From b515483137b86b82ed6acf1f2d24e3e57a5d9a45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andi=20Kr=C3=BCger?= <15608729+andikrueger@users.noreply.github.com> Date: Wed, 14 Feb 2024 20:18:06 +0100 Subject: [PATCH] AADUser: Ensure: Absent logic seems wrong Fixes #4265 --- CHANGELOG.md | 3 ++ .../MSFT_AADUser/MSFT_AADUser.psm1 | 49 ++++++++++--------- 2 files changed, 28 insertions(+), 24 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b04ca09a5d..8b60b1e459 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,9 @@ * AADRoleEligibilityScheduleRequest * Fixed an issue where an error was thrown if no requests were found instead of simply returning the Null object. +* AADUser + * Fixed and issue where an user would be created even if the resrouce was set to absent. + FIXES [[#4265](https://github.com/microsoft/Microsoft365DSC/issues/4265)] * EXOMobileDeviceMailboxPolicy * Fixes an issue where an empty MinPasswordLength value was always passed down to the update logic flow. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 index e5756268a4..7f278519cb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 @@ -180,8 +180,8 @@ function Get-TargetResource } else { - Write-Verbose -Message "Retrieving user from the exported instances" - $user = $Script:M365DSCExportInstances | Where-Object -FilterScript {$_.UserPrincipalName -eq $UserPrincipalName} + Write-Verbose -Message 'Retrieving user from the exported instances' + $user = $Script:M365DSCExportInstances | Where-Object -FilterScript { $_.UserPrincipalName -eq $UserPrincipalName } } Write-Verbose -Message "Found User $($UserPrincipalName)" 
@@ -193,7 +193,7 @@ function Get-TargetResource } # return membership of static groups only - [array]$currentMemberOf = (Get-MgUserMemberOfAsGroup -UserId $UserPrincipalName -All | Where-Object -FilterScript {$_.GroupTypes -notcontains 'DynamicMembership'}).DisplayName + [array]$currentMemberOf = (Get-MgUserMemberOfAsGroup -UserId $UserPrincipalName -All | Where-Object -FilterScript { $_.GroupTypes -notcontains 'DynamicMembership' }).DisplayName $userPasswordPolicyInfo = $user | Select-Object UserprincipalName, @{ N = 'PasswordNeverExpires'; E = { $_.PasswordPolicies -contains 'DisablePasswordExpiration' } @@ -204,7 +204,7 @@ function Get-TargetResource { $Script:allDirectoryRoleAssignment = Get-MgBetaRoleManagementDirectoryRoleAssignment -All } - $assignedRoles = $Script:allDirectoryRoleAssignment | Where-Object -FilterScript {$_.PrincipalId -eq $user.Id} + $assignedRoles = $Script:allDirectoryRoleAssignment | Where-Object -FilterScript { $_.PrincipalId -eq $user.Id } $rolesValue = @() if ($null -eq $Script:allAssignedRoles -and $assignedRoles.Length -gt 0) @@ -213,7 +213,7 @@ function Get-TargetResource } foreach ($assignedRole in $assignedRoles) { - $currentRoleInfo = $Script:allAssignedRoles | Where-Object -FilterScript {$_.Id -eq $assignedRole.RoleDefinitionId} + $currentRoleInfo = $Script:allAssignedRoles | Where-Object -FilterScript { $_.Id -eq $assignedRole.RoleDefinitionId } $rolesValue += $currentRoleInfo.DisplayName } @@ -418,7 +418,7 @@ function Set-TargetResource Write-Verbose -Message "Removing User {$UserPrincipalName}" Remove-MgUser -UserId $UserPrincipalName } - else + elseif ($Ensure -eq 'Present') { $PasswordPolicies = $null if ($PasswordNeverExpires) @@ -498,7 +498,7 @@ function Set-TargetResource if ($null -ne $Password) { - Write-Verbose -Message "PasswordProfile property will not be updated" + Write-Verbose -Message 'PasswordProfile property will not be updated' } $CreationParams.Add('UserId', $UserPrincipalName) 
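Review bot: With `elseif ($Ensure -eq 'Present')`, a desired state of Absent that does not enter the Remove-MgUser branch now falls out of Set-TargetResource silently, so a DSC run that requests removal and changes nothing leaves no trace in the verbose log. A closing `else { Write-Verbose -Message "User {$UserPrincipalName} is already absent; nothing to do" }` would make that no-op auditable and would also surface any Ensure value that is neither Present nor Absent instead of dropping it. The `if` condition that guards `Remove-MgUser -UserId $UserPrincipalName` begins before this hunk, so exactly which cases reach the new no-op path cannot be confirmed from here; Set-TargetResource starts and ends outside the hunk.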
@@ -584,20 +584,20 @@ function Set-TargetResource if ($null -eq $group) { New-M365DSCLogEntry -Message 'Error updating data:' ` - -Exception "Attempting to add a user to a group that doesn't exist" ` - -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $TenantId ` - -Credential $Credential + -Exception "Attempting to add a user to a group that doesn't exist" ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential throw "Group '$memberOfGroup' does not exist in tenant" } if ($group.GroupTypes -contains 'DynamicMembership') { New-M365DSCLogEntry -Message 'Error updating data:' ` - -Exception "Attempting to add a user to a dynamic group" ` - -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $TenantId ` - -Credential $Credential + -Exception 'Attempting to add a user to a dynamic group' ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential throw "Cannot add user $UserPrincipalName to group '$memberOfGroup' because it is a dynamic group" } 
@@ -615,20 +615,20 @@ function Set-TargetResource if ($null -eq $group) { New-M365DSCLogEntry -Message 'Error updating data:' ` - -Exception "Attempting to add a user to a group that doesn't exist" ` - -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $TenantId ` - -Credential $Credential + -Exception "Attempting to add a user to a group that doesn't exist" ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential throw "Group '$($_.InputObject)' does not exist in tenant" } if ($group.GroupTypes -contains 'DynamicMembership') { New-M365DSCLogEntry -Message 'Error updating data:' ` - -Exception "Attempting to add a user to a dynamic group" ` - -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $TenantId ` - -Credential $Credential + -Exception 'Attempting to add a user to a dynamic group' ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential throw "Cannot add user $UserPrincipalName to group '$($_.InputObject)' because it is a dynamic group" } @@ -914,7 +914,8 @@ function Export-TargetResource Property = $propertiesToRetrieve ErrorAction = 'Stop' } - if ($Filter -like "*endsWith*") { + if ($Filter -like '*endsWith*') + { $ExportParameters.Add('CountVariable', 'count') $ExportParameters.Add('ConsistencyLevel', 'eventual') }