Merge pull request #3825 from salbeck-sit/Dev

AADUser: Add support for MemberOf
microsoft · Nov 30, 2023 · 8abd8c9 · 8abd8c9
2 parents 0bf094c + c5a8831
commit 8abd8c9
Show file tree

Hide file tree

Showing 7 changed files with 342 additions and 1 deletion.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md
@@ -3,3 +3,5 @@
 ## Description
 
 This resource configures an Azure Active Directory group. IMPORTANT: It does not support mail enabled security groups or mail enabled groups that are not unified or dynamic groups.
+
+If using with AADUser, be aware that if AADUser->MemberOf is being specified and the referenced group is configured with AADGroup->Member then a conflict may arise if the two don't match. It is usually best to choose only one of them. See AADUser
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1
@@ -28,6 +28,10 @@ function Get-TargetResource
         [System.String[]]
         $LicenseAssignment,
 
+        [Parameter()]
+        [System.String[]]
+        $MemberOf,
+
         [Parameter()]
         [System.Management.Automation.PSCredential]
         $Password,
@@ -150,6 +154,7 @@ function Get-TargetResource
         LastName              = $null
         UsageLocation         = $null
         LicenseAssignment     = $null
+        MemberOf              = $null
         Password              = $null
         Credential            = $Credential
         ApplicationId         = $ApplicationId
@@ -187,6 +192,9 @@ function Get-TargetResource
             $currentLicenseAssignment += $sku.SkuPartNumber
         }
 
+        # return membership of static groups only
+        [array]$currentMemberOf = (Get-MgUserMemberOfAsGroup -UserId $UserPrincipalName -All | Where-Object -FilterScript {$_.GroupTypes -notcontains 'DynamicMembership'}).DisplayName
+
         $userPasswordPolicyInfo = $user | Select-Object UserprincipalName, @{
             N = 'PasswordNeverExpires'; E = { $_.PasswordPolicies -contains 'DisablePasswordExpiration' }
         }
@@ -216,6 +224,7 @@ function Get-TargetResource
             LastName              = $user.Surname
             UsageLocation         = $user.UsageLocation
             LicenseAssignment     = $currentLicenseAssignment
+            MemberOf              = $currentMemberOf
             Password              = $Password
             City                  = $user.City
             Country               = $user.Country
@@ -283,6 +292,10 @@ function Set-TargetResource
         [System.String[]]
         $LicenseAssignment,
 
+        [Parameter()]
+        [System.String[]]
+        $MemberOf,
+
         [Parameter()]
         [System.Management.Automation.PSCredential]
         $Password,
@@ -559,6 +572,79 @@ function Set-TargetResource
         }
         #endregion
 
+        #region Update MemberOf groups - if specified
+        if ($null -ne $MemberOf)
+        {
+            if ($null -eq $user.MemberOf)
+            {
+                # user is not currently a member of any groups, add user to groups listed in MemberOf
+                foreach ($memberOfGroup in $MemberOf)
+                {
+                    $group = Get-MgGroup -Filter "DisplayName eq '$memberOfGroup'" -Property Id, GroupTypes
+                    if ($null -eq $group)
+                    {
+                        New-M365DSCLogEntry -Message 'Error updating data:' `
+                        -Exception "Attempting to add a user to a group that doesn't exist" `
+                        -Source $($MyInvocation.MyCommand.Source) `
+                        -TenantId $TenantId `
+                        -Credential $Credential
+
+                        throw "Group '$memberOfGroup' does not exist in tenant"
+                    }
+                    if ($group.GroupTypes -contains 'DynamicMembership')
+                    {
+                        New-M365DSCLogEntry -Message 'Error updating data:' `
+                        -Exception "Attempting to add a user to a dynamic group" `
+                        -Source $($MyInvocation.MyCommand.Source) `
+                        -TenantId $TenantId `
+                        -Credential $Credential
+
+                        throw "Cannot add user $UserPrincipalName to group '$memberOfGroup' because it is a dynamic group"
+                    }
+                    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
+                }
+            }
+            else
+            {
+                # user is a member of some groups, ensure that user is only a member of groups listed in MemberOf
+                Compare-Object -ReferenceObject $MemberOf -DifferenceObject $user.MemberOf | ForEach-Object {
+                    $group = Get-MgGroup -Filter "DisplayName eq '$($_.InputObject)" -Property Id, GroupTypes
+                    if ($_.SideIndicator -eq '<=')
+                    {
+                        # Group in MemberOf not present in groups that user is a member of, add user to group
+                        if ($null -eq $group)
+                        {
+                            New-M365DSCLogEntry -Message 'Error updating data:' `
+                            -Exception "Attempting to add a user to a group that doesn't exist" `
+                            -Source $($MyInvocation.MyCommand.Source) `
+                            -TenantId $TenantId `
+                            -Credential $Credential
+
+                            throw "Group '$($_.InputObject)' does not exist in tenant"
+                        }
+                        if ($group.GroupTypes -contains 'DynamicMembership')
+                        {
+                            New-M365DSCLogEntry -Message 'Error updating data:' `
+                            -Exception "Attempting to add a user to a dynamic group" `
+                            -Source $($MyInvocation.MyCommand.Source) `
+                            -TenantId $TenantId `
+                            -Credential $Credential
+
+                            throw "Cannot add user $UserPrincipalName to group '$($_.InputObject)' because it is a dynamic group"
+                        }
+                        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
+                    }
+                    else
+                    {
+                        # Group that user is a member of is not present in MemberOf, remove user from group
+                        # (no need to test for dynamic groups as they are ignored in Get-TargetResource)
+                        Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id
+                    }
+                }
+            }
+        }
+        #endregion
+
         #region Roles
         if ($null -ne $Roles)
         {
@@ -633,6 +719,10 @@ function Test-TargetResource
         [System.String[]]
         $LicenseAssignment,
 
+        [Parameter()]
+        [System.String[]]
+        $MemberOf,
+
         [Parameter()]
         [System.Management.Automation.PSCredential]
         $Password,

diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof
@@ -13,6 +13,7 @@ class MSFT_AADUser : OMI_BaseResource
     [Write, Description("The Country name of the user")] String Country;
     [Write, Description("The Department name of the user")] String Department;
     [Write, Description("The Fax Number of the user")] String Fax;
+    [Write, Description("The Groups that the user is a direct member of")] String MemberOf[];
     [Write, Description("The Mobile Phone Number of the user")] String MobilePhone;
     [Write, Description("The Office Name of the user")] String Office;
     [Write, Description("Specifies whether the user password expires periodically. Default value is false")] Boolean PasswordNeverExpires;

diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md
@@ -2,4 +2,6 @@
 
 ## Description
 
-This resource allows users to create Azure AD Users and assign them licenses.
+This resource allows users to create Azure AD Users and assign them licenses, roles and/or groups.
+
+If using with AADGroup, be aware that if AADUser->MemberOf is being specified and the referenced group is configured with AADGroup->Member then a conflict may arise if the two don't match. It is usually best to choose only one of them. See AADGroup
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/settings.json
@@ -16,6 +16,12 @@
                     },
                     {
                         "name": "User.Read.All"
+                    },
+                    {
+                        "name": "Group.Read.All"
+                    },
+                    {
+                        "name": "GroupMember.Read.All"
                     }
                 ],
                 "update": [
@@ -31,9 +37,22 @@
                     {
                         "name": "User.Read.All"
                     },
+                    {
+                        "name": "Group.Read.All"
+                    },
+                    {
+                        "name": "GroupMember.Read.All"
+                    },
                     {
                         "name": "User.ReadWrite.All"
+                    },
+                    {
+                        "name": "Group.ReadWrite.All"
+                    },
+                    {
+                        "name": "GroupMember.ReadWrite.All"
                     }
+
                 ]
             },
             "application": {

diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADUser/2-CreateNewAADUser.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADUser/2-CreateNewAADUser.ps1
@@ -0,0 +1,32 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+    param(
+        [Parameter(Mandatory = $true)]
+        [PSCredential]
+        $credsGlobalAdmin
+    )
+    Import-DscResource -ModuleName Microsoft365DSC
+
+    node localhost
+    {
+        AADUser 'ConfigureJohnSMith'
+        {
+            UserPrincipalName  = "[email protected]"
+            FirstName          = "John"
+            LastName           = "Smith"
+            DisplayName        = "John J. Smith"
+            City               = "Gatineau"
+            Country            = "Canada"
+            Office             = "Ottawa - Queen"
+            MemberOf           = @('Group-M365-Standard-License', 'Group-PowerBI-Pro-License')
+            UsageLocation      = "US"
+            Ensure             = "Present"
+            Credential         = $credsGlobalAdmin
+        }
+    }
+}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -3,3 +3,5 @@
		## Description

		This resource configures an Azure Active Directory group. IMPORTANT: It does not support mail enabled security groups or mail enabled groups that are not unified or dynamic groups.

		If using with AADUser, be aware that if AADUser->MemberOf is being specified and the referenced group is configured with AADGroup->Member then a conflict may arise if the two don't match. It is usually best to choose only one of them. See AADUser