diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ae7222a60..263817c6fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,11 +24,19 @@ * Fixes an issue where assignment wasn't properly set if the groupId was null. FIXES [#5430](https://github.com/microsoft/Microsoft365DSC/issues/5430) +* IntuneRoleAssignment + * Improve verbose output and fix copy-pasted variables. +* IntuneRoleScopeTag + * Initial release. * TeamsUserPolicyAssignment * Added support for the Global policies. * TeamsUpgradePolicy * DEPRECATED: Users properties. Use the TeamsUserPolicyAssignment resource instead. +* M365DSCUtil + * When exporting generate the instance names of resources with their mandatory + keys instead of random GUIDs , this makes exports idempotent again + FIXES [#5469](https://github.com/microsoft/Microsoft365DSC/issues/5469) * MISC * Removed hardcoded Graph urls and replaced by MSCloudLoginAssistant values. * Add separate module handling for PowerShell Core. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 index 00eb0e124e..00cc64d642 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 @@ -689,7 +689,7 @@ function Set-TargetResource { Write-Verbose -Message "Adding new owner {$($diff.InputObject)} to AAD Group {$($currentGroup.DisplayName)}" $ownerObject = @{ - '@odata.id' = $Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl + "v1.0/directoryObjects/{$($directoryObject.Id)}" + '@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/directoryObjects/{$($directoryObject.Id)}" } try { 
@@ -751,7 +751,7 @@ function Set-TargetResource { Write-Verbose -Message "Adding new member {$($diff.InputObject)} to AAD Group {$($currentGroup.DisplayName)}" $memberObject = @{ - '@odata.id' = $Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl + "v1.0/directoryObjects/{$($directoryObject.Id)}" + '@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/directoryObjects/{$($directoryObject.Id)}" } New-MgGroupMemberByRef -GroupId ($currentGroup.Id) -BodyParameter $memberObject | Out-Null } @@ -759,7 +759,7 @@ function Set-TargetResource { Write-Verbose -Message "Removing new member {$($diff.InputObject)} to AAD Group {$($currentGroup.DisplayName)}" $memberObject = @{ - '@odata.id' = $Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl + "v1.0/directoryObjects/{$($directoryObject.Id)}" + '@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/directoryObjects/{$($directoryObject.Id)}" } Remove-MgGroupMemberDirectoryObjectByRef -GroupId ($currentGroup.Id) -DirectoryObjectId ($directoryObject.Id) | Out-Null } @@ -809,7 +809,7 @@ function Set-TargetResource { Write-Verbose -Message "Adding AAD group {$($groupAsMember.DisplayName)} as member of AAD group {$($currentGroup.DisplayName)}" $groupAsMemberObject = @{ - "@odata.id"= $Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl + "v1.0/directoryObjects/$($groupAsMember.Id)" + "@odata.id"= $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/directoryObjects/$($groupAsMember.Id)" } New-MgBetaGroupMemberByRef -GroupId ($currentGroup.Id) -Body $groupAsMemberObject | Out-Null } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 index bf57b6fb57..fc5e7abded 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 @@ -269,7 +269,7 @@ function Set-TargetResource foreach ($provider in $IdentityProviders) { $params = @{ - "@odata.id" = $Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl + "beta/identityProviders/$($provider)" + "@odata.id" = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identityProviders/$($provider)" } Write-Verbose -Message "Adding the Identity Provider with Id {$provider} to the newly created Azure AD Identity B2X User Flow with Id {$($newObj.Id)}" @@ -318,7 +318,7 @@ function Set-TargetResource { $getConnector = Get-MgBetaIdentityApiConnector -Filter "DisplayName eq '$($ApiConnectorConfiguration.postFederationSignupConnectorName)'" $params = @{ - "@odata.id" = $Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl + "beta/identity/apiConnectors/$($getConnector.Id)" + "@odata.id" = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identity/apiConnectors/$($getConnector.Id)" } Write-Verbose -Message "Updating the Post Federation Signup connector for Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" @@ -330,7 +330,7 @@ function Set-TargetResource { $getConnector = Get-MgBetaIdentityApiConnector -Filter "DisplayName eq '$($ApiConnectorConfiguration.postAttributeCollectionConnectorName)'" $params = @{ - "@odata.id" = $Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl + "beta/identity/apiConnectors/$($getConnector.Id)" + "@odata.id" = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identity/apiConnectors/$($getConnector.Id)" } Write-Verbose -Message "Updating the Post Attribute Collection connector for Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" 
@@ -344,7 +344,7 @@ function Set-TargetResource foreach ($provider in $providersToAdd) { $params = @{ - "@odata.id" = $Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl + "beta/identityProviders/$($provider)" + "@odata.id" = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identityProviders/$($provider)" } Write-Verbose -Message "Adding the Identity Provider with Id {$provider} to the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/MSFT_AADRemoteNetwork.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/MSFT_AADRemoteNetwork.psm1 index 6bf1872082..ee4831624e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/MSFT_AADRemoteNetwork.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/MSFT_AADRemoteNetwork.psm1 @@ -262,7 +262,7 @@ function Set-TargetResource "@context" = '#$delta' value = @(@{}) } - Invoke-MgGraphRequest -Uri "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/networkAccess/connectivity/remoteNetworks/$($currentInstance.Id)/forwardingProfiles" -Method Patch -Body $params + Invoke-MgGraphRequest -Uri "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/networkAccess/connectivity/remoteNetworks/$($currentInstance.Id)/forwardingProfiles" -Method Patch -Body $params #adding forwarding profiles if required if ($forwardingProfilesList.Count -gt 0) { 
@@ -270,7 +270,7 @@ function Set-TargetResource "@context" = '#$delta' value = $forwardingProfilesList } - Invoke-MgGraphRequest -Uri "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/networkAccess/connectivity/remoteNetworks/$($currentInstance.Id)/forwardingProfiles" -Method Patch -Body $params + Invoke-MgGraphRequest -Uri "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/networkAccess/connectivity/remoteNetworks/$($currentInstance.Id)/forwardingProfiles" -Method Patch -Body $params } } elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 index 103556254a..46671eae5f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 
@@ -424,7 +424,7 @@ function Set-TargetResource { $value = $presentationValue.clone() $value = Rename-M365DSCCimInstanceParameter -Properties $value -KeyMapping $keyToRename - $value.add('presentation@odata.bind', $Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/groupPolicyDefinitions('$($definitionValue.Definition.Id)')/presentations('$($presentationValue.presentationDefinitionId)')") + $value.add('presentation@odata.bind', $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/groupPolicyDefinitions('$($definitionValue.Definition.Id)')/presentations('$($presentationValue.presentationDefinitionId)')") $value.remove('PresentationDefinitionId') $value.remove('PresentationDefinitionLabel') $value.remove('id') @@ -432,7 +432,7 @@ function Set-TargetResource } } $complexDefinitionValue = @{ - 'definition@odata.bind' = $Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/groupPolicyDefinitions('$($definitionValue.Definition.Id)')" + 'definition@odata.bind' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/groupPolicyDefinitions('$($definitionValue.Definition.Id)')" enabled = $definitionValue.Enabled presentationValues = $complexPresentationValues } 
@@ -520,7 +520,7 @@ function Set-TargetResource { $value = $presentationValue.clone() $value = Rename-M365DSCCimInstanceParameter -Properties $value -KeyMapping $keyToRename - $value.add('presentation@odata.bind', "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceManagement/groupPolicyDefinitions('$($definitionValue.Definition.Id)')/presentations('$($presentationValue.presentationDefinitionId)')") + $value.add('presentation@odata.bind', "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceManagement/groupPolicyDefinitions('$($definitionValue.Definition.Id)')/presentations('$($presentationValue.presentationDefinitionId)')") $value.remove('PresentationDefinitionId') $value.remove('PresentationDefinitionLabel') $value.remove('id') @@ -528,7 +528,7 @@ function Set-TargetResource } } $complexDefinitionValue = @{ - 'definition@odata.bind' = $Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/groupPolicyDefinitions('$($definitionValue.Definition.Id)')" + 'definition@odata.bind' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/groupPolicyDefinitions('$($definitionValue.Definition.Id)')" enabled = $definitionValue.Enabled presentationValues = $complexPresentationValues } 
@@ -554,7 +554,7 @@ function Set-TargetResource $currentPresentationValue = $currentDefinitionValue.PresentationValues | Where-Object { $_.PresentationDefinitionId -eq $presentationValue.presentationDefinitionId } $value = $presentationValue.clone() $value = Rename-M365DSCCimInstanceParameter -Properties $value -KeyMapping $keyToRename - $value.add('presentation@odata.bind', "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceManagement/groupPolicyDefinitions('$($definitionValue.Definition.Id)')/presentations('$($presentationValue.presentationDefinitionId)')") + $value.add('presentation@odata.bind', "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceManagement/groupPolicyDefinitions('$($definitionValue.Definition.Id)')/presentations('$($presentationValue.presentationDefinitionId)')") $value.remove('PresentationDefinitionId') $value.remove('PresentationDefinitionLabel') $value.remove('id') @@ -564,7 +564,7 @@ function Set-TargetResource } $complexDefinitionValue = @{ id = $currentDefinitionValue.Id - 'definition@odata.bind' = $Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/groupPolicyDefinitions('$($definitionValue.Definition.Id)')" + 'definition@odata.bind' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/groupPolicyDefinitions('$($definitionValue.Definition.Id)')" enabled = $definitionValue.Enabled presentationValues = $complexPresentationValues } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 index 68cf903ef4..6e478c8b13 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 @@ -522,7 +522,7 @@ function Set-TargetResource } #region resource generator code - $CreateParameters.Add("rootCertificate@odata.bind", "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceManagement/deviceConfigurations('$RootCertificateId')") + $CreateParameters.Add("rootCertificate@odata.bind", "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceManagement/deviceConfigurations('$RootCertificateId')") $CreateParameters.Add("@odata.type", "#microsoft.graph.windows81SCEPCertificateProfile") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments @@ -1034,7 +1034,7 @@ function Update-DeviceConfigurationPolicyRootCertificateId $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/deviceConfigurations('$DeviceConfigurationPolicyId')/microsoft.graph.windows81SCEPCertificateProfile/rootCertificate/`$ref" $ref = @{ - '@odata.id' = $Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/deviceConfigurations('$RootCertificateId')" + '@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/deviceConfigurations('$RootCertificateId')" } Invoke-MgGraphRequest -Method PUT -Uri $Uri -Body ($ref|ConvertTo-Json) -ErrorAction Stop 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10.psm1 index 4ba16773c9..8e4c4b36a7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10.psm1 @@ -564,7 +564,7 @@ function Set-TargetResource -CertificateId $RootCertificatesForServerValidationIds[$i] ` -CertificateDisplayName $RootCertificatesForServerValidationDisplayNames[$i] ` -OdataTypes @('#microsoft.graph.windows81TrustedRootCertificate') - $rootCertificatesForServerValidation += "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceManagement/deviceConfigurations('$checkedCertId')" + $rootCertificatesForServerValidation += "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceManagement/deviceConfigurations('$checkedCertId')" } $CreateParameters.Add('rootCertificatesForServerValidation@odata.bind', $rootCertificatesForServerValidation) } @@ -579,7 +579,7 @@ function Set-TargetResource '#microsoft.graph.windows81TrustedRootCertificate', ` '#microsoft.graph.windows10PkcsCertificateProfile' ` ) - $ref = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceManagement/deviceConfigurations('$checkedCertId')" + $ref = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceManagement/deviceConfigurations('$checkedCertId')" $CreateParameters.Add('identityCertificateForClientAuthentication@odata.bind', $ref) } 
@@ -593,7 +593,7 @@ function Set-TargetResource '#microsoft.graph.windows81TrustedRootCertificate', ` '#microsoft.graph.windows10PkcsCertificateProfile' ` ) - $ref = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceManagement/deviceConfigurations('$checkedCertId')" + $ref = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceManagement/deviceConfigurations('$checkedCertId')" $CreateParameters.Add('secondaryIdentityCertificateForClientAuthentication@odata.bind', $ref) } @@ -603,7 +603,7 @@ function Set-TargetResource -CertificateId $RootCertificateForClientValidationId ` -CertificateDisplayName $RootCertificateForClientValidationDisplayName ` -OdataTypes @('#microsoft.graph.windows81TrustedRootCertificate') - $ref = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceManagement/deviceConfigurations('$checkedCertId')" + $ref = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceManagement/deviceConfigurations('$checkedCertId')" $CreateParameters.Add('rootCertificateForClientValidation@odata.bind', $ref) } @@ -613,7 +613,7 @@ function Set-TargetResource -CertificateId $SecondaryRootCertificateForClientValidationId ` -CertificateDisplayName $SecondaryRootCertificateForClientValidationDisplayName ` -OdataTypes @('#microsoft.graph.windows81TrustedRootCertificate') - $ref = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceManagement/deviceConfigurations('$checkedCertId')" + $ref = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceManagement/deviceConfigurations('$checkedCertId')" $CreateParameters.Add('secondaryRootCertificateForClientValidation@odata.bind', $ref) } 
@@ -1242,7 +1242,7 @@ function Update-DeviceConfigurationPolicyCertificateId foreach ($certificateId in $CertificateIds) { $ref = @{ - '@odata.id' = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceManagement/deviceConfigurations('$certificateId')" + '@odata.id' = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceManagement/deviceConfigurations('$certificateId')" } Invoke-MgGraphRequest -Method $method -Uri $Uri -Body ($ref | ConvertTo-Json) -ErrorAction Stop 4>$null diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.psm1 index 55c7a998de..59278dd90c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.psm1 @@ -451,8 +451,8 @@ function Set-TargetResource throw "Mobile App Category with DisplayName $($category.DisplayName) not found." } - Invoke-MgGraphRequest -Uri "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceAppManagement/mobileApps/$($app.Id)/categories/`$ref" -Method 'POST' -Body @{ - '@odata.id' = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceAppManagement/mobileAppCategories/$($currentCategory.Id)" + Invoke-MgGraphRequest -Uri "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceAppManagement/mobileApps/$($app.Id)/categories/`$ref" -Method 'POST' -Body @{ + '@odata.id' = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceAppManagement/mobileAppCategories/$($currentCategory.Id)" } } 
@@ -508,7 +508,7 @@ function Set-TargetResource } Invoke-MgGraphRequest -Uri "/beta/deviceAppManagement/mobileApps/$($currentInstance.Id)/categories/`$ref" -Method 'POST' -Body @{ - '@odata.id' = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceAppManagement/mobileAppCategories/$($currentCategory.Id)" + '@odata.id' = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceAppManagement/mobileAppCategories/$($currentCategory.Id)" } } else diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.psm1 index 47edb1bd12..7979ebe48b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.psm1 @@ -488,7 +488,7 @@ function Set-TargetResource } Invoke-MgGraphRequest -Uri "/beta/deviceAppManagement/mobileApps/$($app.Id)/categories/`$ref" -Method 'POST' -Body @{ - '@odata.id' = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceAppManagement/mobileAppCategories/$($currentCategory.Id)" + '@odata.id' = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceAppManagement/mobileAppCategories/$($currentCategory.Id)" } } 
@@ -545,7 +545,7 @@ function Set-TargetResource } Invoke-MgGraphRequest -Uri "/beta/deviceAppManagement/mobileApps/$($currentInstance.Id)/categories/`$ref" -Method 'POST' -Body @{ - '@odata.id' = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceAppManagement/mobileAppCategories/$($currentCategory.Id)" + '@odata.id' = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceAppManagement/mobileAppCategories/$($currentCategory.Id)" } } else diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/MSFT_IntuneRoleAssignment.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/MSFT_IntuneRoleAssignment.psm1 index 28c286f642..324052a0cf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/MSFT_IntuneRoleAssignment.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/MSFT_IntuneRoleAssignment.psm1 
@@ -78,58 +78,51 @@ function Get-TargetResource $AccessTokens ) + Write-Verbose -Message "Getting configuration of the Intune Role Assignment with Id {$Id} and DisplayName {$DisplayName}" + try { $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters - } - catch - { - Write-Verbose -Message ($_) - } - #Ensure the proper dependencies are installed in the current environment. - Confirm-M365DSCDependencies + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies - #region Telemetry - $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') - $CommandName = $MyInvocation.MyCommand - $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` - -CommandName $CommandName ` - -Parameters $PSBoundParameters - Add-M365DSCTelemetryEvent -Data $data - #endregion + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' - $nullResult = $PSBoundParameters - $nullResult.Ensure = 'Absent' - try - { $getValue = $null - if ($Id -match '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$') + $getValue = Get-MgBetaDeviceManagementRoleAssignment -DeviceAndAppManagementRoleAssignmentId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) { - $getValue = Get-MgBetaDeviceManagementRoleAssignment -DeviceAndAppManagementRoleAssignmentId $id -ErrorAction SilentlyContinue - if ($null -ne $getValue) - { - Write-Verbose -Message "Found something with id {$id}" - } + Write-Verbose -Message "Could not find an Intune Role Assignment with Id {$Id}" + + $getValue = Get-MgBetaDeviceManagementRoleAssignment ` + -All ` + -Filter 
"displayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue } - else + + if ($null -eq $getValue) { - Write-Verbose -Message "Nothing with id {$id} was found" - $Filter = "displayName eq '$DisplayName'" - $getValue = Get-MgBetaDeviceManagementRoleAssignment -All -Filter $Filter -ErrorAction SilentlyContinue - if ($null -ne $getValue) - { - Write-Verbose -Message "Found something with displayname {$DisplayName}" - } - else - { - Write-Verbose -Message "Nothing with displayname {$DisplayName} was found" - return $nullResult - } + Write-Verbose -Message "Could not find an Intune Role Assignment with DisplayName {$DisplayName}" + return $nullResult } - #Get Roledefinition first, loop through all roledefinitions and find the assignment match the id + $Id = $getValue.Id + Write-Verbose -Message "An Intune Role Assignment with Id {$Id} and DisplayName {$DisplayName} was found" + + #Get Roledefinition first, loop through all roledefinitions and find the assignment that matches the Id $tempRoleDefinitions = Get-MgDeviceManagementRoleDefinition foreach ($tempRoleDefinition in $tempRoleDefinitions) { @@ -142,8 +135,6 @@ function Get-TargetResource } } - #$RoleDefinitionid = Get-MgDeviceManagementRoleAssignment -DeviceAndAppManagementRoleAssignmentId $getvalue.Id -ExpandProperty * - $ResourceScopesDisplayNames = @() foreach ($ResourceScope in $getValue.ResourceScopes) { @@ -156,8 +147,6 @@ function Get-TargetResource $MembersDisplayNames += (Get-MgGroup -GroupId $tempMember).DisplayName } - Write-Verbose -Message "Found something with id {$id}" - $scopeTypeValue = $null if (-not ([System.String]::IsNullOrEmpty($getValue.ScopeType))) { 
@@ -188,26 +177,12 @@ function Get-TargetResource } catch { - try - { - Write-Verbose -Message $_ - $tenantIdValue = '' - if (-not [System.String]::IsNullOrEmpty($TenantId)) - { - $tenantIdValue = $TenantId - } - elseif ($null -ne $Credential) - { - $tenantIdValue = $Credential.UserName.Split('@')[1] - } - Add-M365DSCEvent -Message $_ -EntryType 'Error' ` - -EventID 1 -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $tenantIdValue - } - catch - { - Write-Verbose -Message $_ - } + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + return $nullResult } } 
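Review bot: The `return $nullResult` that closes this catch block can now return `$null`, because the previous hunk of Get-TargetResource moved `$nullResult = $PSBoundParameters` and `$nullResult.Ensure = 'Absent'` inside the `try`, after `New-M365DSCConnection`, `Confirm-M365DSCDependencies` and the telemetry calls. If any of those throws, the error is logged but the caller receives no hashtable. The `$currentInstance.Ensure` comparisons in Set-TargetResource would then match none of their branches, so a role assignment is neither applied nor reported as failed. Assigning the two `$nullResult` lines before the `try` keeps the return value defined on every path. Consider also rethrowing after `New-M365DSCLogEntry`, since reporting `Ensure = 'Absent'` for a failed read looks the same as a missing assignment and could lead to a duplicate being created.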
@@ -314,28 +289,20 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('AccessTokens') | Out-Null + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters if (!($RoleDefinition -match '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')) { [string]$roleDefinition = $null $Filter = "displayName eq '$RoleDefinitionDisplayName'" - $RoleDefinitionId = Get-MgDeviceManagementRoleDefinition -Filter $Filter -ErrorAction SilentlyContinue + $RoleDefinitionId = Get-MgDeviceManagementRoleDefinition -All -Filter $Filter -ErrorAction SilentlyContinue if ($null -ne $RoleDefinitionId) { $roleDefinition = $RoleDefinitionId.Id } else { - Write-Verbose -Message "Nothing with displayname {$RoleDefinitionDisplayName} was found" + Write-Verbose -Message "No role definition with DisplayName {$RoleDefinitionDisplayName} was found" } } @@ -353,7 +320,7 @@ function Set-TargetResource } else { - Write-Verbose -Message "Nothing with displayname {$MembersDisplayName} was found" + Write-Verbose -Message "No member of type group with DisplayName {$MembersDisplayName} was found" } } @@ -371,7 +338,7 @@ function Set-TargetResource } else { - Write-Verbose -Message "Nothing with displayname {$ResourceScopesDisplayName} was found" + Write-Verbose -Message "No resource scope of type group with DisplayName {$ResourceScopesDisplayName} was found" } } if ($ScopeType -match 'AllDevices|AllLicensedUsers|AllDevicesAndLicensedUsers') 
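Review bot: The changed `Get-MgDeviceManagementRoleDefinition -All -Filter $Filter` lookup treats a display-name match as unique, but `-All` can return several objects, and `$RoleDefinitionId.Id` then yields an array that the `[string]$roleDefinition` variable flattens into one value for `roleDefinition@odata.bind`. `$Filter` is also built by pasting `$RoleDefinitionDisplayName` between single quotes, so a name containing `'` changes the filter expression. Double the quote first with `$RoleDefinitionDisplayName.Replace("'", "''")`. Because this value decides which role is bound to the assignment, stop with an error unless exactly one definition comes back, for example `if (@($RoleDefinitionId).Count -ne 1) { throw "Expected exactly one role definition named {$RoleDefinitionDisplayName}" }`, rather than only writing the verbose "No role definition …" message and continuing. The same applies to the inline `-Filter "displayName eq '$DisplayName'"` added in the Get-TargetResource hunk above and to the identical lookup in the Test-TargetResource hunk below; the enclosing function starts and ends outside this hunk.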
@@ -385,7 +352,7 @@ function Set-TargetResource } if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { - Write-Verbose -Message "Creating {$DisplayName}" + Write-Verbose -Message "Creating an Intune Role Assignment with DisplayName {$DisplayName}" $CreateParameters = @{ description = $Description @@ -394,14 +361,13 @@ function Set-TargetResource scopeType = $ScopeType members = $Members '@odata.type' = '#microsoft.graph.deviceAndAppManagementRoleAssignment' - 'roleDefinition@odata.bind' = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceManagement/roleDefinitions('$roleDefinition')" + 'roleDefinition@odata.bind' = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceManagement/roleDefinitions('$roleDefinition')" } - $policy = New-MgBetaDeviceManagementRoleAssignment -BodyParameter $CreateParameters - + $null = New-MgBetaDeviceManagementRoleAssignment -BodyParameter $CreateParameters } elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { - Write-Verbose -Message "Updating {$DisplayName}" + Write-Verbose -Message "Updating the Intune Role Assignment with Id {$($currentInstance.Id)} and DisplayName {$DisplayName}" $UpdateParameters = @{ description = $Description 
@@ -410,16 +376,15 @@ function Set-TargetResource scopeType = $ScopeType members = $Members '@odata.type' = '#microsoft.graph.deviceAndAppManagementRoleAssignment' - 'roleDefinition@odata.bind' = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)beta/deviceManagement/roleDefinitions('$roleDefinition')" + 'roleDefinition@odata.bind' = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)beta/deviceManagement/roleDefinitions('$roleDefinition')" } Update-MgBetaDeviceManagementRoleAssignment -BodyParameter $UpdateParameters ` -DeviceAndAppManagementRoleAssignmentId $currentInstance.Id - } elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { - Write-Verbose -Message "Removing {$DisplayName}" + Write-Verbose -Message "Removing the Intune Role Assignment with Id {$($currentInstance.Id)} and DisplayName {$DisplayName}" Remove-MgBetaDeviceManagementRoleAssignment -DeviceAndAppManagementRoleAssignmentId $currentInstance.Id } } @@ -516,16 +481,16 @@ function Test-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - Write-Verbose -Message "Testing configuration of {$id - $displayName}" + Write-Verbose -Message "Testing configuration of {$Id - $displayName}" $CurrentValues = Get-TargetResource @PSBoundParameters - $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() - if (!($RoleDefinition -match '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')) + if (-not ($RoleDefinition -match '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')) { [string]$roleDefinition = $null $Filter = "displayName eq '$RoleDefinitionDisplayName'" - $RoleDefinitionId = Get-MgDeviceManagementRoleDefinition -Filter $Filter -ErrorAction SilentlyContinue + $RoleDefinitionId = Get-MgDeviceManagementRoleDefinition -All -Filter $Filter -ErrorAction SilentlyContinue if ($null -ne $RoleDefinitionId) { $roleDefinition = $RoleDefinitionId.Id 
@@ -533,7 +498,7 @@ function Test-TargetResource } else { - Write-Verbose -Message "Nothing with displayname {$RoleDefinitionDisplayName} was found" + Write-Verbose -Message "No role definition with DisplayName {$RoleDefinitionDisplayName} was found" } } @@ -550,7 +515,7 @@ function Test-TargetResource } else { - Write-Verbose -Message "Nothing with displayname {$RoleDefinitionDisplayName} was found" + Write-Verbose -Message "No member of type group with DisplayName {$MembersDisplayName} was found" } } $PSBoundParameters.Set_Item('Members', $Members) @@ -568,7 +533,7 @@ function Test-TargetResource } else { - Write-Verbose -Message "Nothing with displayname {$RoleDefinitionDisplayName} was found" + Write-Verbose -Message "No resource scope of type group with DisplayName {$ResourceScopesDisplayName} was found" } } $PSBoundParameters.Set_Item('ResourceScopes', $ResourceScopes) @@ -691,14 +656,14 @@ function Export-TargetResource $Global:M365DSCExportResourceInstancesCount++ } - $displayedKey = $config.id + $displayedKey = $config.Id if (-not [String]::IsNullOrEmpty($config.displayName)) { $displayedKey = $config.displayName } Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline $params = @{ - id = $config.id + Id = $config.Id DisplayName = $config.displayName Ensure = 'Present' Credential = $Credential @@ -749,3 +714,5 @@ function Export-TargetResource return '' } } + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleScopeTag/MSFT_IntuneRoleScopeTag.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleScopeTag/MSFT_IntuneRoleScopeTag.psm1 new file mode 100644 index 0000000000..4c7cd488fe --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleScopeTag/MSFT_IntuneRoleScopeTag.psm1 
@@ -0,0 +1,562 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + Write-Verbose -Message "Getting configuration of the Intune Role Scope Tag with Id {$Id} DisplayName {$DisplayName}" + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + if ($PSBoundParameters.ContainsKey("Id")) + { + $getValue = Get-MgBetaDeviceManagementRoleScopeTag -RoleScopeTagId $Id -ErrorAction SilentlyContinue + } + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Role Scope Tag with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementRoleScopeTag ` + -All ` + -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Role Scope Tag with DisplayName {$DisplayName}." 
+ return $nullResult + } + + $Id = $getValue.Id + Write-Verbose -Message "An Intune Role Scope Tag with Id {$Id} and DisplayName {$DisplayName} was found" + + $results = @{ + #region resource generator code + DisplayName = $getValue.DisplayName + Id = $getValue.Id + Description = $getValue.Description + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + #endregion + } + + $assignmentsValues = Get-MgBetaDeviceManagementRoleScopeTagAssignment -RoleScopeTagId $Id + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] 
+ [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + Write-Verbose -Message "Setting configuration of the Intune Role Scope Tag with Id {$Id} and DisplayName {$DisplayName}" + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Role Scope Tag with DisplayName {$DisplayName}" + $BoundParameters.Remove("Assignments") | Out-Null + + $createParameters = ([Hashtable]$BoundParameters).Clone() + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + $createParameters.Remove('Id') | Out-Null + + $keys = (([Hashtable]$createParameters).Clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $createParameters.$key -and $createParameters.$key.GetType().Name -like '*CimInstance*') + { + $createParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $createParameters.$key + } + } + + #region resource generator code + $createParameters.Add("@odata.type", "#microsoft.graph.RoleScopeTag") + $policy = New-MgBetaDeviceManagementRoleScopeTag -BodyParameter $createParameters + + if ($policy.Id) + { + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$false -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 
'deviceManagement/roleScopeTags' + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune Role Scope Tag with Id {$($currentInstance.Id)}" + $BoundParameters.Remove("Assignments") | Out-Null + + $updateParameters = ([Hashtable]$BoundParameters).Clone() + $updateParameters = Rename-M365DSCCimInstanceParameter -Properties $updateParameters + + $updateParameters.Remove('Id') | Out-Null + + $keys = (([Hashtable]$updateParameters).Clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $updateParameters.$key -and $updateParameters.$key.GetType().Name -like '*CimInstance*') + { + $updateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $updateParameters.RoleScopeTagId + } + } + + #region resource generator code + $UpdateParameters.Add("@odata.type", "#microsoft.graph.RoleScopeTag") + Update-MgBetaDeviceManagementRoleScopeTag ` + -RoleScopeTagId $currentInstance.Id ` + -BodyParameter $UpdateParameters + + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$false -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/roleScopeTags' + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune Role Scope Tag with Id {$($currentInstance.Id)}" + + #region resource generator code + Remove-MgBetaDeviceManagementRoleScopeTag -RoleScopeTagId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Role Scope Tag with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose 
-Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaDeviceManagementRoleScopeTag ` + -Filter $Filter ` + -All ` + -ErrorAction Stop | Where-Object { $_.IsBuiltIn -eq $false } + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + $Results.Remove('Assignments') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + 
-Credential $Credential + + if ($Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleScopeTag/MSFT_IntuneRoleScopeTag.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleScopeTag/MSFT_IntuneRoleScopeTag.schema.mof new file mode 100644 index 0000000000..a62e29de0b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleScopeTag/MSFT_IntuneRoleScopeTag.schema.mof 
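Review bot: In the update branch of Set-TargetResource the CIM conversion passes `$updateParameters.RoleScopeTagId`, a key the parameter block never defines, so any CimInstance value would be replaced by the conversion of `$null`. The create branch uses `$createParameters.$key`, and the update branch should likewise read `-ComplexObject $updateParameters.$key`. The defect is latent today because `Assignments`, the only CimInstance parameter, is removed from `$BoundParameters` before the loop runs. Separately, Test-TargetResource writes `$CurrentValues` to the verbose stream without passing it through `Remove-M365DSCAuthenticationParameter` as it does for `$ValuesToCheck`, and Get-TargetResource echoes `AccessTokens` into that hashtable. Unless `Convert-M365DscHashtableToString` redacts it (not visible here), access tokens can end up in verbose logs.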
@@ -0,0 +1,27 @@ +[ClassVersion("1.0.0.0")] +class MSFT_DeviceManagementConfigurationPolicyAssignments +{ + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType; + [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("IntuneRoleScopeTag")] +class MSFT_IntuneRoleScopeTag : OMI_BaseResource +{ + [Key, Description("The display or friendly name of the Role Scope Tag.")] String DisplayName; + [Write, Description("The unique identifier for an entity. 
Read-only.")] String Id; + [Write, Description("Description of the Role Scope Tag.")] String Description; + [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleScopeTag/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleScopeTag/readme.md new file mode 100644 index 0000000000..d7ed9b6f01 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleScopeTag/readme.md @@ -0,0 +1,6 @@ + +# IntuneRoleScopeTag + +## Description + +This resource configures an Intune Role Scope Tag diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleScopeTag/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleScopeTag/settings.json new file mode 100644 index 0000000000..eece1c58a9 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleScopeTag/settings.json 
@@ -0,0 +1,44 @@ +{ + "resourceName": "IntuneRoleScopeTag", + "description": "This resource configures an Intune Role Scope Tag.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + }, + { + "name": "Group.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + }, + { + "name": "Group.Read.All" + } + ] + }, + "application": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + }, + { + "name": "Group.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + }, + { + "name": "Group.Read.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_O365Group/MSFT_O365Group.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_O365Group/MSFT_O365Group.psm1 index bb6fa09486..8d6020d84d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_O365Group/MSFT_O365Group.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_O365Group/MSFT_O365Group.psm1 @@ -352,7 +352,7 @@ function Set-TargetResource $userId = (Get-MgUser -UserId $member).Id # There are no cmldet to remove members from group available at the time of writing this resource (March 8th 2022) - $url = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)v1.0/groups/$($ADGroup[0].Id)/members/$userId/`$ref" + $url = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)v1.0/groups/$($ADGroup[0].Id)/members/$userId/`$ref" Invoke-MgGraphRequest -Method DELETE -Uri $url | Out-Null } } @@ -398,7 +398,7 @@ function Set-TargetResource Write-Verbose -Message "Adding Owner {$owner}" $userId = (Get-MgUser -UserId $owner).Id $newGroupOwner = @{ - '@odata.id' = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)v1.0/users/{$userId}" + '@odata.id' = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)v1.0/users/{$userId}" } New-MgGroupOwnerByRef -GroupId $ADGroup[0].Id -BodyParameter $newGroupOwner 
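Review bot: The permissions declared for this resource are `DeviceManagementConfiguration.Read.All` and `DeviceManagementConfiguration.ReadWrite.All`, but the module calls the `deviceManagement/roleScopeTags` endpoints, which as far as I know are governed by the `DeviceManagementRBAC.Read.All` / `DeviceManagementRBAC.ReadWrite.All` scopes in Microsoft Graph. If that is right, an app registration consented from this file will be denied on every call, and operators tend to respond by granting broader rights than the resource needs. Please confirm the required scopes against the Graph documentation for roleScopeTag and list exactly those in both the `delegated` and `application` sections.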
@@ -410,7 +410,7 @@ function Set-TargetResource $userId = (Get-MgUser -UserId $owner).Id # There are no cmldet to remove members from group available at the time of writing this resource (March 8th 2022) - $url = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)v1.0/groups/$($ADGroup[0].Id)/owners/$userId/`$ref" + $url = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)v1.0/groups/$($ADGroup[0].Id)/owners/$userId/`$ref" Invoke-MgGraphRequest -Method DELETE -Uri $url | Out-Null } } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PlannerTask/MSFT_PlannerTask.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_PlannerTask/MSFT_PlannerTask.psm1 index 3b8db6bd7e..7581137a90 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_PlannerTask/MSFT_PlannerTask.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PlannerTask/MSFT_PlannerTask.psm1 @@ -492,7 +492,7 @@ function Set-TargetResource Write-Verbose -Message "Updating Task with:`r`n$JSONDetails" # Need to continue to rely on Invoke-MgGraphRequest Invoke-MgGraphRequest -Method PATCH ` - -Uri "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)v1.0/planner/tasks/$taskId" ` + -Uri "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)v1.0/planner/tasks/$taskId" ` -Headers $Headers ` -Body $JSONDetails @@ -504,7 +504,7 @@ function Set-TargetResource $JSONDetails = (ConvertTo-Json $details) Write-Verbose -Message "Updating Task's details with:`r`n$JSONDetails" Invoke-MgGraphRequest -Method PATCH ` - -Uri "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)v1.0/planner/tasks/$taskId/details" ` + -Uri "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)v1.0/planner/tasks/$taskId/details" ` -Headers $Headers ` -Body $JSONDetails 
@@ -940,7 +940,7 @@ function Get-M365DSCPlannerTasksFromPlan $Credential ) $results = @() - $uri = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)v1.0/planner/plans/$PlanId/tasks" + $uri = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)v1.0/planner/plans/$PlanId/tasks" $taskResponse = Invoke-MSCloudLoginMicrosoftGraphAPI -Credential $Credential ` -Uri $uri ` -Method Get diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsChannelTab/MSFT_TeamsChannelTab.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsChannelTab/MSFT_TeamsChannelTab.psm1 index d55b1ee958..f860d32bb3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsChannelTab/MSFT_TeamsChannelTab.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsChannelTab/MSFT_TeamsChannelTab.psm1 @@ -368,7 +368,7 @@ function Set-TargetResource Write-Verbose -Message "Params: $($CurrentParameters | Out-String)" $additionalProperties = @{ - 'teamsApp@odata.bind' = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)v1.0/appCatalogs/teamsApps/$TeamsApp" + 'teamsApp@odata.bind' = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)v1.0/appCatalogs/teamsApps/$TeamsApp" } $CurrentParameters.Add('AdditionalProperties', $additionalProperties) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTeam/MSFT_TeamsTeam.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTeam/MSFT_TeamsTeam.psm1 index 35e6848a74..13b7e219ae 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTeam/MSFT_TeamsTeam.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTeam/MSFT_TeamsTeam.psm1 
@@ -443,7 +443,7 @@ function Set-TargetResource Write-Verbose -Message "Retrieving Group Owner {$currentOwner}" $ownerUser = Get-MgUser -Search $currentOwner -ConsistencyLevel eventual - $ownerOdataID = "$($Global:MSCloudLoginAssistant.MicrosoftGraph.ResourceUrl)v1.0/directoryObjects/$($ownerUser.Id)" + $ownerOdataID = "$($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)v1.0/directoryObjects/$($ownerUser.Id)" Write-Verbose -Message "Adding Owner {$($ownerUser.Id)} to Group {$($group.Id)}" try diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneRoleScopeTag/IntuneRoleScopeTag/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneRoleScopeTag/IntuneRoleScopeTag/1-Create.ps1 new file mode 100644 index 0000000000..8a758caf8e --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneRoleScopeTag/IntuneRoleScopeTag/1-Create.ps1 @@ -0,0 +1,27 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneRoleScopeTag 'Example' + { + DisplayName = "MyNewTag" + Description = "My Example Tag" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneRoleScopeTag/IntuneRoleScopeTag/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneRoleScopeTag/IntuneRoleScopeTag/2-Update.ps1 new file mode 100644 index 0000000000..292e124591 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneRoleScopeTag/IntuneRoleScopeTag/2-Update.ps1 
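Review bot: The new 1-Create.ps1 example declares a mandatory `$Credscredential` parameter that is never used, while `$ApplicationId`, `$TenantId` and `$CertificateThumbprint` are referenced in the resource block without being declared, so they resolve to `$null` when the configuration is compiled on its own. Declare the three values in the `param` block (for example `[Parameter(Mandatory = $true)] [System.String] $ApplicationId`, and likewise for the other two) and drop the unused credential parameter. The same applies to 2-Update.ps1 and 3-Remove.ps1 added in this commit.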
@@ -0,0 +1,28 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneRoleScopeTag 'Example' + { + DisplayName = "MyExistingTag" + Id = "5" + Description = "My Example Tag" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneRoleScopeTag/IntuneRoleScopeTag/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneRoleScopeTag/IntuneRoleScopeTag/3-Remove.ps1 new file mode 100644 index 0000000000..2d02be7b42 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneRoleScopeTag/IntuneRoleScopeTag/3-Remove.ps1 @@ -0,0 +1,28 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneRoleScopeTag 'Example' + { + DisplayName = "MyExistingTag" + Id = "5" + Description = "My Example Tag" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/1-Create.ps1 index 1753fce3f7..81fcd5b67d 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/1-Create.ps1 
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/1-Create.ps1 @@ -37,9 +37,9 @@ Configuration Example DisableSafetyFilterOverrideForAppRepUnknown = '1' } Ensure = 'Present' - ApplicationId = $ApplicationId; - TenantId = $TenantId; - CertificateThumbprint = $CertificateThumbprint; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint } } } diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 5343487a47..388520fb96 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -3204,14 +3204,11 @@ function Update-M365DSCDependencies [Parameter()] [Switch] $ValidateOnly, - [Parameter()] [ValidateSet("CurrentUser", "AllUsers")] $Scope = "AllUsers" ) - $isPSResourceGetInstalled = Get-Module -Name Microsoft.PowerShell.PSResourceGet -ListAvailable - try { $Global:MaximumFunctionCount = 32767 
@@ -3261,14 +3258,14 @@ function Update-M365DSCDependencies } if (-not $errorFound) { - if (($dependency.PowerShellCore -eq $false -or $dependency.InstallLocation -eq "WindowsPowerShell") -and $Script:IsPowerShellCore) + if (-not $dependency.PowerShellCore -and $Script:IsPowerShellCore) { - Write-Warning "The dependency {$($dependency.ModuleName)} requires Windows PowerShell for installation. Please run Update-M365DSCDependencies in Windows PowerShell." + Write-Warning "The dependency {$($dependency.ModuleName)} does not support PowerShell Core. Please run Update-M365DSCDependencies in Windows PowerShell." continue } elseif ($dependency.PowerShellCore -and -not $Script:IsPowerShellCore) { - Write-Warning "The dependency {$($dependency.ModuleName)} requires PowerShell Core for installation. Please run Update-M365DSCDependencies in PowerShell Core." + Write-Warning "The dependency {$($dependency.ModuleName)} requires PowerShell Core. Please run Update-M365DSCDependencies in PowerShell Core." continue } @@ -3279,15 +3276,7 @@ function Update-M365DSCDependencies Remove-Module 'Microsoft.Graph.Authentication' -Force -ErrorAction SilentlyContinue } Remove-Module $dependency.ModuleName -Force -ErrorAction SilentlyContinue - - if ($null -eq $isPSResourceGetInstalled) - { - Install-Module $dependency.ModuleName -RequiredVersion $dependency.RequiredVersion -AllowClobber -Force -Scope $Scope - } - else - { - Install-PSResource -Name $dependency.ModuleName -Version $dependency.RequiredVersion -AcceptLicense -Scope $Scope -Reinstall -TrustRepository - } + Install-Module $dependency.ModuleName -RequiredVersion $dependency.RequiredVersion -AllowClobber -Force -Scope "$Scope" } } 
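Review bot: Replacing `$dependency.PowerShellCore -eq $false` with `-not $dependency.PowerShellCore` in the first hunk changes the result for manifest entries that have no `PowerShellCore` key. `$null -eq $false` is false but `-not $null` is true, so such dependencies are now skipped with a warning on PowerShell Core. The manifest is not visible here, so this only matters if some entries omit the key; if they can, keep the explicit comparison, `if ($dependency.PowerShellCore -eq $false -and $Script:IsPowerShellCore)`. The enclosing loop starts and ends outside the hunk.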
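Review bot: The remaining `Install-Module` call in the second hunk names no repository and passes `-Force`, so resolution depends on whichever repositories are registered on the host, and the untrusted-repository confirmation is suppressed. Pinning the source keeps dependency installation predictable on machines with additional feeds registered: `Install-Module $dependency.ModuleName -RequiredVersion $dependency.RequiredVersion -Repository PSGallery -AllowClobber -Force -Scope $Scope`. PSGallery is an assumption here; use whichever repository the dependency manifest is meant to install from. The quotes around `"$Scope"` are not needed.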
@@ -3787,13 +3776,13 @@ function Get-M365DSCExportContentForResource Import-Module $Resource.Path -Force $moduleInfo = Get-Command -Module $ModuleFullName -ErrorAction SilentlyContinue $cmdInfo = $moduleInfo | Where-Object -FilterScript {$_.Name -eq 'Get-TargetResource'} - $Keys = $cmdInfo.Parameters.Keys + $Keys = $cmdInfo.Parameters.Values.Where({ $_.ParameterSets.Values.IsMandatory }).Name } } else { $cmdInfo = $moduleInfo | Where-Object -FilterScript {$_.Name -eq 'Get-TargetResource'} - $Keys = $cmdInfo.Parameters.Keys + $Keys = $cmdInfo.Parameters.Values.Where({ $_.ParameterSets.Values.IsMandatory }).Name } if ($Keys.Contains('IsSingleInstance')) @@ -3840,9 +3829,14 @@ function Get-M365DSCExportContentForResource { $primaryKey = $Results.UserPrincipalName } - elseif ($Keys.Contains('User')) + + if ([String]::IsNullOrEmpty($primaryKey) -and ` + -not $Keys.Contains('IsSingleInstance')) { - $primaryKey = $Results.User + foreach ($Key in $Keys) + { + $primaryKey += $Results.$Key + } } $instanceName = $ResourceName @@ -3850,10 +3844,6 @@ function Get-M365DSCExportContentForResource { $instanceName += "-$primaryKey" } - elseif (-not $Keys.Contains('IsSingleInstance')) - { - $instanceName += "-" + (New-Guid).ToString() - } if ($Results.ContainsKey('Workload')) { diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index eb8a1f59c3..12a4e32045 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json 
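Review bot: `$cmdInfo.Parameters.Values.Where({ ... }).Name` is a collection only when two or more parameters match. With exactly one mandatory parameter `$Keys` is a single string, so the later `$Keys.Contains('IsSingleInstance')` checks become case-sensitive substring tests against that one name, and with no mandatory parameter `$Keys` is `$null` and `.Contains` throws. Wrapping both assignments in the array operator keeps the type stable: `$Keys = @($cmdInfo.Parameters.Values.Where({ $_.ParameterSets.Values.IsMandatory }).Name)`. The filter also relies on the truthiness of `ParameterSets.Values.IsMandatory`, which is always true once a parameter belongs to more than one parameter set; `$_.ParameterSets.Values.IsMandatory -contains $true` states the intent. Get-M365DSCExportContentForResource starts and ends outside this hunk.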
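Review bot: The new fallback loop appends the key values with no separator, and the following hunk removes the GUID fallback, so two exported instances can now receive the same name. Keys `('ab','c')` and `('a','bc')` (constructed example) both produce `abc`, and when every key value is empty the name is the bare `$ResourceName`. Duplicate instance names within one exported configuration are expected to be rejected when the configuration is compiled. A delimiter removes the first case: `$primaryKey = @($Keys | ForEach-Object { $Results.$_ }) -join '-'`, followed by an explicit check that the result is not empty. `+=` also takes its type from the first value appended, so a first key that is a number or an array changes how the later keys are combined.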
@@ -43490,6 +43490,71 @@ } ] }, + { + "ClassName": "MSFT_IntuneRoleScopeTag", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint", "Parameters": [ diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 index fbf4b5f665..4c956d09e2 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 
@@ -3005,6 +3005,15 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneRoleScopeTag 'Example' + { + DisplayName = "MyNewTag" + Description = "My Example Tag" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint' { DisplayName = 'test' @@ -3020,9 +3029,9 @@ DisableSafetyFilterOverrideForAppRepUnknown = '1' } Ensure = 'Present' - ApplicationId = $ApplicationId; - TenantId = $TenantId; - CertificateThumbprint = $CertificateThumbprint; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint } IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy' { diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneRoleScopeTag.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneRoleScopeTag.Tests.ps1 new file mode 100644 index 0000000000..d89bf00022 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneRoleScopeTag.Tests.ps1 
@@ -0,0 +1,217 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource 'IntuneRoleScopeTag' -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementRoleScopeTag -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementRoleScopeTag -MockWith { + } + + Mock -CommandName Remove-MgBetaDeviceManagementRoleScopeTag -MockWith { + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances = $null + $Script:ExportMode = $false + + Mock -CommandName Get-MgBetaDeviceManagementRoleScopeTagAssignment -MockWith { + } + + } + + # Test contexts + Context -Name 'The IntuneRoleScopeTag should exist but it DOES NOT' -Fixture { + BeforeAll { + $testParams = @{ 
+ Description = 'FakeStringValue' + DisplayName = 'FakeStringValue' + Id = 'FakeStringValue' + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementRoleScopeTag -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementRoleScopeTag -Exactly 1 + } + } + + Context -Name 'The IntuneRoleScopeTag exists but it SHOULD NOT' -Fixture { + BeforeAll { + $testParams = @{ + Description = 'FakeStringValue' + DisplayName = 'FakeStringValue' + Id = 'FakeStringValue' + Ensure = 'Absent' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementRoleScopeTag -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.RoleScopeTag' + } + Description = 'FakeStringValue' + DisplayName = 'FakeStringValue' + Id = 'FakeStringValue' + IsBuiltIn = $True + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementRoleScopeTag -Exactly 1 + } + } + + Context -Name 'The IntuneRoleScopeTag Exists and Values are already in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + Id = 'FakeStringValue' + DisplayName = 'FakeStringValue' + Description = 'FakeStringValue' + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementRoleScopeTag -MockWith { + return @{ + AdditionalProperties = @{ + 
'@odata.type' = '#microsoft.graph.RoleScopeTag' + } + Description = 'FakeStringValue' + DisplayName = 'FakeStringValue' + Id = 'FakeStringValue' + IsBuiltIn = $True + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name 'The IntuneRoleScopeTag exists and values are NOT in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + Description = 'FakeStringValue' + DisplayName = 'FakeStringValue' + Id = 'FakeStringValue' + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementRoleScopeTag -MockWith { + return @{ + Description = 'FakeWrongStringValue' + DisplayName = 'FakeWrongStringValue' + Id = 'FakeStringValue' + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaDeviceManagementRoleScopeTag -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementRoleScopeTag -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.RoleScopeTag' + } + Description = 'FakeStringValue' + DisplayName = 'FakeStringValue' + Id = 'FakeStringValue' + IsBuiltIn = $false + } + } + } + + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope 
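Review bot: In the context 'The IntuneRoleScopeTag exists but it SHOULD NOT' the test is titled `'Should return true from the Test method'` but asserts `Should -Be $false`. The assertion looks right for a drift case, so the title should read `'Should return false from the Test method'`. The Set tests are titled 'Should Create the group from the Set method' and 'Should Remove the group from the Set method', which read as copied from a group resource; 'role scope tag' would match what is being tested. `Update-DeviceConfigurationPolicyAssignment` and `Get-MgBetaDeviceManagementRoleScopeTagAssignment` are mocked, but no context passes `Assignments` or asserts on those mocks, so the assignment path of the new resource is not exercised by this file.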
diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index e29324881e..e3024b7ad6 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 @@ -26932,50 +26932,79 @@ function Update-MgBetaDeviceAppManagementTargetedManagedAppConfiguration function Get-MgBetaDeviceManagementRoleScopeTag { [CmdletBinding()] - param( + param + ( [Parameter()] - [System.String[]] - $Property, + [System.String] + $RoleScopeTagId, [Parameter()] [PSObject] $InputObject, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.String[]] + $ExpandProperty, [Parameter()] - [System.Int32] - $PageSize, + [System.String[]] + $Property, [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.String] + $Filter, [Parameter()] [System.String] - $RoleScopeTagId, + $Search, [Parameter()] [System.Int32] $Skip, + [Parameter()] + [System.String[]] + $Sort, + [Parameter()] [System.Int32] $Top, [Parameter()] [System.String] - $CountVariable, + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, [Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.String[]] - $Sort, + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, [Parameter()] [System.Management.Automation.SwitchParameter] 
@@ -26983,109 +27012,210 @@ function Get-MgBetaDeviceManagementRoleScopeTag [Parameter()] [System.String] - $Filter, + $CountVariable + ) +} +function New-MgBetaDeviceManagementRoleScopeTag +{ + [CmdletBinding()] + param + ( [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [PSObject] + $BodyParameter, [Parameter()] [System.String] - $Search, + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $Assignments, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, [Parameter()] [System.Management.Automation.SwitchParameter] $Break, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.Collections.IDictionary] + $Headers, [Parameter()] - [PSObject] - $HttpPipelineAppend + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm ) } -#endregion -#region Microsoft.Graph.Beta.DeviceManagement.Enrollment -function Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration + +function Remove-MgBetaDeviceManagementRoleScopeTag { [CmdletBinding()] - param( + param + ( [Parameter()] - [System.String[]] - $Property, + [System.String] + $RoleScopeTagId, [Parameter()] [PSObject] $InputObject, + [Parameter()] + [System.String] + $ResponseHeadersVariable, + [Parameter()] [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + $Break, [Parameter()] - [System.Int32] - $PageSize, + [System.Collections.IDictionary] + $Headers, [Parameter()] - [PSObject] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + 
[PSObject[]] $HttpPipelinePrepend, [Parameter()] - [System.Int32] - $Skip, + [System.Management.Automation.SwitchParameter] + $PassThru, [Parameter()] - [System.Int32] - $Top, + [System.Uri] + $Proxy, [Parameter()] - [System.String] - $CountVariable, + [System.Management.Automation.PSCredential] + $ProxyCredential, + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaDeviceManagementRoleScopeTag +{ + [CmdletBinding()] + param + ( [Parameter()] [System.String] - $DeviceEnrollmentConfigurationId, + $RoleScopeTagId, [Parameter()] - [System.Uri] - $Proxy, + [PSObject] + $InputObject, [Parameter()] - [System.String[]] - $Sort, + [PSObject] + $BodyParameter, [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $Assignments, [Parameter()] [System.String] - $Filter, + $Description, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.String] + $DisplayName, [Parameter()] [System.String] - $Search, + $Id, [Parameter()] [System.Management.Automation.SwitchParameter] $Break, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.Collections.IDictionary] + $Headers, [Parameter()] - [PSObject] - $HttpPipelineAppend + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm ) } -function Get-MgBetaDeviceManagementDeviceEnrollmentConfigurationAssignment +#endregion + +#region 
Microsoft.Graph.Beta.DeviceManagement.Enrollment +function Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration { [CmdletBinding()] param( @@ -27149,10 +27279,6 @@ function Get-MgBetaDeviceManagementDeviceEnrollmentConfigurationAssignment [System.String] $Search, - [Parameter()] - [System.String] - $EnrollmentConfigurationAssignmentId, - [Parameter()] [System.Management.Automation.SwitchParameter] $Break, @@ -27166,7 +27292,7 @@ function Get-MgBetaDeviceManagementDeviceEnrollmentConfigurationAssignment $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfile +function Get-MgBetaDeviceManagementDeviceEnrollmentConfigurationAssignment { [CmdletBinding()] param( @@ -27202,6 +27328,10 @@ function Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfile [System.String] $CountVariable, + [Parameter()] + [System.String] + $DeviceEnrollmentConfigurationId, + [Parameter()] [System.Uri] $Proxy, @@ -27228,7 +27358,7 @@ function Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfile [Parameter()] [System.String] - $WindowsAutopilotDeploymentProfileId, + $EnrollmentConfigurationAssignmentId, [Parameter()] [System.Management.Automation.SwitchParameter] @@ -27243,14 +27373,10 @@ function Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfile $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment +function Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfile { [CmdletBinding()] param( - [Parameter()] - [System.String] - $WindowsAutopilotDeploymentProfileAssignmentId, - [Parameter()] [System.String[]] $Property, 
@@ -27324,13 +27450,13 @@ function Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementWindowsFeatureUpdateProfile +function Get-MgBetaDeviceManagementWindowsAutopilotDeploymentProfileAssignment { [CmdletBinding()] param( [Parameter()] [System.String] - $WindowsFeatureUpdateProfileId, + $WindowsAutopilotDeploymentProfileAssignmentId, [Parameter()] [System.String[]] @@ -27388,6 +27514,10 @@ function Get-MgBetaDeviceManagementWindowsFeatureUpdateProfile [System.String] $Search, + [Parameter()] + [System.String] + $WindowsAutopilotDeploymentProfileId, + [Parameter()] [System.Management.Automation.SwitchParameter] $Break, 
@@ -27401,7 +27531,84 @@ function Get-MgBetaDeviceManagementWindowsFeatureUpdateProfile $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementWindowsFeatureUpdateProfileAssignment +function Get-MgBetaDeviceManagementWindowsFeatureUpdateProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $WindowsFeatureUpdateProfileId, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaDeviceManagementWindowsFeatureUpdateProfileAssignment { [CmdletBinding()] param( 
@@ -92443,83 +92650,7 @@ function Get-MgBetaDeviceManagementRoleDefinition $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementRoleScopeTag -{ - [CmdletBinding()] - param( - [Parameter()] - [System.String[]] - $Property, - - [Parameter()] - [PSObject] - $InputObject, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.Int32] - $PageSize, - - [Parameter()] - [PSObject] - $HttpPipelinePrepend, - - [Parameter()] - [System.String] - $RoleScopeTagId, - - [Parameter()] - [System.Int32] - $Skip, - - [Parameter()] - [System.Int32] - $Top, - - [Parameter()] - [System.String] - $CountVariable, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.String[]] - $Sort, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, - - [Parameter()] - [System.String] - $Filter, - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [System.String] - $Search, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [System.String[]] - $ExpandProperty, - - [Parameter()] - [PSObject] - $HttpPipelineAppend - ) -} function New-MgBetaDeviceManagementRoleDefinition { [CmdletBinding()] 
@@ -104576,3 +104707,294 @@ function Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest ) } #endregion +#region MgBetaDeviceManagementRoleScopeTagAssignment +function Get-MgBetaDeviceManagementRoleScopeTagAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $RoleScopeTagAutoAssignmentId, + + [Parameter()] + [System.String] + $RoleScopeTagId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaDeviceManagementRoleScopeTagAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $RoleScopeTagId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [PSObject] + $Target, + + [Parameter()] + 
[System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaDeviceManagementRoleScopeTagAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $RoleScopeTagAutoAssignmentId, + + [Parameter()] + [System.String] + $RoleScopeTagId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaDeviceManagementRoleScopeTagAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $RoleScopeTagAutoAssignmentId, + + [Parameter()] + [System.String] + $RoleScopeTagId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + 
[System.String] + $Id, + + [Parameter()] + [PSObject] + $Target, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +#endregion + diff --git a/docs/docs/resources/intune/IntuneRoleScopeTag.md b/docs/docs/resources/intune/IntuneRoleScopeTag.md new file mode 100644 index 0000000000..4ecd5775af --- /dev/null +++ b/docs/docs/resources/intune/IntuneRoleScopeTag.md 
@@ -0,0 +1,157 @@ +# IntuneRoleScopeTag + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | The display or friendly name of the Role Scope Tag. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. | | +| **Description** | Write | String | Description of the Role Scope Tag. | | +| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_DeviceManagementConfigurationPolicyAssignments + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **dataType** | Write | String | The type of the target assignment. 
| `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` | +| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` | +| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | | +| **groupId** | Write | String | The group Id that is the target of the assignment. | | +| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | | +| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | | + + +## Description + +This resource configures an Intune Role Scope Tag + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All, Group.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All, Group.Read.All + +#### Application permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All, Group.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All, Group.Read.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneRoleScopeTag 'Example' + { + DisplayName = "MyNewTag" + Description = "My Example Tag" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneRoleScopeTag 'Example' + { + DisplayName = "MyExistingTag" + Id = "5" + Description = "My Example Tag" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneRoleScopeTag 'Example' + { + DisplayName = "MyExistingTag" + Id = "5" + Description = "My Example Tag" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + diff --git a/docs/docs/resources/intune/IntuneSecurityBaselineDefenderForEndpoint.md b/docs/docs/resources/intune/IntuneSecurityBaselineDefenderForEndpoint.md index af77fafef9..3956f4b458 100644 --- a/docs/docs/resources/intune/IntuneSecurityBaselineDefenderForEndpoint.md 
+++ b/docs/docs/resources/intune/IntuneSecurityBaselineDefenderForEndpoint.md @@ -247,9 +247,9 @@ Configuration Example DisableSafetyFilterOverrideForAppRepUnknown = '1' } Ensure = 'Present' - ApplicationId = $ApplicationId; - TenantId = $TenantId; - CertificateThumbprint = $CertificateThumbprint; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint } } }