Merge branch 'Dev' into Report-and-Assessment-Improvements-and-Fixes

microsoft · Apr 21, 2023 · 8348030 · 8348030
2 parents fc012c7 + d3a7563
commit 8348030
Show file tree

Hide file tree

Showing 36 changed files with 7,669 additions and 113 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,15 +2,41 @@
 
 # UNRELEASED
 
+* AADAdministrativeUnit
+  * Fix issue incorrectly removing existing Members and ScopedRoleMembers
+    FIXES [#3194](https://github.com/microsoft/Microsoft365DSC/issues/3194)
+  * Fix issue creating ScopedRoleMembers of Type Group or ServicePrincipal
+    FIXES [#3189](https://github.com/microsoft/Microsoft365DSC/issues/3189)
+* SCSensitivityLabel
+  * Remove property Disabled from schema
+    FIXES [#3193](https://github.com/microsoft/Microsoft365DSC/issues/3193)
+* DEPENDENCIES
+  * Updated DSCParser dependencies to version 1.3.0.7.
+  * Updated Microsoft.PowerApps.Administration.PowerShell tp version 2.0.160.
+
+# 1.23.419.1
+
+* IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10
+  * Initial release
+* IntuneDeviceConfigurationEmailProfilePolicyWindows10
+  * Initial release
+* IntuneDeviceConfigurationKioskPolicyWindows10
+  * Initial release
+* EXOManagementRoleAssignment
+  * Fixed issue with incorrect Microsoft Graph cmdlets used to retrieve Administrative Units.
+    FIXES [#3185](https://github.com/microsoft/Microsoft365DSC/issues/3185)
 * SCLabelPolicy
   * If label policy is set to None don't get its label display name since it's not required
     FIXES [#3104](https://github.com/microsoft/Microsoft365DSC/issues/3104)
+* DRG
+  * Fixed issue retrieving the cmdlet definition when the resource type is derived from an abstract type
+  * Fixed issue with UnitTest and complex properties with AdditionalProperties
+  * Fixed issue with Complex constructor and complex properties with AdditionalProperties
 * MISC
   * Reports will now exclude the authentication parameters (e.g., CertificateThumbprint, Credential, etc.).
   * Changed the Encoding helper's logic to ensure titled quotes and apostrophes are correctly evaluated.
     FIXES [#3165](https://github.com/microsoft/Microsoft365DSC/issues/3165)
-* DEPENDENCIES
-  * Updated DSCParser dependencies to version 1.3.0.7.
+  * Fixes an issue where the new resource name extraction could still have duplicates.
 
 # 1.23.412.1
 

diff --git a/...s/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.psm1 b/...s/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.psm1
@@ -434,7 +434,7 @@ function Set-TargetResource
             $scopedRoleMemberSpecification = @()
             foreach ($roleMember in $CreateParameters.ScopedRoleMembers)
             {
-                Write-Verbose -Message "AU {$DisplayName} member: role '$($roleMember.RoleName)' type '$($roleMember.Type)' identity $($roleMember.Identity)"
+                Write-Verbose -Message "AU {$DisplayName} member: role '$($roleMember.RoleName)' type '$($roleMember.RoleMemberInfo.Type)' identity $($roleMember.RoleMemberInfo.Identity)"
                 try
                 {
                     $roleObject = Get-MgDirectoryRole -Filter "DisplayName eq '$($roleMember.RoleName)'" -ErrorAction stop
@@ -462,15 +462,19 @@ function Set-TargetResource
                         throw "AU {$($DisplayName)}:  Scoped Role User {$($roleMember.RoleMemberInfo.Identity)} for role {$($roleMember.RoleName)} does not exist"
                     }
                 }
-                elseif ($roleMember.Type -eq 'Group')
+                elseif ($roleMember.RoleMemberInfo.Type -eq 'Group')
                 {
                     $roleMemberIdentity = Get-MgGroup -Filter "displayName eq '$($roleMember.RoleMemberInfo.Identity)'" -ErrorAction Stop
                     if ($null -eq $roleMemberIdentity)
                     {
                         throw "AU {$($DisplayName)}: Scoped Role Group {$($roleMember.RoleMemberInfo.Identity)} for role {$($roleMember.RoleName)} does not exist"
                     }
+                    elseif ($roleMemberIdentity.IsAssignableToRole -eq $false)
+                    {
+                        throw "AU {$($DisplayName)}: Scoped Role Group {$($roleMember.RoleMemberInfo.Identity)} for role {$($roleMember.RoleName)} is not role-enabled"
+                    }
                 }
-                elseif ($roleMember.Type -eq 'ServicePrincipal')
+                elseif ($roleMember.RoleMemberInfo.Type -eq 'ServicePrincipal')
                 {
                     $roleMemberIdentity = Get-MgServicePrincipal -Filter "displayName eq '$($roleMember.RoleMemberInfo.Identity)'" -ErrorAction Stop
                     if ($null -eq $roleMemberIdentity)
@@ -555,7 +559,7 @@ function Set-TargetResource
 
         if ($MembershipType -ne 'Dynamic')
         {
-            if ($backCurrentMembers.Count -gt 0 -or $requestedMembers.Count -gt 0)
+            if ($PSBoundParameters.ContainsKey('Members') -and ($backCurrentMembers.Count -gt 0 -or $requestedMembers.Count -gt 0))
             {
                 $currentMembers = @()
                 foreach ($member in $backCurrentMembers)
@@ -616,7 +620,7 @@ function Set-TargetResource
             }
         }
 
-        if ($backCurrentScopedRoleMembers.Count -gt 0 -or $requestedScopedRoleMembers.Count -gt 0)
+        if ($PSBoundParameters.ContainsKey('ScopedRoleMembers') -and ($backCurrentScopedRoleMembers.Count -gt 0 -or $requestedScopedRoleMembers.Count -gt 0))
         {
             if ($backCurrentScopedRoleMembers.Length -ne 0)
             {
@@ -871,7 +875,7 @@ function Test-TargetResource
     # Visibility is currently not returned by Get-TargetResource
     $ValuesToCheck.Remove('Visibility') | Out-Null
 
-    if ($MembershipType -ne 'Dynamic' -and $CurrentValues.MembershipType -ne 'Dynamic')
+    if ($ValuesToCheck.ContainsKey('MembershipType') -and $MembershipType -ne 'Dynamic' -and $CurrentValues.MembershipType -ne 'Dynamic')
     {
         # MembershipType may be returned as null or Assigned with same effect. Only compare if Dynamic is specified or returned
         $ValuesToCheck.Remove('MembershipType') | Out-Null

diff --git a/...osoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.schema.mof b/...osoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.schema.mof
@@ -1,14 +1,14 @@
 [ClassVersion("1.0.0")]
 class MSFT_MicrosoftGraphMember
 {
-    [Write, Description("Identity of member. For users, specify a UserPrincipalName. For groups and devices, specify DisplayName")] String Identity;
-    [Write, Description("Specify User, Group or Device to interpret the identity. Can be ServicePrincipal in ScopedRoleMembers"), ValueMap{"User", "Group", "Device", "ServicePrincipal"}, Values{"User", "Group", "Device", "ServicePrincipal"}] String Type;
+    [Write, Description("Identity of member. For users, specify a UserPrincipalName. For groups, devices and serviceprincipals, specify DisplayName")] String Identity;
+    [Write, Description("Specify User, Group or Device to interpret the identity for Members. Specify User, Group or ServicePrincipal for ScopedRoleMembers."), ValueMap{"User", "Group", "Device", "ServicePrincipal"}, Values{"User", "Group", "Device", "ServicePrincipal"}] String Type;
 };
 [ClassVersion("1.0.0")]
 class MSFT_MicrosoftGraphScopedRoleMembership
 {
     [Write, Description("Name of the Azure AD Role that is assigned. See https://learn.microsoft.com/en-us/azure/active-directory/roles/admin-units-assign-roles#roles-that-can-be-assigned-with-administrative-unit-scope")] String RoleName;
-    [Write, Description("Member that is assigned the scoped role"), EmbeddedInstance("MSFT_MicrosoftGraphMember")] String RoleMemberInfo;
+    [Write, Description("Member that is assigned the scoped role. Note: Any groups must be role-enabled"), EmbeddedInstance("MSFT_MicrosoftGraphMember")] String RoleMemberInfo;
 };
 
 [ClassVersion("1.0.0.0"), FriendlyName("AADAdministrativeUnit")]
@@ -22,7 +22,7 @@ class MSFT_AADAdministrativeUnit : OMI_BaseResource
     [Write, Description("Specify membership rule. Requires that MembershipType is set to Dynamic. Note that the functionality is currently in preview.")] String MembershipRule;
     [Write, Description("Specify dynamic membership-rule processing-state. Valid values are 'On' and 'Paused'. Requires that MembershipType is set to Dynamic. Note that the functionality is currently in preview.")] String MembershipRuleProcessingState;
     [Write, Description("Specify members. Only specify if MembershipType is NOT set to Dynamic"), EmbeddedInstance("MSFT_MicrosoftGraphMember")] String Members[];
-    [Write, Description("Specify Scoped Role Membership."), EmbeddedInstance("MSFT_MicrosoftGraphScopedRoleMembership")] String ScopedRoleMembers[];
+    [Write, Description("Specify Scoped Role Membership. Note: Any groups must be role-enabled"), EmbeddedInstance("MSFT_MicrosoftGraphScopedRoleMembership")] String ScopedRoleMembers[];
     [Write, Description("Present ensures the Administrative Unit exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
     [Write, Description("Credentials of the Intune Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
     [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;

diff --git a/...65DSC/DSCResources/MSFT_EXOManagementRoleAssignment/MSFT_EXOManagementRoleAssignment.psm1 b/...65DSC/DSCResources/MSFT_EXOManagementRoleAssignment/MSFT_EXOManagementRoleAssignment.psm1
@@ -131,7 +131,7 @@ function Get-TargetResource
             {
                 $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
                     -InboundParameters $PSBoundParameters
-                $adminUnit = Get-MgAdministrativeUnit -AdministrativeUnitId $roleAssignment.CustomRecipientWriteScope
+                $adminUnit = Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $roleAssignment.CustomRecipientWriteScope
 
                 if ($RecipientAdministrativeUnitScope -eq $adminUnit.Id)
                 {
@@ -315,12 +315,14 @@ function Set-TargetResource
     if (-not [System.String]::IsNullOrEmpty($RecipientAdministrativeUnitScope))
     {
         $NewManagementRoleParams.Remove('CustomRecipientWriteScope') | Out-Null
-        $adminUnit = Get-AdministrativeUnit -Identity $RecipientAdministrativeUnitScope -ErrorAction SilentlyContinue
+        $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
+            -InboundParameters $PSBoundParameters
+        $adminUnit = Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $RecipientAdministrativeUnitScope -ErrorAction SilentlyContinue
         if ($null -eq $adminUnit)
         {
-            $adminUnit = Get-AdministrativeUnit | Where-Object -FilterScript { $_.DisplayName -eq $RecipientAdministrativeUnitScope }
+            $adminUnit = Get-MgDirectoryAdministrativeUnit -All | Where-Object -FilterScript { $_.DisplayName -eq $RecipientAdministrativeUnitScope }
         }
-        $NewManagementRoleParams.RecipientAdministrativeUnitScope = $adminUnit.Name
+        $NewManagementRoleParams.RecipientAdministrativeUnitScope = $adminUnit.Id
     }
 
     # CASE: Management Role doesn't exist but should;