From f15cd11b0eecbf2dd8f4eb97e548f75f112e7a75 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 12 Sep 2022 12:59:00 -0400 Subject: [PATCH 1/2] Fixes #2190 --- CHANGELOG.md | 4 + .../MSFT_AADGroup/MSFT_AADGroup.psm1 | 77 +++++++++++-------- 2 files changed, 48 insertions(+), 33 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 22b5c574ce..3c7db05ed2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ # UNRELEASED +* AADGroup + * Changed behavior where if a group has a dynamic membership rule that is active, + we no longer process members from the export, Get and Set functions. + FIXES [#2190](https://github.com/microsoft/Microsoft365DSC/issues/2190) * AADRoleSetting * Fixed an issue where the export wasn't properly passing credential to the Get function. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 index 2ee78f8294..939c920392 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 @@ -156,14 +156,18 @@ function Get-TargetResource } } - # Members - [Array]$members = Get-MgGroupMember -GroupId $Group.Id -All:$true - $MembersValues = @() - foreach ($member in $members) + $MembersValues = $null + if ($Group.MembershipRuleProcessingState -ne 'On') { - if ($member.AdditionalProperties.userPrincipalName -ne $null) + # Members + [Array]$members = Get-MgGroupMember -GroupId $Group.Id -All:$true + $MembersValues = @() + foreach ($member in $members) { - $MembersValues += $member.AdditionalProperties.userPrincipalName + if ($member.AdditionalProperties.userPrincipalName -ne $null) + { + $MembersValues += $member.AdditionalProperties.userPrincipalName + } } } 
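Review bot: In the Get-TargetResource hunk, `$MembersValues = $null` for a group whose `MembershipRuleProcessingState` is 'On' carries no comment saying that `$null` means "membership not evaluated" rather than "no members", so a reader of the exported configuration cannot tell the two apart. I would add above the guard: `# Dynamic group: membership is computed by the rule, so Members stays $null (not evaluated) instead of @() (empty).` The re-indented filter `if ($member.AdditionalProperties.userPrincipalName -ne $null)` still records only members that have a userPrincipalName, so any member object without one is silently absent from the reported membership; if that is intentional it deserves a comment or a verbose message. PSScriptAnalyzer would also want `$null` on the left of that comparison. The function body starts and ends outside the hunk.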
@@ -553,38 +557,45 @@ function Set-TargetResource } #Members - $currentMembersValue = @() - if ($currentParameters.Members.Length -ne 0) - { - $currentMembersValue = $backCurrentMembers - } - $desiredMembersValue = @() - if ($Members.Length -ne 0) - { - $desiredMembersValue = $Members - } - if ($backCurrentMembers -eq $null) - { - $backCurrentMembers = @() - } - $membersDiff = Compare-Object -ReferenceObject $backCurrentMembers -DifferenceObject $desiredMembersValue - foreach ($diff in $membersDiff) + if ($MembershipRuleProcessingState -ne 'On') { - $user = Get-MgUser -UserId $diff.InputObject - - if ($diff.SideIndicator -eq '=>') + $currentMembersValue = @() + if ($currentParameters.Members.Length -ne 0) { - Write-Verbose -Message "Adding new member {$($diff.InputObject)} to AAD Group {$($currentGroup.DisplayName)}" - $memberObject = @{ - "@odata.id"= "https://graph.microsoft.com/v1.0/users/{$($user.Id)}" - } - New-MgGroupMemberByRef -GroupId ($currentGroup.Id) -BodyParameter $memberObject | Out-Null + $currentMembersValue = $backCurrentMembers } - elseif ($diff.SideIndicator -eq '<=') + $desiredMembersValue = @() + if ($Members.Length -ne 0) { - Write-Verbose -Message "Removing new member {$($diff.InputObject)} to AAD Group {$($currentGroup.DisplayName)}" - Remove-MgGroupMemberByRef -GroupId ($currentGroup.Id) -DirectoryObjectId ($user.Id) | Out-Null + $desiredMembersValue = $Members } + if ($backCurrentMembers -eq $null) + { + $backCurrentMembers = @() + } + $membersDiff = Compare-Object -ReferenceObject $backCurrentMembers -DifferenceObject $desiredMembersValue + foreach ($diff in $membersDiff) + { + $user = Get-MgUser -UserId $diff.InputObject + + if ($diff.SideIndicator -eq '=>') + { + Write-Verbose -Message "Adding new member {$($diff.InputObject)} to AAD Group {$($currentGroup.DisplayName)}" + $memberObject = @{ + "@odata.id"= "https://graph.microsoft.com/v1.0/users/{$($user.Id)}" + } + New-MgGroupMemberByRef -GroupId ($currentGroup.Id) -BodyParameter 
$memberObject | Out-Null + } + elseif ($diff.SideIndicator -eq '<=') + { + Write-Verbose -Message "Removing new member {$($diff.InputObject)} to AAD Group {$($currentGroup.DisplayName)}" + Remove-MgGroupMemberByRef -GroupId ($currentGroup.Id) -DirectoryObjectId ($user.Id) | Out-Null + } + } + } + else + { + Write-Verbose -Message "Ignoring membership since this is a dynamic group." } } } From aebc14c6b2d448733f25510319df74e3b91df1d6 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 12 Sep 2022 13:23:40 -0400 Subject: [PATCH 2/2] Additional Fix --- CHANGELOG.md | 3 +++ .../DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3c7db05ed2..8279f7106b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,9 @@ * Changed behavior where if a group has a dynamic membership rule that is active, we no longer process members from the export, Get and Set functions. FIXES [#2190](https://github.com/microsoft/Microsoft365DSC/issues/2190) + * Fixed an issue where if the licenses parameter was omitted and another parameter caused + a drift, that the licenses would get stripped from the group. + FIXES [#2191](https://github.com/microsoft/Microsoft365DSC/issues/2191) * AADRoleSetting * Fixed an issue where the export wasn't properly passing credential to the Get function. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 index 939c920392..6e913ab4e7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 @@ -464,7 +464,7 @@ function Set-TargetResource Update-MgGroup @currentParameters | Out-Null } - if ($licensesToAdd.Length -gt 0 -or $licensesToRemove.Length -gt 0) + if (($licensesToAdd.Length -gt 0 -or $licensesToRemove.Length -gt 0) -and $AssignedLicenses -ne $null) { try {
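Review bot: The new guard in Set-TargetResource, `if ($MembershipRuleProcessingState -ne 'On')`, tests the desired-state parameter, whereas the matching guard in Get-TargetResource tests the group's actual state (`$Group.MembershipRuleProcessingState`). If a configuration omits that parameter for a group that is dynamic in the tenant, `$null -ne 'On'` is true and the add/remove loop still runs against a rule-managed group. Assuming `$currentGroup` exposes the same property, I would check both: `if ($MembershipRuleProcessingState -ne 'On' -and $currentGroup.MembershipRuleProcessingState -ne 'On')`. Inside the loop the result of `Get-MgUser -UserId $diff.InputObject` is used without a null check, so a name that does not resolve reaches the ByRef calls with an empty id; a `if ($null -eq $user)` guard that writes a warning and continues would make that failure explicit. The function starts before and continues after this hunk.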
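Review bot: The added clause `$AssignedLicenses -ne $null` puts the collection on the left of the comparison, where PowerShell filters the elements instead of returning a boolean. If `AssignedLicenses` is an array parameter (its declaration is outside this hunk), an explicitly empty `AssignedLicenses = @()` evaluates to false here. A configuration that intends to strip every license from the group would then skip the licensing block and leave the entitlements in place without any error. Putting `$null` on the left keeps the omitted-parameter fix and still honours an empty list: `if (($licensesToAdd.Length -gt 0 -or $licensesToRemove.Length -gt 0) -and $null -ne $AssignedLicenses)`. The body of the `if` continues past the end of the hunk.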