diff --git a/CHANGELOG.md b/CHANGELOG.md
index e54f0c3ea4..a289003f19 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,9 @@
 * Fix issue when trying to remove policy and Identity is set to a random GUID or from another tenant
 FIXES [#4041](https://github.com/microsoft/Microsoft365DSC/issues/4041)
+* IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled
+ * Added Assignments
+ FIXES [#2932](https://github.com/microsoft/Microsoft365DSC/issues/2932)
 # 1.23.1213.1
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.psm1
index 1880045ecd..382ee4d4cd 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.psm1
@@ -101,6 +101,10 @@ function Get-TargetResource
 [Parameter()]
 [System.String]
 $Description,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
 #endregion
 [Parameter()]
@@ -153,9 +157,15 @@ function Get-TargetResource
 $nullResult = $PSBoundParameters
 $nullResult.Ensure = 'Absent'
- $getValue = $null
 #region resource generator code
- $getValue = Get-MgBetaDeviceAppManagementMdmWindowsInformationProtectionPolicy -MdmWindowsInformationProtectionPolicyId $Id -ErrorAction SilentlyContinue
+ try
+ {
+ $getValue = Get-MgBetaDeviceAppManagementMdmWindowsInformationProtectionPolicy -MdmWindowsInformationProtectionPolicyId $Id -ExpandProperty assignments -ErrorAction Stop
+ }
+ catch
+ {
+ $getValue = $null
+ }
 if ($null -eq $getValue)
 {
@@ -166,11 +176,19 @@ function Get-TargetResource
 $getValue = Get-MgBetaDeviceAppManagementMdmWindowsInformationProtectionPolicy `
 -Filter "DisplayName eq '$DisplayName'" `
 -ErrorAction SilentlyContinue
+ if ($getValue.count -gt 1)
+ {
+ throw ("Error: Ensure the displayName {$displayName} is unique.")
+ }
+ if (-not [String]::IsNullOrEmpty($getValue.Id))
+ {
+ $getValue = Get-MgBetaDeviceAppManagementMdmWindowsInformationProtectionPolicy -MdmWindowsInformationProtectionPolicyId $getValue.id -ExpandProperty assignments
+ }
 }
 }
 #endregion
- if ($null -eq $getValue)
+ if ([String]::IsNullOrEmpty($getValue.Id))
 {
 Write-Verbose -Message "Could not find an Intune Windows Information Protection Policy for Windows10 Mdm Enrolled with DisplayName {$DisplayName}"
 return $nullResult
@@ -403,6 +421,10 @@ function Get-TargetResource
 Managedidentity = $ManagedIdentity.IsPresent
 #endregion
 }
+ if ($getValue.assignments.count -gt 0)
+ {
+ $results.Add('Assignments', (ConvertFrom-IntunePolicyAssignment -Assignments $getValue.assignments -IncludeDeviceFilter $false))
+ }
 return [System.Collections.Hashtable] $results
 }
@@ -520,6 +542,10 @@ function Set-TargetResource
 [Parameter()]
 [System.String]
 $Description,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
 #endregion
 [Parameter(Mandatory)]
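Review bot: The new `catch` block in the first hunk swallows every exception from the Id lookup and only sets `$getValue = $null`, so a permission, throttling or transport failure becomes indistinguishable from "no policy with this Id" and the function silently falls through to the DisplayName lookup. Nothing about the failure is surfaced anywhere, which makes drift reports of Absent hard to diagnose; at minimum emit it, e.g. `Write-Verbose -Message "Lookup by Id {$Id} failed: $($_.Exception.Message)"` inside the catch. The previous `-ErrorAction SilentlyContinue` had the same blind spot, so this is a chance to close it rather than carry it over. Get-TargetResource starts before and continues after this hunk.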
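Review bot: In the `@@ -166` hunk the re-fetch inside `if (-not [String]::IsNullOrEmpty($getValue.Id))` calls the Graph cmdlet with `-ExpandProperty assignments` but no `-ErrorAction`, unlike the two lookups around it; if it fails, an error goes to the error stream, `$getValue` ends up empty, and the next check reports the policy as Absent even though the DisplayName filter had just found it. Add `-ErrorAction Stop` to that call (mirroring the try/catch used for the Id lookup) so the failure is explicit. The duplicate-name `throw` interpolates `$displayName`; it resolves because PowerShell variables are case-insensitive, but `$DisplayName` is the spelling used for the parameter everywhere else in the function.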
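Review bot: In the `@@ -403` hunk `ConvertFrom-IntunePolicyAssignment` is called with `-IncludeDeviceFilter $false`, yet the MOF class added by this same commit declares `deviceAndAppManagementAssignmentFilterType` and `deviceAndAppManagementAssignmentFilterId` as writable assignment properties. If that switch does what its name suggests (its body is not in this diff), a filter declared in a configuration is never read back by Get, so Test cannot detect drift on it and Export will never emit it. Either pass `-IncludeDeviceFilter $true` here, or state on those two MOF properties that assignment filters are not managed by this resource.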
@@ -579,6 +605,7 @@ function Set-TargetResource
 {
 Write-Verbose -Message "Creating an Intune Windows Information Protection Policy for Windows10 Mdm Enrolled with DisplayName {$DisplayName}"
+ $PSBoundParameters.remove('Assignments') | Out-Null
 $CreateParameters = ([Hashtable]$PSBoundParameters).clone()
 $CreateParameters = Rename-M365DSCCimInstanceParameter -Properties $CreateParameters
 $CreateParameters.Remove('Id') | Out-Null
@@ -595,11 +622,25 @@ function Set-TargetResource
 #region resource generator code
 $policy = New-MgBetaDeviceAppManagementMdmWindowsInformationProtectionPolicy -BodyParameter $CreateParameters
 #endregion
+
+ $assignmentsHash = @()
+ foreach ($assignment in $Assignments)
+ {
+ $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment
+ }
+
+ if ($policy.id)
+ {
+ Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id `
+ -Targets $assignmentsHash `
+ -Repository 'deviceAppManagement/mdmWindowsInformationProtectionPolicies'
+ }
 }
 elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
 {
 Write-Verbose -Message "Updating the Intune Windows Information Protection Policy for Windows10 Mdm Enrolled with Id {$($currentInstance.Id)}"
+ $PSBoundParameters.remove('Assignments') | Out-Null
 $UpdateParameters = ([Hashtable]$PSBoundParameters).clone()
 $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters
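Review bot: The `$assignmentsHash` conversion loop plus the `Update-DeviceConfigurationPolicyAssignment` call in the `@@ -595` hunk is repeated verbatim in the update branch (hunk `@@ -615`), differing only in which id is passed; computing the hashtable array once before the `if`/`elseif` chain, or wrapping the pair in a small local function that takes the policy id, would keep the two paths from drifting. The loop also grows the array with `+=` on every iteration and mixes `$assignment`/`$Assignment` for the same variable; `$assignmentsHash = @($Assignments | ForEach-Object { Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $_ })` does the same in one line and yields `@()` when nothing was declared. Set-TargetResource starts before and continues after this hunk.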
@@ -615,11 +656,20 @@ function Set-TargetResource
 }
 #region resource generator code
- $UpdateParameters.Add("@odata.type", "#microsoft.graph.MdmWindowsInformationProtectionPolicy")
- Update-MgBetaDeviceAppManagementMdmWindowsInformationProtectionPolicy `
+ $UpdateParameters.Add('@odata.type', '#microsoft.graph.MdmWindowsInformationProtectionPolicy')
+ Update-MgBetaDeviceAppManagementMdmWindowsInformationProtectionPolicy `
 -MdmWindowsInformationProtectionPolicyId $currentInstance.Id `
 -BodyParameter $UpdateParameters
 #endregion
+
+ $assignmentsHash = @()
+ foreach ($assignment in $Assignments)
+ {
+ $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment
+ }
+ Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentInstance.id `
+ -Targets $assignmentsHash `
+ -Repository 'deviceAppManagement/mdmWindowsInformationProtectionPolicies'
 }
 elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
 {
@@ -733,6 +783,10 @@ function Test-TargetResource
 [Parameter()]
 [System.String]
 $Description,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
 #endregion
 [Parameter()]
@@ -802,6 +856,11 @@ function Test-TargetResource
 -Source ($source) `
 -Target ($target)
+ if ($key -eq 'Assignments')
+ {
+ $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target
+ }
+
 if (-Not $testResult)
 {
 $testResult = $false
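Review bot: In the update branch `Update-DeviceConfigurationPolicyAssignment` runs unconditionally, so a configuration that does not declare `Assignments` at all reaches it with `$assignmentsHash` equal to `@()`; if that helper reconciles the policy to the supplied target list (its body is not in this diff), every assignment made outside DSC is stripped by an update that never mentioned assignments, which is the opposite of DSC's "undeclared means don't care" contract. The create branch in the previous hunk has the same shape, but there it only affects a brand-new policy. `$PSBoundParameters.remove('Assignments')` has already run by this point, so guard on the parameter itself, e.g. `if ($null -ne $Assignments) { ... }` around the conversion and the call, or record `$PSBoundParameters.ContainsKey('Assignments')` before the removal and test that. Set-TargetResource starts before and continues after this hunk.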
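Review bot: In the `@@ -802` hunk the generic comparison on the two lines above the new `if` is still evaluated for the `Assignments` key and then immediately overwritten by `Compare-M365DSCIntunePolicyAssignment`; making the new `if` the first branch and the existing call its `else` avoids the wasted comparison and any drift output the generic compare may print for assignments before it is discarded. The enclosing `foreach` over keys starts outside this hunk.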
@@ -1105,7 +1164,18 @@ function Export-TargetResource
 $Results.Remove('SmbAutoEncryptedFileExtensions') | Out-Null
 }
 }
-
+ if ($Results.Assignments)
+ {
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolledPolicyAssignments
+ if ($complexTypeStringResult)
+ {
+ $Results.Assignments = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('Assignments') | Out-Null
+ }
+ }
 $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
 -ConnectionMode $ConnectionMode `
 -ModulePath $PSScriptRoot `
@@ -1155,6 +1225,10 @@ function Export-TargetResource
 {
 $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'SmbAutoEncryptedFileExtensions' -IsCIMArray:$True
 }
+ if ($Results.Assignments)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$true
+ }
 #removing trailing commas and semi colons between items of an array of cim instances added by Convert-DSCStringParamToVariable
 $currentDSCBlock = $currentDSCBlock.replace( " ,`r`n" , " `r`n" )
 $currentDSCBlock = $currentDSCBlock.replace( "`r`n;`r`n" , "`r`n" )
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.schema.mof
index a2d1f0cfd6..35950770e5 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.schema.mof
@@ -1,3 +1,13 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolledPolicyAssignments
+{
+ [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType;
+ [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType;
+ [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId;
+ [Write, Description("The group Id that is the target of the assignment.")] String groupId;
+ [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName;
+ [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId;
+};
 [ClassVersion("1.0.0")]
 class MSFT_MicrosoftGraphWindowsInformationProtectionDataRecoveryCertificate
 {
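Review bot: The new class is tagged `[ClassVersion("1.0.0.0")]` while the class immediately below it in the same file uses `[ClassVersion("1.0.0")]`; the file should settle on one version format. The `collectionId` description also runs the parenthetical into the sentence, `"The collection Id that is the target of the assignment.(ConfigMgr)"`, and reads better as `"The collection Id (ConfigMgr) that is the target of the assignment."`. The `deviceAndAppManagementAssignmentFilterType` description could drop the informal "i.e. Exclude or Include" since the ValueMap already pins the three permitted values.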
@@ -79,6 +89,7 @@ class MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled : OMI_Ba
 [Write, Description("TemplateID GUID to use for RMS encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access")] String RightsManagementServicesTemplateId;
 [Write, Description("Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an SMB share within the corporate boundary"), EmbeddedInstance("MSFT_MicrosoftGraphwindowsInformationProtectionResourceCollection")] String SmbAutoEncryptedFileExtensions[];
 [Write, Description("The policy's description.")] String Description;
+ [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolledPolicyAssignments")] String Assignments[];
 [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
 [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
 [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.Tests.ps1
index 2d3dbfa363..d44aaa166d 100644
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.Tests.ps1
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.Tests.ps1
@@ -41,7 +41,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 Mock -CommandName Remove-MgBetaDeviceAppManagementMdmWindowsInformationProtectionPolicy -MockWith {
 }
-
+ Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith {
+ }
 Mock -CommandName New-M365DSCConnection -MockWith {
 return 'Credentials'
 }