From c4e268d0526174a1b160b6d3a5aa388a1410d8a5 Mon Sep 17 00:00:00 2001
From: Michael Barmettler <99532854+mibarm@users.noreply.github.com>
Date: Tue, 22 Aug 2023 16:24:58 +0200
Subject: [PATCH 1/2] fix: PermissionGrantPolicyIdsAssignedToDefaultUserRole to be compatible with beta
---
 .../MSFT_AADAuthorizationPolicy.psm1 | 10 +--
 ...oft365DSC.AADAuthorizationPolicy.tests.ps1 | 70 +++++++++----------
 2 files changed, 38 insertions(+), 42 deletions(-)
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthorizationPolicy/MSFT_AADAuthorizationPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthorizationPolicy/MSFT_AADAuthorizationPolicy.psm1
index f78db6224f..234571bb0b 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthorizationPolicy/MSFT_AADAuthorizationPolicy.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthorizationPolicy/MSFT_AADAuthorizationPolicy.psm1
@@ -164,7 +164,7 @@ function Get-TargetResource
 DefaultUserRoleAllowedToReadOtherUsers = $Policy.DefaultUserRolePermissions.AllowedToReadOtherUsers
 DefaultUserRoleAllowedToReadBitlockerKeysForOwnedDevice = $Policy.DefaultUserRolePermissions.AllowedToReadBitlockerKeysForOwnedDevice
 DefaultUserRoleAllowedToCreateTenants = $Policy.DefaultUserRolePermissions.AllowedToCreateTenants
- PermissionGrantPolicyIdsAssignedToDefaultUserRole = $Policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
+ PermissionGrantPolicyIdsAssignedToDefaultUserRole = $Policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole
 GuestUserRole = Get-GuestUserRoleNameFromId -GuestUserRoleId $Policy.GuestUserRoleId
 Ensure = 'Present'
 Credential = $Credential
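Review bot: The new read of `$Policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole` in Get-TargetResource carries no comment tying it to the beta object shape and no handling for the property being absent. The removed line read the same setting from `DefaultUserRolePermissions.PermissionGrantPoliciesAssigned`, so the two profiles evidently place it differently; if `$Policy` ever comes back in the other shape this key silently becomes `$null`, and judging by its name this is the setting that lists the permission-grant (consent) policies applied to default users, so a silent null would hide drift. I would add `# beta profile: top-level property (v1.0: DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)` above the line and consider a `Write-Verbose` when the value is `$null`. The call that populates `$Policy` is outside the hunk, so the beta assumption is inferred from the commit subject and the test mocks.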
@@ -325,12 +325,8 @@ function Set-TargetResource
 {
 if ($param -like 'Permission*')
 {
- #beta profile
- #$UpdateParameters.Add($param, $currentParameters.$param)
- #Write-Verbose -Message "Added '$param' to UpdateParameters"
- #v1.0 profile
- $defaultUserRolePermissions.Add('PermissionGrantPoliciesAssigned', $currentParameters.$param)
- Write-Verbose -Message "Added 'PermissionGrantPoliciesAssigned' ($param) to defaultUserRolePermissions"
+ $UpdateParameters.Add($param, $currentParameters.$param)
+ Write-Verbose -Message "Added '$param' to UpdateParameters"
 }
 else
 {
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthorizationPolicy.tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthorizationPolicy.tests.ps1
index 09cf85add4..cad0aa0147 100644
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthorizationPolicy.tests.ps1
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthorizationPolicy.tests.ps1
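Review bot: The branch condition `if ($param -like 'Permission*')` is a prefix wildcard, so after this change any parameter whose name starts with "Permission" is added to `$UpdateParameters` under its own name. The only intended match appears to be `PermissionGrantPolicyIdsAssignedToDefaultUserRole`, so an exact test is safer for a consent-related setting: `if ($param -eq 'PermissionGrantPolicyIdsAssignedToDefaultUserRole')`. The deleted comments were also the only record that the beta and v1.0 profiles take this value in different places; a one-line comment such as `# beta: top-level update parameter, not part of defaultUserRolePermissions` would keep that knowledge. The enclosing loop and the `else` body lie outside the hunk.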
@@ -73,21 +73,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 }
 Mock -CommandName Get-MgBetaPolicyAuthorizationPolicy -MockWith {
 $AADAuthPol = [pscustomobject]@{
- Id = 'authorizationPolicy'
- DisplayName = 'Authorization Policy'
- Description = 'something'
- allowedToSignUpEmailBasedSubscriptions = $true
- allowedToUseSSPR = $true
- allowEmailVerifiedUsersToJoinOrganization = $true
- AllowInvitesFrom = 'Everyone'
- blockMsolPowerShell = $false
- defaultUserRolePermissions = [pscustomobject]@{
- allowedToCreateApps = $true
- allowedToCreateSecurityGroups = $true
- allowedToReadOtherUsers = $true
- PermissionGrantPoliciesAssigned = [string[]]@()
+ Id = 'authorizationPolicy'
+ DisplayName = 'Authorization Policy'
+ Description = 'something'
+ AllowedToSignUpEmailBasedSubscriptions = $true
+ AllowedToUseSspr = $true
+ AllowEmailVerifiedUsersToJoinOrganization = $true
+ AllowInvitesFrom = 'Everyone'
+ BlockMsolPowerShell = $false
+ PermissionGrantPolicyIdsAssignedToDefaultUserRole = [string[]]@()
+ DefaultUserRolePermissions = [pscustomobject]@{
+ AllowedToCreateApps = $true
+ AllowedToCreateSecurityGroups = $true
+ AllowedToReadOtherUsers = $true
 }
- GuestUserRoleId = '10dae51f-b6af-4016-8d66-8c2a99b929b3' # Guest
+ GuestUserRoleId = '10dae51f-b6af-4016-8d66-8c2a99b929b3' # Guest
 }
 return $AADAuthPol
 }
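Review bot: All three updated mocks of `Get-MgBetaPolicyAuthorizationPolicy` (this hunk and the ones at -129 and -183) return `[string[]]@()` for `PermissionGrantPolicyIdsAssignedToDefaultUserRole`, so the fixtures cannot tell a correct read of the new top-level property from a read that yields nothing. Giving at least one mock a non-empty value, e.g. `PermissionGrantPolicyIdsAssignedToDefaultUserRole = [string[]]@('ManagePermissionGrantsForSelf.microsoft-user-default-legacy')`, with the matching desired value in that test's parameters (not visible here), would pin the mapping. As a style point, only this first mock was switched to PascalCase keys while the other two keep camelCase; PowerShell property lookup is case-insensitive so it is harmless, but the three fixtures should match.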
@@ -129,21 +129,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 Mock -CommandName Get-MgBetaPolicyAuthorizationPolicy -MockWith {
 $AADAuthPol = [pscustomobject]@{
- Id = 'authorizationPolicy'
- DisplayName = 'Authorization Policy'
- Description = 'something'
- allowedToSignUpEmailBasedSubscriptions = $true
- allowedToUseSSPR = $true
- allowEmailVerifiedUsersToJoinOrganization = $true
- AllowInvitesFrom = 'Everyone'
- blockMsolPowerShell = $false
- defaultUserRolePermissions = [pscustomobject]@{
+ Id = 'authorizationPolicy'
+ DisplayName = 'Authorization Policy'
+ Description = 'something'
+ allowedToSignUpEmailBasedSubscriptions = $true
+ allowedToUseSSPR = $true
+ allowEmailVerifiedUsersToJoinOrganization = $true
+ AllowInvitesFrom = 'Everyone'
+ blockMsolPowerShell = $false
+ PermissionGrantPolicyIdsAssignedToDefaultUserRole = [string[]]@()
+ defaultUserRolePermissions = [pscustomobject]@{
 allowedToCreateApps = $true
 allowedToCreateSecurityGroups = $true
 allowedToReadOtherUsers = $true
- PermissionGrantPoliciesAssigned = [string[]]@()
 }
- GuestUserRoleId = '10dae51f-b6af-4016-8d66-8c2a99b929b3' # Guest
+ GuestUserRoleId = '10dae51f-b6af-4016-8d66-8c2a99b929b3' # Guest
 }
 return $AADAuthPol
 }
@@ -183,20 +183,20 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 Mock -CommandName Get-MgBetaPolicyAuthorizationPolicy -MockWith {
 $AADAuthPol = [pscustomobject]@{
- DisplayName = 'Authorization Policy'
- Description = 'something'
- allowedToSignUpEmailBasedSubscriptions = $true
- allowedToUseSSPR = $true
- allowEmailVerifiedUsersToJoinOrganization = $true
- AllowInvitesFrom = 'Everyone'
- blockMsolPowerShell = $false
- defaultUserRolePermissions = [pscustomobject]@{
+ DisplayName = 'Authorization Policy'
+ Description = 'something'
+ allowedToSignUpEmailBasedSubscriptions = $true
+ allowedToUseSSPR = $true
+ allowEmailVerifiedUsersToJoinOrganization = $true
+ AllowInvitesFrom = 'Everyone'
+ blockMsolPowerShell = $false
+ PermissionGrantPolicyIdsAssignedToDefaultUserRole = [string[]]@()
+ defaultUserRolePermissions = [pscustomobject]@{
 allowedToCreateApps = $true
 allowedToCreateSecurityGroups = $true
 allowedToReadOtherUsers = $true
- PermissionGrantPoliciesAssigned = [string[]]@()
 }
- GuestUserRoleId = '10dae51f-b6af-4016-8d66-8c2a99b929b3' # Guest
+ GuestUserRoleId = '10dae51f-b6af-4016-8d66-8c2a99b929b3' # Guest
 }
 return $AADAuthPol
 }
From b86be44c6a34108b2f4c00accc4bb2cc667667d0 Mon Sep 17 00:00:00 2001
From: Michael Barmettler <99532854+mibarm@users.noreply.github.com>
Date: Wed, 23 Aug 2023 15:37:11 +0200
Subject: [PATCH 2/2] add changelog
---
 CHANGELOG.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5bbf5bd4d1..cc98514da3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,9 @@
 * EXOSafeAttachmentPolicy
 * Deprecated ActionOnError Parameter
 FIXES [#3579](https://github.com/microsoft/Microsoft365DSC/issues/3579)
-
+* AADAuthorizationPolicy
+ * Fix issue with property PermissionGrantPolicyIdsAssignedToDefaultUserRole
+ FIXES [#3594](https://github.com/microsoft/Microsoft365DSC/issues/3594)
 * AADGroupsSettings
 * Add support for enabling sensitivity labels in M365-groups
 * O365OrgSettings