From 1da75aac4a7573fa2730a49da80103bb2ae9252e Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Fri, 27 Oct 2023 15:05:38 -0700 Subject: [PATCH 1/3] Fixes #3787 --- CHANGELOG.md | 6 +++ ...SFT_AADRoleEligibilityScheduleRequest.psm1 | 49 ++++++++++--------- 2 files changed, 31 insertions(+), 24 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 93a773633d..4ba3b82a9c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* AADRoleEligibilityScheduleRequest + * Fixes how the Get method retrieves existing instances for Groups. + FIXES [#3787](https://github.com/microsoft/Microsoft365DSC/issues/3787) + # 1.23.1025.1 * AADEntitlementManagementAccessPackageAssignmentPolicy diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 index 873eddbbce..f7a9a96153 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 @@ -177,10 +177,11 @@ $RoleDefinitionId = (Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$RoleDefinition'").Id Write-Verbose -Message "Found Role {$RoleDefinitionId}" + $schedule = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$PrincipalId' and RoleDefinitionId eq '$RoleDefinitionId'" $request = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -Filter "PrincipalId eq '$PrincipalId' and RoleDefinitionId eq '$RoleDefinitionId'" } } - if ($null -eq $request) + if ($null -eq $schedule) { return $nullResult } @@ -188,12 +189,12 @@ Write-Verbose -Message "Found existing AADRolelLigibilityScheduleRequest" if ($PrincipalType -eq 'User') { - $PrincipalInstance = Get-MgUser -UserId $request.PrincipalId -ErrorAction SilentlyContinue + $PrincipalInstance = Get-MgUser -UserId $schedule.PrincipalId -ErrorAction SilentlyContinue $PrincipalTypeValue = 'User' } if ($null -eq $PrincipalInstance -or $PrincipalType -eq 'Group') { - $PrincipalInstance = Get-MGGroup -GroupId $request.PrincipalId -ErrorAction SilentlyContinue + $PrincipalInstance = Get-MGGroup -GroupId $schedule.PrincipalId -ErrorAction SilentlyContinue $PrincipalTypeValue = 'Group' } @@ -201,47 +202,47 @@ { return $nullResult } - $RoleDefinitionValue = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $request.RoleDefinitionId + $RoleDefinitionValue = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $schedule.RoleDefinitionId $ScheduleInfoValue = @{} - if ($null -ne $request.ScheduleInfo.Expiration) + if ($null -ne $schedule.ScheduleInfo.Expiration) { $expirationValue = @{ - duration = $request.ScheduleInfo.Expiration.Duration - type = $request.ScheduleInfo.Expiration.Type + duration = $schedule.ScheduleInfo.Expiration.Duration + type = $schedule.ScheduleInfo.Expiration.Type } - if ($null -ne $request.ScheduleInfo.Expiration.EndDateTime) + if ($null -ne $schedule.ScheduleInfo.Expiration.EndDateTime) { - $expirationValue.Add('endDateTime', $request.ScheduleInfo.Expiration.EndDateTime.ToString("yyyy-MM-ddThh:mm:ssZ")) + $expirationValue.Add('endDateTime', $schedule.ScheduleInfo.Expiration.EndDateTime.ToString("yyyy-MM-ddThh:mm:ssZ")) } $ScheduleInfoValue.Add('expiration', $expirationValue) } - if ($null -ne $request.ScheduleInfo.Recurrence) + if ($null -ne $schedule.ScheduleInfo.Recurrence) { $recurrenceValue = @{ pattern = @{ - dayOfMonth = $request.ScheduleInfo.Recurrence.Pattern.dayOfMonth - daysOfWeek = $request.ScheduleInfo.Recurrence.Pattern.daysOfWeek - firstDayOfWeek = $request.ScheduleInfo.Recurrence.Pattern.firstDayOfWeek - index = $request.ScheduleInfo.Recurrence.Pattern.index - interval = $request.ScheduleInfo.Recurrence.Pattern.interval - month = $request.ScheduleInfo.Recurrence.Pattern.month - type = $request.ScheduleInfo.Recurrence.Pattern.type + dayOfMonth = $schedule.ScheduleInfo.Recurrence.Pattern.dayOfMonth + daysOfWeek = $schedule.ScheduleInfo.Recurrence.Pattern.daysOfWeek + firstDayOfWeek = $schedule.ScheduleInfo.Recurrence.Pattern.firstDayOfWeek + index = $schedule.ScheduleInfo.Recurrence.Pattern.index + interval = $schedule.ScheduleInfo.Recurrence.Pattern.interval + month = $schedule.ScheduleInfo.Recurrence.Pattern.month + type = $schedule.ScheduleInfo.Recurrence.Pattern.type } range = @{ - endDate = $request.ScheduleInfo.Recurrence.Range.endDate - numberOfOccurrences = $request.ScheduleInfo.Recurrence.Range.numberOfOccurrences - recurrenceTimeZone = $request.ScheduleInfo.Recurrence.Range.recurrenceTimeZone - startDate = $request.ScheduleInfo.Recurrence.Range.startDate - type = $request.ScheduleInfo.Recurrence.Range.type + endDate = $schedule.ScheduleInfo.Recurrence.Range.endDate + numberOfOccurrences = $schedule.ScheduleInfo.Recurrence.Range.numberOfOccurrences + recurrenceTimeZone = $schedule.ScheduleInfo.Recurrence.Range.recurrenceTimeZone + startDate = $schedule.ScheduleInfo.Recurrence.Range.startDate + type = $schedule.ScheduleInfo.Recurrence.Range.type } } $ScheduleInfoValue.Add('Recurrence', $recurrenceValue) } - if ($null -ne $request.ScheduleInfo.StartDateTime) + if ($null -ne $schedule.ScheduleInfo.StartDateTime) { - $ScheduleInfoValue.Add('StartDateTime', $request.ScheduleInfo.StartDateTime.ToString("yyyy-MM-ddThh:mm:ssZ")) + $ScheduleInfoValue.Add('StartDateTime', $schedule.ScheduleInfo.StartDateTime.ToString("yyyy-MM-ddThh:mm:ssZ")) } $ticketInfoValue = $null From f927989ae877d783ac5344c433b9921122077567 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 30 Oct 2023 10:48:59 -0400 Subject: [PATCH 2/3] Update MSFT_AADRoleEligibilityScheduleRequest.psm1 --- ...SFT_AADRoleEligibilityScheduleRequest.psm1 | 26 ++++++++++++------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 index f7a9a96153..f662a15551 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 @@ -181,6 +181,11 @@ $request = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -Filter "PrincipalId eq '$PrincipalId' and RoleDefinitionId eq '$RoleDefinitionId'" } } + else + { + $RoleDefinitionId = (Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$RoleDefinition'").Id + $schedule = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$($request.PrincipalId)' and RoleDefinitionId eq '$RoleDefinitionId'" + } if ($null -eq $schedule) { return $nullResult @@ -189,12 +194,12 @@ Write-Verbose -Message "Found existing AADRolelLigibilityScheduleRequest" if ($PrincipalType -eq 'User') { - $PrincipalInstance = Get-MgUser -UserId $schedule.PrincipalId -ErrorAction SilentlyContinue + $PrincipalInstance = Get-MgUser -UserId $request.PrincipalId -ErrorAction SilentlyContinue $PrincipalTypeValue = 'User' } if ($null -eq $PrincipalInstance -or $PrincipalType -eq 'Group') { - $PrincipalInstance = Get-MGGroup -GroupId $schedule.PrincipalId -ErrorAction SilentlyContinue + $PrincipalInstance = Get-MGGroup -GroupId $request.PrincipalId -ErrorAction SilentlyContinue $PrincipalTypeValue = 'Group' } @@ -202,7 +207,6 @@ { return $nullResult } - $RoleDefinitionValue = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $schedule.RoleDefinitionId $ScheduleInfoValue = @{} @@ -255,11 +259,11 @@ } $PrincipalValue = $null - if ($PrincipalTypeValue -eq 'User') + if ($PrincipalType -eq 'User') { $PrincipalValue = $PrincipalInstance.UserPrincipalName } - elseif ($PrincipalTypeValue -eq 'Group') + if ($null -eq $PrincipalValue -or $PrincipalTypeValue -eq 'Group') { $PrincipalValue = $PrincipalInstance.DisplayName } @@ -267,7 +271,7 @@ $results = @{ Principal = $PrincipalValue PrincipalType = $PrincipalTypeValue - RoleDefinition = $RoleDefinitionValue.DisplayName + RoleDefinition = $RoleDefinition DirectoryScopeId = $request.DirectoryScopeId AppScopeId = $request.AppScopeId Action = $request.Action @@ -730,10 +734,10 @@ function Export-TargetResource #region resource generator code $schedules = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -All -ErrorAction Stop [array] $Script:exportedInstances = @() - foreach ($schedule in $schedules) - { - [array] $allRequests = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -All ` + [array] $allRequests = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -All ` -Filter "Status ne 'Revoked'" -ErrorAction Stop + foreach ($schedule in $schedules) + { [array] $Script:exportedInstances += $allRequests | Where-Object -FilterScript {$_.TargetScheduleId -eq $schedule.Id} } #endregion @@ -752,10 +756,12 @@ function Export-TargetResource { $displayedKey = $request.Id Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + + $RoleDefinitionId = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $request.RoleDefinitionId $params = @{ Id = $request.Id Principal = $request.PrincipalId - RoleDefinition = 'TempDefinition' + RoleDefinition = $RoleDefinitionId.DisplayName ScheduleInfo = 'TempSchedule' Ensure = 'Present' Credential = $Credential From c6359a09dcdeee20b5a108405e0f05dacb61611f Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Mon, 30 Oct 2023 11:20:54 -0400 Subject: [PATCH 3/3] Fixes Unit Tests --- ...SFT_AADRoleEligibilityScheduleRequest.psm1 | 2 +- ...ADRoleEligibilityScheduleRequest.Tests.ps1 | 19 +++++++++++++++++-- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 index f662a15551..2e4b3c31ac 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 @@ -186,7 +186,7 @@ $RoleDefinitionId = (Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$RoleDefinition'").Id $schedule = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$($request.PrincipalId)' and RoleDefinitionId eq '$RoleDefinitionId'" } - if ($null -eq $schedule) + if ($null -eq $schedule -or $null -eq $request) { return $nullResult } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleEligibilityScheduleRequest.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleEligibilityScheduleRequest.Tests.ps1 index a3330e6392..6f7082cd94 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleEligibilityScheduleRequest.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleEligibilityScheduleRequest.Tests.ps1 @@ -25,6 +25,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $secpasswd = ConvertTo-SecureString 'test@password1' -AsPlainText -Force $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) $Script:exportedInstances = $null + $Script:ExportMode = $null Mock -CommandName Add-M365DSCTelemetryEvent -MockWith { } @@ -159,8 +160,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { RoleDefinition = "Teams Communications Administrator"; ScheduleInfo = New-CimInstance -ClassName MSFT_AADRoleEligibilityScheduleRequestSchedule -Property @{ - expiration = New-CimInstance -ClassName MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration -Property @{ - + expiration = New-CimInstance -ClassName MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration -Property @{ type = 'afterDateTime' } -ClientOnly } -ClientOnly @@ -182,6 +182,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { }; } } + Mock -CommandName Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -MockWith { + return @{ + Action = "AdminAssign"; + Id = '12345-12345-12345-12345-12345' + DirectoryScopeId = "/"; + IsValidationOnly = $False; + PrincipalId = "123456"; + RoleDefinitionId = "12345"; + ScheduleInfo = @{ + expiration = @{ + type = 'afterDateTime' + } + }; + } + } } It 'Should return Values from the Get method' {