Merge pull request #4295 from ricmestre/fix4081

IntuneDeviceEnrollmentPlatformRestriction: Added priority parameter

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 # UNRELEASED
 
+* IntuneDeviceEnrollmentPlatformRestriction
+  * Added Priority parameter
+    FIXES [#4081](https://github.com/microsoft/Microsoft365DSC/issues/4081)
 * TeamsMeetingPolicy
   * Ignore the AllowUserToJoinExternalMeeting  parameterfor drift evaluation
     since it doesn't do anything based on official documentation.

Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1

@@ -57,6 +57,10 @@ function Get-TargetResource
         [Microsoft.Management.Infrastructure.CimInstance[]]
         $Assignments,
 
+        [Parameter()]
+        [System.Int32]
+        $Priority,
+
         [Parameter()]
         [System.String]
         [ValidateSet('Absent', 'Present')]
@@ -107,7 +111,12 @@ function Get-TargetResource
 
     try
     {
-        $config = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $Identity -ErrorAction silentlyContinue
+        try {
+            $config = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $Identity -ErrorAction Stop
+        }
+        catch {
+            $config = $null
+        }
 
         if ($null -eq $config)
         {
@@ -127,6 +136,7 @@ function Get-TargetResource
             DisplayName                       = $config.DisplayName
             Description                       = $config.Description
             DeviceEnrollmentConfigurationType = $config.DeviceEnrollmentConfigurationType.toString()
+            Priority                          = $config.Priority
             Ensure                            = 'Present'
             Credential                        = $Credential
             ApplicationId                     = $ApplicationId
@@ -229,6 +239,10 @@ function Set-TargetResource
         [Microsoft.Management.Infrastructure.CimInstance[]]
         $Assignments,
 
+        [Parameter()]
+        [System.Int32]
+        $Priority,
+
         [Parameter()]
         [System.String]
         [ValidateSet('Absent', 'Present')]
@@ -258,6 +272,7 @@ function Set-TargetResource
         [Switch]
         $ManagedIdentity
     )
+
     $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
         -InboundParameters $PSBoundParameters
 
@@ -276,6 +291,12 @@ function Set-TargetResource
     $currentCategory = Get-TargetResource @PSBoundParameters
     $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
     $PSBoundParameters.Remove('Identity') | Out-Null
+    $PriorityPresent = $false
+    if ($PSBoundParameters.Keys.Contains('Priority'))
+    {
+        $PriorityPresent = $true
+        $PSBoundParameters.Remove('Priority') | Out-Null
+    }
 
     if ($Ensure -eq 'Present' -and $currentCategory.Ensure -eq 'Absent')
     {
@@ -332,10 +353,19 @@ function Set-TargetResource
                 $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments
 
                 Update-DeviceConfigurationPolicyAssignment `
-                    -DeviceConfigurationPolicyId  $policy.id `
+                    -DeviceConfigurationPolicyId $policy.Id `
                     -Targets $assignmentsHash `
                     -Repository 'deviceManagement/deviceEnrollmentConfigurations'
             }
+
+            if ($PriorityPresent -and $Priority -ne $policy.Priority)
+            {
+                $Uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/{0}/setPriority" -f $policy.Id
+                $Body = @{
+                    priority = $Priority
+                }
+                Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $Body
+            }
         }
     }
     elseif ($Ensure -eq 'Present' -and $currentCategory.Ensure -eq 'Present')
@@ -380,29 +410,36 @@ function Set-TargetResource
         #Write-Verbose ($PSBoundParameters | ConvertTo-Json -Depth 20)
         Update-MgBetaDeviceManagementDeviceEnrollmentConfiguration `
             -BodyParameter ([hashtable]$PSBoundParameters) `
-            -DeviceEnrollmentConfigurationId $Identity
+            -DeviceEnrollmentConfigurationId $currentCategory.Identity
 
         #Assignments from DefaultPolicy are not editable and will raise an alert
-        if ($Identity -notlike '*_DefaultPlatformRestrictions')
+        if ($currentCategory.Identity -notlike '*_DefaultPlatformRestrictions')
         {
             if ($null -ne $Assignments -and $Assignments -ne @())
             {
                 $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments
 
                 Update-DeviceConfigurationPolicyAssignment `
-                -DeviceConfigurationPolicyId  $Identity `
-                -Targets $assignmentsHash `
-                -Repository 'deviceManagement/deviceEnrollmentConfigurations'
+                    -DeviceConfigurationPolicyId $currentCategory.Identity `
+                    -Targets $assignmentsHash `
+                    -Repository 'deviceManagement/deviceEnrollmentConfigurations'
+            }
+
+            if ($PriorityPresent -and $Priority -ne $currentCategory.Priority)
+            {
+                $Uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/{0}/setPriority" -f $currentCategory.Identity
+                $Body = @{
+                    priority = $Priority
+                }
+                Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $Body
             }
         }
     }
     elseif ($Ensure -eq 'Absent' -and $currentCategory.Ensure -eq 'Present')
     {
         Write-Verbose -Message "Removing Device Enrollment Platform Restriction {$DisplayName}"
-        $config = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -Filter "displayName eq '$DisplayName'" `
-        | Where-Object -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' }
 
-        Remove-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $config.id
+        Remove-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $currentCategory.Identity
     }
 }
 
@@ -465,6 +502,10 @@ function Test-TargetResource
         [Microsoft.Management.Infrastructure.CimInstance[]]
         $Assignments,
 
+        [Parameter()]
+        [System.Int32]
+        $Priority,
+
         [Parameter()]
         [System.String]
         [ValidateSet('Absent', 'Present')]

Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof

@@ -36,6 +36,7 @@ class MSFT_IntuneDeviceEnrollmentPlatformRestriction : OMI_BaseResource
     [Write, Description("Mac restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string MacRestriction;
     [Write, Description("Mac OS restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string MacOSRestriction;
     [Write, Description("Assignments of the policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] string Assignments[];
+    [Write, Description("Priority is used when a user exists in multiple groups that are assigned enrollment configuration. Users are subject only to the configuration with the lowest priority value. Inherited from deviceEnrollmentConfiguration.")] UInt32 Priority;
     [Write, Description("Present ensures the restriction exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
     [Write, Description("Credentials of the Intune Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
     [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;