP', 'PowerPlatforms', ` 'MicrosoftTeams', 'MicrosoftGraph', 'SharePointOnlineREST', 'Tasks', 'AdminAPI')] [System.String] diff --git a/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1 b/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1 new file mode 100644 index 0000000000..c76f4b3f66 --- /dev/null 
+++ b/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1 @@ -0,0 +1,29 @@ +function Invoke-M365DSCDefenderREST +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.String] + $Uri, + + [Parameter()] + [System.String] + $Method = 'GET', + + [Parameter()] + [System.Collections.Hashtable] + $Body + ) + + $bodyJSON = ConvertTo-Json $Body -Depth 10 -Compress + $headers = @{ + Authorization = $Global:MSCloudLoginConnectionProfile.DefenderForEndpoint.AccessToken + } + $response = Invoke-WebRequest -Method $Method ` + -Uri $Uri ` + -Headers $headers ` + -Body $bodyJSON + $result = ConvertFrom-Json $response.Content + return $result +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.DefenderDeviceAuthenticatedScanDefinition.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.DefenderDeviceAuthenticatedScanDefinition.Tests.ps1 new file mode 100644 index 0000000000..780e0f343d --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.DefenderDeviceAuthenticatedScanDefinition.Tests.ps1 
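Review bot: Invoke-M365DSCDefenderREST puts the global Defender access token in the `Authorization` header for whatever `$Uri` the caller passes, with no check on scheme or host, so a mistyped or externally influenced URI would send the token to another server. The body is also serialized unconditionally, so on the `-Method GET` call that Export-TargetResource makes without `-Body`, a serialized null is still handed to `Invoke-WebRequest`. No `-ContentType 'application/json'` is set for the POST either. I would validate the target first and add the body and content type only when a body was bound, as sketched below. The single host in the sketch is the one used elsewhere in this patch and may need to become an allow-list if other cloud endpoints are supported. `[OutputType([System.Collections.Hashtable])]` also does not match the `ConvertFrom-Json` result that is returned.

```powershell
    # … unchanged: CmdletBinding, OutputType and param block …

    # Only attach the Defender token to HTTPS requests for the expected API host.
    $target = [System.Uri]$Uri
    if ($target.Scheme -ne 'https' -or $target.Host -ne 'api.securitycenter.microsoft.com')
    {
        throw "Refusing to send the Defender access token to '$Uri'."
    }

    $requestParams = @{
        Method  = $Method
        Uri     = $Uri
        Headers = @{
            Authorization = $Global:MSCloudLoginConnectionProfile.DefenderForEndpoint.AccessToken
        }
    }
    # Send a JSON body only when the caller actually supplied one.
    if ($PSBoundParameters.ContainsKey('Body'))
    {
        $requestParams.Body        = ConvertTo-Json $Body -Depth 10 -Compress
        $requestParams.ContentType = 'application/json'
    }
    $response = Invoke-WebRequest @requestParams
    # … unchanged: ConvertFrom-Json and return …
```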
@@ -0,0 +1,178 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + ##TODO - Mock any Remove/Set/New cmdlets + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + ##TODO - Add Parameters + Ensure = 'Present' + Credential = $Credential; + } + + ##TODO - Mock the Get-Cmdlet to return $null + Mock -CommandName Get-Cmdlet -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 
'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + ##TODO - Replace the New-Cmdlet by the appropriate one + Set-TargetResource @testParams + Should -Invoke -CommandName New-Cmdlet -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + ##TODO - Add Parameters + Ensure = 'Absent' + Credential = $Credential; + } + + ##TODO - Mock the Get-Cmdlet to return an instance + Mock -CommandName Get-Cmdlet -MockWith { + return @{ + + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + ##TODO - Replace the Remove-Cmdlet by the appropriate one + Should -Invoke -CommandName Remove-Cmdlet -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ##TODO - Add Parameters + Ensure = 'Present' + Credential = $Credential; + } + + ##TODO - Mock the Get-Cmdlet to return the desired values + Mock -CommandName Get-Cmdlet -MockWith { + return @{ + + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ##TODO - Add Parameters + Ensure = 'Present' + Credential = $Credential; + } + + ##TODO - Mock the Get-Cmdlet to return a drift + Mock -CommandName Get-Cmdlet -MockWith { + return @{ + + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test 
method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + ##TODO - Replace the Update-Cmdlet by the appropriate one + Should -Invoke -CommandName Update-Cmdlet -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + ##TODO - Mock the Get-Cmdlet to return an instance + Mock -CommandName Get-Cmdlet -MockWith { + return @{ + + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope From 8bb42e7302670d5e84bd75561a3805b0e8b6c732 Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Mon, 4 Nov 2024 12:19:09 +0530 Subject: [PATCH 05/23] Added Examples/Unit Tests --- .../MSFT_EXOActiveSyncMailboxPolicy.psm1 | 3 + .../EXOActiveSyncMailboxPolicy/1-Create.ps1 | 89 ++++ .../EXOActiveSyncMailboxPolicy/2-Update.ps1 | 89 ++++ .../EXOActiveSyncMailboxPolicy/3-Remove.ps1 | 89 ++++ ...65DSC.EXOActiveSyncMailboxPolicy.Tests.ps1 | 201 ++++++++ Tests/Unit/Stubs/Microsoft365.psm1 | 488 ++++++++++++++++++ 6 files changed, 959 insertions(+) create mode 100644 Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/2-Update.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/3-Remove.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOActiveSyncMailboxPolicy.Tests.ps1 
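Review bot: Nothing in `BeforeAll` mocks `Invoke-M365DSCDefenderREST`, the helper the resource's Export-TargetResource calls, so the ReverseDSC context would attempt a real request to the Defender API instead of running offline. I would add `Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { ... }` returning an object with a `value` array, and assert on that mock in the Set tests. The contexts still carry the template placeholders (`Get-Cmdlet`, `New-Cmdlet`, `Remove-Cmdlet`, `Update-Cmdlet` and the `##TODO` markers), which are not commands the resource uses. Every `$testParams` also omits `Name`, which Test-TargetResource declares as mandatory, so the assertions as written cannot exercise the resource.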
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.psm1 index 70596c034d..80cee1cb8b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.psm1 @@ -4,6 +4,7 @@ [OutputType([System.Collections.Hashtable])] param ( + [Parameter()] [System.String] $Name, @@ -368,6 +369,7 @@ function Set-TargetResource [CmdletBinding()] param ( + [Parameter()] [System.String] $Name, @@ -661,6 +663,7 @@ function Test-TargetResource [OutputType([System.Boolean])] param ( + [Parameter()] [System.String] $Name, diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/1-Create.ps1 new file mode 100644 index 0000000000..4c34aae2a4 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/1-Create.ps1 
@@ -0,0 +1,89 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $True; + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + Credential = $Credscredential; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + 
MinDevicePasswordLength = 1; + Name = "Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = @(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/2-Update.ps1 new file mode 100644 index 0000000000..5f302e6f28 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/2-Update.ps1 
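Review bot: `Credential = $Credscredential;` reads a variable the configuration never declares, since the `param` block only has `$ApplicationId`, `$TenantId` and `$CertificateThumbprint`. The example therefore passes an empty credential alongside the certificate parameters, and the line should be dropped. The block also sets `IsDefault = $True;` and `IsDefaultPolicy = $True;` on a policy with `DevicePasswordEnabled = $False` and `RequireDeviceEncryption = $False`. Applying the example as written would presumably make a password-less, unencrypted policy the default, so I would set both flags to `$False` in a test example. The `$Credscredential` line is repeated in 2-Update.ps1 and 3-Remove.ps1, and the default flags in 2-Update.ps1.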
@@ -0,0 +1,89 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $False; #drift + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + Credential = $Credscredential; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + 
MinDevicePasswordLength = 1; + Name = "Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = @(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/3-Remove.ps1 new file mode 100644 index 0000000000..cc30474b2d --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/3-Remove.ps1 
@@ -0,0 +1,89 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $True; + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + Credential = $Credscredential; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + 
MinDevicePasswordLength = 1; + Name = "Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = @(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOActiveSyncMailboxPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOActiveSyncMailboxPolicy.Tests.ps1 new file mode 100644 index 0000000000..a938cb468b --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOActiveSyncMailboxPolicy.Tests.ps1 
@@ -0,0 +1,201 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-ActiveSyncMailboxPolicy -MockWith { + return $null + } + + Mock -CommandName Set-ActiveSyncMailboxPolicy -MockWith { + return $null + } + + Mock -CommandName Remove-ActiveSyncMailboxPolicy -MockWith { + return $null + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Ensure = 'Present' + Identity = 'FakeStringValue' + Credential = $Credential; + } + + Mock -CommandName 
Get-ActiveSyncMailboxPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-ActiveSyncMailboxPolicy -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Ensure = 'Absent' + Identity = 'FakeStringValue' + Credential = $Credential; + } + + Mock -CommandName Get-ActiveSyncMailboxPolicy -MockWith { + return @{ + Identity = 'FakeStringValue' + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-ActiveSyncMailboxPolicy -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Ensure = 'Present' + Identity = 'FakeStringValue' + Name = 'FakeStringValue' + AllowHTMLEmail = $true + ApprovedApplicationList = @('FakeStringValue1', 'FakeStringValue2') + DevicePasswordHistory = 5 + Credential = $Credential; + } + + Mock -CommandName Get-ActiveSyncMailboxPolicy -MockWith { + return @{ + Identity = 'FakeStringValue' + Name = 'FakeStringValue' + AllowHTMLEmail = $true + ApprovedApplicationList = @('FakeStringValue1', 'FakeStringValue2') + DevicePasswordHistory = 5 + } + } + + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + 
BeforeAll { + $testParams = @{ + Ensure = 'Present' + Identity = 'FakeStringValue' + Name = 'FakeStringValue' + AllowHTMLEmail = $true + ApprovedApplicationList = @('FakeStringValue1', 'FakeStringValue2') + DevicePasswordHistory = 5 + Credential = $Credential; + } + + Mock -CommandName Get-ActiveSyncMailboxPolicy -MockWith { + return @{ + Identity = 'FakeStringValue' + Name = 'FakeStringValue' + AllowHTMLEmail = $true + ApprovedApplicationList = @('FakeStringValue1') #drift + DevicePasswordHistory = 5 + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-ActiveSyncMailboxPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-ActiveSyncMailboxPolicy -MockWith { + return @{ + Identity = 'FakeStringValue' + Name = 'FakeStringValue' + AllowHTMLEmail = $true + ApprovedApplicationList = @('FakeStringValue1', 'FakeStringValue2') + DevicePasswordHistory = 5 + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index 7a3ce5eea9..de5299fac1 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 
@@ -1703,6 +1703,17 @@ function Get-ActiveSyncDevice
 $ResultSize
 )
 }
+
+function Get-ActiveSyncMailboxPolicy
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.Object]
+ $Identity
+ )
+}
+
 function Get-ActiveSyncDeviceAccessRule
 {
 [CmdletBinding()]
@@ -4496,6 +4507,233 @@ function New-ActiveSyncDeviceAccessRule $AccessLevel ) } + +function New-ActiveSyncMailboxPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, + + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, + + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, + + [Parameter()] + [System.Boolean] + $AllowIrDA, + + [Parameter()] + [System.Boolean] + $AllowStorageCard, + + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, + + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, + + [Parameter()] + [System.Object] + $UnapprovedInROMApplicationList, + + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $AllowInternetSharing, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Object] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Object] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.Object] + $DevicePasswordExpiration, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $AllowCamera, + + [Parameter()] + [System.Object] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.Object] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, + + [Parameter()] + [System.Object] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.Object] + $AllowBluetooth, + + [Parameter()] + [System.Object] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Object] + $DevicePolicyRefreshInterval, + + 
[Parameter()] + [System.Boolean] + $AllowMobileOTAUpdate, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Object] + $MaxAttachmentSize, + + [Parameter()] + [System.Boolean] + $AllowConsumerEmail, + + [Parameter()] + [System.Boolean] + $AllowDesktopSync, + + [Parameter()] + [System.Object] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, + + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, + + [Parameter()] + [System.Object] + $MaxEmailAgeFilter, + + [Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Object] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.Boolean] + $AllowWiFi, + + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, + + [Parameter()] + [System.Object] + $ApprovedApplicationList, + + [Parameter()] + [System.Boolean] + $AllowTextMessaging, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, + + [Parameter()] + [System.Object] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $IrmEnabled + ) +} + function New-AddressBookPolicy { [CmdletBinding()] 
@@ -8633,6 +8871,25 @@ function Remove-ActiveSyncDevice
 $Identity
 )
 }
+
+function Remove-ActiveSyncMailboxPolicy
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $Confirm,
+
+ [Parameter()]
+ [System.Object]
+ $Identity,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $Force
+ )
+}
+
 function Remove-ActiveSyncDeviceAccessRule
 {
 [CmdletBinding()]
@@ -9568,6 +9825,237 @@ function Set-ActiveSyncDeviceAccessRule $AccessLevel ) } + +function Set-ActiveSyncMailboxPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, + + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, + + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, + + [Parameter()] + [System.Boolean] + $AllowIrDA, + + [Parameter()] + [System.Boolean] + $AllowStorageCard, + + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, + + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, + + [Parameter()] + [System.Object] + $UnapprovedInROMApplicationList, + + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $AllowInternetSharing, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Object] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Object] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.Object] + $DevicePasswordExpiration, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $AllowCamera, + + [Parameter()] + [System.Object] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.Object] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, + + [Parameter()] + [System.Object] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.Object] + $AllowBluetooth, + + [Parameter()] + [System.Object] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Object] + $DevicePolicyRefreshInterval, + + 
[Parameter()] + [System.Boolean] + $AllowMobileOTAUpdate, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Object] + $MaxAttachmentSize, + + [Parameter()] + [System.Boolean] + $AllowConsumerEmail, + + [Parameter()] + [System.Boolean] + $AllowDesktopSync, + + [Parameter()] + [System.Object] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, + + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, + + [Parameter()] + [System.Object] + $MaxEmailAgeFilter, + + [Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Object] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.Boolean] + $AllowWiFi, + + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, + + [Parameter()] + [System.Object] + $ApprovedApplicationList, + + [Parameter()] + [System.Boolean] + $AllowTextMessaging, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, + + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Object] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $IrmEnabled + ) +} + function Set-AddressBookPolicy { [CmdletBinding()] From 0bf7073d4091d3cb9ee69a704ae9ad2de249fcab Mon Sep 17 00:00:00 2001 
From: "Kartikeya Saxena (from Dev Box)" Date: Mon, 4 Nov 2024 12:20:53 +0530 Subject: [PATCH 06/23] Added Change Logs --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c81516ac05..76e2bd491f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -75,6 +75,8 @@ * Initial release. * AzureVerifiedIdFaceCheck * Initial release. +* EXOActiveSyncMailboxPolicy + * Initial release. * EXOArcConfig * Fixed `Test-TargetResource` to correctly check property `ArcTrustedSealers` when it has an array From 814575aacbeb713da2927d74684a88cbe4a47205 Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Mon, 4 Nov 2024 12:32:19 +0530 Subject: [PATCH 07/23] Added Settings.json --- .../settings.json | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/settings.json diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/settings.json new file mode 100644 index 0000000000..e9afb65af6 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/settings.json @@ -0,0 +1,31 @@ +{ + "resourceName": "EXOActiveSyncMailboxPolicy", + "description": "", + "roles": { + "read": [ + "Global Reader" + ], + "update": [ + "Exchange Administrator" + ] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + }, + "exchange": { + "requiredroles": [ + "Organization Client Access", + "View-Only Configuration" + ], + "requiredrolegroups": "Organization Management" + } + } +} From 7d28b559df7aa6482c7f81ad620c0f63fcbf71ac Mon Sep 17 00:00:00 2001 
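Review bot: In the new `settings.json`, `requiredrolegroups` is set to `Organization Management` although the two entries under `requiredroles` are only `Organization Client Access` and `View-Only Configuration`. If operators use this file to decide what to grant the identity that runs the resource, the role group is much broader than those two roles. I would name the narrowest role group that carries them, or say in the resource's readme why the broad one is needed. `description` is also left as an empty string; a short summary such as `"description": "Manages Exchange Online ActiveSync mailbox policies."` would tell a reader what the permissions are for.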
From: Fabien Tschanz Date: Mon, 4 Nov 2024 12:10:18 +0100 Subject: [PATCH 08/23] Update values in UserSelectionType --- CHANGELOG.md | 3 + ...tectionLocalUserGroupMembershipPolicy.psm1 | 156 ++----- ...nLocalUserGroupMembershipPolicy.schema.mof | Bin 8630 -> 8790 bytes ...onLocalUserGroupMembershipPolicy.Tests.ps1 | 398 ++++-------------- 4 files changed, 130 insertions(+), 427 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c81516ac05..e7f19433f1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -91,6 +91,9 @@ * Fixed `Test-TargetResource` to correctly mark when this resource is removed * EXOTenantAllowBlockListSpoofItems * Initial release. +* IntuneAccountProtectionLocalUserGroupMembershipPolicy + * Updates values in `UserSelectionType`. + FIXES [#5318](https://github.com/microsoft/Microsoft365DSC/issues/5318) * IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr * Initial release. * IntuneAppCategory diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 index a8801b1bb8..f5694dd4bc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 @@ -92,7 +92,7 @@ function Get-TargetResource { $policy = Get-MgBetaDeviceManagementConfigurationPolicy -Filter "Name eq '$DisplayName'" -ErrorAction SilentlyContinue - if(([array]$devicePolicy).count -gt 1) + if(([array]$devicePolicy).Count -gt 1) { throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" } 
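Review bot: The duplicate-name guard touched in the `@@ -92,7 +92,7 @@` hunk counts `$devicePolicy`, but the lookup on the line directly above stores its result in `$policy`. Unless `$devicePolicy` is assigned somewhere outside the hunk, the count is taken over an empty value and the `throw` for a duplicated display name can never fire. Later code would then work with whatever the filter returned, possibly several policies. While the line is being edited it should read `if (([array]$policy).Count -gt 1)`. Get-TargetResource starts and ends outside the hunk.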
@@ -109,7 +109,7 @@ function Get-TargetResource #Retrieve policy specific settings - $Identity = $policy.id + $Identity = $policy.Id [array]$settings = $policy.settings $returnHashtable = @{} @@ -295,12 +295,12 @@ function Set-TargetResource $settings = Get-M365DSCIntuneDeviceConfigurationSettings -Properties ([System.Collections.Hashtable]$PSBoundParameters) $createParameters = @{} - $createParameters.add('name', $DisplayName) - $createParameters.add('description', $Description) - $createParameters.add('settings', @($settings)) - $createParameters.add('platforms', $platforms) - $createParameters.add('technologies', $technologies) - $createParameters.add('templateReference', @{ + $createParameters.Add('name', $DisplayName) + $createParameters.Add('description', $Description) + $createParameters.Add('settings', @($settings)) + $createParameters.Add('platforms', $platforms) + $createParameters.Add('technologies', $technologies) + $createParameters.Add('templateReference', @{ templateId = $templateReferenceId }) $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters @@ -323,11 +323,11 @@ function Set-TargetResource $settings = Get-M365DSCIntuneDeviceConfigurationSettings -Properties ([System.Collections.Hashtable]$PSBoundParameters) - Update-DeviceManagementConfigurationPolicy ` - -DeviceManagementConfigurationPolicyId $currentPolicy.Identity ` - -DisplayName $DisplayName ` + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentPolicy.Identity ` + -Name $DisplayName ` -Description $Description ` - -TemplateReference $templateReferenceId ` + -TemplateReferenceId $templateReferenceId ` -Platforms $platforms ` -Technologies $technologies ` -Settings $settings 
@@ -419,69 +419,45 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Account Protection Local User Group Membership Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters - if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) - { - Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" - throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." - } - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" - Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" - - $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() - $ValuesToCheck.Remove('Identity') | Out-Null + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() - $testResult = $true if ($CurrentValues.Ensure -ne $Ensure) { - $testResult = $false + Write-Verbose -Message "Test-TargetResource returned $false" + return $false } + $testResult = $true - #region LocalUserGroupCollection - if ($testResult) - { - if ((-not $CurrentValues.LocalUserGroupCollection) -xor (-not $ValuesToCheck.LocalUserGroupCollection)) - { - Write-Verbose -Message 'Configuration drift: one the LocalUserGroupCollection is null' - return $false - } + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" - if ($CurrentValues.LocalUserGroupCollection) + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') { - if ($CurrentValues.LocalUserGroupCollection.count -ne $ValuesToCheck.LocalUserGroupCollection.count) 
+ if ($source.UserSelectionType -eq 'add_replace') { - Write-Verbose -Message "Configuration drift: Number of LocalUserGroupCollection has changed - current {$($CurrentValues.LocalUserGroupCollection.count)} target {$($ValuesToCheck.LocalUserGroupCollection.count)}" - return $false + Write-Warning -Message "The UserSelectionType 'add_replace' is not supported anymore. It will be converted to 'add_restrict'" + $source.UserSelectionType = 'add_restrict' } - for ($i = 0; $i -lt $CurrentValues.LocalUserGroupCollection.count; $i++) - { - $source = $ValuesToCheck.LocalUserGroupCollection[$i] - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $CurrentValues.LocalUserGroupCollection[$i] + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) - if (-not $testResult) - { - $testResult = $false - break - } + if (-not $testResult) + { + break } + + $ValuesToCheck.Remove($key) | Out-Null } - if (-not $testResult) - { - return $false - } - $ValuesToCheck.Remove('LocalUserGroupCollection') | Out-Null } - #endregion - #region Assignments - if ($testResult) - { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments - $target = $CurrentValues.Assignments - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target - $ValuesToCheck.Remove('Assignments') | Out-Null - } - #endregion + $ValuesToCheck.Remove('Identity') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck if ($testResult) { 
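Review bot: In the new `foreach ($key in $PSBoundParameters.Keys)` loop, `$source` is the whole bound value, and for `LocalUserGroupCollection` that appears to be an array (the removed code indexed it with `[$i]`). On an array, `$source.UserSelectionType -eq 'add_replace'` filters the enumerated values, and `$source.UserSelectionType = 'add_restrict'` fails because PowerShell member enumeration does not support assignment, so the conversion should run per element. The property is also worth confirming: the test fixture in this patch uses `add_restrict` as an `Action` value and `users` as `UserSelectionType`, so the check may need to read `Action`. The same check is added in the `@@ -714,6 +690,11 @@` hunk of `Get-M365DSCIntuneDeviceConfigurationSettings`. Test-TargetResource starts and ends outside the hunk.

```powershell
if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
{
    # Convert the retired value element by element; property assignment does not fan out over an array.
    foreach ($item in @($source))
    {
        if ($item.UserSelectionType -eq 'add_replace')
        {
            Write-Warning -Message "The UserSelectionType 'add_replace' is not supported anymore. It will be converted to 'add_restrict'"
            $item.UserSelectionType = 'add_restrict'
        }
    }
    # … unchanged: Compare-M365DSCComplexObject call, break on mismatch, $ValuesToCheck.Remove($key) …
```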
@@ -714,6 +690,11 @@ function Get-M365DSCIntuneDeviceConfigurationSettings } foreach ($groupConfiguration in $Properties.LocalUserGroupCollection) { + if ($groupConfiguration.UserSelectionType -eq 'add_replace') + { + Write-Warning -Message "The UserSelectionType 'add_replace' is not supported anymore. It will be converted to 'add_restrict'" + $groupConfiguration.UserSelectionType = 'add_restrict' + } $groupDefaultValue = @{ children = @( @{ @@ -783,57 +764,4 @@ function Get-M365DSCIntuneDeviceConfigurationSettings return $defaultValue } -function Update-DeviceManagementConfigurationPolicy -{ - [CmdletBinding()] - param ( - [Parameter(Mandatory = 'true')] - [System.String] - $DeviceManagementConfigurationPolicyId, - - [Parameter(Mandatory = 'true')] - [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.String] - $TemplateReferenceId, - - [Parameter()] - [System.String] - $Platforms, - - [Parameter()] - [System.String] - $Technologies, - - [Parameter()] - [System.Array] - $Settings - ) - - $templateReference = @{ - 'templateId' = $TemplateReferenceId - } - - $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/ConfigurationPolicies/$DeviceManagementConfigurationPolicyId" - $policy = @{ - 'name' = $DisplayName - 'description' = $Description - 'platforms' = $Platforms - 'technologies' = $Technologies - 'settings' = $Settings - 'templateReference' = $templateReference - } - - Invoke-MgGraphRequest -Method PUT ` - -Uri $Uri ` - -ContentType 'application/json' ` - -Body ($policy | ConvertTo-Json -Depth 20) 4> $null -} - Export-ModuleMember -Function *-TargetResource 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.schema.mof index f41b644e83ed7ccf052d2d520951905d687a3a29..0dcc2f322c5326a63d346216a9cc4d7c383fd982 100644 GIT binary patch delta 168 zcmdnye9dLUDjr@120w;;h7yKU1}g@I$@#qE)(Q-n48;rzKwQdD02D6*vQimRz*vDH ziJ=lGmk8viFvJ7pQh~B1Ksu8lnW1E|pp@+7V?1H9IzTl_I92hpOM+BM<54xao>g-5 I99}6A06KUixBvhE delta 32 kcmccSvdwwJDxS$pgk&bG@rF$nViyC`EvzD&ZTO@_0LG~bGynhq diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 index 3b8962f91a..50196c8309 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 
@@ -55,6 +55,88 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } }) } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' + Description = 'My Test Description' + Name = 'My Test' + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' + 'groupSettingCollectionValue' = @( + @{ + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' + 'simpleSettingCollectionValue' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' + } + ) + } + ) + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 
'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' + 'children' = @() + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' + 'choiceSettingCollectionValue' = @( + @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' + 'children' = @() + } + ) + } + ) + } + ) + } + ) + } + ) + } + } + AdditionalProperties = $null + } + TemplateReference = @{ + TemplateId = '22968f54-45fa-486c-848e-f8224aa69772_1' + } + } + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { } 
@@ -130,90 +212,11 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalUserGroupCollection -Property @{ LocalGroups = @('administrators') Members = @('S-1-12-1-1167842105-1150511762-402702254-1917434032') - Action = 'add_update' + Action = 'add_restrict' # Drift UserSelectionType = 'users' } -ClientOnly) ) } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( 
- @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'Non-existant value' - } - ) - } - ) - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_remove_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_users' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) - } - } - AdditionalProperties = $null - } - } - } - - - Mock -CommandName Update-DeviceManagementConfigurationPolicy -MockWith { - } } It 'Should return Present from the Get method' { @@ -226,7 +229,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should update the instance from the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName Update-DeviceManagementConfigurationPolicy -Exactly 1 + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 } } 
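Review bot: The drift case edited in the `@@ -130,90 +212,11 @@` hunk now sets `Action = 'add_restrict'`, but none of the fixtures visible in this patch passes the retired `add_replace` value. The conversion and warning that the same commit adds to the resource are therefore not exercised by these tests. A further `Context` whose `$testParams` carries `'add_replace'`, asserting the result of `Test-TargetResource` and that `Set-TargetResource` still invokes `Update-IntuneDeviceConfigurationPolicy` exactly once, would pin that behaviour. The enclosing `Describe` block starts and ends outside the hunk.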
@@ -254,81 +257,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } -ClientOnly) ) } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' - } - ) - } - ) - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 
'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) - } - } - AdditionalProperties = $null - } - } - } } It 'Should return true from the Test method' { 
@@ -360,81 +288,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Absent' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' - } - ) - } - ) - } - }, - @{ - '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) - } - } - AdditionalProperties = $null - } - } - } } It 'Should return Present from the Get method' { 
@@ -458,92 +311,11 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Credential = $Credential } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - TemplateReference = @{ - TemplateId = '5dd36540-eb22-4e7e-b19c-2a07772ba627_1' - } - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' - } - ) - } - 
) - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' - 'children' = @() - }, - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_users' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) - } - } - AdditionalProperties = $null - } - } - } } It 'Should Reverse Engineer resource from the Export method' { $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty } } } From 05a07db4bfcec17888035e556ef574e9c37a6cda Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 4 Nov 2024 09:17:01 -0500 Subject: [PATCH 09/23] Updated --- ...nderDeviceAuthenticatedScanDefinition.psm1 | 89 +++++++++++++++---- ...viceAuthenticatedScanDefinition.schema.mof | 18 ++++ 2 files changed, 91 insertions(+), 16 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1 index 65c0fb220c..366c2aa6ac 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1 @@ -32,6 +32,10 @@ function Get-TargetResource [Microsoft.Management.Infrastructure.CimInstance] $ScannerAgent, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScanAuthenticationParams, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] 
@@ -119,22 +123,41 @@ function Get-TargetResource machineName = $instance.scannerAgent.machineName } } + $ScanAuthenticationParamsValue = $null + if ($null -ne $instance.scanAuthenticationParams) + { + $ScanAuthenticationParamsValue = @{ + "@odata.context" = $instance.scanAuthenticationParams."@odata.context" + Type = $instance.scanAuthenticationParams.type + KeyVaultUrl = $instance.scanAuthenticationParams.keyVaultUrl + KeyVaultSecretName = $instance.scanAuthenticationParams.keyVaultSecretName + Domain = $instance.scanAuthenticationParams.Domain + Username = $instance.scanAuthenticationParams.Username + IsGMSAUser = $instance.scanAuthenticationParams.IsGMSAUser + CommunityString = $instance.scanAuthenticationParams.CommunityString + AuthProtocol = $instance.scanAuthenticationParams.AuthProtocol + AuthPassword = $instance.scanAuthenticationParams.AuthPassword + PrivProtocol = $instance.scanAuthenticationParams.PrivProtocol + PrivPassword = $instance.scanAuthenticationParams.PrivPassword + } + } $results = @{ - Name = $instance.scanName - Id = $instance.id - IntervalInHours = $instance.intervalInHours - Target = $instance.Target - IsActive = $instance.isActive - ScanType = $instance.scanType - ScannerAgent = $ScannerAgentValue - Ensure = 'Present' - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint - ManagedIdentity = $ManagedIdentity.IsPresent - AccessTokens = $AccessTokens + Name = $instance.scanName + Id = $instance.id + IntervalInHours = $instance.intervalInHours + Target = $instance.Target + IsActive = $instance.isActive + ScanType = $instance.scanType + ScannerAgent = $ScannerAgentValue + ScanAuthenticationParams = $ScanAuthenticationParamsValue + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens } return 
[System.Collections.Hashtable] $results } @@ -184,6 +207,10 @@ function Set-TargetResource [Microsoft.Management.Infrastructure.CimInstance] $ScannerAgent, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScanAuthenticationParams, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] @@ -235,7 +262,8 @@ function Set-TargetResource target = $Target intervalInHours = $IntervalInHours scannerAgent = @{ - machineId = $ScannerAgent.machineId + machineName = $ScannerAgent.machineName + id = $ScannerAgent.id } targetType = 'Ip' scanAuthenticationParams = @{} @@ -243,7 +271,7 @@ function Set-TargetResource # CREATE if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { - Write-Verbose -Message "Creating new device authenticated scan definition {$Name}" + Write-Verbose -Message "Creating new device authenticated scan definition {$Name} with payload:`r`n$(ConvertTo-Json $instanceParams -Depth 10)" $response = Invoke-M365DSCDefenderREST -Uri 'https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions' ` -Method POST ` -Body $instanceParams @@ -296,6 +324,10 @@ function Test-TargetResource [Microsoft.Management.Infrastructure.CimInstance] $ScannerAgent, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScanAuthenticationParams, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] 
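Review bot: `AuthPassword`, `PrivPassword` and `CommunityString` are copied into `$ScanAuthenticationParamsValue` as plain strings, so whatever the service returns for them lands in the Get result. Through the Export-TargetResource hunk further down, it then reaches the generated configuration and the partial export file. The schema hunk declares the same three fields as `String`, so a configuration that sets them keeps the secret in clear text in the compiled MOF. If the API does return these values, I would leave them out of the Get result (exporting only `KeyVaultUrl`/`KeyVaultSecretName`) and model the passwords as `MSFT_Credential` embedded instances, the way `Credential` already is. Get-TargetResource starts and ends outside this hunk.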
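Review bot: The request body still sends `scanAuthenticationParams = @{}`, so the `ScanAuthenticationParams` parameter added to Set-TargetResource in the previous hunk is accepted but never reaches the API. A configuration that declares authentication settings would create a scan definition without them, and Test-TargetResource would presumably keep reporting drift afterwards. Either map the CIM instance into the payload here or leave the parameter out until it is wired up. The payload hashtable starts outside this hunk.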
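Review bot: The new verbose message serialises the whole `$instanceParams` body. That is harmless while `scanAuthenticationParams` is empty, but it will write `AuthPassword`, `PrivPassword` and `CommunityString` to the verbose stream, and to any transcript or DSC log that captures it, as soon as that field is populated. I would log a copy of the payload with the authentication block replaced by a marker such as `'<redacted>'` before calling `ConvertTo-Json`, or keep the original message `"Creating new device authenticated scan definition {$Name}"`.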
@@ -482,12 +514,36 @@ function Export-TargetResource $Results.Remove('ScannerAgent') | Out-Null } } + + if ($Results.ScanAuthenticationParams) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.ScanAuthenticationParams -CIMInstanceName DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams + if ($complexTypeStringResult) + { + $Results.ScanAuthenticationParams = $complexTypeStringResult + } + else + { + $Results.Remove('ScanAuthenticationParams') | Out-Null + } + } + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` -Results $Results ` -Credential $Credential + if ($Results.ScanAuthenticationParams) + { + $isCIMArray = $false + if ($Results.ScanAuthenticationParams.getType().Fullname -like '*[[\]]') + { + $isCIMArray = $true + } + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ScanAuthenticationParams' -IsCIMArray:$isCIMArray + } + if ($Results.ScannerAgent) { $isCIMArray = $false @@ -497,6 +553,7 @@ function Export-TargetResource } $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ScannerAgent' -IsCIMArray:$isCIMArray } + $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.schema.mof index c6c1b599f2..5fdc4f8d1c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.schema.mof 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.schema.mof @@ -1,3 +1,20 @@ +[ClassVersion("1.0.0.0")] +class MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams +{ + [Write, Description("Odata type associated with the request.")] String DataType; + [Write, Description("Type of scan.")] String Type; + [Write, Description("An optional property that specifies from which KeyVault the scanner should retrieve credentials. If KeyVault is specified there's no need to specify username, password.")] String KeyVaultUrl; + [Write, Description("An optional property that specifies KeyVault secret name from which the scanner should retrieve credentials. If KeyVault is specified there's no need to specify username, password.")] String KeyVaultSecretName; + [Write, Description("Domain name when using WindowsAuthParams.")] String Domain; + [Write, Description("Username when using WindowsAuthParams or the username when choosing SnmpAuthParams with any type other than CommunityString.")] String Username; + [Write, Description("Must be set to true when choosing WindowsAuthParams.")] Boolean IsGMSAUser; + [Write, Description("Community string to use when choosing SnmpAuthParams with CommunityString.")] String CommunityString; + [Write, Description("Auth protocol to use with SnmpAuthParams and AuthNoPriv or AuthPriv. Possible values are MD5, SHA1.")] String AuthProtocol; + [Write, Description("Auth password to use with SnmpAuthParams and AuthNoPriv or AuthPriv.")] String AuthPassword; + [Write, Description("Priv protocol to use with SnmpAuthParams and AuthPriv. Possible values are DES, 3DES, AES.")] String PrivProtocol; + [Write, Description("Priv password to use with SnmpAuthParams and AuthPriv.")] String PrivPassword; +}; + [ClassVersion("1.0.0.0")] class MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent { 
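Review bot: The class declares a `DataType` property, but the Get-TargetResource hunk in the .psm1 fills the hashtable with a key named `"@odata.context"`, and no property of that name exists here. `Get-M365DSCDRGComplexTypeToString` presumably emits one entry per hashtable key, so the export would either lose the value or produce a property this class cannot accept. The two sides should agree, for example by using `DataType = $instance.scanAuthenticationParams."@odata.context"` in Get-TargetResource.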
@@ -16,6 +33,7 @@ class MSFT_DefenderDeviceAuthenticatedScanDefinition : OMI_BaseResource [Write, Description("Determines if the scan definition is active or not.")] Boolean IsActive; [Write, Description("Type of scan.")] String ScanType; [Write, Description("Information about the associated scan agent."), EmbeddedInstance("MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent")] String ScannerAgent; + [Write, Description("Authentication parameters."), EmbeddedInstance("MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams")] String ScanAuthenticationParams; [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; From 0712dd445bffeaa76407f1778f09197030beb54b Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 4 Nov 2024 10:44:43 -0500 Subject: [PATCH 10/23] Subscription Updates --- .../MSFT_AzureSubscription.psm1 | 25 +++++++++++-------- .../MSFT_AzureSubscription.schema.mof | 2 +- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1 index d3076e1a9c..231b8fb33c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1 @@ -13,8 +13,8 @@ function Get-TargetResource $Id, [Parameter()] - [System.Boolean] - $Enabled, + [System.String] + $State, [Parameter()] [ValidateSet('Present', 'Absent')] 
@@ -95,7 +95,7 @@ function Get-TargetResource $results = @{ Name = $instance.Name Id = $instance.Id - Enabled = $instance.Enabled + State = $instance.State Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId @@ -133,8 +133,8 @@ function Set-TargetResource $Id, [Parameter()] - [System.Boolean] - $Enabled, + [System.String] + $State, [Parameter()] [ValidateSet('Present', 'Absent')] @@ -188,12 +188,14 @@ function Set-TargetResource # UPDATE elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { - if ($Enabled) + if ($State -eq 'Enabled') { + Write-Verbose -Message "Enabling subscription {$Name}" Enable-AzSubscription -Id $currentInstance.Id | Out-Null } elseif (-not $Enabled) { + Write-Verbose -Message "Disabling subscription {$Name}" Disable-AzSubscription -Id $currentInstance.Id | Out-Null } } @@ -219,8 +221,8 @@ function Test-TargetResource $Id, [Parameter()] - [System.Boolean] - $Enabled, + [System.String] + $State, [Parameter()] [ValidateSet('Present', 'Absent')] @@ -315,8 +317,7 @@ function Export-TargetResource $AccessTokens ) - ##TODO - Replace workload - $ConnectionMode = New-M365DSCConnection -Workload 'Workload' ` + $ConnectionMode = New-M365DSCConnection -Workload 'Azure' ` -InboundParameters $PSBoundParameters #Ensure the proper dependencies are installed in the current environment. @@ -348,6 +349,10 @@ function Export-TargetResource } foreach ($config in $Script:exportedInstances) { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } $displayedKey = $config.Name Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline $params = @{ diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof index 3d74c750c9..b21c8b977a 100644 
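Review bot: The `elseif (-not $Enabled)` branch still tests `$Enabled`, which this commit removes from the parameter list, so it is always `$null`. The branch therefore runs for every `State` other than `'Enabled'`, including when `State` is not specified at all, and disables the subscription on updates where the caller never asked for that. Compare against the new parameter instead, e.g. `elseif ($State -eq 'Disabled')` (or whichever value the service reports). A `ValidateSet` on `State` would make unexpected values fail early. Set-TargetResource begins and ends outside the hunk.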
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof @@ -3,7 +3,7 @@ class MSFT_AzureSubscription : OMI_BaseResource { [Key, Description("The display name of the subscription.")] String Name; [Write, Description("The unique identifier of the subscription.")] String Id; - [Write, Description("Enables or disables the subscription")] Boolean Enabled; + [Write, Description("Enables or disables the subscription.")] String State; [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present"}, Values{"Present"}] string Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; From 0397973263b725b80e27e6589985cda12d8980d9 Mon Sep 17 00:00:00 2001 From: Fabien Tschanz Date: Mon, 4 Nov 2024 20:06:26 +0100 Subject: [PATCH 11/23] Fix limited result issue with more than 25 results --- CHANGELOG.md | 2 ++ .../MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c81516ac05..38c0e2dccc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -112,6 +112,8 @@ * Initial release. * IntuneSecurityBaselineDefenderForEndpoint * Initial release. +* IntuneSettingCatalogCustomPolicyWindows10 + * Fixes an issue with limited results when more than 25 results are present. * Intune workload * Fixed missing permissions in settings.json * M365DSCRuleEvaluation 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 index 59073b882e..0893638321 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 @@ -111,6 +111,7 @@ function Get-TargetResource { $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` -Filter "Name eq '$Name' and Platforms eq 'windows10' and Technologies eq 'mdm' and TemplateReference/TemplateFamily eq 'none'" ` + -All ` -ErrorAction SilentlyContinue if ($getValue.Count -gt 1) @@ -930,7 +931,7 @@ function Update-IntuneDeviceConfigurationPolicy try { $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/configurationPolicies/$DeviceManagementConfigurationPolicyId" - + $policy = @{ 'name' = $Name 'description' = $Description From 55f327d996eaffbea6d268258f9537ec97d90013 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 4 Nov 2024 14:08:49 -0500 Subject: [PATCH 12/23] Ready for Review --- CHANGELOG.md | 2 + .../MSFT_AzureSubscription.psm1 | 163 ++++++++++++------ .../MSFT_AzureSubscription.schema.mof | 5 +- .../Resources/AzureSubscription/1-Create.ps1 | 35 ++++ .../Resources/AzureSubscription/2-Update.ps1 | 15 +- ...icrosoft365DSC.AzureSubscription.Tests.ps1 | 106 +++++++++--- 6 files changed, 232 insertions(+), 94 deletions(-) create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/1-Create.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index c81516ac05..2adbe2936c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -73,6 +73,8 @@ * Initial release. * AzureDiagnosticSettingsCustomSecurityAttribute * Initial release. +* AzureSubscription + * Renamed parameters and added logic flow to create new subscriptions. * AzureVerifiedIdFaceCheck * Initial release. * EXOArcConfig diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1 index 231b8fb33c..8683cb40b8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1 @@ -6,15 +6,19 @@ function Get-TargetResource ( [Parameter(Mandatory = $true)] [System.String] - $Name, + $DisplayName, [Parameter()] [System.String] $Id, + [Parameter(Mandatory = $true)] + [System.String] + $InvoiceSectionId, + [Parameter()] [System.String] - $State, + $Status, [Parameter()] [ValidateSet('Present', 'Absent')] 
@@ -69,22 +73,28 @@ function Get-TargetResource { if (-not [System.String]::IsNullOrEmpty($Id)) { - $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Id} } elseif ($null -eq $instance -and -not [System.String]::IsNullOrEmpty($Name)) { - $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name} + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.properties.displayName -eq $DisplayName -and ` + $_.properties.invoiceSectionId -eq $InvoiceSectionId} } } else { if (-not [System.String]::IsNullOrEmpty($Id)) { - $instance = Get-AzSubscription -SubscriptionId $Id + $uri = "https://management.azure.com$($InvoiceSectionId)/billingSubscriptions/$($Id)?api-version=2024-04-01" + $response = Invoke-AzRest -Uri $uri -Method Get + $instance = (ConvertFrom-Json $response.Content).value } - elseif ($null -eq $instance -and -not [System.String]::IsNullOrEmpty($Name)) + elseif ($null -eq $instance -and -not [System.String]::IsNullOrEmpty($DisplayName)) { - $instance = Get-AzSubscription -SubscriptionName $Name + $uri = "https://management.azure.com$($InvoiceSectionId)/billingSubscriptions?api-version=2024-04-01" + $response = Invoke-AzRest -Uri $uri -Method Get + $instances = (ConvertFrom-Json $response.Content).value + $instance = $instances | Where-Object -FilterScript {$_.properties.displayName -eq $DisplayName} } } if ($null -eq $instance) @@ -93,9 +103,10 @@ function Get-TargetResource } $results = @{ - Name = $instance.Name - Id = $instance.Id - State = $instance.State + DisplayName = $instance.properties.displayName + Id = $instance.name + InvoiceSectionId = $instance.properties.invoiceSectionId + Status = $instance.properties.status Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId 
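Review bot: `$InvoiceSectionId` is appended directly after the host in `"https://management.azure.com$($InvoiceSectionId)/billingSubscriptions..."` with no separator or validation, so the request only targets the Azure management endpoint when the value happens to begin with `/`. `Invoke-AzRest` presumably authenticates the call with the current session, so I would constrain the parameter, e.g. `[ValidatePattern('^/providers/Microsoft\.Billing/')]`, and build the URI from a fixed base. Separately, the export-mode `elseif` still checks `$Name`, which is no longer a parameter after the rename to `DisplayName`, so the display-name lookup is never reached there. That guard should read `-not [System.String]::IsNullOrEmpty($DisplayName)`. The function body continues outside this hunk.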
@@ -126,15 +137,19 @@ function Set-TargetResource ( [Parameter(Mandatory = $true)] [System.String] - $Name, + $DisplayName, [Parameter()] [System.String] $Id, + [Parameter(Mandatory = $true)] + [System.String] + $InvoiceSectionId, + [Parameter()] [System.String] - $State, + $Status, [Parameter()] [ValidateSet('Present', 'Absent')] @@ -183,12 +198,23 @@ function Set-TargetResource # CREATE if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { - throw "This resource cannot create new Azure subscriptions." + $uri = "https://management.azure.com/providers/Microsoft.Subscription/aliases/$((New-GUID).ToString())?api-version=2021-10-01" + $params = @{ + properties = @{ + billingScope = $InvoiceSectionId + DisplayName = $DisplayName + Workload = "Production" + } + } + $payload = ConvertTo-Json $params -Depth 10 -Compress + Write-Verbose -Message "Creating new subscription {$DisplayName} with payload:`r`n$payload" + $response = Invoke-AzRest -Uri $uri -Method PUT -Payload $payload + Write-Verbose -Message "Result: $($response.Content)" } # UPDATE elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { - if ($State -eq 'Enabled') + if ($Status -eq 'Active') { Write-Verbose -Message "Enabling subscription {$Name}" Enable-AzSubscription -Id $currentInstance.Id | Out-Null @@ -214,15 +240,19 @@ function Test-TargetResource ( [Parameter(Mandatory = $true)] [System.String] - $Name, + $DisplayName, [Parameter()] [System.String] $Id, + [Parameter(Mandatory = $true)] + [System.String] + $InvoiceSectionId, + [Parameter()] [System.String] - $State, + $Status, [Parameter()] [ValidateSet('Present', 'Absent')] 
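Review bot: The create branch never inspects `$response`; it only writes the content to the verbose stream, so a rejected PUT leaves Set-TargetResource returning normally and the failure is visible only with `-Verbose`. Check the status and surface the error, e.g. `if ($response.StatusCode -ge 300) { throw "Failed to create subscription {$DisplayName}: $($response.Content)" }`. Because the alias is a fresh `New-GUID` on every call, a second run before the subscription shows up in Get-TargetResource would presumably request another subscription, so an alias derived from `DisplayName` may be safer. The context lines of the update branch still log `{$Name}`, which is empty after the rename.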
@@ -335,51 +365,70 @@ function Export-TargetResource try { $Script:ExportMode = $true - [array] $Script:exportedInstances = Get-AzSubscription -ErrorAction Stop - $i = 1 - $dscContent = '' - if ($Script:exportedInstances.Length -eq 0) - { - Write-Host $Global:M365DSCEmojiGreenCheckMark - } - else - { - Write-Host "`r`n" -NoNewline - } - foreach ($config in $Script:exportedInstances) + $uri = 'https://management.azure.com/providers/Microsoft.Billing/billingaccounts/?api-version=2020-05-01' + $response = Invoke-AzRest -Uri $uri -Method Get + $billingAccounts = (ConvertFrom-Json $response.Content).value + + foreach ($billingAccount in $billingAccounts) { - if ($null -ne $Global:M365DSCExportResourceInstancesCount) + $uri = "https://management.azure.com/providers/Microsoft.Billing/billingaccounts/$($billingAccount.Name)/billingprofiles/?api-version=2020-05-01" + $response = Invoke-AzRest -Uri $uri -Method Get + $billingProfiles = (ConvertFrom-Json $response.Content).value + + foreach ($profile in $billingProfiles) { - $Global:M365DSCExportResourceInstancesCount++ + $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($billingAccount.name)/billingProfiles/$($profile.name)/billingSubscriptions?api-version=2024-04-01" + $response = Invoke-AzRest -Uri $uri -Method Get + $subscriptions = (ConvertFrom-Json $response.Content).value + [array] $Script:exportedInstances += $subscriptions + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $subscriptions) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + $displayedKey = $config.properties.displayName + Write-Host " |---[$i/$($subscriptions.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $config.properties.displayName + Id = $config.Name + InvoiceSectionId = 
$config.properties.invoiceSectionId + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } } - $displayedKey = $config.Name - Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline - $params = @{ - Name = $config.Name - Id = $config.Id - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint - ManagedIdentity = $ManagedIdentity.IsPresent - AccessTokens = $AccessTokens - } - - $Results = Get-TargetResource @Params - $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` - -Results $Results - - $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` - -ConnectionMode $ConnectionMode ` - -ModulePath $PSScriptRoot ` - -Results $Results ` - -Credential $Credential - $dscContent += $currentDSCBlock - Save-M365DSCPartialExport -Content $currentDSCBlock ` - -FileName $Global:PartialExportFileName - $i++ - Write-Host $Global:M365DSCEmojiGreenCheckMark } return $dscContent } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof index b21c8b977a..6087aa5fca 100644 
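Review bot: `$dscContent = ''` and `$i = 1` now sit inside the inner `foreach ($profile in $billingProfiles)` loop, so the accumulated content is reset for every billing profile and `return $dscContent` carries only the subscriptions of the last one. Move both initialisations above `foreach ($billingAccount in $billingAccounts)`. The empty-result check on `$Script:exportedInstances.Length` has the same placement problem, since it is evaluated once per profile. `$profile` also shadows PowerShell's automatic `$PROFILE` variable; a name such as `$billingProfile` avoids that.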
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof @@ -1,9 +1,10 @@ [ClassVersion("1.0.0.0"), FriendlyName("AzureSubscription")] class MSFT_AzureSubscription : OMI_BaseResource { - [Key, Description("The display name of the subscription.")] String Name; + [Key, Description("The display name of the subscription.")] String DisplayName; [Write, Description("The unique identifier of the subscription.")] String Id; - [Write, Description("Enables or disables the subscription.")] String State; + [Write, Description("The unique identifier of the invoice section associated with the subscription.")] String InvoiceSectionId; + [Write, Description("Status of the subscription.")] String Status; [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present"}, Values{"Present"}] string Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/1-Create.ps1 new file mode 100644 index 0000000000..b8bf0e6559 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/1-Create.ps1 
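Review bot: `InvoiceSectionId` is declared `[Write` here, while Get-, Set- and Test-TargetResource mark it `Mandatory = $true`. DSC expects mandatory function parameters to be `Key` or `Required` in the schema, so the resource would presumably fail schema validation or accept a configuration the functions then reject. Declaring it as `[Required, Description("The unique identifier of the invoice section associated with the subscription.")] String InvoiceSectionId;` keeps the two in step. `Status` could also carry `ValueMap`/`Values` for the states the module acts on, so a typo is caught at compile time.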
@@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureSubscription "AzureSubscription-MySubscription" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "My Subscription"; + Ensure = "Present"; + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB"; + Status = "Active"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/2-Update.ps1 index 2c95a634c1..58590ef582 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/2-Update.ps1 
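Review bot: The `InvoiceSectionId` value in this example looks like a concrete billing account, billing profile and invoice section rather than a placeholder, and the same string is repeated in 2-Update.ps1 and in the unit tests. If it comes from a real tenant it should not be published in the examples. An obviously fake scope such as `/providers/Microsoft.Billing/billingAccounts/<billingAccountId>/billingProfiles/<billingProfileId>/invoiceSections/<invoiceSectionId>` documents the format just as well.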
@@ -21,14 +21,15 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - AzureSubscription 'TestSubscription' + AzureSubscription "AzureSubscription-MySubscription" { - Name = 'MyTestSubscription' - Id = 'd620d94d-916d-4dd9-9de5-179292873e20' - Enabled = $true - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "My Subscription"; + Ensure = "Present"; + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB"; + Status = "Disabled"; #Drift + TenantId = $TenantId; } } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureSubscription.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureSubscription.Tests.ps1 index 4bde1dd612..8f94d01f58 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureSubscription.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureSubscription.Tests.ps1 
@@ -48,48 +48,91 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $Script:ExportMode = $false } # Test contexts + Context -Name "The instance doesn't exists and it should" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "Test" + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" + Status = "Active" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = "{}" + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + } + Context -Name "The instance exists and values are already in the desired state" -Fixture { BeforeAll { $testParams = @{ - Name = "Test" - Enabled = $true + DisplayName = "Test" + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" + Status = "Active" Ensure = 'Present' Credential = $Credential; } - Mock -CommandName Get-AzSubscription -MockWith { - return @( - @{ - Id = (New-Guid).ToString() - Name = 'Test' - Enabled = $true - } - ) + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = ConvertTo-Json (@{ + value = @( + @{ + name = (New-Guid).ToString() + properties = @{ + displayName = 'Test' + status = 'Active' + invoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" + } + } + ) + }) -Depth 10 + } } } It 'Should return true from the Test method' { Test-TargetResource @testParams | Should -Be $true } + + It 'Should call the Set method' { + Set-TargetResource 
@testParams + Should -Invoke -CommandName Invoke-AzRest -Exactly 1 + } } Context -Name "The instance exists and values are NOT in the desired state" -Fixture { BeforeAll { $testParams = @{ - Name = "Test" - Enabled = $true + DisplayName = "Test" + Status = "Active" + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" Ensure = 'Present' Credential = $Credential; } - Mock -CommandName Get-AzSubscription -MockWith { - return @( - @{ - Id = (New-Guid).ToString() - Name = 'Test' - Enabled = $false #drift - } - ) + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = ConvertTo-Json (@{ + value = @( + @{ + name = (New-Guid).ToString() + properties = @{ + displayName = 'Test' + status = 'Disabled' # Drift + invoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" + } + } + ) + }) -Depth 10 + } } } @@ -115,14 +158,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Credential = $Credential; } - Mock -CommandName Get-AzSubscription -MockWith { - return @( - @{ - Id = (New-Guid).ToString() - Name = 'Test' - Enabled = $false #drift - } - ) + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = ConvertTo-Json (@{ + value = @( + @{ + name = (New-Guid).ToString() + properties = @{ + displayName = 'Test' + status = 'Active' + invoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" + } + } + ) + }) -Depth 10 + } } } It 'Should Reverse Engineer resource from the Export method' { 
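Review bot: In the new context "The instance doesn't exists and it should", the test is titled `It 'Should return true from the Test method'` but asserts `Should -Be $false`; the title should read `It 'Should return false from the Test method'` so a failure report is not misleading. That context also has no test that `Set-TargetResource` issues the create request. In the "already in the desired state" context, the added `It 'Should call the Set method'` expects `Invoke-AzRest` exactly once, which cannot tell a read from a write because one mock serves every call. `Set-TargetResource` is not visible here, so this is an inference, but a `-ParameterFilter` on the request would pin the assertion to the intended call.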
From 338ec2f8498e611ba04f6ef6a42b090dee7b255a Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 4 Nov 2024 19:30:30 +0000 Subject: [PATCH 13/23] Updated Resources and Cmdlet documentation pages --- .../resources/azure-ad/AzureSubscription.md | 58 ++++++++++++++++--- 1 file changed, 49 insertions(+), 9 deletions(-) diff --git a/docs/docs/resources/azure-ad/AzureSubscription.md b/docs/docs/resources/azure-ad/AzureSubscription.md index 481e5a8eb0..8719c2f1fe 100644 --- a/docs/docs/resources/azure-ad/AzureSubscription.md +++ b/docs/docs/resources/azure-ad/AzureSubscription.md @@ -4,9 +4,10 @@ | Parameter | Attribute | DataType | Description | Allowed Values | | --- | --- | --- | --- | --- | -| **Name** | Key | String | The display name of the subscription. | | +| **DisplayName** | Key | String | The display name of the subscription. | | | **Id** | Write | String | The unique identifier of the subscription. | | -| **Enabled** | Write | Boolean | Enables or disables the subscription | | +| **InvoiceSectionId** | Write | String | The unique identifier of the invoice section associated with the subscription. | | +| **Status** | Write | String | Status of the subscription. | | | **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Present` | | **Credential** | Write | PSCredential | Credentials of the workload's Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | 
@@ -72,14 +73,53 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - AzureSubscription 'TestSubscription' + AzureSubscription "AzureSubscription-MySubscription" { - Name = 'MyTestSubscription' - Id = 'd620d94d-916d-4dd9-9de5-179292873e20' - Enabled = $true - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "My Subscription"; + Ensure = "Present"; + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB"; + Status = "Active"; + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureSubscription "AzureSubscription-MySubscription" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "My Subscription"; + Ensure = "Present"; + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB"; + Status = "Disabled"; #Drift + TenantId = $TenantId; } } } From 2d0108ff8f33ffcb907fd0450be3fe4fc2abf5fd Mon Sep 17 00:00:00 2001 
From: NikCharlebois Date: Mon, 4 Nov 2024 19:32:42 +0000 Subject: [PATCH 14/23] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 3ea4383cb2..da1e15e59e 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -10265,7 +10265,7 @@ "Parameters": [ { "CIMType": "String", - "Name": "Name", + "Name": "DisplayName", "Option": "Key" }, { @@ -10274,8 +10274,13 @@ "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Enabled", + "CIMType": "String", + "Name": "InvoiceSectionId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Status", "Option": "Write" }, { From 18dcd486ded1fb92fe11ad92d32ca25d44d6c14b Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Tue, 5 Nov 2024 10:38:54 +0530 Subject: [PATCH 15/23] Fixing examples --- .../Examples/Resources/EXOActiveSyncMailboxPolicy/1-Create.ps1 | 1 - .../Examples/Resources/EXOActiveSyncMailboxPolicy/2-Update.ps1 | 1 - .../Examples/Resources/EXOActiveSyncMailboxPolicy/3-Remove.ps1 | 1 - 3 files changed, 3 deletions(-) diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/1-Create.ps1 index 4c34aae2a4..d74747c848 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/1-Create.ps1 @@ -49,7 +49,6 @@ Configuration Example AlphanumericDevicePasswordRequired = $False; ApprovedApplicationList = @(); AttachmentsEnabled = $True; - Credential = $Credscredential; DeviceEncryptionEnabled = $False; DevicePasswordEnabled = $False; DevicePasswordExpiration = "Unlimited"; 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/2-Update.ps1 index 5f302e6f28..130f3fd6d7 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/2-Update.ps1 @@ -49,7 +49,6 @@ Configuration Example AlphanumericDevicePasswordRequired = $False; ApprovedApplicationList = @(); AttachmentsEnabled = $True; - Credential = $Credscredential; DeviceEncryptionEnabled = $False; DevicePasswordEnabled = $False; DevicePasswordExpiration = "Unlimited"; diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/3-Remove.ps1 index cc30474b2d..585f9b6658 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/3-Remove.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/3-Remove.ps1 @@ -49,7 +49,6 @@ Configuration Example AlphanumericDevicePasswordRequired = $False; ApprovedApplicationList = @(); AttachmentsEnabled = $True; - Credential = $Credscredential; DeviceEncryptionEnabled = $False; DevicePasswordEnabled = $False; DevicePasswordExpiration = "Unlimited"; From bf5c134b2754f5c6eff9b91ad351568ec78c8448 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 5 Nov 2024 11:37:30 +0000 Subject: [PATCH 16/23] Updated Resources and Cmdlet documentation pages --- .../exchange/EXOActiveSyncMailboxPolicy.md | 362 ++++++++++++++++++ 1 file changed, 362 insertions(+) create mode 100644 docs/docs/resources/exchange/EXOActiveSyncMailboxPolicy.md diff --git a/docs/docs/resources/exchange/EXOActiveSyncMailboxPolicy.md b/docs/docs/resources/exchange/EXOActiveSyncMailboxPolicy.md new file mode 100644 index 0000000000..041b496109 --- /dev/null 
+++ b/docs/docs/resources/exchange/EXOActiveSyncMailboxPolicy.md 
@@ -0,0 +1,362 @@
+# EXOActiveSyncMailboxPolicy
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Name** | Write | String | Specifies the name of the policy. | |
+| **AllowApplePushNotifications** | Write | Boolean | Specifies whether push notifications are allowed for Apple mobile devices. | |
+| **AllowBluetooth** | Write | String | Specifies whether the Bluetooth capabilities of the mobile phone are allowed. | `Disable`, `HandsfreeOnly`, `Allow` |
+| **AllowBrowser** | Write | Boolean | Specifies whether Microsoft Pocket Internet Explorer is allowed on the mobile phone. | |
+| **AllowCamera** | Write | Boolean | Specifies whether the mobile phone's camera is allowed. | |
+| **AllowConsumerEmail** | Write | Boolean | Specifies whether the mobile phone user can configure a personal email account on the device. | |
+| **AllowDesktopSync** | Write | Boolean | Specifies whether the mobile phone can synchronize with a desktop computer through a cable. | |
+| **AllowExternalDeviceManagement** | Write | Boolean | Specifies whether an external device management program is allowed to manage the device. | |
+| **AllowHTMLEmail** | Write | Boolean | Specifies whether HTML email is enabled on the device. | |
+| **AllowInternetSharing** | Write | Boolean | Specifies whether the mobile phone can be used as a modem to connect a computer to the Internet. | |
+| **AllowIrDA** | Write | Boolean | Specifies whether infrared connections are allowed to the mobile phone. | |
+| **AllowMobileOTAUpdate** | Write | Boolean | Specifies whether certain updates are seen by devices that implemented support for this restricting functionality. | |
+| **AllowNonProvisionableDevices** | Write | Boolean | Enables all devices to synchronize with the computer running Exchange, regardless of whether the device can enforce all the specific settings established in the Mobile Device mailbox policy. | |
+| **AllowPOPIMAPEmail** | Write | Boolean | Specifies whether the user can configure a POP3 or IMAP4 email account on the device. | |
+| **AllowRemoteDesktop** | Write | Boolean | Specifies whether the mobile phone can initiate a remote desktop connection. | |
+| **AllowSimpleDevicePassword** | Write | Boolean | Specifies whether a simple device password is allowed. | |
+| **AllowSMIMEEncryptionAlgorithmNegotiation** | Write | String | Specifies whether the messaging application on the device can negotiate the encryption algorithm in case a recipient's certificate doesn't support the specified encryption algorithm. | |
+| **AllowSMIMESoftCerts** | Write | Boolean | Specifies whether S/MIME software certificates are allowed. | |
+| **AllowStorageCard** | Write | Boolean | Specifies whether the device can access information stored on a storage card. | |
+| **AllowTextMessaging** | Write | Boolean | Specifies whether text messaging is allowed from the device. | |
+| **AllowUnsignedApplications** | Write | Boolean | Specifies whether unsigned applications can be installed on the device. | |
+| **AllowUnsignedInstallationPackages** | Write | Boolean | Specifies whether unsigned installation packages can be run on the device. | |
+| **AllowWiFi** | Write | Boolean | Specifies whether wireless Internet access is allowed on the device. | |
+| **AlphanumericDevicePasswordRequired** | Write | Boolean | Specifies whether the device password must be alphanumeric. | |
+| **ApprovedApplicationList** | Write | StringArray[] | Specifies a list of approved applications for the device. | |
+| **AttachmentsEnabled** | Write | Boolean | Specifies whether the user can download attachments. | |
+| **DeviceEncryptionEnabled** | Write | Boolean | Enables device encryption on the mobile phone. | |
+| **DevicePasswordEnabled** | Write | Boolean | Specifies that the user set a password for the device. | |
+| **DevicePasswordExpiration** | Write | String | Specifies the length of time, in days, that a password can be used. | |
+| **DevicePasswordHistory** | Write | SInt32 | Specifies the number of previously used passwords to store. | |
+| **DevicePolicyRefreshInterval** | Write | String | Specifies how often the policy is sent from the server to the mobile phone | |
+| **IrmEnabled** | Write | Boolean | Specifies whether Information Rights Management (IRM) is enabled for the mailbox policy. | |
+| **IsDefault** | Write | Boolean | Specifies whether this policy is the default Mobile Device mailbox policy. | |
+| **IsDefaultPolicy** | Write | Boolean | Specifies whether this policy is the default Mobile Device mailbox policy. | |
+| **MaxAttachmentSize** | Write | String | Specifies the maximum size of attachments that can be downloaded to the mobile phone. | |
+| **MaxCalendarAgeFilter** | Write | String | Specifies the maximum range of calendar days that can be synchronized to the device. | `All`, `TwoWeeks`, `OneMonth`, `ThreeMonths`, `SixMonths` |
+| **MaxDevicePasswordFailedAttempts** | Write | String | Specifies the number of attempts a user can make to enter the correct password for the device. | |
+| **MaxEmailAgeFilter** | Write | String | Specifies the maximum number of days of email items to synchronize to the device. | `All`, `OneDay`, `ThreeDays`, `OneWeek`, `TwoWeeks`, `OneMonth`, `ThreeMonths`, `SixMonths` |
+| **MaxEmailBodyTruncationSize** | Write | String | Specifies the maximum size at which email messages are truncated when synchronized to the device. | |
+| **MaxEmailHTMLBodyTruncationSize** | Write | String | Specifies the maximum size at which HTML-formatted email messages are synchronized to the device. | |
+| **MaxInactivityTimeDeviceLock** | Write | String | Specifies the length of time that the device can be inactive before the password is required to reactivate the device. | |
+| **MinDevicePasswordComplexCharacters** | Write | SInt32 | Specifies the minimum number of complex characters required in a device password. | |
+| **MinDevicePasswordLength** | Write | SInt32 | Specifies the minimum number of characters in the device password. | |
+| **PasswordRecoveryEnabled** | Write | Boolean | Specifies whether you can store the recovery password for the device on an Exchange server. | |
+| **RequireDeviceEncryption** | Write | Boolean | Specifies whether encryption is required on the device. | |
+| **RequireEncryptedSMIMEMessages** | Write | Boolean | Specifies whether you must encrypt S/MIME messages. | |
+| **RequireEncryptionSMIMEAlgorithm** | Write | String | Specifies what required algorithm must be used when encrypting a message. | |
+| **RequireManualSyncWhenRoaming** | Write | Boolean | Specifies whether the device must synchronize manually while roaming. | |
+| **RequireSignedSMIMEAlgorithm** | Write | String | Specifies what required algorithm must be used when signing a message. | |
+| **RequireSignedSMIMEMessages** | Write | Boolean | Specifies whether the device must send signed S/MIME messages. | |
+| **RequireStorageCardEncryption** | Write | Boolean | Specifies whether encryption of a storage card is required. | |
+| **UnapprovedInROMApplicationList** | Write | StringArray[] | Specifies a list of applications that can't be run in ROM. | |
+| **UNCAccessEnabled** | Write | Boolean | Specifies whether access to Microsoft Windows file shares is enabled. | |
+| **WSSAccessEnabled** | Write | Boolean | Specifies whether access to Microsoft Windows SharePoint Services is enabled. | |
+| **Identity** | Key | String | Specifies the Mobile Device mailbox policy. | |
+| **Ensure** | Write | String | Specifies if this AddressList should exist. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+## Description
+
+This resource manages Mobile Device mailbox policy for mailboxes accessed by mobile devices.
+
+## Permissions
+
+### Exchange
+
+To authenticate with Microsoft Exchange, this resource required the following permissions:
+
+#### Roles
+
+- Organization Client Access, View-Only Configuration
+
+#### Role Groups
+
+- Organization Management
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy'
+ {
+ AllowApplePushNotifications = $True;
+ AllowBluetooth = "Allow";
+ AllowBrowser = $True;
+ AllowCamera = $True;
+ AllowConsumerEmail = $True;
+ AllowDesktopSync = $True;
+ AllowExternalDeviceManagement = $False;
+ AllowHTMLEmail = $True;
+ AllowInternetSharing = $True;
+ AllowIrDA = $True;
+ AllowMobileOTAUpdate = $True;
+ AllowNonProvisionableDevices = $True;
+ AllowPOPIMAPEmail = $True;
+ AllowRemoteDesktop = $True;
+ AllowSimpleDevicePassword = $True;
+ AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation";
+ AllowSMIMESoftCerts = $True;
+ AllowStorageCard = $True;
+ AllowTextMessaging = $True;
+ AllowUnsignedApplications = $True;
+ AllowUnsignedInstallationPackages = $True;
+ AllowWiFi = $True;
+ AlphanumericDevicePasswordRequired = $False;
+ ApprovedApplicationList = @();
+ AttachmentsEnabled = $True;
+ DeviceEncryptionEnabled = $False;
+ DevicePasswordEnabled = $False;
+ DevicePasswordExpiration = "Unlimited";
+ DevicePasswordHistory = 0;
+ DevicePolicyRefreshInterval = "Unlimited";
+ Identity = "Test";
+ IrmEnabled = $True;
+ IsDefault = $True;
+ IsDefaultPolicy = $True;
+ MaxAttachmentSize = "Unlimited";
+ MaxCalendarAgeFilter = "All";
+ MaxDevicePasswordFailedAttempts = "Unlimited";
+ MaxEmailAgeFilter = "All";
+ MaxEmailBodyTruncationSize = "Unlimited";
+ MaxEmailHTMLBodyTruncationSize = "Unlimited";
+ MaxInactivityTimeDeviceLock = "Unlimited";
+ MinDevicePasswordComplexCharacters = 1;
+ MinDevicePasswordLength = 1;
+ Name = "Test";
+ PasswordRecoveryEnabled = $False;
+ RequireDeviceEncryption = $False;
+ RequireEncryptedSMIMEMessages = $False;
+ RequireEncryptionSMIMEAlgorithm = "TripleDES";
+ RequireManualSyncWhenRoaming = $False;
+ RequireSignedSMIMEAlgorithm = "SHA1";
+ RequireSignedSMIMEMessages = $False;
+ RequireStorageCardEncryption = $False;
+ UnapprovedInROMApplicationList = @();
+ UNCAccessEnabled = $True;
+ WSSAccessEnabled = $True;
+ Ensure = "Present"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy'
+ {
+ AllowApplePushNotifications = $True;
+ AllowBluetooth = "Allow";
+ AllowBrowser = $True;
+ AllowCamera = $False; #drift
+ AllowConsumerEmail = $True;
+ AllowDesktopSync = $True;
+ AllowExternalDeviceManagement = $False;
+ AllowHTMLEmail = $True;
+ AllowInternetSharing = $True;
+ AllowIrDA = $True;
+ AllowMobileOTAUpdate = $True;
+ AllowNonProvisionableDevices = $True;
+ AllowPOPIMAPEmail = $True;
+ AllowRemoteDesktop = $True;
+ AllowSimpleDevicePassword = $True;
+ AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation";
+ AllowSMIMESoftCerts = $True;
+ AllowStorageCard = $True;
+ AllowTextMessaging = $True;
+ AllowUnsignedApplications = $True;
+ AllowUnsignedInstallationPackages = $True;
+ AllowWiFi = $True;
+ AlphanumericDevicePasswordRequired = $False;
+ ApprovedApplicationList = @();
+ AttachmentsEnabled = $True;
+ DeviceEncryptionEnabled = $False;
+ DevicePasswordEnabled = $False;
+ DevicePasswordExpiration = "Unlimited";
+ DevicePasswordHistory = 0;
+ DevicePolicyRefreshInterval = "Unlimited";
+ Identity = "Test";
+ IrmEnabled = $True;
+ IsDefault = $True;
+ IsDefaultPolicy = $True;
+ MaxAttachmentSize = "Unlimited";
+ MaxCalendarAgeFilter = "All";
+ MaxDevicePasswordFailedAttempts = "Unlimited";
+ MaxEmailAgeFilter = "All";
+ MaxEmailBodyTruncationSize = "Unlimited";
+ MaxEmailHTMLBodyTruncationSize = "Unlimited";
+ MaxInactivityTimeDeviceLock = "Unlimited";
+ MinDevicePasswordComplexCharacters = 1;
+ MinDevicePasswordLength = 1;
+ Name = "Test";
+ PasswordRecoveryEnabled = $False;
+ RequireDeviceEncryption = $False;
+ RequireEncryptedSMIMEMessages = $False;
+ RequireEncryptionSMIMEAlgorithm = "TripleDES";
+ RequireManualSyncWhenRoaming = $False;
+ RequireSignedSMIMEAlgorithm = "SHA1";
+ RequireSignedSMIMEMessages = $False;
+ RequireStorageCardEncryption = $False;
+ UnapprovedInROMApplicationList = @();
+ UNCAccessEnabled = $True;
+ WSSAccessEnabled = $True;
+ Ensure = "Present"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy'
+ {
+ AllowApplePushNotifications = $True;
+ AllowBluetooth = "Allow";
+ AllowBrowser = $True;
+ AllowCamera = $True;
+ AllowConsumerEmail = $True;
+ AllowDesktopSync = $True;
+ AllowExternalDeviceManagement = $False;
+ AllowHTMLEmail = $True;
+ AllowInternetSharing = $True;
+ AllowIrDA = $True;
+ AllowMobileOTAUpdate = $True;
+ AllowNonProvisionableDevices = $True;
+ AllowPOPIMAPEmail = $True;
+ AllowRemoteDesktop = $True;
+ AllowSimpleDevicePassword = $True;
+ AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation";
+ AllowSMIMESoftCerts = $True;
+ AllowStorageCard = $True;
+ AllowTextMessaging = $True;
+ AllowUnsignedApplications = $True;
+ AllowUnsignedInstallationPackages = $True;
+ AllowWiFi = $True;
+ AlphanumericDevicePasswordRequired = $False;
+ ApprovedApplicationList = @();
+ AttachmentsEnabled = $True;
+ DeviceEncryptionEnabled = $False;
+ DevicePasswordEnabled = $False;
+ DevicePasswordExpiration = "Unlimited";
+ DevicePasswordHistory = 0;
+ DevicePolicyRefreshInterval = "Unlimited";
+ Identity = "Test";
+ IrmEnabled = $True;
+ IsDefault = $True;
+ IsDefaultPolicy = $True;
+ MaxAttachmentSize = "Unlimited";
+ MaxCalendarAgeFilter = "All";
+ MaxDevicePasswordFailedAttempts = "Unlimited";
+ MaxEmailAgeFilter = "All";
+ MaxEmailBodyTruncationSize = "Unlimited";
+ MaxEmailHTMLBodyTruncationSize = "Unlimited";
+ MaxInactivityTimeDeviceLock = "Unlimited";
+ MinDevicePasswordComplexCharacters = 1;
+ MinDevicePasswordLength = 1;
+ Name = "Test";
+ PasswordRecoveryEnabled = $False;
+ RequireDeviceEncryption = $False;
+ RequireEncryptedSMIMEMessages = $False;
+ RequireEncryptionSMIMEAlgorithm = 
"TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = @(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + From cc579eedbe0c52fd6ed1d8d6f0254591175fa274 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 5 Nov 2024 11:41:52 +0000 Subject: [PATCH 17/23] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 315 ++++++++++++++++++ 1 file changed, 315 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index da1e15e59e..b6c95a6023 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json 
@@ -10595,6 +10595,321 @@ } ] }, + { + "ClassName": "MSFT_EXOActiveSyncMailboxPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowApplePushNotifications", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowBluetooth", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowBrowser", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowCamera", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowConsumerEmail", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowDesktopSync", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowExternalDeviceManagement", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowHTMLEmail", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowInternetSharing", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowIrDA", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowMobileOTAUpdate", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowNonProvisionableDevices", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowPOPIMAPEmail", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowRemoteDesktop", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowSimpleDevicePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowSMIMEEncryptionAlgorithmNegotiation", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowSMIMESoftCerts", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowStorageCard", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowTextMessaging", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowUnsignedApplications", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowUnsignedInstallationPackages", + "Option": 
"Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowWiFi", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AlphanumericDevicePasswordRequired", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ApprovedApplicationList", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AttachmentsEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DeviceEncryptionEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DevicePasswordEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DevicePasswordExpiration", + "Option": "Write" + }, + { + "CIMType": "Sint32", + "Name": "DevicePasswordHistory", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DevicePolicyRefreshInterval", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IrmEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsDefault", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsDefaultPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MaxAttachmentSize", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MaxCalendarAgeFilter", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MaxDevicePasswordFailedAttempts", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MaxEmailAgeFilter", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MaxEmailBodyTruncationSize", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MaxEmailHTMLBodyTruncationSize", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MaxInactivityTimeDeviceLock", + "Option": "Write" + }, + { + "CIMType": "Sint32", + "Name": "MinDevicePasswordComplexCharacters", + "Option": "Write" + }, + { + "CIMType": "Sint32", + "Name": "MinDevicePasswordLength", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "PasswordRecoveryEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": 
"RequireDeviceEncryption", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RequireEncryptedSMIMEMessages", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RequireEncryptionSMIMEAlgorithm", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RequireManualSyncWhenRoaming", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RequireSignedSMIMEAlgorithm", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RequireSignedSMIMEMessages", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RequireStorageCardEncryption", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "UnapprovedInROMApplicationList", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "UNCAccessEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "WSSAccessEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_EXOAddressBookPolicy", "Parameters": [ From dadafd0425edc9d4c0da486f94db9412dfaacae4 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 5 Nov 2024 11:42:13 +0000 Subject: [PATCH 18/23] Updated {Create} EXO Integration Tests --- .../M365DSCIntegration.EXO.Create.Tests.ps1 | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) 
diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 index f11e0a665d..0551a400ba 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 
@@ -55,6 +55,68 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $True; + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + MinDevicePasswordLength = 1; + Name = "Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = 
@(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } EXOAddressBookPolicy 'ConfigureAddressBookPolicy' { Name = "All Fabrikam ABP" From 93aaad4fd3bbc5e27a80b03ab303872dbefe0fe0 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 5 Nov 2024 11:42:55 +0000 Subject: [PATCH 19/23] Updated {Update} EXO Integration Tests --- .../M365DSCIntegration.EXO.Update.Tests.ps1 | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 index cfac08dbd7..9ee67bf086 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 
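Review bot: `IsDefault = $True;` and `IsDefaultPolicy = $True;` make this test policy the organization default while the same block sets `DevicePasswordEnabled = $False`, `RequireDeviceEncryption = $False` and `AllowNonProvisionableDevices = $True`. Mailboxes in the integration tenant that have no explicit policy would presumably inherit a policy with no device lock or encryption requirement. I would set `IsDefault = $False;` and `IsDefaultPolicy = $False;` here so the test only exercises its own object. The same block is repeated in the Update and Remove test hunks; in the Remove one, `Ensure = "Absent"` then targets a policy flagged as default, which the service may refuse to delete.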
@@ -55,6 +55,68 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $False; #drift + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + MinDevicePasswordLength = 1; + Name = "Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + 
UnapprovedInROMApplicationList = @(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } EXOAddressBookPolicy 'ConfigureAddressBookPolicy' { Name = "All Fabrikam ABP" From 360b686662fc3f02b3c00691d47d0b8a8536f27e Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 5 Nov 2024 11:43:25 +0000 Subject: [PATCH 20/23] Updated {Update} EXO Integration Tests --- .../M365DSCIntegration.EXO.Remove.Tests.ps1 | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 index 59d24f2b30..f05ed4fe10 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 
@@ -54,6 +54,68 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $True; + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + MinDevicePasswordLength = 1; + Name = "Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = 
@(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } EXOAddressBookPolicy 'ConfigureAddressBookPolicy' { Name = "All Fabrikam ABP" From ae1dba18c4af1307eacee3fd2f7c4fe50e0ff556 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Tue, 5 Nov 2024 08:10:44 -0500 Subject: [PATCH 21/23] Ready for Review --- ...nderDeviceAuthenticatedScanDefinition.psm1 | 105 +++++++++-- .../1-Create.ps1 | 22 ++- .../2-Update.ps1 | 22 ++- .../3-Remove.ps1 | 22 ++- .../M365DSCDefenderHelper.psm1 | 1 + ...eviceAuthenticatedScanDefinition.Tests.ps1 | 169 +++++++++++++++--- 6 files changed, 291 insertions(+), 50 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1 index 366c2aa6ac..54da575452 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1 
@@ -123,22 +123,31 @@ function Get-TargetResource machineName = $instance.scannerAgent.machineName } } + + # This property cannot be retrieve, nor changed once set. $ScanAuthenticationParamsValue = $null if ($null -ne $instance.scanAuthenticationParams) { $ScanAuthenticationParamsValue = @{ - "@odata.context" = $instance.scanAuthenticationParams."@odata.context" - Type = $instance.scanAuthenticationParams.type - KeyVaultUrl = $instance.scanAuthenticationParams.keyVaultUrl - KeyVaultSecretName = $instance.scanAuthenticationParams.keyVaultSecretName - Domain = $instance.scanAuthenticationParams.Domain - Username = $instance.scanAuthenticationParams.Username - IsGMSAUser = $instance.scanAuthenticationParams.IsGMSAUser - CommunityString = $instance.scanAuthenticationParams.CommunityString - AuthProtocol = $instance.scanAuthenticationParams.AuthProtocol - AuthPassword = $instance.scanAuthenticationParams.AuthPassword - PrivProtocol = $instance.scanAuthenticationParams.PrivProtocol - PrivPassword = $instance.scanAuthenticationParams.PrivPassword + DataType = $ScanAuthenticationParams.DataType + Type = $ScanAuthenticationParams.Type + KeyVaultUrl = $ScanAuthenticationParams.KeyVaultUrl + KeyVaultSecretName = $ScanAuthenticationParams.keyVaultSecretName + Domain = $ScanAuthenticationParams.Domain + Username = $ScanAuthenticationParams.Username + IsGMSAUser = $ScanAuthenticationParams.IsGMSAUser + CommunityString = $ScanAuthenticationParams.CommunityString + AuthProtocol = $ScanAuthenticationParams.AuthProtocol + AuthPassword = $ScanAuthenticationParams.AuthPassword + PrivProtocol = $ScanAuthenticationParams.PrivProtocol + PrivPassword = $ScanAuthenticationParams.PrivPassword + } + } + else + { + $ScanAuthenticationParamsValue = @{ + "@odata.context" = "#microsoft.windowsDefenderATP.api.SnmpAuthParams" + Type = "NoAuthNoPriv" } } 
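Review bot: The new `else` branch returns a hashtable keyed `"@odata.context"`, while the `if` branch and the CIM class added in this series use `DataType`, so the two paths of Get-TargetResource produce differently shaped `ScanAuthenticationParams` values; the fallback should read `DataType = "#microsoft.windowsDefenderATP.api.SnmpAuthParams"`. The `if` branch now copies every field from the `$ScanAuthenticationParams` parameter rather than from `$instance`, so when Get is called without that parameter (an export run, presumably) all twelve values come back `$null`. It also means `AuthPassword`, `PrivPassword` and `CommunityString` supplied by the caller are echoed back in Get's result, and it would be safer to return only `DataType` and `Type` and add a comment such as `# Secrets are write-only; never echoed back from Get`. The function body continues outside the hunk.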
@@ -266,8 +275,53 @@ function Set-TargetResource id = $ScannerAgent.id } targetType = 'Ip' - scanAuthenticationParams = @{} + scanAuthenticationParams = @{ + "@odata.type" = $ScanAuthenticationParams.DataType + type = $ScanAuthenticationParams.Type + } + } + + if ($null -ne $ScanAuthenticationParams.KeyVaultUrl) + { + $instanceParams.scanAuthenticationParams.Add("keyVaultUrl", $ScanAuthenticationParams.KeyVaultUrl) + } + if ($null -ne $ScanAuthenticationParams.KeyVaultSecretName) + { + $instanceParams.scanAuthenticationParams.Add("keyVaultSecretName", $ScanAuthenticationParams.KeyVaultSecretName) + } + if ($null -ne $ScanAuthenticationParams.Domain) + { + $instanceParams.scanAuthenticationParams.Add("domain", $ScanAuthenticationParams.Domain) + } + if ($null -ne $ScanAuthenticationParams.Username) + { + $instanceParams.scanAuthenticationParams.Add("username", $ScanAuthenticationParams.Username) } + if ($null -ne $ScanAuthenticationParams.IsGMSAUser) + { + $instanceParams.scanAuthenticationParams.Add("isGMSAUser", $ScanAuthenticationParams.IsGMSAUser) + } + if ($null -ne $ScanAuthenticationParams.CommunityString) + { + $instanceParams.scanAuthenticationParams.Add("communityString", $ScanAuthenticationParams.CommunityString) + } + if ($null -ne $ScanAuthenticationParams.AuthProtocol) + { + $instanceParams.scanAuthenticationParams.Add("authProtocol", $ScanAuthenticationParams.AuthProtocol) + } + if ($null -ne $ScanAuthenticationParams.AuthPassword) + { + $instanceParams.scanAuthenticationParams.Add("authPassword", $ScanAuthenticationParams.AuthPassword) + } + if ($null -ne $ScanAuthenticationParams.PrivProtocol) + { + $instanceParams.scanAuthenticationParams.Add("privProtocol", $ScanAuthenticationParams.PrivProtocol) + } + if ($null -ne $ScanAuthenticationParams.PrivPassword) + { + $instanceParams.scanAuthenticationParams.Add("privPassword", $ScanAuthenticationParams.PrivPassword) + } + # CREATE if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { 
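Review bot: `$ScanAuthenticationParams.DataType` and `.Type` are read unconditionally when `scanAuthenticationParams` is built, so a configuration that omits the block would send `"@odata.type"` and `type` as null; this assumes the parameter is optional, and its declaration is outside the hunk. The ten `if ($null -ne ...) { ...Add(...) }` blocks that follow repeat one pattern and differ only in the property name, which makes it easy to miss a casing slip between the CIM property and the wire name. A single map-driven loop keeps the name pairs in one place and lets the whole section be skipped when no auth parameters were supplied. Set-TargetResource continues outside the hunk.

```powershell
# … unchanged: $instanceParams construction with "@odata.type" and type …

# CIM property name -> REST payload name
$authParamMap = [ordered]@{
    KeyVaultUrl        = 'keyVaultUrl'
    KeyVaultSecretName = 'keyVaultSecretName'
    Domain             = 'domain'
    Username           = 'username'
    IsGMSAUser         = 'isGMSAUser'
    CommunityString    = 'communityString'
    AuthProtocol       = 'authProtocol'
    AuthPassword       = 'authPassword'
    PrivProtocol       = 'privProtocol'
    PrivPassword       = 'privPassword'
}
if ($null -ne $ScanAuthenticationParams)
{
    foreach ($entry in $authParamMap.GetEnumerator())
    {
        $value = $ScanAuthenticationParams.($entry.Key)
        if ($null -ne $value)
        {
            $instanceParams.scanAuthenticationParams.Add($entry.Value, $value)
        }
    }
}
```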
@@ -275,18 +329,28 @@ function Set-TargetResource $response = Invoke-M365DSCDefenderREST -Uri 'https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions' ` -Method POST ` -Body $instanceParams + Write-Verbose -Message "Response:`r`n$($response.Content)" } # UPDATE elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { - ##TODO - Replace by the Update/Set cmdlet for the resource - Set-cmdlet @SetParameters + Write-Verbose -Message "Updating device authenticated scan definition {$Name} with payload:`r`n$(ConvertTo-Json $instanceParams -Depth 10)" + $response = Invoke-M365DSCDefenderREST -Uri "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/$($currentInstance.Id)" ` + -Method PATCH ` + -Body $instanceParams + Write-Verbose -Message "Response:`r`n$($response.Content)" } # REMOVE elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { - ##TODO - Replace by the Remove cmdlet for the resource - Remove-cmdlet @SetParameters + $instanceParams = @{ + ScanDefinitionIds = @($currentInstance.Id) + } + Write-Verbose -Message "Deleting device authenticated scan definition {$Name} with payload:`r`n$(ConvertTo-Json $instanceParams -Depth 10)" + $response = Invoke-M365DSCDefenderREST -Uri "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/BatchDelete" ` + -Method POST ` + -Body $instanceParams + Write-Verbose -Message "Response:`r`n$($response.Content)" } } 
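Review bot: The new `Write-Verbose` line in the UPDATE branch serialises `$instanceParams` with `ConvertTo-Json`, and after the previous hunk that payload can carry `authPassword`, `privPassword` and `communityString`, so those secrets land in the verbose stream and in any DSC log or transcript that captures it. Log a redacted copy instead, for example `$logParams = $instanceParams.Clone(); $logParams.scanAuthenticationParams = '<redacted>'`, and pass `$logParams` to `ConvertTo-Json`. The added `Write-Verbose -Message "Response:...$($response.Content)"` lines deserve the same check if the service echoes the submitted parameters back. Separately, the PATCH sends `scanAuthenticationParams` although the comment added in Get-TargetResource says the property cannot be changed once set, so it may be worth confirming the service accepts it on update. The function body continues outside the hunk.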
@@ -378,16 +442,19 @@ function Test-TargetResource $testResult = $true + # Once set, these cannot be retrieved nor changed. + $ValuesToCheck.Remove("ScanAuthenticationParams") | Out-Null + #Compare Cim instances foreach ($key in $PSBoundParameters.Keys) { $source = $PSBoundParameters.$key - $target = $CurrentValues.$key + $targetValue = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` - -Target ($target) + -Target ($targetValue) if (-Not $testResult) { diff --git a/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/1-Create.ps1 index b516274848..6c50bb343f 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/1-Create.ps1 @@ -21,6 +21,26 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - + DefenderDeviceAuthenticatedScanDefinition "DefenderDeviceAuthenticatedScanDefinition-MyScan" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + }; + ScannerAgent = MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + }; + ScanType = "Network"; + Target = "172.1.12.1"; + TenantId = $TenantId; + } } } 
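Review bot: In the Test-TargetResource hunk, `$ValuesToCheck.Remove("ScanAuthenticationParams")` does not keep the property out of the comparison, because the loop right below iterates `$PSBoundParameters.Keys` and still hands any CimInstance value to `Compare-M365DSCComplexObject`. When Get-TargetResource takes its fallback branch and returns only `"@odata.context"` and `Type`, that comparison would presumably report drift on every run for a property the comment calls unretrievable. Skipping the key inside the loop would match the stated intent, for example `if ($key -eq 'ScanAuthenticationParams') { continue }` as the first statement of the `foreach`. The loop body continues outside the hunk, so this should be checked against the full function.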
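Review bot: In 1-Create.ps1, `Target = "172.1.12.1";` is not inside the private 172.16.0.0/12 block, so the example points an authenticated scan at publicly routable address space that a reader copying the sample does not own. An address from a documentation range, such as `Target = "192.0.2.1";` (RFC 5737), or an RFC 1918 address would be safer to publish. The same literal appears in the 2-Update.ps1 and 3-Remove.ps1 hunks and in the unit-test parameters. The `ScannerAgent` ids also look like partially masked real identifiers with inconsistent mask lengths; fully synthetic placeholders would avoid any doubt.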
diff --git a/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/2-Update.ps1 index b516274848..f768e5a753 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/2-Update.ps1 @@ -21,6 +21,26 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - + DefenderDeviceAuthenticatedScanDefinition "DefenderDeviceAuthenticatedScanDefinition-MyScan" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + IntervalInHours = 24; # Drift + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + }; + ScannerAgent = MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + }; + ScanType = "Network"; + Target = "172.1.12.1"; + TenantId = $TenantId; + } } } diff --git a/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/3-Remove.ps1 index b516274848..c4d02051b3 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/3-Remove.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/3-Remove.ps1 
@@ -21,6 +21,26 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - + DefenderDeviceAuthenticatedScanDefinition "DefenderDeviceAuthenticatedScanDefinition-MyScan" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + }; + ScannerAgent = MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + }; + ScanType = "Network"; + Target = "172.1.12.1"; + TenantId = $TenantId; + } } } diff --git a/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1 b/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1 index c76f4b3f66..ebbec02b6e 100644 --- a/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1 +++ b/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1 @@ -19,6 +19,7 @@ function Invoke-M365DSCDefenderREST $bodyJSON = ConvertTo-Json $Body -Depth 10 -Compress $headers = @{ Authorization = $Global:MSCloudLoginConnectionProfile.DefenderForEndpoint.AccessToken + "Content-Type" = "application/json" } $response = Invoke-WebRequest -Method $Method ` -Uri $Uri ` diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.DefenderDeviceAuthenticatedScanDefinition.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.DefenderDeviceAuthenticatedScanDefinition.Tests.ps1 index 780e0f343d..979d3621bc 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.DefenderDeviceAuthenticatedScanDefinition.Tests.ps1 
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.DefenderDeviceAuthenticatedScanDefinition.Tests.ps1 @@ -34,9 +34,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName New-M365DSCConnection -MockWith { return "Credentials" } - - ##TODO - Mock any Remove/Set/New cmdlets - + # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { } @@ -47,13 +45,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name "The instance should exist but it DOES NOT" -Fixture { BeforeAll { $testParams = @{ - ##TODO - Add Parameters + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams -Property @{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } -ClientOnly) + ScannerAgent = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent -Property @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } -ClientOnly) + ScanType = "Network"; + Target = "172.1.12.1"; Ensure = 'Present' Credential = $Credential; } - ##TODO - Mock the Get-Cmdlet to return $null - Mock -CommandName Get-Cmdlet -MockWith { + Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { return $null } } 
@@ -65,24 +75,53 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } It 'Should create a new instance from the Set method' { - ##TODO - Replace the New-Cmdlet by the appropriate one Set-TargetResource @testParams - Should -Invoke -CommandName New-Cmdlet -Exactly 1 + Should -Invoke -CommandName Invoke-M365DSCDefenderREST -Exactly 2 } } Context -Name "The instance exists but it SHOULD NOT" -Fixture { BeforeAll { $testParams = @{ - ##TODO - Add Parameters + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams -Property @{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } -ClientOnly) + ScannerAgent = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent -Property @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } -ClientOnly) + ScanType = "Network"; + Target = "172.1.12.1"; Ensure = 'Absent' Credential = $Credential; } - ##TODO - Mock the Get-Cmdlet to return an instance - Mock -CommandName Get-Cmdlet -MockWith { + Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { return @{ - + value = @( + @{ + id = "12345-12345-12345-12345-12345" + scannerAgent = @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } + scanAuthenticationParams = @{ + Type = 'NoAuthNoPriv' + "@odata.type" = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } + IntervalInHours = 1; + IsActive = $True; + scanName = "MyScan"; + ScanType = "Network"; + Target = "172.1.12.1"; + } + ) } } } 
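Review bot: `Should -Invoke -CommandName Invoke-M365DSCDefenderREST -Exactly 2` only counts calls to the shared REST helper, so the test passes whether or not Set-TargetResource issued the create request, as long as two calls of any kind happen. Filtering on the verb pins the behaviour, for example `Should -Invoke -CommandName Invoke-M365DSCDefenderREST -ParameterFilter { $Method -eq 'POST' } -Exactly 1`. The remove and update contexts in the following hunks use the same bare count and would benefit from a filter on `$Method` or `$Uri` (POST to `BatchDelete`, PATCH respectively). The single mock also returns the same value for the lookup and the write, which is worth a one-line comment in `BeforeAll`.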
@@ -95,23 +134,51 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should remove the instance from the Set method' { Set-TargetResource @testParams - ##TODO - Replace the Remove-Cmdlet by the appropriate one - Should -Invoke -CommandName Remove-Cmdlet -Exactly 1 + Should -Invoke -CommandName Invoke-M365DSCDefenderREST -Exactly 2 } } Context -Name "The instance exists and values are already in the desired state" -Fixture { BeforeAll { $testParams = @{ - ##TODO - Add Parameters + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams -Property @{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } -ClientOnly) + ScannerAgent = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent -Property @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } -ClientOnly) + ScanType = "Network"; + Target = "172.1.12.1"; Ensure = 'Present' Credential = $Credential; } - ##TODO - Mock the Get-Cmdlet to return the desired values - Mock -CommandName Get-Cmdlet -MockWith { + Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { return @{ - + value = + @{ + id = "12345-12345-12345-12345-12345" + scannerAgent = @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } + scanAuthenticationParams = @{ + Type = 'NoAuthNoPriv' + "@odata.type" = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } + IntervalInHours = 1 + IsActive = $True; + scanName = "MyScan"; + ScanType = "Network"; + Target = "172.1.12.1"; + } } } } 
@@ -124,15 +191,45 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name "The instance exists and values are NOT in the desired state" -Fixture { BeforeAll { $testParams = @{ - ##TODO - Add Parameters - Ensure = 'Present' + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams -Property @{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } -ClientOnly) + ScannerAgent = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent -Property @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } -ClientOnly) + ScanType = "Network"; + Target = "172.1.12.1"; + Ensure = 'Absent' Credential = $Credential; } - ##TODO - Mock the Get-Cmdlet to return a drift - Mock -CommandName Get-Cmdlet -MockWith { + Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { return @{ - + value = @( + @{ + id = "12345-12345-12345-12345-12345" + scannerAgent = @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } + scanAuthenticationParams = @{ + Type = 'NoAuthNoPriv' + "@odata.type" = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } + IntervalInHours = 24; #Drift + IsActive = $True; + scanName = "MyScan"; + ScanType = "Network"; + Target = "172.1.12.1"; + } + ) } } } @@ -147,8 +244,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should call the Set method' { Set-TargetResource @testParams - ##TODO - Replace the Update-Cmdlet by the appropriate one - Should -Invoke -CommandName Update-Cmdlet -Exactly 1 + Should -Invoke -CommandName Invoke-M365DSCDefenderREST -Exactly 2 } } 
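Review bot: The drift context "values are NOT in the desired state" now sets `Ensure = 'Absent'` in `$testParams` (the commit replaces `Ensure = 'Present'`), so `It 'Should call the Set method'` drives the REMOVE branch rather than the UPDATE branch it is named for. The new PATCH path in Set-TargetResource, including its payload construction, is therefore not exercised by any context visible here. Restoring `Ensure = 'Present'` keeps the `IntervalInHours` 1 versus 24 drift meaningful and makes the test reach the update call. The assertion could then be narrowed with `-ParameterFilter { $Method -eq 'PATCH' }`.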
@@ -160,10 +256,27 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Credential = $Credential; } - ##TODO - Mock the Get-Cmdlet to return an instance - Mock -CommandName Get-Cmdlet -MockWith { + Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { return @{ - + value = @( + @{ + id = "12345-12345-12345-12345-12345" + scannerAgent = @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } + scanAuthenticationParams = @{ + Type = 'NoAuthNoPriv' + "@odata.type" = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } + IntervalInHours = 1; + IsActive = $True; + scanName = "MyScan"; + ScanType = "Network"; + Target = "172.1.12.1"; + } + ) } } } From 84092760636c7064cde83c02390b4bfa3b70ef43 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 5 Nov 2024 13:57:51 +0000 Subject: [PATCH 22/23] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 165 ++++++++++++++++++ 1 file changed, 165 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index b6c95a6023..1d35bead44 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json 
@@ -10385,6 +10385,171 @@ } ] }, + { + "ClassName": "MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams", + "Parameters": [ + { + "CIMType": "String", + "Name": "DataType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Type", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "KeyVaultUrl", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "KeyVaultSecretName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Domain", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Username", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsGMSAUser", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CommunityString", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AuthProtocol", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AuthPassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PrivProtocol", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PrivPassword", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent", + "Parameters": [ + { + "CIMType": "String", + "Name": "id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "machineId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "machineName", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_DefenderDeviceAuthenticatedScanDefinition", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "IntervalInHours", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Target", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsActive", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ScanType", + "Option": "Write" + }, + { + "CIMType": "MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent", + 
"Name": "ScannerAgent", + "Option": "Write" + }, + { + "CIMType": "MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams", + "Name": "ScanAuthenticationParams", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_DefenderSubscriptionPlan", "Parameters": [ From 7fc53b0e1c6d4482bf0a0e2718c5727c72253824 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 5 Nov 2024 14:04:17 +0000 Subject: [PATCH 23/23] Updated Resources and Cmdlet documentation pages --- .../IntuneAccountProtectionLocalUserGroupMembershipPolicy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md index 1287d250e4..3e94814c76 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md 
@@ -37,7 +37,7 @@ | Parameter | Attribute | DataType | Description | Allowed Values | | --- | --- | --- | --- | --- | -| **Action** | Write | String | The action to use for adding / removing members. | `add_update`, `remove_update`, `add_replace` | +| **Action** | Write | String | The action to use for adding / removing members. Note: add_replace is superseded by add_restrict | `add_update`, `remove_update`, `add_replace`, `add_restrict` | | **LocalGroups** | Write | StringArray[] | The local groups to add / remove the members to / from. List of the following values: `administrators`, `users`, `guests`, `powerusers`, `remotedesktopusers`, `remotemanagementusers` | | | **Members** | Write | StringArray[] | The members to add / remove to / from the group. For AzureAD Users, use the format `AzureAD\`. For groups, use the security identifier (SID). | | | **UserSelectionType** | Write | String | The type of the selection. Either users / groups from AzureAD, or by manual identifier. | `users`, `manual` |