From a295d69c93d218eaf57f38c44ddad485b7d405d1 Mon Sep 17 00:00:00 2001
From: Nik Charlebois
Date: Fri, 13 Oct 2023 09:25:36 -0400
Subject: [PATCH] Added support for Sign In Frequency Interval
---
 CHANGELOG.md | 2 +
 .../MSFT_AADConditionalAccessPolicy.psm1 | 46 ++++++++++++++++---
 ...MSFT_AADConditionalAccessPolicy.schema.mof | 3 +-
 3 files changed, 44 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1fe2b370d5..40539eb523 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,8 @@
 * AADAuthenticationMethodPolicyAuthenticator
 * Fixes an issue with the Get method when an assigned group was deleted.
+* AADConditionalAccessPolicy
+ * Added support for the SigninFrequencyInterval parameter.
 # 1.23.1011.1
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1
index c6419665fb..e6abf5f904 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1
@@ -159,6 +159,11 @@ function Get-TargetResource
 [System.Boolean]
 $SignInFrequencyIsEnabled,
+ [Parameter()]
+ [ValidateSet('timeBased', 'everyTime', 'unknownFutureValue')]
+ [System.String]
+ $SignInFrequencyInterval,
+
 [Parameter()]
 [ValidateSet('Always', 'Never', '')]
 [System.String]
@@ -525,10 +530,12 @@ function Get-TargetResource
 if ($Policy.SessionControls.SignInFrequency.IsEnabled)
 {
 $SignInFrequencyType = [System.String]$Policy.SessionControls.SignInFrequency.Type
+ $SignInFrequencyIntervalValue = [System.String]$Policy.SessionControls.SignInFrequency.FrequencyInterval
 }
 else
 {
 $SignInFrequencyType = $null
+ $SignInFrequencyIntervalValue = $null
 }
 if ($Policy.SessionControls.PersistentBrowser.IsEnabled)
 {
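Review bot: The ValidateSet on the new `$SignInFrequencyInterval` parameter in the Get-TargetResource param block (and the identical declarations at @@ -807 in Set-TargetResource and @@ -1670 in Test-TargetResource) has no empty-string entry, while the neighbouring `SignInFrequencyType` and `PersistentBrowserMode` parameters accept `''`. A configuration therefore has no way to state "no interval" explicitly, and a `''` that Get-TargetResource returns for such a policy cannot be passed back into the same parameter. If that symmetry is intended, `[ValidateSet('timeBased', 'everyTime', 'unknownFutureValue', '')]` on all three declarations would follow the existing style. The param blocks start and end outside these hunks.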
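Review bot: In the enabled branch of the @@ -525 hunk, `[System.String]$Policy.SessionControls.SignInFrequency.FrequencyInterval` turns an absent `FrequencyInterval` into `''`, whereas the disabled branch assigns `$null`, so the value later returned as `SignInFrequencyInterval` represents "not set" two different ways depending on `IsEnabled`. This mirrors how `$SignInFrequencyType` is already handled, so it is a consistency point rather than a new defect; whether it matters depends on how Test-TargetResource compares the two forms, which is outside this hunk. If `''` and `$null` are not treated as equal there, a policy with sign-in frequency enabled but no interval reported by the service would show permanent drift; a guarded assignment such as `$SignInFrequencyIntervalValue = if ($null -ne $Policy.SessionControls.SignInFrequency.FrequencyInterval) { [System.String]$Policy.SessionControls.SignInFrequency.FrequencyInterval } else { $null }` would keep both branches on the same representation. Get-TargetResource continues outside the hunk.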
@@ -626,6 +633,7 @@ function Get-TargetResource
 SignInFrequencyValue = $Policy.SessionControls.SignInFrequency.Value #no translation or conversion needed, $null returned if undefined
 SignInFrequencyType = [System.String]$Policy.SessionControls.SignInFrequency.Type
+ SignInFrequencyInterval = $SignInFrequencyIntervalValue #no translation needed
 PersistentBrowserIsEnabled = $false -or $Policy.SessionControls.PersistentBrowser.IsEnabled #make false if undefined, true if true
@@ -807,6 +815,11 @@ function Set-TargetResource
 [System.Boolean]
 $SignInFrequencyIsEnabled,
+ [Parameter()]
+ [ValidateSet('timeBased', 'everyTime', 'unknownFutureValue')]
+ [System.String]
+ $SignInFrequencyInterval,
+
 [Parameter()]
 [ValidateSet('Always', 'Never', '')]
 [System.String]
@@ -1421,16 +1434,32 @@ function Set-TargetResource
 if ($SignInFrequencyIsEnabled)
 {
 $SigninFrequencyProp = @{
- IsEnabled = $true
- Type = $null
- Value = $null
+ isEnabled = $true
+ type = $null
+ value = $null
+ frequencyInterval = $null
 }
 $sessioncontrols.Add('SignInFrequency', $SigninFrequencyProp) #create and provision SignInFrequency object if used
- $sessioncontrols.SignInFrequency.IsEnabled = $true
- $sessioncontrols.SignInFrequency.Type = $SignInFrequencyType
- $sessioncontrols.SignInFrequency.Value = $SignInFrequencyValue
+ $sessioncontrols.SignInFrequency.isEnabled = $true
+ if ($SignInFrequencyType -ne '')
+ {
+ $sessioncontrols.SignInFrequency.type = $SignInFrequencyType
+ }
+ else
+ {
+ $sessioncontrols.SignInFrequency.Remove("type") | Out-Null
+ }
+ if ($SignInFrequencyValue -gt 0)
+ {
+ $sessioncontrols.SignInFrequency.value = $SignInFrequencyValue
+ }
+ else
+ {
+ $sessioncontrols.SignInFrequency.Remove("value") | Out-Null
+ }
+ $sessioncontrols.SignInFrequency.frequencyInterval = $SignInFrequencyInterval
 }
 if ($PersistentBrowserIsEnabled)
 {
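Review bot: In the @@ -1421 hunk, `$sessioncontrols.SignInFrequency.frequencyInterval = $SignInFrequencyInterval` is assigned unconditionally, while `type` and `value` just above it are removed from the hashtable when they were not supplied. `$SignInFrequencyInterval` is a `[System.String]` parameter, so an omitted parameter arrives as `''`, and every Set that enables sign-in frequency without naming an interval now sends an empty `frequencyInterval` to the service; whether the service rejects that or treats it as a reset I cannot confirm from here, but either way it differs from the pre-patch request, which did not include the key at all. Guarding the assignment the same way as `type` keeps existing configurations that predate this parameter behaving as before. The enclosing `if ($SignInFrequencyIsEnabled)` block is fully inside the hunk; Set-TargetResource itself continues outside it.
```powershell
                # … unchanged: isEnabled / type / value handling …
                if ($SignInFrequencyInterval -ne '')
                {
                    $sessioncontrols.SignInFrequency.frequencyInterval = $SignInFrequencyInterval
                }
                else
                {
                    $sessioncontrols.SignInFrequency.Remove("frequencyInterval") | Out-Null
                }
```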
@@ -1670,6 +1699,11 @@ function Test-TargetResource
 [System.Boolean]
 $SignInFrequencyIsEnabled,
+ [Parameter()]
+ [ValidateSet('timeBased', 'everyTime', 'unknownFutureValue')]
+ [System.String]
+ $SignInFrequencyInterval,
+
 [Parameter()]
 [ValidateSet('Always', 'Never', '')]
 [System.String]
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof
index 2005af05e6..5e37ff420b 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof
@@ -23,7 +23,7 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
 [Write, Description("Client Device Platforms out of scope of the Policy.")] String ExcludePlatforms[];
 [Write, Description("AAD Named Locations in scope of the Policy.")] String IncludeLocations[];
 [Write, Description("AAD Named Locations out of scope of the Policy.")] String ExcludeLocations[];
- [Write, Description("Client Device Filter mode of the Policy."), ValueMap{"include","exclude"}, Values{"include","exclude"}] String DeviceFilterMode;
+ [Write, Description("Client Device Filter mode of the Policy."), ValueMap{"include","exclude"}, Values{"include","exclude"}] String DeviceFilterMode;
 [Write, Description("Client Device Filter rule of the Policy.")] String DeviceFilterRule;
 [Write, Description("AAD Identity Protection User Risk Levels in scope of the Policy.")] String UserRiskLevels[];
 [Write, Description("AAD Identity Protection Sign-in Risk Levels in scope of the Policy.")] String SignInRiskLevels[];
@@ -38,6 +38,7 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
 [Write, Description("Custom Controls assigned to the grant property of this policy.")] String CustomAuthenticationFactors[];
 [Write, Description("Sign in frequency unit (days/hours) to be interpreted by the policy."), ValueMap{"Days","Hours",""}, Values{"Days","Hours",""}] String SignInFrequencyType;
 [Write, Description("Specifies, whether sign-in frequency is enforced by the Policy.")] Boolean SignInFrequencyIsEnabled;
+ [Write, Description("Sign in frequency interval. Possible values are: timeBased, everyTime and unknownFutureValue."), ValueMap{"timeBased","everyTime","unknownFutureValue"}, Values{"timeBased","everyTime","unknownFutureValue"}] String SignInFrequencyInterval;
 [Write, Description("Specifies, whether Browser Persistence is controlled by the Policy.")] Boolean PersistentBrowserIsEnabled;
 [Write, Description("Specifies, what Browser Persistence control is enforced by the Policy."), ValueMap{"Always","Never",""}, Values{"Always","Never",""}] String PersistentBrowserMode;
 [Write, Description("Name of the associated authentication strength policy.")] String AuthenticationStrength;