Merge branch 'microsoft:Dev' into EXOSmtpDaneInbound

CHANGELOG.md

@@ -1,14 +1,26 @@
 # Change log for Microsoft365DSC
 
-# UNRELEASED
+# 1.24.1218.1
 
+* AADApplication
+  * Added support for Oauth2PermissionScopes.
+  * Fixes comparison issue for permissions.
+* EXOTransportRule
+  * Fixes issue extracting arrays in Get-TargetResource.
+    * FIXES [#5575](https://github.com/microsoft/Microsoft365DSC/issues/5575)
 * TeamsMeetingPolicy
+  * Adds support for additional Copilot setting value.
+    * FIXES [#5573](https://github.com/microsoft/Microsoft365DSC/issues/5573)
   * FIXES [#5550](https://github.com/microsoft/Microsoft365DSC/issues/5550)
 * MISC
   * Fixed the Fabric web request to use basic parsing.
+  * Reset only necessary authentication context.
 * M365DSCUtil
   * Update `Get-M365DSCWorkloadsListFromResourceNames` function for more input types.
     FIXES [#5525](https://github.com/microsoft/Microsoft365DSC/issues/5525)
+* DEPENDENCIES
+  * Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.202.
+  * Updated MSCloudLoginAssistant to version 1.1.31.
 
 # 1.24.1211.1
 
@@ -27,6 +39,8 @@
   * Fixing issue with the way the QrCodeImage property was exported and handled.
 * IntuneFirewallPolicyWindows10
   * Fix export of properties that appear multiple times in subsections.
+* IntuneSecurityBaselineWindows10
+  * Initial release.
 * M365DSCDRGUtil
   * Improve settings catalog handling for nested objects.
 * M365DSCResourceGenerator

Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewDefinition/MSFT_AADAccessReviewDefinition.psm1

@@ -792,6 +792,11 @@ function Export-TargetResource
         }
         foreach ($config in $getValue)
         {
+            if ($null -ne $Global:M365DSCExportResourceInstancesCount)
+            {
+                $Global:M365DSCExportResourceInstancesCount++
+            }
+
             $displayedKey = $config.Id
             if (-not [String]::IsNullOrEmpty($config.displayName))
             {

Modules/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.psm1

@@ -1149,9 +1149,8 @@ function Export-TargetResource
                 $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Members' -IsCIMArray $true
                 $currentDSCBlock = $currentDSCBlock.Replace("`",`"`r`n", '')
                 $currentDSCBlock = $currentDSCBlock.Replace(",`r`n", '').Replace("`");`r`n", ");`r`n")
-                $currentDSCBlock = $currentDSCBlock.Replace("Members              = @(`"", 'Members              = @(')
-                $currentDSCBlock = $currentDSCBlock.Replace("`$OrganizationName'", "' + `$OrganizationName")
             }
+
             $dscContent += $currentDSCBlock
             Save-M365DSCPartialExport -Content $currentDSCBlock `
                 -FileName $Global:PartialExportFileName

Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1

@@ -275,7 +275,24 @@ function Get-TargetResource
                     $complexPreAuthorizedApplications += $myPreAuthorizedApplications
                 }
             }
+
+            $complexOAuth2Scopes = @()
+            foreach ($currentOAuth2Scope in $AADApp.api.Oauth2PermissionScopes)
+            {
+                $complexOAuth2Scopes += @{
+                    adminConsentDescription = $currentOAuth2Scope.adminConsentDescription
+                    adminConsentDisplayName = $currentOAuth2Scope.adminConsentDisplayName
+                    id                      = $currentOAuth2Scope.id
+                    isEnabled               = $currentOAuth2Scope.isEnabled
+                    type                    = $currentOAuth2Scope.type
+                    userConsentDescription  = $currentOAuth2Scope.userConsentDescription
+                    userConsentDisplayName  = $currentOAuth2Scope.userConsentDisplayName
+                    value                   = $currentOAuth2Scope.value
+                }
+            }
+
             $complexApi.Add('PreAuthorizedApplications', $complexPreAuthorizedApplications)
+            $complexApi.Add('Oauth2PermissionScopes', $complexOAuth2Scopes)
             if ($complexApi.values.Where({ $null -ne $_ }).Count -eq 0)
             {
                 $complexApi = $null
@@ -736,18 +753,56 @@ function Set-TargetResource
     }
     $currentParameters.Remove('AvailableToOtherTenants') | Out-Null
     $currentParameters.Remove('PublicClient') | Out-Null
+    $currentParameters.Remove('Verbose') | Out-Null
 
-    if ($currentParameters.KnownClientApplications)
+    #region API
+    $apiValue = @{}
+    if ($currentParameters.Api.KnownClientApplications)
+    {
+        $apiValue.Add('KnownClientApplications', $currentParameters.Api.KnownClientApplications)
+    }
+    if ($currentParameters.Api.Oauth2PermissionScopes)
     {
-        $apiValue = @{
-            KnownClientApplications = $currentParameters.KnownClientApplications
+        Write-Verbose -Message "Oauth2PermissionScopes specified and is not empty"
+        $scopeValue = @()
+        foreach ($scope in $currentParameters.Api.Oauth2PermissionScopes)
+        {
+            $scopeEntry = @{
+                adminConsentDescription = $scope.adminConsentDescription
+                adminConsentDisplayName = $scope.adminConsentDisplayName
+                isEnabled               = $scope.isEnabled
+                type                    = $scope.type
+                userConsentDescription  = $scope.userConsentDescription
+                userConsentDisplayName  = $scope.userConsentDisplayName
+                value                   = $scope.value
+            }
+            if (-not [System.String]::IsNullOrEmpty($scope.id))
+            {
+                Write-Verbose -Message "Adding existing scope id {$($scope.id)}"
+                $scopeEntry.Add('id', $scope.id)
+            }
+            else
+            {
+                Write-Verbose -Message "Generating new scope id"
+                $scopeEntry.Add('id', (New-Guid).ToString())
+            }
+
+            $scopeValue += $scopeEntry
         }
-        $currentParameters.Add('Api', $apiValue)
-        $currentParameters.Remove('KnownClientApplications') | Out-Null
+        $apiValue.Add('Oauth2PermissionScopes', $scopeValue)
+    }
+    $currentParameters.Remove('KnownClientApplications') | Out-Null
+    #endregion
+
+    if ($currentParameters.ContainsKey('Api'))
+    {
+        Write-Verbose "Found existing API parameter. Updating with $(Convert-M365DscHashtableToString -Hashtable $apiValue)"
+        $currentParameters.Api = $apiValue
     }
     else
     {
-        $currentParameters.Remove('KnownClientApplications') | Out-Null
+        Write-Verbose "Adding API parameter with $(Convert-M365DscHashtableToString -Hashtable $apiValue)"
+        $currentParameters.Add('Api', $apiValue)
     }
 
     if ($ReplyUrls -or $LogoutURL -or $Homepage)
@@ -774,7 +829,6 @@ function Set-TargetResource
     $currentParameters.Remove('Homepage') | Out-Null
     $currentParameters.Remove('OnPremisesPublishing') | Out-Null
 
-
     $keys = (([Hashtable]$currentParameters).clone()).Keys
     foreach ($key in $keys)
     {
@@ -859,6 +913,7 @@ function Set-TargetResource
         $currentParameters.Remove('ApplicationTemplateId') | Out-Null
         Write-Verbose -Message "Creating New AzureAD Application {$DisplayName} with values:`r`n$($currentParameters | Out-String)"
 
+        Write-Verbose -Message "Parameters with API: $(ConvertTo-Json $currentParameters -Depth 10)"
         $currentAADApp = New-MgApplication @currentParameters
         Write-Verbose -Message "Azure AD Application {$DisplayName} was successfully created"
         $needToUpdatePermissions = $true
@@ -1043,7 +1098,7 @@ function Set-TargetResource
             $allRequiredAccess = @()
         }
         else
-            {
+        {
             $allSourceAPIs = $Permissions.SourceAPI | Select-Object -Unique
             $allRequiredAccess = @()
 
@@ -1371,8 +1426,8 @@ function Test-TargetResource
 
     $CurrentValues = Get-TargetResource @PSBoundParameters
 
-    if ($CurrentValues.Permissions.Length -gt 0 -and `
-        $null -ne $CurrentValues.Permissions.Name)
+    if ($CurrentValues.Permissions.Length -gt 0 -and $null -ne $CurrentValues.Permissions.Name -and `
+        $null -ne $Permissions)
     {
         $differenceObject = $Permissions.Name
         if ($null -eq $differenceObject)
@@ -1570,6 +1625,11 @@ function Export-TargetResource
                                 CimInstanceName = 'MicrosoftGraphPreAuthorizedApplication'
                                 IsRequired      = $False
                             }
+                            @{
+                                Name            = 'Oauth2PermissionScopes'
+                                CimInstanceName = 'MSFT_MicrosoftGraphApiOauth2PermissionScopes'
+                                IsRequired      = $False
+                            }
                         )
                         $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
                             -ComplexObject $Results.Api `

Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.schema.mof

@@ -82,10 +82,26 @@ class MSFT_MicrosoftGraphPreAuthorizedApplication
     [Write, Description("The unique identifier for the scopes the client application is granted.")] String PermissionIds[];
 };
 
+[ClassVersion("1.0.0")]
+class MSFT_MicrosoftGraphApiOauth2PermissionScopes
+{
+    [Write, Description("A description of the delegated permissions, intended to be read by an administrator granting the permission on behalf of all users. This text appears in tenant-wide admin consent experiences.")] String adminConsentDescription;
+    [Write, Description("The permission's title, intended to be read by an administrator granting the permission on behalf of all users.")] String adminConsentDisplayName;
+    [Write, Description("A description of the delegated permissions, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves.")] String userConsentDescription;
+    [Write, Description("A title for the permission, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves.")] String userConsentDisplayName;
+    [Write, Description("Specifies the value to include in the scp (scope) claim in access tokens. Must not exceed 120 characters in length.")] String value;
+    [Write, Description("When you create or update a permission, this property must be set to true (which is the default). To delete a permission, this property must first be set to false. At that point, in a subsequent call, the permission may be removed.")] Boolean isEnabled;
+    [Write, Description("The possible values are: User and Admin. Specifies whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator consent should always be required.")] String type;
+    [Write, Description("Unique delegated permission identifier inside the collection of delegated permissions defined for a resource application.")] String id;
+
+};
+
 [ClassVersion("1.0.0")]
 class MSFT_MicrosoftGraphApiApplication
 {
     [Write, Description("Lists the client applications that are preauthorized with the specified delegated permissions to access this application's APIs. Users aren't required to consent to any preauthorized application (for the permissions specified). However, any other permissions not listed in preAuthorizedApplications (requested through incremental consent for example) will require user consent."), EmbeddedInstance("MSFT_MicrosoftGraphPreAuthorizedApplication")] String PreAuthorizedApplications[];
+    [Write, Description("List of associated API scopes."), EmbeddedInstance("MSFT_MicrosoftGraphAPIOauth2PermissionScopes")] String Oauth2PermissionScopes[];
+
 };
 
 [ClassVersion("1.0.0")]

Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementRoleAssignment/MSFT_EXOManagementRoleAssignment.psm1

@@ -387,7 +387,7 @@ function Set-TargetResource
         Write-Verbose -Message 'Waiting for 20 seconds for new permissions to be effective.'
         Start-Sleep 20
         Write-Verbose -Message 'Disconnecting from Exchange Online'
-        Reset-MSCloudLoginConnectionProfileContext
+        Reset-MSCloudLoginConnectionProfileContext -Workload ExchangeOnline
     }
 }
 

Modules/Microsoft365DSC/DSCResources/MSFT_EXOTransportRule/MSFT_EXOTransportRule.psm1

@@ -971,8 +971,8 @@ function Get-TargetResource
             foreach ($key in $inputParams.Keys)
             {
                 $propertyInfo = $inputParams.$key
-                $curVar = Get-Variable -Name $key -ErrorAction SilentlyContinue
-                if ($propertyInfo.ParameterType.Name -eq 'String[]' -and $curVar -ne $null -and $curVar.Value -eq $null)
+                $curVar = $TransportRule.$key
+                if ($propertyInfo.ParameterType.Name -eq 'String[]' -and $curVar -eq $null)
                 {
                     $result.$key = @()
                 }

Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/settings.json

@@ -1,29 +1,41 @@
 {
-    "resourceName": "IntuneSecurityBaselineDefenderForEndpoint",
-    "description": "This resource configures an Test Intune Security Baseline Defender For Endpoint.",
-    "permissions": {
-        "graph": {
-            "delegated": {
-                "read": [
-                    {
-                        "name": "DeviceManagementConfiguration.Read.All"
+    "resourceName":"IntuneSecurityBaselineDefenderForEndpoint",
+    "description":"This resource configures an Test Intune Security Baseline Defender For Endpoint.",
+    "permissions":{
+        "graph":{
+            "delegated":{
+                "read":[
+                    {
+                        "name":"Group.Read.All"
+                    },
+                    {
+                        "name":"DeviceManagementConfiguration.Read.All"
                     }
                 ],
-                "update": [
+                "update":[
+                    {
+                        "name":"Group.Read.All"
+                    },
                     {
-                        "name": "DeviceManagementConfiguration.ReadWrite.All"
+                        "name":"DeviceManagementConfiguration.ReadWrite.All"
                     }
                 ]
             },
-            "application": {
-                "read": [
+            "application":{
+                "read":[
                     {
-                        "name": "DeviceManagementConfiguration.Read.All"
+                        "name":"Group.Read.All"
+                    },
+                    {
+                        "name":"DeviceManagementConfiguration.Read.All"
                     }
                 ],
-                "update": [
+                "update":[
+                    {
+                        "name":"Group.Read.All"
+                    },
                     {
-                        "name": "DeviceManagementConfiguration.ReadWrite.All"
+                        "name":"DeviceManagementConfiguration.ReadWrite.All"
                     }
                 ]
             }