Merge branch 'Dev' into fix4333
ykuijs authored Feb 26, 2024
2 parents 9f6119d + 740b3bc commit f1e2199
Showing 7 changed files with 90 additions and 54 deletions.
17 changes: 13 additions & 4 deletions CHANGELOG.md
@@ -1,12 +1,21 @@
# Change log for Microsoft365DSC

# UNRELEASED
# Unreleased

* AADConditionalAccessPolicy
* Improved verbose logging to show that items are being skipped.
* IntuneExploitProtectionPolicyWindows10SettingCatalog
* Fix update and removal of resource when Identity is from another tenant
FIXES [#3962](https://github.com/microsoft/Microsoft365DSC/issues/3962)
* SPOAccessControlSettings
* Added support for the ConditionalAccessPolicy parameter based on the PNP Module
* MISC
* M365DSCDRGUtil
Add new parameter for customizable assignment identifier
* M365DSCUtil
* Change heuristics on how to find the mandatory key of the resources to
include them as part of the ResourceInstanceName during their export
FIXES [#4333](https://github.com/microsoft/Microsoft365DSC/issues/4333)
Change heuristics on how to find the mandatory key of the resources to
include them as part of the ResourceInstanceName during their export
FIXES [#4333](https://github.com/microsoft/Microsoft365DSC/issues/4333)

# 1.24.221.1

Expand Up @@ -31,7 +31,7 @@ function Get-TargetResource
$ApplicationsFilter,

[Parameter()]
[ValidateSet("include", "exclude")]
[ValidateSet('include', 'exclude')]
[System.String]
$ApplicationsFilterMode,

Expand Down Expand Up @@ -300,7 +300,8 @@ function Get-TargetResource
}
catch
{
New-M365DSCLogEntry -Message 'Error retrieving data:' `
$message = "Couldn't find IncludedUser '$IncludeUserGUID', that is defined in policy '$PolicyDisplayName'. Skipping user."
New-M365DSCLogEntry -Message $message `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
Expand Down Expand Up @@ -334,8 +335,9 @@ function Get-TargetResource
}
catch
{
$message = "Couldn't find user $ExcludeUserGUID , that is defined in policy $PolicyDisplayName"
$message = "Couldn't find ExcludedUser '$ExcludeUserGUID', that is defined in policy '$PolicyDisplayName'. Skipping user."
New-M365DSCLogEntry -Message $message `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
Expand Down Expand Up @@ -366,8 +368,9 @@ function Get-TargetResource
}
catch
{
$message = "Couldn't find Group $IncludeGroupGUID , that is defined in policy $PolicyDisplayName"
$message = "Couldn't find IncludedGroup '$IncludeGroupGUID', that is defined in policy '$PolicyDisplayName'. Skipping group."
New-M365DSCLogEntry -Message $message `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
Expand All @@ -393,8 +396,9 @@ function Get-TargetResource
}
catch
{
$message = "Couldn't find Group $ExcludeGroupGUID , that is defined in policy $PolicyDisplayName"
$message = "Couldn't find ExcludedGroup '$ExcludeGroupGUID', that is defined in policy '$PolicyDisplayName'. Skipping group."
New-M365DSCLogEntry -Message $message `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
Expand Down Expand Up @@ -426,7 +430,7 @@ function Get-TargetResource
{
if ($null -eq $rolelookup[$IncludeRoleGUID])
{
$message = "Couldn't find role $IncludeRoleGUID , couldn't add to policy $PolicyDisplayName"
$message = "Couldn't find IncludedRole '$IncludeRoleGUID', that is defined in policy '$PolicyDisplayName'. Skipping role."
New-M365DSCLogEntry -Message $message `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
Expand All @@ -446,7 +450,7 @@ function Get-TargetResource
{
if ($null -eq $rolelookup[$ExcludeRoleGUID])
{
$message = "Couldn't find role $ExcludeRoleGUID , couldn't add to policy $PolicyDisplayName"
$message = "Couldn't find ExcludedRole '$ExcludeRoleGUID', that is defined in policy '$PolicyDisplayName'. Skipping role."
New-M365DSCLogEntry -Message $message `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
Expand Down Expand Up @@ -576,7 +580,7 @@ function Get-TargetResource

$AuthenticationStrengthValue = $null
if ($null -ne $Policy.GrantControls -and $null -ne $Policy.GrantControls.AuthenticationStrength -and `
$null -ne $Policy.GrantControls.AuthenticationStrength.Id)
$null -ne $Policy.GrantControls.AuthenticationStrength.Id)
{
$strengthPolicy = Get-MgBetaPolicyAuthenticationStrengthPolicy -AuthenticationStrengthPolicyId $Policy.GrantControls.AuthenticationStrength.Id
if ($null -ne $strengthPolicy)
Expand All @@ -591,8 +595,8 @@ function Get-TargetResource
foreach ($class in $Policy.Conditions.Applications.IncludeAuthenticationContextClassReferences)
{
$classReference = Get-MgBetaIdentityConditionalAccessAuthenticationContextClassReference `
-AuthenticationContextClassReferenceId $class `
-ErrorAction SilentlyContinue
-AuthenticationContextClassReferenceId $class `
-ErrorAction SilentlyContinue
if ($null -ne $classReference)
{
$AuthenticationContextsValues += $classReference.DisplayName
Expand Down Expand Up @@ -678,9 +682,9 @@ function Get-TargetResource
CertificateThumbprint = $CertificateThumbprint
Managedidentity = $ManagedIdentity.IsPresent
}

Write-Verbose -Message "Get-TargetResource Result: `n $(Convert-M365DscHashtableToString -Hashtable $result)"
return $result

}

function Set-TargetResource
Expand Down Expand Up @@ -715,7 +719,7 @@ function Set-TargetResource
$ApplicationsFilter,

[Parameter()]
[ValidateSet("include", "exclude")]
[ValidateSet('include', 'exclude')]
[System.String]
$ApplicationsFilterMode,

Expand Down Expand Up @@ -947,18 +951,16 @@ function Set-TargetResource
#create Conditions object
Write-Verbose -Message 'Set-Targetresource: create Conditions object'
$conditions = @{
Applications = @{
}
Users = @{
}
Applications = @{}
Users = @{}
}
#create and provision Application Condition object
Write-Verbose -Message 'Set-Targetresource: create Application Condition object'
if ($currentParameters.ContainsKey("IncludeApplications"))
if ($currentParameters.ContainsKey('IncludeApplications'))
{
$conditions.Applications.Add('IncludeApplications', $IncludeApplications)
}
if ($currentParameters.ContainsKey("ExcludeApplications"))
if ($currentParameters.ContainsKey('ExcludeApplications'))
{
$conditions.Applications.Add('ExcludeApplications', $ExcludeApplications)
}
Expand All @@ -968,7 +970,7 @@ function Set-TargetResource
rule = $ApplicationsFilter
mode = $ApplicationsFilterMode
}
$conditions.Applications.Add("ApplicationFilter", $appFilterValue)
$conditions.Applications.Add('ApplicationFilter', $appFilterValue)
}
if ($IncludeUserActions)
{
Expand All @@ -981,7 +983,7 @@ function Set-TargetResource
$classReferences = Get-MgBetaIdentityConditionalAccessAuthenticationContextClassReference -ErrorAction SilentlyContinue
foreach ($authContext in $AuthenticationContexts)
{
$currentClassId = $classReferences | Where-Object -FilterScript {$_.DisplayName -eq $authContext}
$currentClassId = $classReferences | Where-Object -FilterScript { $_.DisplayName -eq $authContext }
if ($null -ne $currentClassId)
{
$AuthenticationContextsValues += $currentClassId.Id
Expand Down Expand Up @@ -1018,7 +1020,7 @@ function Set-TargetResource
}
if ($null -eq $userguid)
{
$message = "Couldn't find user $includeuser , couldn't add to policy $DisplayName"
$message = "Couldn't find user '$includeuser', couldn't add to policy '$DisplayName'"
New-M365DSCLogEntry -Message $message `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
Expand Down Expand Up @@ -1065,7 +1067,7 @@ function Set-TargetResource
}
if ($null -eq $userguid)
{
$message = "Couldn't find user $excludeuser , couldn't add to policy $DisplayName"
$message = "Couldn't find user '$excludeuser', couldn't add to policy '$DisplayName'"
New-M365DSCLogEntry -Message $message `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
Expand Down Expand Up @@ -1110,7 +1112,7 @@ function Set-TargetResource
}
if ($GroupLookup.Length -gt 1)
{
$message = "Duplicate group found with displayname $includegroup , couldn't add to policy $DisplayName"
$message = "Duplicate group found with displayname '$includegroup', couldn't add to policy '$DisplayName'"
New-M365DSCLogEntry -Message $message `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
Expand All @@ -1119,7 +1121,7 @@ function Set-TargetResource
}
elseif ($null -eq $GroupLookup)
{
$message = "Couldn't find group $includegroup , couldn't add to policy $DisplayName"
$message = "Couldn't find group '$includegroup', couldn't add to policy '$DisplayName'"
New-M365DSCLogEntry -Message $message `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
Expand All @@ -1128,7 +1130,7 @@ function Set-TargetResource
}
else
{
Write-Verbose -Message 'adding group to includegroups'
Write-Verbose -Message 'Adding group to includegroups'
$conditions.Users.IncludeGroups += $GroupLookup.Id
}
}
Expand Down Expand Up @@ -1160,7 +1162,7 @@ function Set-TargetResource
}
if ($GroupLookup.Length -gt 1)
{
$message = "Duplicate group found with displayname $ExcludeGroup , couldn't add to policy $DisplayName"
$message = "Duplicate group found with displayname '$ExcludeGroup', couldn't add to policy '$DisplayName'"
New-M365DSCLogEntry -Message $message `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
Expand All @@ -1169,7 +1171,7 @@ function Set-TargetResource
}
elseif ($null -eq $GroupLookup)
{
$message = "Couldn't find group $ExcludeGroup , couldn't add to policy $DisplayName"
$message = "Couldn't find group '$ExcludeGroup', couldn't add to policy '$DisplayName'"
New-M365DSCLogEntry -Message $message `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
Expand All @@ -1178,7 +1180,7 @@ function Set-TargetResource
}
else
{
Write-Verbose -Message 'adding group to ExcludeGroups'
Write-Verbose -Message 'Adding group to ExcludeGroups'
$conditions.Users.ExcludeGroups += $GroupLookup.Id
}
}
Expand All @@ -1203,7 +1205,7 @@ function Set-TargetResource
{
if ($null -eq $rolelookup[$IncludeRole])
{
$message = "Couldn't find role $IncludeRole , couldn't add to policy $DisplayName"
$message = "Couldn't find role '$IncludeRole', couldn't add to policy '$DisplayName'"
New-M365DSCLogEntry -Message $message `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
Expand Down Expand Up @@ -1237,7 +1239,7 @@ function Set-TargetResource
{
if ($null -eq $rolelookup[$ExcludeRole])
{
$message = "Couldn't find role $ExcludeRole , couldn't add to policy $DisplayName"
$message = "Couldn't find role '$ExcludeRole', couldn't add to policy '$DisplayName'"
New-M365DSCLogEntry -Message $message `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
Expand Down Expand Up @@ -1507,12 +1509,12 @@ function Set-TargetResource
}
if ($AuthenticationStrength)
{
$strengthPolicy = Get-MgBetaPolicyAuthenticationStrengthPolicy | Where-Object -FilterScript {$_.DisplayName -eq $AuthenticationStrength} -ErrorAction SilentlyContinue
$strengthPolicy = Get-MgBetaPolicyAuthenticationStrengthPolicy | Where-Object -FilterScript { $_.DisplayName -eq $AuthenticationStrength } -ErrorAction SilentlyContinue
if ($null -ne $strengthPolicy)
{
$authenticationStrengthInstance = @{
id = $strengthPolicy.Id
"@odata.type" = "#microsoft.graph.authenticationStrengthPolicy"
'@odata.type' = '#microsoft.graph.authenticationStrengthPolicy'
}
$GrantControls.Add('authenticationStrength', $authenticationStrengthInstance)
}
Expand Down Expand Up @@ -1575,15 +1577,15 @@ function Set-TargetResource
}
else
{
$sessioncontrols.SignInFrequency.Remove("type") | Out-Null
$sessioncontrols.SignInFrequency.Remove('type') | Out-Null
}
if ($SignInFrequencyValue -gt 0)
{
$sessioncontrols.SignInFrequency.value = $SignInFrequencyValue
}
else
{
$sessioncontrols.SignInFrequency.Remove("value") | Out-Null
$sessioncontrols.SignInFrequency.Remove('value') | Out-Null
}
$sessioncontrols.SignInFrequency.frequencyInterval = $SignInFrequencyInterval
}
Expand Down Expand Up @@ -1649,9 +1651,9 @@ function Set-TargetResource
else
{
New-M365DSCLogEntry -Message 'Error creating new policy:' `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential

Write-Verbose -Message 'Set-Targetresource: Failed creating new policy. At least a user rule, application rule and grant or session control is required'
}
Expand All @@ -1674,7 +1676,7 @@ function Set-TargetResource
Write-Verbose -Message "Set-Targetresource: Failed deleting policy $DisplayName"
}
}
Write-Verbose -Message "Set-Targetresource: finished processing Policy $Displayname"
Write-Verbose -Message "Set-Targetresource: Finished processing Policy $Displayname"
}

function Test-TargetResource
Expand Down Expand Up @@ -1710,7 +1712,7 @@ function Test-TargetResource
$ApplicationsFilter,

[Parameter()]
[ValidateSet("include", "exclude")]
[ValidateSet('include', 'exclude')]
[System.String]
$ApplicationsFilterMode,

Expand Up @@ -320,8 +320,8 @@ function Set-TargetResource
-TemplateReferenceId $templateReferenceId

Update-IntuneDeviceConfigurationPolicy `
-DeviceConfigurationPolicyId $Identity `
-Name $DisplayName `
-DeviceConfigurationPolicyId $currentPolicy.Identity `
-Name $currentPolicy.DisplayName `
-Description $Description `
-TemplateReferenceId $templateReferenceId `
-Platforms $platforms `
Expand All @@ -334,14 +334,14 @@ function Set-TargetResource
{
$assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment
}
Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $Identity `
Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentPolicy.Identity `
-Targets $assignmentsHash
#endregion
}
elseif ($Ensure -eq 'Absent' -and $currentPolicy.Ensure -eq 'Present')
{
Write-Verbose -Message "Removing Endpoint Protection Policy {$($currentPolicy.DisplayName)}"
Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity
Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentPolicy.Identity
}
}


0 comments on commit f1e2199
