Merge pull request #3816 from NikCharlebois/AADConditionalAccessPolic…

…y-adds-support-for-Auth-Context

Aad conditional access policy adds support for auth context

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Change log for Microsoft365DSC
 
+# UNRELEASED
+
+* AADConditionalAccessPolicy
+  * Adds support for Authentication Context.
+    FIXES [#3813](https://github.com/microsoft/Microsoft365DSC/issues/3813)
+
 # 1.23.1018.1
 
 * AADAuthenticationMethodPolicyAuthenticator

Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1

@@ -185,6 +185,10 @@ function Get-TargetResource
         [System.String]
         $AuthenticationStrength,
 
+        [Parameter()]
+        [System.String[]]
+        $AuthenticationContexts,
+
         #generic
         [Parameter()]
         [ValidateSet('Present', 'Absent')]
@@ -575,6 +579,21 @@ function Get-TargetResource
             }
         }
 
+        $AuthenticationContextsValues = @()
+        if ($null -ne $Policy.Conditions.Applications.IncludeAuthenticationContextClassReferences)
+        {
+            foreach ($class in $Policy.Conditions.Applications.IncludeAuthenticationContextClassReferences)
+            {
+                $classReference = Get-MgBetaIdentityConditionalAccessAuthenticationContextClassReference `
+                                      -AuthenticationContextClassReferenceId $class `
+                                      -ErrorAction SilentlyContinue
+                if ($null -ne $classReference)
+                {
+                    $AuthenticationContextsValues += $classReference.DisplayName
+                }
+            }
+        }
+
         $result = @{
             DisplayName                              = $Policy.DisplayName
             Id                                       = $Policy.Id
@@ -640,6 +659,7 @@ function Get-TargetResource
             PersistentBrowserMode                    = [System.String]$Policy.SessionControls.PersistentBrowser.Mode
             #no translation needed
             AuthenticationStrength                   = $AuthenticationStrengthValue
+            AuthenticationContexts                   = $AuthenticationContextsValues
             #Standard part
             TermsOfUse                               = $termOfUseName
             Ensure                                   = 'Present'
@@ -841,6 +861,10 @@ function Set-TargetResource
         [System.String]
         $AuthenticationStrength,
 
+        [Parameter()]
+        [System.String[]]
+        $AuthenticationContexts,
+
         #generic
         [Parameter()]
         [ValidateSet('Present', 'Absent')]
@@ -925,6 +949,21 @@ function Set-TargetResource
         {
             $conditions.Applications.Add('IncludeUserActions', $IncludeUserActions)
         }
+        if ($AuthenticationContexts)
+        {
+            # Retrieve the class reference based on display name.
+            $AuthenticationContextsValues = @()
+            $classReferences = Get-MgBetaIdentityConditionalAccessAuthenticationContextClassReference -ErrorAction SilentlyContinue
+            foreach ($authContext in $AuthenticationContexts)
+            {
+                $currentClassId = $classReferences | Where-Object -FilterScript {$_.DisplayName -eq $authContext}
+                if ($null -ne $currentClassId)
+                {
+                    $AuthenticationContextsValues += $currentClassId.Id
+                }
+            }
+            $conditions.Applications.Add('IncludeAuthenticationContextClassReferences', $AuthenticationContextsValues)
+        }
 
         #create and provision User Condition object
         Write-Verbose -Message 'Set-Targetresource: process includeusers'
@@ -1725,6 +1764,10 @@ function Test-TargetResource
         [System.String]
         $AuthenticationStrength,
 
+        [Parameter()]
+        [System.String[]]
+        $AuthenticationContexts,
+
         #generic
         [Parameter()]
         [ValidateSet('Present', 'Absent')]

Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof

@@ -42,6 +42,7 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
     [Write, Description("Specifies, whether Browser Persistence is controlled by the Policy.")] Boolean PersistentBrowserIsEnabled;
     [Write, Description("Specifies, what Browser Persistence control is enforced by the Policy."), ValueMap{"Always","Never",""}, Values{"Always","Never",""}] String PersistentBrowserMode;
     [Write, Description("Name of the associated authentication strength policy.")] String AuthenticationStrength;
+    [Write, Description("Authentication context class references.")] String AuthenticationContexts[];
     [Write, Description("Specify if the Azure AD CA Policy should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
     [Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential;
     [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;