diff --git a/CHANGELOG.md b/CHANGELOG.md index e23650eda8..03548b85ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,12 +2,56 @@ # UNRELEASED +* AADGroup + * Fixed issue where group owners were removed from existing groups when unspecified in the config + FIXES [#4390](https://github.com/microsoft/Microsoft365DSC/issues/4390) * EXOHostedContentFilterPolicy * Add support for IntraOrgFilterState parameter FIXES [#4424](https://github.com/microsoft/Microsoft365DSC/issues/4424) * EXOHostedContentFilterRule * Fixed issue in case of different names of filter rule and filter policy FIXES [#4401](https://github.com/microsoft/Microsoft365DSC/issues/4401) +* IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneAccountProtectionLocalUserGroupMembershipPolicy + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneAccountProtectionPolicy + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneAntivirusPolicyWindows10SettingCatalog + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneAppConfigurationPolicy + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneApplicationControlPolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneASRRulesPolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceCompliancePolicyAndroid + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceCompliancePolicyAndroidDeviceOwner + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceCompliancePolicyAndroidWorkProfile + * Added support for assignment GroupDisplayName and improve error handling from 
Get-TargetResource +* IntuneDeviceCompliancePolicyiOs + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceCompliancePolicyMacOS + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceCompliancePolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceConfigurationCustomPolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceConfigurationDomainJoinPolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceConfigurationEmailProfilePolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource +* IntuneDeviceConfigurationEndpointProtectionPolicyWindows10 + * Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource + * Fixed an issue with the parameter InterfaceTypes from firewallrules defined as a string instead of string[] * IntuneDeviceConfigurationPKCSCertificatePolicyWindows10 * Add property RootCertificateDisplayName in order to support assigning root certificates by display name since their Ids in a blueprint might be from a 
@@ -39,12 +83,7 @@ * Enhancement to obfuscate password from verbose logging and avoid empty lines FIXES [#4392](https://github.com/microsoft/Microsoft365DSC/issues/4392) * Fix example in documentation for Update-M365DSCAzureAdApplication - -# UNRELEASED - -* AADGroup - * Fixed issue where group owners were removed from existing groups when unspecified in the config - FIXES [#4390](https://github.com/microsoft/Microsoft365DSC/issues/4390) + * Added support for groupDisplayName to all devices and all users groups # 1.24.228.1 @@ -178,7 +217,6 @@ * Updated Microsoft.Graph to version 2.14.1. # 1.24.214.2 - * AADConditionalAccessPolicy * Removed invalid empty string value that was added to the validate set of two parameters. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 index 6482cb21d7..5d7db7ea9e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 @@ -179,8 +179,10 @@ function Get-TargetResource try { #Retrieve policy general settings - - $policy = Get-MgBetaDeviceManagementIntent -DeviceManagementIntentId $Identity -ErrorAction SilentlyContinue + if (-not [string]::IsNullOrEmpty($Identity)) + { + $policy = Get-MgBetaDeviceManagementIntent -DeviceManagementIntentId $Identity -ErrorAction SilentlyContinue + } if ($null -eq $policy) { @@ -189,6 +191,11 @@ function Get-TargetResource { $policy = Get-MgBetaDeviceManagementIntent -Filter "DisplayName eq '$DisplayName'" -ErrorAction SilentlyContinue } + + if(([array]$policy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } if ($null -eq $policy) { 
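Review bot: The new duplicate check in Get-TargetResource depends on the lookup `-Filter "DisplayName eq '$DisplayName'"`, which interpolates the name into the filter without escaping. A display name containing a single quote makes the filter invalid, and with `-ErrorAction SilentlyContinue` that failure would likely look the same as "not found", so the duplicate check never sees it. Doubling the quote before building the filter, e.g. `$escapedName = $DisplayName.Replace("'", "''")`, would address this; the same filter form appears in the other Get-TargetResource hunks of this commit. The function body starts and ends outside the hunk.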
@@ -225,19 +232,12 @@ function Get-TargetResource $returnHashtable.Add('ManagedIdentity', $ManagedIdentity.IsPresent) $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementIntentAssignment -DeviceManagementIntentId $policy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementIntentAssignment -DeviceManagementIntentId $policy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment -Assignments $graphAssignments -IncludeDeviceFilter:$true } - $returnHashtable.Add('Assignments', $assignmentResult) + $returnHashtable.Add('Assignments', $returnAssignments) return $returnHashtable } @@ -260,6 +260,7 @@ function Get-TargetResource -Credential $Credential } + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } @@ -546,7 +547,7 @@ function Set-TargetResource #Using Rest to reduce the number of calls $Uri = "https://graph.microsoft.com/beta/deviceManagement/intents/$($currentPolicy.Identity)/updateSettings" $body = @{'settings' = $settings } - Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> Out-Null #region Assignments $assignmentsHash = @() 
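Review bot: `4> Out-Null` in the Set-TargetResource hunk does not discard the verbose stream; a redirection operator takes a path, so it writes stream 4 to a file named `Out-Null` in the current working directory. Each run would create or overwrite that file with whatever Invoke-MgGraphRequest emits on the verbose stream, which may include request details. Replace the redirection with `4> $null`. The same redirection is added in Set-TargetResource of MSFT_IntuneAccountProtectionPolicy.psm1.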
@@ -737,6 +738,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Endpoint Protection Attack Surface Protection rules Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" 
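Review bot: The message added in Test-TargetResource misspells "occurred" as `occured`, in both the Write-Verbose and the throw, and the same text is repeated in every Test-TargetResource and Export-TargetResource hunk of this commit. The thrown text is what operators will search their logs for, so it is worth fixing in all places at once, e.g. `throw "An error occurred in Get-TargetResource, the policy {$DisplayName} will not be processed. Refer to the event viewer logs for more information."`. The added `Write-Verbose` also omits `-Message`, which the surrounding lines use.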
@@ -748,75 +754,28 @@ function Test-TargetResource $ValuesToCheck.Remove('ApplicationSecret') | Out-Null $ValuesToCheck.Remove('Identity') | Out-Null + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - return $false + $testResult = $false } #region Assignments - $testResult = $true - - if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)) + if ($testResult) { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } + #endregion - if ($CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = 
Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - - } - } - if (-not $testResult) + if ($testResult) { - return $false + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys } - $ValuesToCheck.Remove('Assignments') | Out-Null - #endregion - - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult @@ -908,6 +867,11 @@ function Export-TargetResource } $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Assignments) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json index a21e872c90..0250bfc33a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } 
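Review bot: `Group.Read.All` is added to both the delegated and the application read lists, which looks broader than resolving assignment group display names needs. If the helper behind this change only lists groups and reads their basic properties (it is not shown in this diff), `GroupMember.Read.All` would cover that with less access to group content. The same addition is made in the settings.json of the other resources in this commit, so the choice should be made once for all of them. The changelog entry should also tell administrators that existing app registrations need the additional consent.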
@@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 index a6ff9a5167..d4f7dfbf59 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 @@ -130,7 +130,7 @@ function Get-TargetResource try { #Retrieve policy general settings - $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ErrorAction SilentlyContinue + $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ExpandProperty settings -ErrorAction SilentlyContinue if ($null -eq $policy) { 
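Review bot: The Identity lookup in this Get-TargetResource hunk is still called unconditionally, whereas the same commit wraps it in `if (-not [string]::IsNullOrEmpty($Identity))` for MSFT_IntuneASRRulesPolicyWindows10. If `$Identity` is empty the cmdlet may fail parameter binding, which `-ErrorAction SilentlyContinue` does not suppress; that would presumably land in the catch block and, with the new Test-M365DSCAuthenticationParameter check, turn a lookup by display name into a thrown error. Adding the same guard here, and in the LocalUserGroupMembership and AccountProtectionPolicy resources, keeps the fallback to the display-name filter reachable. The function body continues outside the hunk.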
@@ -138,28 +138,32 @@ function Get-TargetResource $policyTemplateID = 'adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1' $filter = "name eq '$DisplayName' and templateReference/TemplateId eq '$policyTemplateID'" $policy = Get-MgBetaDeviceManagementConfigurationPolicy -Filter $filter -ErrorAction SilentlyContinue + + if(([array]$policy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } + if ($null -eq $policy) { Write-Verbose -Message "No Account Protection LAPS Policy {displayName: '$DisplayName'} was found" return $nullResult } + + $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $policy.Id -ExpandProperty settings -ErrorAction SilentlyContinue } $Identity = $policy.Id Write-Verbose -Message "Found Account Protection LAPS Policy {$($policy.id):$($policy.Name)}" - - #Retrieve policy specific settings - [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` - -DeviceManagementConfigurationPolicyId $Identity ` - -ErrorAction Stop + [array]$settings = $policy.settings $returnHashtable = @{} $returnHashtable.Add('Identity', $Identity) $returnHashtable.Add('DisplayName', $policy.name) $returnHashtable.Add('Description', $policy.description) - foreach ($setting in $settings.settingInstance) + foreach ($setting in $settings.SettingInstance) { $addToParameters = $true $settingName = $setting.settingDefinitionId.Split('_') | Select-Object -Last 1 
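Review bot: The re-fetch by id after the display-name lookup uses `-ErrorAction SilentlyContinue` and its result is never checked, while the removed settings call used `-ErrorAction Stop`. If that second request fails, `$policy` becomes `$null` and the code goes on to read `$policy.Id` and `$policy.settings`, so a transient Graph error could be reported as an empty policy instead of reaching the catch block. Use `-ErrorAction Stop` on the re-fetch, or add `if ($null -eq $policy) { throw ... }` directly after it. The same pattern is added in the Get-TargetResource hunks of the LocalUserGroupMembership and AccountProtectionPolicy resources. The function body starts and ends outside the hunk.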
@@ -226,9 +230,16 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-DeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Identity + $graphAssignments = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id + if ($graphAssignments.count -gt 0) + { + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) + } $returnHashtable.Add('Assignments', $returnAssignments) + Write-Verbose -Message "Found Account Protection LAPS Policy {$($policy.name)}" $returnHashtable.Add('Ensure', 'Present') @@ -249,6 +260,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -562,87 +574,32 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Account Protection LAPS Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters - + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" - $ValuesToCheck = $PSBoundParameters + $ValuesToCheck = ([hashtable]$PSBoundParameters).clone() $ValuesToCheck.Remove('Identity') | Out-Null $ValuesToCheck.Remove('Credential') | Out-Null $ValuesToCheck.Remove('ApplicationId') | Out-Null $ValuesToCheck.Remove('TenantId') | Out-Null $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - $ValuesToCheck.Remove('Identity') | Out-Null - - if ($BackupDirectory -eq 0) - { - $ValuesToCheck.Remove('PasswordAgeDays_AAD') | Out-Null - $ValuesToCheck.Remove('PasswordAgeDays') | Out-Null - $ValuesToCheck.Remove('PasswordExpirationProtectionEnabled') | Out-Null - $ValuesToCheck.Remove('AdEncryptedPasswordHistorySize') | Out-Null - $ValuesToCheck.Remove('AdPasswordEncryptionEnabled') | Out-Null - $ValuesToCheck.Remove('AdPasswordEncryptionPrincipal') | Out-Null - } - elseif ($BackupDirectory -eq 1) { - $ValuesToCheck.Remove('PasswordAgeDays') | Out-Null - $ValuesToCheck.Remove('PasswordExpirationProtectionEnabled') | Out-Null - $ValuesToCheck.Remove('AdEncryptedPasswordHistorySize') | Out-Null - $ValuesToCheck.Remove('AdPasswordEncryptionEnabled') | Out-Null - $ValuesToCheck.Remove('AdPasswordEncryptionPrincipal') | Out-Null - } elseif ($BackupDirectory -eq 2) - { - 
$ValuesToCheck.Remove('PasswordAgeDays_AAD') | Out-Null - } $testResult = $true - if ([Array]$Assignments.count -ne $CurrentValues.Assignments.count) + if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Configuration drift:Number of assignments does not match: Source=$([Array]$Assignments.count) Target=$($CurrentValues.Assignments.count)" - $testResult = $false + Write-Verbose -Message "Test-TargetResource returned $false" + return $false } - if ($testResult) - { - foreach ($assignment in $CurrentValues.Assignments) - { - if ($null -ne $Assignment) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - } - if (-not $testResult) - { - $testResult = $false - break - } - - } - - } + #Compare Cim instances + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target $ValuesToCheck.Remove('Assignments') | Out-Null if ($testResult) 
@@ -744,7 +701,11 @@ function Export-TargetResource } $Results = Get-TargetResource @params - + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Ensure -eq 'Present') { $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` @@ -752,7 +713,8 @@ function Export-TargetResource if ($Results.Assignments) { - $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) ` + -CIMInstanceName IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments if ($complexTypeStringResult) { $Results.Assignments = $complexTypeStringResult @@ -771,12 +733,7 @@ function Export-TargetResource if ($Results.Assignments) { - $isCIMArray = $false - if ($Results.Assignments.getType().Fullname -like '*[[\]]') - { - $isCIMArray = $true - } - $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$isCIMArray + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$true } $dscContent += $currentDSCBlock diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json index 76338d2e0a..7f3c9f6cc3 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 index 4b58e81abc..e29a872555 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 @@ -79,7 +79,7 @@ function Get-TargetResource { #Retrieve policy general settings - $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ErrorAction SilentlyContinue + $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ExpandProperty settings -ErrorAction SilentlyContinue if ($null -eq $policy) { 
@@ -87,18 +87,26 @@ function Get-TargetResource if (-not [String]::IsNullOrEmpty($DisplayName)) { $policy = Get-MgBetaDeviceManagementConfigurationPolicy -Filter "Name eq '$DisplayName'" -ErrorAction SilentlyContinue + + if(([array]$devicePolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } + + if ($null -eq $policy) + { + Write-Verbose -Message "No Account Protection Local User Group Membership Policy with displayName {$DisplayName} was found" + return $nullResult + } + + $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $policy.id -ExpandProperty settings -ErrorAction SilentlyContinue } } - if ($null -eq $policy) - { - Write-Verbose -Message "No Account Protection Local User Group Membership Policy with displayName {$DisplayName} was found" - return $nullResult - } + #Retrieve policy specific settings - [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` - -DeviceManagementConfigurationPolicyId $policy.Id ` - -ErrorAction Stop + $Identity = $policy.id + [array]$settings = $policy.settings $returnHashtable = @{} $returnHashtable.Add('Identity', $policy.Id) 
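Review bot: The duplicate check tests `$devicePolicy`, which is not assigned anywhere in this hunk; the lookup result is in `$policy`. As written, `([array]$devicePolicy).count` is presumably always 0, so duplicated display names are not detected and the following re-fetch would receive several ids from `$policy.id`. Change the condition to `if (([array]$policy).count -gt 1)`. The `$null -eq $policy` return now also sits inside the `DisplayName` branch, so when that branch is skipped the code reaches `$Identity = $policy.id` with a null policy; the function body continues outside the hunk.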
@@ -148,19 +156,14 @@ function Get-TargetResource $returnHashtable.Add('ManagedIdentity', $ManagedIdentity.IsPresent) $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $returnHashtable.Add('Assignments', $assignmentResult) + $returnHashtable.Add('Assignments', $returnAssignments) return $returnHashtable } @@ -183,6 +186,7 @@ function Get-TargetResource -Credential $Credential } + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -401,7 +405,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Account Protection Local User Group Membership Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters - + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" 
@@ -412,109 +420,66 @@ function Test-TargetResource $ValuesToCheck.Remove('ApplicationSecret') | Out-Null $ValuesToCheck.Remove('Identity') | Out-Null + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - return $false + $testResult = $false } #region LocalUserGroupCollection - $testResult = $true - if ((-not $CurrentValues.LocalUserGroupCollection) -xor (-not $ValuesToCheck.LocalUserGroupCollection)) - { - Write-Verbose -Message 'Configuration drift: one the LocalUserGroupCollection is null' - return $false - } - - if ($CurrentValues.LocalUserGroupCollection) + if ($testResult) { - if ($CurrentValues.LocalUserGroupCollection.count -ne $ValuesToCheck.LocalUserGroupCollection.count) + if ((-not $CurrentValues.LocalUserGroupCollection) -xor (-not $ValuesToCheck.LocalUserGroupCollection)) { - Write-Verbose -Message "Configuration drift: Number of LocalUserGroupCollection has changed - current {$($CurrentValues.LocalUserGroupCollection.count)} target {$($ValuesToCheck.LocalUserGroupCollection.count)}" + Write-Verbose -Message 'Configuration drift: one the LocalUserGroupCollection is null' return $false } - for ($i = 0; $i -lt $CurrentValues.LocalUserGroupCollection.count; $i++) - { - $source = $ValuesToCheck.LocalUserGroupCollection[$i] - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $CurrentValues.LocalUserGroupCollection[$i] - - if (-not $testResult) - { - $testResult = $false - break - } - } - } - if (-not $testResult) - { - return $false - } - $ValuesToCheck.Remove('LocalUserGroupCollection') | Out-Null - #endregion - - #region Assignments - if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)) - { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false - } - if ($CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) + if 
($CurrentValues.LocalUserGroupCollection) { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) + if ($CurrentValues.LocalUserGroupCollection.count -ne $ValuesToCheck.LocalUserGroupCollection.count) { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment + Write-Verbose -Message "Configuration drift: Number of LocalUserGroupCollection has changed - current {$($CurrentValues.LocalUserGroupCollection.count)} target {$($ValuesToCheck.LocalUserGroupCollection.count)}" + return $false } - #AllDevices/AllUsers assignment - else + for ($i = 0; $i -lt $CurrentValues.LocalUserGroupCollection.count; $i++) { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) + $source = $ValuesToCheck.LocalUserGroupCollection[$i] + $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source + $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $CurrentValues.LocalUserGroupCollection[$i] + + if (-not $testResult) { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" $testResult = $false break } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment } - - if (-not $testResult) - { - $testResult 
= $false - break - } - } + if (-not $testResult) + { + return $false + } + $ValuesToCheck.Remove('LocalUserGroupCollection') | Out-Null } - if (-not $testResult) + #endregion + + #region Assignments + if ($testResult) { - return $false + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } - $ValuesToCheck.Remove('Assignments') | Out-Null #endregion - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - + if ($testResult) + { + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult @@ -607,6 +572,11 @@ function Export-TargetResource } $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.LocalUserGroupCollection) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json index 76dcf45483..d6aeda8c71 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 index 327fc77e61..4efcd196ee 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 @@ -144,7 +144,7 @@ function Get-TargetResource { #Retrieve policy general settings - $policy = Get-MgBetaDeviceManagementIntent -DeviceManagementIntentId $Identity -ErrorAction SilentlyContinue + $policy = Get-MgBetaDeviceManagementIntent -DeviceManagementIntentId $Identity -ExpandProperty settings,assignments -ErrorAction SilentlyContinue if ($null -eq $policy) { 
@@ -153,17 +153,25 @@ function Get-TargetResource { $policy = Get-MgBetaDeviceManagementIntent -Filter "DisplayName eq '$DisplayName'" -ErrorAction SilentlyContinue } + + if ($null -eq $policy) + { + Write-Verbose -Message "No Account Protection Policy with displayName {$DisplayName} was found" + return $nullResult + } + + if(([array]$policy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } + + $policy = Get-MgBetaDeviceManagementIntent -DeviceManagementIntentId $policy.id -ExpandProperty settings,assignments -ErrorAction SilentlyContinue + } - if ($null -eq $policy) - { - Write-Verbose -Message "No Account Protection Policy with displayName {$DisplayName} was found" - return $nullResult - } - #Retrieve policy specific settings - [array]$settings = Get-MgBetaDeviceManagementIntentSetting ` - -DeviceManagementIntentId $policy.Id ` - -ErrorAction Stop + + $Identity = $policy.id + [array]$settings = $policy.settings $returnHashtable = @{} $returnHashtable.Add('Identity', $policy.Id) 
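Review bot: The re-fetch added after the duplicate check, `$policy = Get-MgBetaDeviceManagementIntent -DeviceManagementIntentId $policy.id -ExpandProperty settings,assignments -ErrorAction SilentlyContinue`, can leave `$policy` null without raising anything, and the next new lines read `$policy.id` and `$policy.settings` unchecked. The settings call it replaces used `-ErrorAction Stop`, so a failed read used to surface as an error. Now it would likely yield a result with no settings, which Test-TargetResource then compares as if it were the tenant's real state. Use `-ErrorAction Stop` on the re-fetch, or take the error path when `$policy` is null afterwards. The hunk at `@@ -385,12 +385,19 @@` in MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 repeats the pattern, and Get-TargetResource starts and ends outside this hunk.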
@@ -202,19 +210,11 @@ function Get-TargetResource $returnHashtable.Add('ManagedIdentity', $ManagedIdentity.IsPresent) $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementIntentAssignment -DeviceManagementIntentId $policy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + if ($policy.assignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment -Assignments $policy.assignments -IncludeDeviceFilter $true } - $returnHashtable.Add('Assignments', $assignmentResult) + $returnHashtable.Add('Assignments', $returnAssignments) return $returnHashtable } @@ -237,6 +237,7 @@ function Get-TargetResource -Credential $Credential } + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } @@ -443,7 +444,7 @@ function Set-TargetResource #Using Rest to reduce the number of calls $Uri = "https://graph.microsoft.com/beta/deviceManagement/intents/$($currentPolicy.Identity)/updateSettings" $body = @{'settings' = $settings } - Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> Out-Null #region Assignments $assignmentsHash = @() 
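Review bot: `4> Out-Null` on the `Invoke-MgGraphRequest` line in Set-TargetResource does not discard the verbose stream. It redirects it to a file named `Out-Null` in the current directory, because the target of a numbered redirection is a path, not a command. That leaves verbose output from the Graph call on disk wherever the resource runs. Write `4> $null` instead. The PUT in Update-IntuneDeviceConfigurationPolicy at `@@ -1656,7 +1633,7 @@` (MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1) has the same redirection.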
@@ -598,6 +599,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Account Protection Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" 
@@ -610,96 +616,29 @@ function Test-TargetResource $ValuesToCheck.Remove('Identity') | Out-Null $ValuesToCheck.Remove('Verbose') | Out-Null - foreach ($key in $PSBoundParameters.Keys) { - if ($null -eq $ValuesToCheck.$key) { - $ValuesToCheck.Remove($key) | Out-Null - } - } - - if ($CurrentValues.WindowsHelloForBusinessBlocked -in @('notconfigured', 'True')) - { - $ValuesToCheck.Remove('PinMinimumLength') | Out-Null - $ValuesToCheck.Remove('PinMaximumLength') | Out-Null - $ValuesToCheck.Remove('PinLowercaseCharactersUsage') | Out-Null - $ValuesToCheck.Remove('PinUppercaseCharactersUsage') | Out-Null - $ValuesToCheck.Remove('PinSpecialCharactersUsage') | Out-Null - $ValuesToCheck.Remove('PinExpirationInDays') | Out-Null - $ValuesToCheck.Remove('PinPreviousBlockCount') | Out-Null - $ValuesToCheck.Remove('PinRecoveryEnabled') | Out-Null - $ValuesToCheck.Remove('SecurityDeviceRequired') | Out-Null - $ValuesToCheck.Remove('UnlockWithBiometricsEnabled') | Out-Null - $ValuesToCheck.Remove('EnhancedAntiSpoofingForFacialFeaturesEnabled') | Out-Null - $ValuesToCheck.Remove('UseCertificatesForOnPremisesAuthEnabled') | Out-Null - } - + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - return $false + $testResult = $false } - #region Assignments - $testResult = $true - if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)) + #region assignments + if ($testResult) { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } + #endregion - if ($CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has 
changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - - } - } - if (-not $testResult) + if ($testResult) { - return $false + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys } - $ValuesToCheck.Remove('Assignments') | Out-Null - #endregion - - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys Write-Verbose -Message "Test-TargetResource returned $TestResult" 
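Review bot: The rewritten Test-TargetResource body no longer removes the PIN and biometrics keys from `$ValuesToCheck` when `WindowsHelloForBusinessBlocked` is `notconfigured` or `True`, and it no longer strips null-valued keys. If the service does not return those settings while Windows Hello is blocked, as the removed branch suggests, a configuration that still specifies them would report drift on every run and invoke Set-TargetResource each time. Either keep that exclusion ahead of the `Test-M365DSCParameterState` call, or document that those parameters must be omitted in that state. The Ensure mismatch branch also sets `$testResult = $false` without saying why; a line such as `Write-Verbose -Message 'Configuration drift: Ensure does not match'` would make the result traceable.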
@@ -792,6 +731,11 @@ function Export-TargetResource } $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Assignments) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json index bdddc7e8c6..1d0cdf0573 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 index 2659437cce..a0aebd0e44 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 
@@ -373,7 +373,7 @@ function Get-TargetResource try { #Retrieve policy general settings - $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ErrorAction SilentlyContinue + $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ExpandProperty settings -ErrorAction SilentlyContinue if ($null -eq $policy) { @@ -385,12 +385,19 @@ function Get-TargetResource Write-Verbose -Message "No policy with name {$DisplayName} was found." return $nullResult } + + if(([array]$policy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } + + $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $policy.id -ExpandProperty settings -ErrorAction SilentlyContinue + } #Retrieve policy specific settings - [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` - -DeviceManagementConfigurationPolicyId $policy.Id ` - -ErrorAction Stop + $Identity = $policy.id + [array]$settings = $policy.settings $returnHashtable = @{} $returnHashtable.Add('Identity', $policy.id) 
@@ -442,19 +449,14 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $returnHashtable.Add('Assignments', $assignmentResult) + $returnHashtable.Add('Assignments', $returnAssignments) Write-Verbose -Message "Found Endpoint Protection Policy {$($policy.name)}" @@ -476,7 +478,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } 
@@ -1279,6 +1282,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Endpoint Protection Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" 
@@ -1286,58 +1294,22 @@ function Test-TargetResource $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() $ValuesToCheck.Remove('Identity') | Out-Null - if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) - { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false - } $testResult = $true - if ([Array]$Assignments.count -ne $CurrentValues.Assignments.count) + if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Configuration drift:Number of assignments does not match: Source=$([Array]$Assignments.count) Target=$($CurrentValues.Assignments.count)" $testResult = $false } - if ($testResult) - { - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - } + #region Assignments + if ($testResult) + { + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = 
Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } - $ValuesToCheck.Remove('Assignments') | Out-Null + #endregion if ($testResult) { @@ -1451,6 +1423,11 @@ function Export-TargetResource } $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Ensure -eq 'Present') { @@ -1656,7 +1633,7 @@ function Update-IntuneDeviceConfigurationPolicy } $body = $policy | ConvertTo-Json -Depth 20 #write-verbose -Message $body - Invoke-MgGraphRequest -Method PUT -Uri $Uri -Body $body -ErrorAction Stop + Invoke-MgGraphRequest -Method PUT -Uri $Uri -Body $body -ErrorAction Stop 4> Out-Null } catch diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json index f00abc50c8..307c2f8403 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 index eab7b43d76..de530f8d76 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 @@ -70,9 +70,7 @@ function Get-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - $nullResult = @{ - DisplayName = $DisplayName - } + $nullResult = ([Hashtable]$PSBoundParameters).clone() $nullResult.Ensure = 'Absent' try { @@ -104,6 +102,10 @@ function Get-TargetResource Write-Verbose -Message "No App Configuration Policy with DisplayName {$DisplayName} was found" return $nullResult } + if(([array]$configPolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } Write-Verbose -Message "Found App Configuration Policy with Id {$($configPolicy.Id)} and DisplayName {$($configPolicy.DisplayName)}" 
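Review bot: `$nullResult = ([Hashtable]$PSBoundParameters).clone()` makes the not-found result of Get-TargetResource carry every bound parameter, including `Credential` and `ApplicationSecret` when supplied, where it used to hold only `DisplayName` and `Ensure`. Test-TargetResource in this file passes the returned hashtable to `Convert-M365DscHashtableToString` inside a `Write-Verbose` call, so it is worth confirming that the helper masks secret values before they reach a verbose log. The clone appears to be needed because the `Test-M365DSCAuthenticationParameter` guard treats missing authentication parameters as a failure. If so, a comment above the line would help, for example `# keep the authentication parameters: their absence marks a failed Get-TargetResource`.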
@@ -122,19 +124,14 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceAppManagementTargetedManagedAppConfigurationAssignment -TargetedManagedAppConfigurationId $configPolicy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceAppManagementTargetedManagedAppConfigurationAssignment -TargetedManagedAppConfigurationId $configPolicy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $returnHashtable.Add('Assignments', $assignmentResult) + $returnHashtable.Add('Assignments', $returnAssignments) return $returnHashtable } @@ -146,6 +143,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -355,79 +353,68 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Intune App Configuration Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck $ValuesToCheck.Remove('Id') | Out-Null + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false - } - if ($CurrentValues.Ensure -eq 'Absent' -and $PSBoundParameters.Ensure -eq 'Absent') - { - Write-Verbose -Message "Test-TargetResource returned $true" - return $true + $testResult = $false } - $testResult = $true - #Compare Cim instances - foreach ($key in $PSBoundParameters.Keys) + $ValuesToCheck = $PSBoundParameters + $ValuesToCheck.Remove('Credential') | Out-Null + $ValuesToCheck.Remove('ApplicationId') | Out-Null + $ValuesToCheck.Remove('TenantId') | Out-Null + $ValuesToCheck.Remove('ApplicationSecret') | Out-Null + $ValuesToCheck.Remove('CustomSettings') | Out-Null + + #region CustomSettings + if ($testResult) { - $source = $PSBoundParameters.$key - $target = $CurrentValues.$key - if ($source.getType().Name -like '*CimInstance*') - { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source + $source = $PSBoundParameters.CustomSettings + $target = 
$CurrentValues.CustomSettings - $testResult = Compare-M365DSCComplexObject ` - -Source ($source) ` - -Target ($target) + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) - if ($key -eq "Assignments") - { - $testResult = $source.count -eq $target.count - if (-Not $testResult) { break } - foreach ($assignment in $source) - { - if ($assignment.dataType -like '*GroupAssignmentTarget') - { - $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupId -eq $assignment.groupId}) - #Using assignment groupDisplayName only if the groupId is not found in the directory otherwise groupId should be the key - if (-not $testResult) - { - $groupNotFound = $null -eq (Get-MgGroup -GroupId ($assignment.groupId) -ErrorAction SilentlyContinue) - } - if (-not $testResult -and $groupNotFound) - { - $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupDisplayName -eq $assignment.groupDisplayName}) - } - } - else - { - $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType}) - } - if (-Not $testResult) { break } - } - if (-Not $testResult) { break } - } - if (-Not $testResult) { break } - - $ValuesToCheck.Remove($key) | Out-Null + if (-Not $testResult) + { + $testResult = $false + break } + $ValuesToCheck.Remove('CustomSettings') | Out-Null } + #endregion - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" - Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + #region Assignments + if ($testResult) + { + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | 
Out-Null + } + #endregion - if ($TestResult) + if ($testResult) { $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys } - Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult @@ -510,6 +497,12 @@ function Export-TargetResource Managedidentity = $ManagedIdentity.IsPresent } $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } + if ($Results.CustomSettings.Count -gt 0) { $Results.CustomSettings = Get-M365DSCIntuneAppConfigurationPolicyCustomSettingsAsString -Settings $Results.CustomSettings diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json index b3e924b2f7..e5bfa4dcaf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/MSFT_IntuneAppProtectionPolicyAndroid.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/MSFT_IntuneAppProtectionPolicyAndroid.psm1 index 1a04856c16..b2e0ebca32 100644 
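Review bot: `$ValuesToCheck = $PSBoundParameters` in the new Test-TargetResource body replaces the filtered clone built a few lines earlier with a reference to `$PSBoundParameters` itself, so every `Remove` that follows edits the bound parameters. In particular, `$ValuesToCheck.Remove('CustomSettings')` runs before the CustomSettings region reads `$PSBoundParameters.CustomSettings`, so `$source` there is always null and the desired custom settings are never compared with the current ones. Drop that assignment and the early `Remove('CustomSettings')` so that the clone is the hashtable being filtered. The `break` inside `if (-Not $testResult)` is no longer inside a loop and would unwind into the caller; delete it, since the enclosing `if ($testResult)` guards already stop further comparison.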
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/MSFT_IntuneAppProtectionPolicyAndroid.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/MSFT_IntuneAppProtectionPolicyAndroid.psm1 @@ -345,15 +345,13 @@ function Get-TargetResource } catch { - Write-Verbose -Message "ERROR on get-targetresource for $displayName" - $nullResult.Ensure = 'ERROR' - New-M365DSCLogEntry -Message 'Error retrieving data:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } @@ -932,6 +930,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Android App Protection Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } if ($CurrentValues.Ensure -eq 'ERROR') { 
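Review bot: The `if ($CurrentValues.Ensure -eq 'ERROR')` check that follows the new guard in Test-TargetResource looks unreachable now, because the Get-TargetResource hunk above removes the only visible assignment, `$nullResult.Ensure = 'ERROR'`. Remove that branch, or mark it with a comment such as `# legacy: Get-TargetResource no longer returns Ensure = 'ERROR'`, so the two error signals are not read as independent checks. The body of that branch is outside the hunk, so confirm that nothing else sets the value before deleting it.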
@@ -1107,7 +1110,12 @@ function Export-TargetResource CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json index c70b824025..10e50f1081 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json index d2fd86113a..270c79777d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } 
@@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 index 7231018cf5..3f7a12d3d9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 @@ -84,6 +84,11 @@ function Get-TargetResource #Retrieve policy general settings $policy = Get-MgBetaDeviceManagementIntent -Filter "displayName eq '$DisplayName'" -ErrorAction Stop | Where-Object -FilterScript { $_.TemplateId -eq '63be6324-e3c9-4c97-948a-e7f4b96f0f20' } + if(([array]$policy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } + if ($null -eq $policy) { Write-Verbose -Message "No Endpoint Protection Application Control Policy {$DisplayName} was found" 
@@ -112,19 +117,12 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementIntentAssignment -DeviceManagementIntentId $policy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementIntentAssignment -DeviceManagementIntentId $policy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment -Assignments $graphAssignments -IncludeDeviceFilter:$true } - $returnHashtable.Add('Assignments', $assignmentResult) + $returnHashtable.Add('Assignments', $returnAssignments) return $returnHashtable } catch @@ -135,6 +133,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -375,6 +374,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Endpoint Protection Application Control Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" 
@@ -384,69 +388,28 @@ function Test-TargetResource $ValuesToCheck.Remove('TenantId') | Out-Null $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - #region Assignments $testResult = $true - - if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)) + if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false + $testResult = $false } - - if ($CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - } - } - if (-not $testResult) + #region Assignments + if ($TestResult) { - return $false + $source = 
Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } - $ValuesToCheck.Remove('Assignments') | Out-Null #endregion - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys + if ($TestResult) + { + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } Write-Verbose -Message "Test-TargetResource returned $TestResult" @@ -534,7 +497,11 @@ function Export-TargetResource } $Results = Get-TargetResource @params - + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Assignments) { $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName DeviceManagementConfigurationPolicyAssignments diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json index 6c5d9e4b38..0bd2d39195 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json 
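Review bot: The added `if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure)` reads the desired value from `$PSBoundParameters`, which holds only the parameters the caller actually passed; if `Ensure` has a default and is omitted from the configuration, the comparison is against `$null` and the test fails on every run. Comparing against the parameter variable avoids that, `if ($CurrentValues.Ensure -ne $Ensure)`, though the param block is outside the hunk, so confirm `Ensure` is declared there. The branch also sets `$testResult = $false` without saying why, and the later `Test-M365DSCParameterState` call is now skipped, so I would add `Write-Verbose -Message "Configuration drift: Ensure is {$($CurrentValues.Ensure)}"` inside it. The hunk mixes `$testResult` and `$TestResult`; one spelling would read better.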
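Review bot: The added `throw` in Export-TargetResource does not match its own message, which says the policy "will not be processed". Throwing leaves the function altogether unless something catches it per policy, so one failing policy may stop the export of every policy after it. The enclosing loop and any try/catch are outside the hunk, so this needs checking there. If skipping only the failing policy is the intent and this code runs inside the per-policy loop, the block could end with `continue` after the `Write-Verbose` call instead of `throw`. The same block is added to the Export-TargetResource hunks of the other resources in this commit.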
@@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 index 39d61be227..49d3415dd6 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 @@ -186,6 +186,10 @@ function Get-TargetResource -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.androidCompliancePolicy' -and ` $_.displayName -eq $($DisplayName) } + if(([array]$devicePolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } if ($null -eq $devicePolicy) { Write-Verbose -Message "No Android Device Compliance Policy with displayName {$DisplayName} was found" 
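Review bot: Adding `Group.Read.All` to both `read` lists grants more than resolving an assignment's group by display name needs. That scope also covers group content such as conversations and files, while `GroupMember.Read.All` is enough to list groups and read their basic properties. I would request the narrower scope, `"name": "GroupMember.Read.All"`, in the delegated and application lists alike, unless another code path of this resource needs the broader one. Only the `read` lists are touched here; whether the `update` lists need the same entry depends on code outside these hunks. The same addition is made in the settings.json of the other resources in this commit.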
@@ -234,19 +238,14 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -258,6 +257,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -707,6 +707,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Intune Android Device Compliance Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" 
@@ -717,75 +722,28 @@ function Test-TargetResource $ValuesToCheck.Remove('TenantId') | Out-Null $ValuesToCheck.Remove('ApplicationSecret') | Out-Null + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false + $testResult = $false } #region Assignments - $testResult = $true - - if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)) + if ($testResult) { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } + #endregion - if ($CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: 
{$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - } - } - if (-not $testResult) + if ($testResult) { - return $false + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys } - $ValuesToCheck.Remove('Assignments') | Out-Null - #endregion - - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult @@ -869,7 +827,12 @@ function Export-TargetResource CertificateThumbprint = $CertificateThumbprint Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Assignments) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json index 6ac3bd8092..f744b68ee9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json 
@@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 index 75d548ae46..d52429d287 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 @@ -139,7 +139,10 @@ function Get-TargetResource $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.androidDeviceOwnerCompliancePolicy' -and ` $_.displayName -eq $($DisplayName) } - + if(([array]$devicePolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } if ($null -eq $devicePolicy) { Write-Verbose -Message "No Intune Android Device Owner Device Compliance Policy with displayName {$DisplayName} was found" 
@@ -176,19 +179,14 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -200,6 +198,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -558,6 +557,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Intune Android Work Profile Device Compliance Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" 
@@ -570,76 +574,28 @@ function Test-TargetResource $ValuesToCheck.Remove('CertificateThumbprint') | Out-Null $ValuesToCheck.Remove('ManagedIdentity') | Out-Null + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false + $testResult = $false } #region Assignments - $testResult = $true - - if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)) + if ($testResult) { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } + #endregion - if ($CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: 
{$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - - } - } - if (-not $testResult) + if ($testResult) { - return $false + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys } - $ValuesToCheck.Remove('Assignments') | Out-Null - #endregion - - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult @@ -725,7 +681,12 @@ function Export-TargetResource CertificateThumbprint = $CertificateThumbprint Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Assignments) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json index c3b7a98d3f..d32693cec5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 index 256d43baf4..5f38012691 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 @@ -175,7 +175,10 @@ function Get-TargetResource -ErrorAction SilentlyContinue | Where-Object ` -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.androidWorkProfileCompliancePolicy' -and ` $_.displayName -eq $($DisplayName) } - + if(([array]$devicePolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } if ($null -eq $devicePolicy) { Write-Verbose -Message "No Intune Android Work Profile Device Compliance Policy with displayName {$DisplayName} was found" 
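Review bot: The duplicate-name check added to the AndroidWorkProfile Get-TargetResource runs on the output of a call made with `-ErrorAction SilentlyContinue` (visible in the context lines above it), so a failed Graph request leaves `$devicePolicy` empty and is reported as "no policy found" rather than as an error. That path presumably never reaches the catch block, so the failure check this commit adds to Test-TargetResource will not fire and a policy that exists can be treated as absent. I would change the call to `-ErrorAction Stop`, which the MacOS resource's call in this commit already uses. The Windows10 resource's Get-TargetResource hunk shows the same `SilentlyContinue`. The cmdlet call itself starts outside the hunk.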
@@ -222,19 +225,14 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -246,6 +244,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -670,6 +669,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Intune Android Work Profile Device Compliance Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" 
@@ -680,76 +684,28 @@ function Test-TargetResource $ValuesToCheck.Remove('TenantId') | Out-Null $ValuesToCheck.Remove('ApplicationSecret') | Out-Null + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false + $testResult = $false } #region Assignments - $testResult = $true - - if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)) + if ($testResult) { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } + #endregion - if ($CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: 
{$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - - } - } - if (-not $testResult) + if ($testResult) { - return $false + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys } - $ValuesToCheck.Remove('Assignments') | Out-Null - #endregion - - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult @@ -833,7 +789,12 @@ function Export-TargetResource CertificateThumbprint = $CertificateThumbprint Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.Assignments) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json index 2a9f984ec7..ab503e6e12 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 index 864a3cf2c3..537f689115 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 @@ -158,7 +158,10 @@ function Get-TargetResource -ErrorAction Stop | Where-Object ` -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.macOSCompliancePolicy' -and ` $_.displayName -eq $($DisplayName) } - + if(([array]$devicePolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } if ($null -eq $devicePolicy) { Write-Verbose -Message "No MacOS Device Compliance Policy with displayName {$DisplayName} was found" 
@@ -200,19 +203,15 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) + return [System.Collections.Hashtable] $results } @@ -224,6 +223,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -616,6 +616,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Intune Device Compliance MacOS Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" 
@@ -627,76 +632,28 @@ function Test-TargetResource $ValuesToCheck.Remove('ApplicationSecret') | Out-Null + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false + $testResult = $false } #region Assignments - $testResult = $true - - if (($null -ne $CurrentValues.Assignments) -xor ($null -ne $ValuesToCheck.Assignments)) + if ($testResult) { - Write-Verbose -Message 'Configuration drift: one the assignment is null' - return $false + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } + #endregion - if ($null -ne $CurrentValues.Assignments) - { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - 
$testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - - } - } - if (-not $testResult) + if ($testResult) { - return $false + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys } - $ValuesToCheck.Remove('Assignments') | Out-Null - #endregion - - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult @@ -781,7 +738,13 @@ function Export-TargetResource CertificateThumbprint = $CertificateThumbprint Managedidentity = $ManagedIdentity.IsPresent } - $results = Get-TargetResource @params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } + if ($Results.Assignments) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json index f939681409..bd59e189c5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json 
@@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 index 0e78c8b97a..ca8a3c3d06 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 @@ -200,7 +200,10 @@ function Get-TargetResource -ErrorAction SilentlyContinue | Where-Object ` -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.windows10CompliancePolicy' -and ` $_.displayName -eq $($DisplayName) } - + if(([array]$devicePolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } if ($null -eq $devicePolicy) { Write-Verbose -Message "No Windows 10 Device Compliance Policy with displayName {$DisplayName} was found" 
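Review bot: `Group.Read.All` is added to the delegated and application `read` lists without any record of why the wider scope is needed. The scope allows reading every group in the tenant, so existing deployments will likely need fresh admin consent. The changelog entries about assignment `GroupDisplayName` suggest it is there to resolve group names; if the lookup only lists groups by display name, a narrower scope such as `GroupMember.Read.All` may be enough. The `update` lists lie outside these hunks, and if `Set-TargetResource` resolves group names as well they would need the same entry. The same addition is made in the other `settings.json` files in this commit.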
@@ -252,9 +255,16 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $myAssignments = @() - $myAssignments += Get-M365DSCDeviceManagementPolicyAssignments -DeviceManagementPolicyId $devicePolicy.id -repository 'deviceCompliancePolicies' - $results.Add('Assignments', $myAssignments) + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id + if ($graphAssignments.count -gt 0) + { + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) + } + $results.Add('Assignments', $returnAssignments) + return [System.Collections.Hashtable] $results } catch @@ -265,6 +275,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } @@ -738,6 +749,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Intune Device Compliance Windows 10 Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" 
@@ -748,85 +764,20 @@ function Test-TargetResource $ValuesToCheck.Remove('TenantId') | Out-Null $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) - { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false - } $testResult = $true - if (([Array]$Assignments).count -ne $CurrentValues.Assignments.count) + if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Configuration drift:Number of assignments does not match: Source=$([Array]$Assignments.count) Target=$($CurrentValues.Assignments.count)" $testResult = $false } + #region Assignments if ($testResult) { - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - - $CIMAssignmentAsHash = Get-M365DSCAssignmentsAsHashtable -CIMAssignment $source - } - #collectionId Assignment - elseif (-not [String]::IsNullOrEmpty($assignment.collectionId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.collectionId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: collectionId {$($assignment.collectionId)} not found" - $testResult = $false - break - } - - $CIMAssignmentAsHash = Get-M365DSCAssignmentsAsHashtable -CIMAssignment $source - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - $testResult = $false - break - } - $CIMAssignmentAsHash = Get-M365DSCAssignmentsAsHashtable 
-CIMAssignment $source - } - - foreach ($key in $assignment.keys) - { - $compareResult = Compare-Object ` - -ReferenceObject @($assignment[$key] | Select-Object) ` - -DifferenceObject @($CIMAssignmentAsHash[$key] | Select-Object) - - if ($null -ne $compareResult) - { - Write-Verbose -Message "Configuration drift in assignment key: $key - CurrentValue $($assignment[$key]|Out-String)" - Write-Verbose -Message "Configuration drift in assignment key: $key - TargetValue $($CIMAssignmentAsHash[$key]|Out-String)" - return $false - } - } - - if (-not $testResult) - { - $testResult = $false - break - } - - } - + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } - - $ValuesToCheck.Remove('Assignments') | Out-Null + #endregion if ($testResult) { @@ -834,7 +785,6 @@ function Test-TargetResource -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys - } Write-Verbose -Message "Test-TargetResource returned $TestResult" @@ -919,7 +869,13 @@ function Export-TargetResource CertificateThumbprint = $CertificateThumbprint Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json index 08a66e8728..876c98b3c1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 index d9fe71c7a5..be6be2df95 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 @@ -149,7 +149,10 @@ function Get-TargetResource -ErrorAction SilentlyContinue | Where-Object ` -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.iosCompliancePolicy' -and ` $_.displayName -eq $($DisplayName) } - + if(([array]$devicePolicy).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } if ($null -eq $devicePolicy) { Write-Verbose -Message "No iOS Device Compliance Policy with displayName {$DisplayName} was found" 
@@ -189,19 +192,14 @@ function Get-TargetResource } $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + $graphAssignments = Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $devicePolicy.Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -213,6 +211,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -601,6 +600,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Intune Device Compliance iOS Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" 
@@ -611,46 +615,28 @@ function Test-TargetResource $ValuesToCheck.Remove('TenantId') | Out-Null $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - #region Assignments + $testResult = $true if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false + $testResult = $false } - $testResult = $true - - #Compare Cim instances - foreach ($key in $PSBoundParameters.Keys) + #region Assignments + if ($testResult) { - $source = $PSBoundParameters.$key - $target = $CurrentValues.$key - if ($source.getType().Name -like '*CimInstance*') - { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - - $testResult = Compare-M365DSCComplexObject ` - -Source ($source) ` - -Target ($target) - - if (-Not $testResult) - { - $testResult = $false - break - } - - $ValuesToCheck.Remove($key) | Out-Null - } + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null } #endregion if ($testResult) { - $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys } - Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult 
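Review bot: Only `Assignments` is compared as a complex object now, whereas the removed loop compared every bound parameter whose type name matched `*CimInstance*` and took each one out of `$ValuesToCheck`. `Export-TargetResource` in this file reads `$Results.RestrictedApps`, so if that parameter is a CIM instance array it now reaches `Test-M365DSCParameterState` unconverted. Drift in the restricted-app list may then be missed or falsely reported, depending on how that helper handles CIM instances. Either keep the generic loop for the non-assignment keys or add a comment stating that `Test-M365DSCParameterState` covers them. The function body continues outside the hunk.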
@@ -734,7 +720,12 @@ function Export-TargetResource CertificateThumbprint = $CertificateThumbprint Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } if ($Results.RestrictedApps) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json index 40c5882040..4f70de0036 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 index 14affae7de..144f52df92 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 @@ -94,14 +94,19 @@ function Get-TargetResource $getValue = Get-MgBetaDeviceManagementGroupPolicyConfiguration ` -Filter "DisplayName eq '$DisplayName'" ` -ErrorAction SilentlyContinue + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Administrative Template Policy for Windows10 with DisplayName {$DisplayName}" + return $nullResult + } + if(([array]$getValue).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } } #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Intune Device Configuration Administrative Template Policy for Windows10 with DisplayName {$DisplayName}" - return $nullResult - } + $Id = $getValue.Id Write-Verbose -Message "An Intune Device Configuration Administrative Template Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName} was found." 
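Review bot: The `$null -eq $getValue` guard now runs only inside the display-name fallback branch, whereas the removed copy ran after `#endregion` on every path. If the Id lookup returns nothing and the inner branch is not entered (its condition starts outside the hunk, for example an empty `$DisplayName`), a null `$getValue` reaches `$Id = $getValue.Id` and the function continues with an empty id instead of returning `$nullResult`. Keeping `if ($null -eq $getValue) { return $nullResult }` after `#endregion` as well restores the old behaviour. The Custom, Defender for Endpoint onboarding and Delivery Optimization `Get-TargetResource` hunks move the guard the same way.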
@@ -227,19 +232,15 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementGroupPolicyConfigurationAssignment -GroupPolicyConfigurationId $Id - $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementGroupPolicyConfigurationAssignment -GroupPolicyConfigurationId $Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return $results } @@ -261,6 +262,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential } + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -665,6 +667,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Configuration Administrative Template Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() @@ -714,6 +721,11 @@ function Test-TargetResource -Source ($source) ` -Target ($target) + if ($key -eq 'Assignments') + { + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + } + if (-Not $testResult) { $testResult = $false @@ -835,7 +847,12 @@ function Export-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json index ef5aae1c68..4636671998 100644 
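Review bot: For the `Assignments` key the comparison now runs twice. The call whose `-Source`/`-Target` arguments appear as context just above the added block (it starts outside the hunk) still executes, and `Compare-M365DSCIntunePolicyAssignment` then overwrites its result. Any drift messages the first call logs for assignments are misleading, since its verdict is discarded. Making the two calls the branches of a single `if ($key -eq 'Assignments') { … } else { … }` avoids that. The Custom, Defender for Endpoint onboarding and Delivery Optimization `Test-TargetResource` hunks add the same block.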
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json @@ -5,7 +5,10 @@ "graph": { "delegated": { "read": [ - { + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], @@ -17,7 +20,10 @@ }, "application": { "read": [ - { + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 index e35f2b96c7..4586beaf3f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 
@@ -96,14 +96,20 @@ function Get-TargetResource -FilterScript { ` $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windows10CustomConfiguration" ` } + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Custom Policy for Windows10 with DisplayName {$DisplayName}" + return $nullResult + } + if(([array]$getValue).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } } #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Intune Device Configuration Custom Policy for Windows10 with DisplayName {$DisplayName}" - return $nullResult - } + $Id = $getValue.Id Write-Verbose -Message "An Intune Device Configuration Custom Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName} was found." @@ -115,6 +121,7 @@ function Get-TargetResource if ($currentomaSettings.isEncrypted -eq $true) { + write-verbose ("IsEncrypted = true -- $($currentomaSettings.displayName)") $SecretReferenceValueId = $currentomaSettings.secretReferenceValueId $OmaSettingPlainTextValue = Get-OmaSettingPlainTextValue -SecretReferenceValueId $SecretReferenceValueId if (![String]::IsNullOrEmpty($OmaSettingPlainTextValue)) 
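Review bot: The added trace `write-verbose ("IsEncrypted = true -- …")` in the second hunk reads like leftover debugging and does not follow the `Write-Verbose -Message` form used elsewhere in the file. It logs only the setting's display name, which is fine. The next lines fetch the decrypted value through `Get-OmaSettingPlainTextValue`, so a comment here should say that `$OmaSettingPlainTextValue` must never be added to verbose output. Suggested wording: `Write-Verbose -Message "OMA setting {$($currentomaSettings.displayName)} is encrypted; resolving its secret reference"`.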
@@ -165,20 +172,16 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id - $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -190,7 +193,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } 
@@ -446,6 +450,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Configuration Custom Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) @@ -468,6 +477,10 @@ function Test-TargetResource -Source ($source) ` -Target ($target) + if ($key -eq 'Assignments') + { + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + } if (-Not $testResult) { $testResult = $false @@ -587,7 +600,12 @@ function Export-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results if ($null -ne $Results.OmaSettings) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json index a9b8d6e3a0..4f57251847 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json @@ -5,7 +5,10 @@ "graph": { "delegated": { "read": [ - { + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], @@ -16,8 +19,11 @@ ] }, "application": { - "read": [ - { + "read": [ + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 index 5607bb05f1..c5ea49acb8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 
@@ -116,14 +116,19 @@ function Get-TargetResource -FilterScript { ` $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windowsDefenderAdvancedThreatProtectionConfiguration" ` } + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Defender For Endpoint Onboarding Policy for Windows10 with DisplayName {$DisplayName}" + return $nullResult + } + if(([array]$getValue).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } } #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Intune Device Configuration Defender For Endpoint Onboarding Policy for Windows10 with DisplayName {$DisplayName}" - return $nullResult - } + $Id = $getValue.Id Write-Verbose -Message "An Intune Device Configuration Defender For Endpoint Onboarding Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName} was found." 
@@ -148,20 +153,15 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id - $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -173,6 +173,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -447,6 +448,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Configuration Defender For Endpoint Onboarding Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) @@ -469,6 +475,10 @@ function Test-TargetResource -Source ($source) ` -Target ($target) + if ($key -eq 'Assignments') + { + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + } if (-Not $testResult) { $testResult = $false @@ -588,7 +598,12 @@ function Export-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results if ($Results.Assignments) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json index fa063bd0d5..1ec45e354d 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json @@ -5,7 +5,10 @@ "graph": { "delegated": { "read": [ - { + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], @@ -17,7 +20,10 @@ }, "application": { "read": [ - { + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 index 133d05a210..ce5217efc4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 
@@ -160,14 +160,20 @@ function Get-TargetResource $getValue = Get-MgBetaDeviceManagementDeviceConfiguration ` -Filter "DisplayName eq '$DisplayName'" ` -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Delivery Optimization Policy for Windows10 with DisplayName {$DisplayName}" + return $nullResult + } + if(([array]$getValue).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } } #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Intune Device Configuration Delivery Optimization Policy for Windows10 with DisplayName {$DisplayName}" - return $nullResult - } + $Id = $getValue.Id Write-Verbose -Message "An Intune Device Configuration Delivery Optimization Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName} was found." 
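Review bot: The new not-found and duplicate checks depend on a filter that interpolates `$DisplayName` unescaped, `-Filter "DisplayName eq '$DisplayName'"`. A display name containing an apostrophe produces a malformed filter, and because the call uses `-ErrorAction SilentlyContinue` the failure is swallowed, so the policy would presumably be reported as not found. OData string literals escape a quote by doubling it: `-Filter "DisplayName eq '$($DisplayName -replace "'", "''")'"`. The Administrative Template `Get-TargetResource` hunk uses the same filter form.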
@@ -288,23 +294,15 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id - $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) - + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } catch @@ -315,6 +313,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
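Review bot: The added `Clear-M365DSCAuthenticationParameter` call in the catch block is an undocumented error signal: Test-TargetResource and Export-TargetResource later treat a result without authentication parameters as a failed Get-TargetResource. A comment on the line would make that contract visible, for example `# Strip the auth parameters so callers can tell a failure from a policy that is absent`. Without it the line reads as cleanup and is easy to remove by accident, which would turn errors back into an ordinary not-found result. The catch block starts outside this hunk, and the same line is added to Get-TargetResource in the other resources of this commit.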
@@ -681,6 +680,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Configuration Delivery Optimization Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck $ValuesToCheck.Remove('Id') | Out-Null @@ -705,6 +709,11 @@ function Test-TargetResource -Source ($source) ` -Target ($target) + if ($key -eq 'Assignments') + { + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + } + if (-Not $testResult) { $testResult = $false @@ -819,7 +828,12 @@ function Export-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results if ( $null -ne $Results.BandwidthMode) 
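Review bot: The guard's messages misspell "occurred" as `occured`, in both the `Write-Verbose` and the `throw` string here and again in the Export-TargetResource hunk. Operators search logs for this text, so it is worth fixing before it is copied further: `throw "An error occurred in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information."`. The same strings are added in the Domain Join, Email Profile and Endpoint Protection resources.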
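Review bot: For the `Assignments` key the comparison result computed just above is discarded, because the added `if` overwrites `$testResult` after the call ending in `-Target ($target)` has already run. Any verbose or drift output that first call produces for assignments is then misleading, and the work is wasted. Branching before the generic call avoids both: `if ($key -eq 'Assignments') { $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target }` with the existing comparison moved into an `else`. The start of the generic call is outside this hunk, so its name is not visible here. The same insertion is made in the other Test-TargetResource hunks of this commit.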
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json index 7a4ac875c3..ad18510898 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 index 01120c5c19..627f2bd758 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 
@@ -108,14 +108,19 @@ function Get-TargetResource -FilterScript { ` $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windowsDomainJoinConfiguration" ` } + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Domain Join Policy for Windows10 with DisplayName {$DisplayName}" + return $nullResult + } + if(([array]$getValue).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } } #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Intune Device Configuration Domain Join Policy for Windows10 with DisplayName {$DisplayName}" - return $nullResult - } + $Id = $getValue.Id Write-Verbose -Message "An Intune Device Configuration Domain Join Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName} was found." 
@@ -138,20 +143,15 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id - $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -163,7 +163,8 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult } } 
@@ -421,6 +422,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Configuration Domain Join Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) @@ -443,6 +449,11 @@ function Test-TargetResource -Source ($source) ` -Target ($target) + if ($key -eq 'Assignments') + { + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + } + if (-Not $testResult) { $testResult = $false @@ -562,7 +573,12 @@ function Export-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results if ($Results.Assignments) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json index 283b168e60..2ebe5a545e 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json @@ -5,7 +5,10 @@ "graph": { "delegated": { "read": [ - { + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], @@ -17,7 +20,10 @@ }, "application": { "read": [ - { + { + "name": "Group.Read.All" + }, + { "name": "DeviceManagementConfiguration.Read.All" } ], diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 index 1666e3262e..00adc0b616 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 
@@ -10,17 +10,17 @@ function Get-TargetResource $AccountName, [Parameter()] - [ValidateSet('userDefined','oneDay','threeDays','oneWeek','twoWeeks','oneMonth','unlimited')] + [ValidateSet('userDefined', 'oneDay', 'threeDays', 'oneWeek', 'twoWeeks', 'oneMonth', 'unlimited')] [System.String] $DurationOfEmailToSync, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress')] [System.String] $EmailAddressSource, [Parameter()] - [ValidateSet('userDefined','asMessagesArrive','manual','fifteenMinutes','thirtyMinutes','sixtyMinutes','basedOnMyUsage')] + [ValidateSet('userDefined', 'asMessagesArrive', 'manual', 'fifteenMinutes', 'thirtyMinutes', 'sixtyMinutes', 'basedOnMyUsage')] [System.String] $EmailSyncSchedule, @@ -49,17 +49,17 @@ function Get-TargetResource $CustomDomainName, [Parameter()] - [ValidateSet('fullDomainName','netBiosDomainName')] + [ValidateSet('fullDomainName', 'netBiosDomainName')] [System.String] $UserDomainNameSource, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress','samAccountName')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress', 'samAccountName')] [System.String] $UsernameAADSource, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress')] [System.String] $UsernameSource, @@ -132,7 +132,7 @@ function Get-TargetResource $getValue = $null #region resource generator code - $getValue = Get-MgBetaDeviceManagementDeviceConfiguration -DeviceConfigurationId $Id -ErrorAction SilentlyContinue + $getValue = Get-MgBetaDeviceManagementDeviceConfiguration -DeviceConfigurationId $Id -ErrorAction SilentlyContinue if ($null -eq $getValue) { 
@@ -144,16 +144,22 @@ function Get-TargetResource -Filter "DisplayName eq '$DisplayName'" ` -ErrorAction SilentlyContinue | Where-Object ` -FilterScript { ` - $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windows10EasEmailProfileConfiguration" ` - } + $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.windows10EasEmailProfileConfiguration' ` + } + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Email Profile Policy for Windows10 with DisplayName {$DisplayName}" + return $nullResult + } + if (([array]$getValue).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } } #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Intune Device Configuration Email Profile Policy for Windows10 with DisplayName {$DisplayName}" - return $nullResult - } + $Id = $getValue.Id Write-Verbose -Message "An Intune Device Configuration Email Profile Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName} was found." 
@@ -222,20 +228,16 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id - $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + if ($graphAssignments.count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -247,6 +249,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -262,17 +265,17 @@ function Set-TargetResource $AccountName, [Parameter()] - [ValidateSet('userDefined','oneDay','threeDays','oneWeek','twoWeeks','oneMonth','unlimited')] + [ValidateSet('userDefined', 'oneDay', 'threeDays', 'oneWeek', 'twoWeeks', 'oneMonth', 'unlimited')] [System.String] $DurationOfEmailToSync, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress')] [System.String] $EmailAddressSource, [Parameter()] - [ValidateSet('userDefined','asMessagesArrive','manual','fifteenMinutes','thirtyMinutes','sixtyMinutes','basedOnMyUsage')] + [ValidateSet('userDefined', 'asMessagesArrive', 'manual', 'fifteenMinutes', 'thirtyMinutes', 'sixtyMinutes', 'basedOnMyUsage')] [System.String] $EmailSyncSchedule, @@ -301,17 +304,17 @@ function Set-TargetResource $CustomDomainName, [Parameter()] - [ValidateSet('fullDomainName','netBiosDomainName')] + [ValidateSet('fullDomainName', 'netBiosDomainName')] [System.String] $UserDomainNameSource, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress','samAccountName')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress', 'samAccountName')] [System.String] $UsernameAADSource, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress')] [System.String] $UsernameSource, @@ -380,7 +383,7 @@ function Set-TargetResource if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { Write-Verbose -Message "Creating an Intune Device Configuration Email Profile Policy for Windows10 with DisplayName {$DisplayName}" - $BoundParameters.Remove("Assignments") | Out-Null + $BoundParameters.Remove('Assignments') | Out-Null $CreateParameters = ([Hashtable]$BoundParameters).clone() $CreateParameters = Rename-M365DSCCimInstanceParameter -Properties $CreateParameters 
@@ -395,7 +398,7 @@ function Set-TargetResource } } #region resource generator code - $CreateParameters.Add("@odata.type", "#microsoft.graph.windows10EasEmailProfileConfiguration") + $CreateParameters.Add('@odata.type', '#microsoft.graph.windows10EasEmailProfileConfiguration') $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters $assignmentsHash = @() foreach ($assignment in $Assignments) @@ -405,7 +408,7 @@ function Set-TargetResource if ($policy.id) { - Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` + Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceConfigurations' } @@ -414,7 +417,7 @@ function Set-TargetResource elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { Write-Verbose -Message "Updating the Intune Device Configuration Email Profile Policy for Windows10 with Id {$($currentInstance.Id)}" - $BoundParameters.Remove("Assignments") | Out-Null + $BoundParameters.Remove('Assignments') | Out-Null $UpdateParameters = ([Hashtable]$BoundParameters).clone() $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters @@ -430,7 +433,7 @@ function Set-TargetResource } } #region resource generator code - $UpdateParameters.Add("@odata.type", "#microsoft.graph.windows10EasEmailProfileConfiguration") + $UpdateParameters.Add('@odata.type', '#microsoft.graph.windows10EasEmailProfileConfiguration') Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters 
@@ -466,17 +469,17 @@ function Test-TargetResource $AccountName, [Parameter()] - [ValidateSet('userDefined','oneDay','threeDays','oneWeek','twoWeeks','oneMonth','unlimited')] + [ValidateSet('userDefined', 'oneDay', 'threeDays', 'oneWeek', 'twoWeeks', 'oneMonth', 'unlimited')] [System.String] $DurationOfEmailToSync, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress')] [System.String] $EmailAddressSource, [Parameter()] - [ValidateSet('userDefined','asMessagesArrive','manual','fifteenMinutes','thirtyMinutes','sixtyMinutes','basedOnMyUsage')] + [ValidateSet('userDefined', 'asMessagesArrive', 'manual', 'fifteenMinutes', 'thirtyMinutes', 'sixtyMinutes', 'basedOnMyUsage')] [System.String] $EmailSyncSchedule, @@ -505,17 +508,17 @@ function Test-TargetResource $CustomDomainName, [Parameter()] - [ValidateSet('fullDomainName','netBiosDomainName')] + [ValidateSet('fullDomainName', 'netBiosDomainName')] [System.String] $UserDomainNameSource, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress','samAccountName')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress', 'samAccountName')] [System.String] $UsernameAADSource, [Parameter()] - [ValidateSet('userPrincipalName','primarySmtpAddress')] + [ValidateSet('userPrincipalName', 'primarySmtpAddress')] [System.String] $UsernameSource, 
@@ -581,6 +584,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Configuration Email Profile Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) @@ -603,6 +611,11 @@ function Test-TargetResource -Source ($source) ` -Target ($target) + if ($key -eq 'Assignments') + { + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + } + if (-Not $testResult) { $testResult = $false @@ -689,7 +702,7 @@ function Export-TargetResource -ErrorAction Stop | Where-Object ` -FilterScript { ` $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.windows10EasEmailProfileConfiguration' ` - } + } #endregion $i = 1 
@@ -711,18 +724,23 @@ function Export-TargetResource } Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline $params = @{ - Id = $config.Id - DisplayName = $config.DisplayName - Ensure = 'Present' - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - ApplicationSecret = $ApplicationSecret + Id = $config.Id + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint - Managedidentity = $ManagedIdentity.IsPresent + Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results if ($Results.Assignments) @@ -744,7 +762,7 @@ function Export-TargetResource -Credential $Credential if ($Results.Assignments) { - $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -isCIMArray:$true + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$true } $dscContent += $currentDSCBlock 
@@ -758,7 +776,7 @@ function Export-TargetResource catch { if ($_.Exception -like '*401*' -or $_.ErrorDetails.Message -like "*`"ErrorCode`":`"Forbidden`"*" -or ` - $_.Exception -like "*Request not applicable to target tenant*") + $_.Exception -like '*Request not applicable to target tenant*') { Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) The current tenant is not registered for Intune." } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json index 2dd5dfecf6..7f59aea637 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json @@ -1,33 +1,38 @@ { "resourceName": "IntuneDeviceConfigurationEmailProfilePolicyWindows10", "description": "This resource configures an Intune Device Configuration Email Profile Policy for Windows10.", - "permissions": { - "graph": { - "delegated": { - "read": [ - { - "name": "DeviceManagementConfiguration.Read.All" - } - ], - "update": [ - { - "name": "DeviceManagementConfiguration.ReadWrite.All" - } - ] - }, - "application": { - "read": [ - { - "name": "DeviceManagementConfiguration.Read.All" - } - ], - "update": [ - { - "name": "DeviceManagementConfiguration.ReadWrite.All" - } - ] - } - } -} - + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "Group.Read.All" + }, + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "Group.Read.All" + }, + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + } + } + } } 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 index c9b1f664a1..36da338cf7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 @@ -1043,7 +1043,7 @@ function Get-TargetResource $getValue = $null #region resource generator code - $getValue = Get-MgBetaDeviceManagementDeviceConfiguration -DeviceConfigurationId $Id -ErrorAction SilentlyContinue + $getValue = Get-MgBetaDeviceManagementDeviceConfiguration -DeviceConfigurationId $Id -ErrorAction SilentlyContinue if ($null -eq $getValue) { 
@@ -1054,14 +1054,19 @@ function Get-TargetResource $getValue = Get-MgBetaDeviceManagementDeviceConfiguration ` -Filter "DisplayName eq '$DisplayName'" ` -ErrorAction SilentlyContinue + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Endpoint Protection Policy for Windows10 with DisplayName {$DisplayName}" + return $nullResult + } + if (([array]$getValue).count -gt 1) + { + throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + } } } #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Intune Device Configuration Endpoint Protection Policy for Windows10 with DisplayName {$DisplayName}" - return $nullResult - } + $Id = $getValue.Id Write-Verbose -Message "An Intune Device Configuration Endpoint Protection Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName} was found." @@ -1300,7 +1305,7 @@ function Get-TargetResource $myfirewallRules.Add('FilePath', $currentfirewallRules.filePath) if ($null -ne $currentfirewallRules.interfaceTypes) { - $myfirewallRules.Add('InterfaceTypes', $currentfirewallRules.interfaceTypes.toString()) + $myfirewallRules.Add('InterfaceTypes', $currentfirewallRules.interfaceTypes.toString() -split ',') } $myfirewallRules.Add('LocalAddressRanges', $currentfirewallRules.localAddressRanges) $myfirewallRules.Add('LocalPortRanges', $currentfirewallRules.localPortRanges) 
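Review bot: The duplicate check counts every device configuration that carries the display name, not only Endpoint Protection policies, because the `-Filter` lookup above it is not narrowed by `@odata.type`. A policy of another type with the same name therefore raises the "duplicated displayName" error, and a single match of another type is accepted and its `Id` used. The Domain Join and Email Profile resources pipe the same lookup through `Where-Object` on `AdditionalProperties.'@odata.type'`; doing the same here with `#microsoft.graph.windows10EndpointProtectionConfiguration` would keep the check scoped. The Delivery Optimization lookup hunk has the same shape.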
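Review bot: `-split ','` keeps whatever whitespace follows each comma, so if `interfaceTypes` is rendered as `lan, wireless` the second element becomes ` wireless`. That value would not match the `ValueMap` entries in the schema and would presumably show up as drift on every test of the firewall rules. Splitting with `-split '\s*,\s*'` handles both renderings. The format returned by Graph is not visible in this hunk, so this is a precaution rather than a confirmed failure.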
@@ -2618,22 +2623,16 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent #endregion } - $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id - $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) - { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + + $returnAssignments = @() + $graphAssignments = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id + if ($graphAssignments.count -gt 0) + { + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) } - $results.Add('Assignments', $assignmentResult) + $results.Add('Assignments', $returnAssignments) return [System.Collections.Hashtable] $results } @@ -2645,6 +2644,7 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult return $nullResult } } 
@@ -3704,11 +3704,24 @@ function Set-TargetResource $CreateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $CreateParameters.$key } } + if ($CreateParameters.FirewallRules.count -gt 0) + { + $intuneFirewallRules = @() + foreach ($firewallRule in $CreateParameters.FirewallRules) + { + if ($firewallRule.interfaceTypes -gt 1) + { + $firewallRule.interfaceTypes = $firewallRule.interfaceTypes -join ',' + } + $intuneFirewallRules += $firewallRule + } + $CreateParameters.FirewallRules = $intuneFirewallRules + } #region resource generator code - $CreateParameters.Add("@odata.type", "#microsoft.graph.windows10EndpointProtectionConfiguration") + $CreateParameters.Add('@odata.type', '#microsoft.graph.windows10EndpointProtectionConfiguration') $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters $assignmentsHash = @() - foreach($assignment in $Assignments) + foreach ($assignment in $Assignments) { $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment } @@ -3739,8 +3752,21 @@ function Set-TargetResource $UpdateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $UpdateParameters.$key } } + if ($UpdateParameters.FirewallRules.count -gt 0) + { + $intuneFirewallRules = @() + foreach ($firewallRule in $UpdateParameters.FirewallRules) + { + if ($firewallRule.interfaceTypes -gt 1) + { + $firewallRule.interfaceTypes = $firewallRule.interfaceTypes -join ',' + } + $intuneFirewallRules += $firewallRule + } + $UpdateParameters.FirewallRules = $intuneFirewallRules + } #region resource generator code - $UpdateParameters.Add("@odata.type", "#microsoft.graph.windows10EndpointProtectionConfiguration") + $UpdateParameters.Add('@odata.type', '#microsoft.graph.windows10EndpointProtectionConfiguration') Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters 
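Review bot: `if ($firewallRule.interfaceTypes -gt 1)` compares the values themselves with 1 rather than counting them, which looks like a missing `.Count`. With a string array on the left, `-gt` filters the elements, so the condition is true for any non-empty list only by accident. The schema now declares `InterfaceTypes[]` and the request body appears to expect a single comma-separated string, so the join should run whenever a value is present: `if ($null -ne $firewallRule.interfaceTypes) { $firewallRule.interfaceTypes = $firewallRule.interfaceTypes -join ',' }`. The identical block in the update branch of this file needs the same change, and the two copies could share a small helper.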
@@ -4801,6 +4827,11 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of the Intune Device Configuration Endpoint Protection Policy for Windows10 with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck $ValuesToCheck.Remove('Id') | Out-Null @@ -4825,6 +4856,11 @@ function Test-TargetResource -Source ($source) ` -Target ($target) + if ($key -eq 'Assignments') + { + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + } + if (-Not $testResult) { $testResult = $false @@ -4939,7 +4975,12 @@ function Export-TargetResource Managedidentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params + $Results = Get-TargetResource @params + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." + } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results if ( $null -ne $Results.BitLockerFixedDrivePolicy) 
@@ -6077,7 +6118,7 @@ function Export-TargetResource catch { if ($_.Exception -like '*401*' -or $_.ErrorDetails.Message -like "*`"ErrorCode`":`"Forbidden`"*" -or ` - $_.Exception -like "*Request not applicable to target tenant*") + $_.Exception -like '*Request not applicable to target tenant*') { Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) The current tenant is not registered for Intune." } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.schema.mof index fe67f8bd62..0ddd9c37aa 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.schema.mof 
@@ -92,7 +92,7 @@ class MSFT_MicrosoftGraphWindowsFirewallRule [Write, Description("The display name of the rule. Does not need to be unique.")] String DisplayName; [Write, Description("Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. Possible values are: notConfigured, blocked, allowed."), ValueMap{"notConfigured","blocked","allowed"}, Values{"notConfigured","blocked","allowed"}] String EdgeTraversal; [Write, Description("The full file path of an app that's affected by the firewall rule.")] String FilePath; - [Write, Description("The interface types of the rule. Possible values are: notConfigured, remoteAccess, wireless, lan."), ValueMap{"notConfigured","remoteAccess","wireless","lan"}, Values{"notConfigured","remoteAccess","wireless","lan"}] String InterfaceTypes; + [Write, Description("The interface types of the rule. Possible values are: notConfigured, remoteAccess, wireless, lan."), ValueMap{"notConfigured","remoteAccess","wireless","lan"}, Values{"notConfigured","remoteAccess","wireless","lan"}] String InterfaceTypes[]; [Write, Description("List of local addresses covered by the rule. Default is any address. Valid tokens include:'' indicates any local address. If present, this must be the only token included.A subnet can be specified using either the subnet mask or network prefix notation. 
If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.A valid IPv6 address.An IPv4 address range in the format of 'start address - end address' with no spaces included.An IPv6 address range in the format of 'start address - end address' with no spaces included.")] String LocalAddressRanges[]; [Write, Description("List of local port ranges. For example, '100-120', '200', '300-320'. If not specified, the default is All.")] String LocalPortRanges[]; [Write, Description("Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.")] String LocalUserAuthorizations; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json index 31fc646302..eb9da4aa9e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,6 +20,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 84a923e68d..1cfbe9a39f 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 
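Review bot: Both `read` lists in settings.json now request `Group.Read.All`, which widens the consent this resource asks for from Intune configuration to every group in the directory. The need appears to come from resolving assignment group names (the `Get-MgGroup` call in ConvertFrom-IntunePolicyAssignment), and Microsoft Graph documents `GroupMember.Read.All` as the least-privileged permission for reading a group, so it is worth checking whether that is enough here. If the update path also resolves `groupDisplayName` to an id, the `update` lists, which these hunks do not show, need the same consideration.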
@@ -1153,9 +1153,21 @@ function ConvertFrom-IntunePolicyAssignment $group = Get-MgGroup -GroupId ($groupId) -ErrorAction SilentlyContinue if ($null -ne $group) { - $hashAssignment.add('groupDisplayName', $group.DisplayName) + $groupDisplayName = $group.DisplayName } } + if ($dataType -eq '#microsoft.graph.allLicensedUsersAssignmentTarget') + { + $groupDisplayName = 'All users' + } + if ($dataType -eq '#microsoft.graph.allDevicesAssignmentTarget') + { + $groupDisplayName = 'All devices' + } + if ($null -ne $groupDisplayName) + { + $hashAssignment.add('groupDisplayName', $groupDisplayName) + } if ($IncludeDeviceFilter) { if ($null -ne $assignment.Target.DeviceAndAppManagementAssignmentFilterType) @@ -1338,7 +1350,7 @@ function Update-DeviceConfigurationPolicyAssignment $body = @{$RootIdentifier = $deviceManagementPolicyAssignments} | ConvertTo-Json -Depth 20 Write-Verbose -Message $body - + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $body -ErrorAction Stop } catch diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 1b093fe62f..2c18e4de0f 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 
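Review bot: `$groupDisplayName` is assigned only when the group lookup succeeds or the target is one of the two built-in types, and it is never reset. If this code runs once per assignment, as `$assignment` and `$hashAssignment` suggest (the loop itself is outside the hunk), a value from an earlier assignment is still set when `Get-MgGroup` returns nothing for a later one. The `if ($null -ne $groupDisplayName)` check would then attach the previous group's name to the wrong assignment. Setting `$groupDisplayName = $null` before the group lookup closes that gap.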
@@ -4433,6 +4433,75 @@ function Remove-M365DSCAuthenticationParameter return $BoundParameters } +<# +.Description +This function clears the authentication parameters from the hashtable. + +.Functionality +Internal +#> +function Clear-M365DSCAuthenticationParameter +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.Hashtable] + $BoundParameters + ) + + $BoundParameters.Credential = $null + $BoundParameters.ApplicationId = $null + $BoundParameters.ApplicationSecret = $null + $BoundParameters.TenantId = $null + $BoundParameters.CertificatePassword = $null + $BoundParameters.CertificatePath = $null + $BoundParameters.CertificateThumbprint = $null + $BoundParameters.ManagedIdentity = $null + + return $BoundParameters +} +<# +.Description +This function validate if the authentication parameters from the hashtable have been cleared. + +.Functionality +Internal +#> +function Test-M365DSCAuthenticationParameter +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.Hashtable] + $BoundParameters + ) + + $authenticationParameterList = @( + 'Credential' + 'ApplicationId' + 'ApplicationSecret' + 'TenantId' + 'CertificatePassword' + 'CertificatePath' + 'CertificateThumbprint' + 'ManagedIdentity' + ) + + $containsAuthenticationParameter = $false + foreach ($parameter in $authenticationParameterList) + { + if ($null -ne $BoundParameters.$parameter) + { + $containsAuthenticationParameter = $true + break + } + } + + return $containsAuthenticationParameter +} + <# .Description This function analyzes an M365DSC configuration file and returns information about potential issues (e.g., duplicate primary keys). 
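Review bot: The help text of Test-M365DSCAuthenticationParameter says it validates that the authentication parameters "have been cleared", but the function returns `$true` when at least one of them is still non-null and `$false` when all are null, which is the opposite reading. The description should state the return value, for example `Returns $true when at least one authentication parameter in the hashtable is set, $false when all of them are null.` Clear-M365DSCAuthenticationParameter could likewise say that it modifies the passed hashtable in place and returns the same object, since it assigns to `$BoundParameters` directly. Both functions spell out the same eight parameter names separately; one shared list would keep them from drifting apart.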
@@ -4622,6 +4691,7 @@ function Sync-M365DSCParameter Export-ModuleMember -Function @( 'Assert-M365DSCBlueprint', + 'Clear-M365DSCAuthenticationParameter', 'Confirm-ImportedCmdletIsAvailable', 'Confirm-M365DSCDependencies', 'Convert-M365DscHashtableToString', @@ -4655,6 +4725,7 @@ Export-ModuleMember -Function @( 'Set-EXOSafeAttachmentRule', 'Set-EXOSafeLinksRule', 'Split-ArrayByParts', + 'Test-M365DSCAuthenticationParameter' 'Test-M365DSCDependenciesForNewVersions', 'Test-M365DSCModuleValidity', 'Test-M365DSCParameterState', diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1 index 2ed971ac91..6913e720b6 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1 @@ -73,7 +73,23 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } }) } - + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { } 
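Review bot: In the second Export-ModuleMember hunk (-4655) the added entry `'Test-M365DSCAuthenticationParameter'` has no trailing comma, unlike its neighbours and unlike the `'Clear-M365DSCAuthenticationParameter',` line added in the first hunk. Inside `@( )` the line break still separates it from the next element, so the export should work, but the list then depends on that behaviour in one place only. `'Test-M365DSCAuthenticationParameter',` keeps the list uniform.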
@@ -84,10 +100,10 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name "When the instance doesn't already exist" -Fixture { BeforeAll { $testParams = @{ - Assignments = @( + Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' - CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' } -ClientOnly) ) Credential = $Credential @@ -123,7 +139,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' - CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' } -ClientOnly) ) Credential = $Credential 
@@ -139,29 +155,27 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Description = 'My Test Description' Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_laps_policies_backupdirectory_1" + } } } + AdditionalProperties = $null } - AdditionalProperties = $null } } + Mock -CommandName Update-DeviceManagementConfigurationPolicy -MockWith { } } @@ -191,7 +205,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' - CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' } -ClientOnly) ) BackupDirectory = '1' 
@@ -202,27 +216,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Description = 'My Test Description' Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_laps_policies_backupdirectory_1" + } } } + AdditionalProperties = $null } - AdditionalProperties = $null } } } @@ -238,7 +249,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Assignments = @( (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' - CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' } -ClientOnly) ) Credential = $Credential 
@@ -253,27 +264,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Description = 'My Test Description' Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_laps_policies_backupdirectory_1" + } } } + AdditionalProperties = $null } - AdditionalProperties = $null } } } 
@@ -308,27 +316,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { TemplateReference = @{ TemplateId = 'adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1' } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_laps_policies_backupdirectory_1" + } } } + AdditionalProperties = $null } - AdditionalProperties = $null } } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 index d7c738d6a1..f7d1a937f2 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 
@@ -68,7 +68,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name "When the instance doesn't already exist" -Fixture { BeforeAll { $testParams = @{ - Assignments = @( + Assignments = [ciminstance[]]@( (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' DeviceAndAppManagementAssignmentFilterType = 'none' @@ -80,7 +80,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Present' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - LocalUserGroupCollection = @( + LocalUserGroupCollection = [ciminstance[]]@( (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalUserGroupCollection -Property @{ LocalGroups = @('administrators', 'users') Members = @('S-1-12-1-1167842105-1150511762-402702254-1917434032') @@ -124,7 +124,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Present' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - LocalUserGroupCollection = @( + LocalUserGroupCollection = [ciminstance[]]@( (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalUserGroupCollection -Property @{ LocalGroups = @('administrators') Members = @('S-1-12-1-1167842105-1150511762-402702254-1917434032') 
@@ -139,78 +139,77 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Description = 'My Test Description' Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + 
'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' + 'groupSettingCollectionValue' = @( + @{ + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' + 'simpleSettingCollectionValue' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + 'value' = 'Non-existant value' + } + ) + } + ) + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_remove_update' + 'children' = @() + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' + 'choiceSettingCollectionValue' = @( @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'Non-existant value' - } - ) + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_users' + 'children' = @() } ) } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_remove_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_users' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) + ) + } + ) + } + ) + } + ) + } } + AdditionalProperties = $null } - AdditionalProperties = $null } } + + Mock -CommandName Update-DeviceManagementConfigurationPolicy -MockWith { } } 
@@ -259,76 +258,73 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Description = 'My Test Description' Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + 
'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' + 'groupSettingCollectionValue' = @( + @{ + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' + 'simpleSettingCollectionValue' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' + } + ) + } + ) + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' + 'children' = @() + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' + 'choiceSettingCollectionValue' = @( @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' - } - ) + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' + 'children' = @() } ) } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) + ) + } + ) + } + ) + } + ) + } } + AdditionalProperties = $null } - AdditionalProperties = $null } } } 
@@ -368,76 +364,73 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Description = 'My Test Description' Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + 
'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' + 'groupSettingCollectionValue' = @( + @{ + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' + 'simpleSettingCollectionValue' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' + } + ) + } + ) + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' + 'children' = @() + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' + 'choiceSettingCollectionValue' = @( @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' - } - ) + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' + 'children' = @() } ) } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) + ) + } + ) + } + ) + } + ) + } } + AdditionalProperties = $null } - AdditionalProperties = $null } } } 
@@ -472,80 +465,77 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { TemplateReference = @{ TemplateId = '5dd36540-eb22-4e7e-b19c-2a07772ba627_1' } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + 'settingDefinitionId' = 
'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' + 'groupSettingCollectionValue' = @( + @{ + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' + 'simpleSettingCollectionValue' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' + } + ) + } + ) + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' + 'children' = @() + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' + 'choiceSettingCollectionValue' = @( + @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' + 'children' = @() + }, @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 
'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' - } - ) + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_users' + 'children' = @() } ) } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' - 'children' = @() - }, - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_users' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) + ) + } + ) + } + ) + } + ) + } } + AdditionalProperties = $null } - AdditionalProperties = $null } } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 index 19e09bc2af..ce354ae843 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 
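Review bot: `Settings = @{` in the mocked policy is a single hashtable, whereas the other test files in this commit mock the same property as a collection (`Settings = @(@{ … })`). If the resource indexes or counts `$policy.Settings`, a bare hashtable reports its key count rather than one setting, so the fixture can pass where a real response would fail, or the reverse. I would wrap it as `Settings = @(@{` and close it with `})`. The previous hunk, whose start is outside this view, appears to use the same shape and would need the same change.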
@@ -68,18 +68,33 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } } - Mock -CommandName Get-MgBetaDeviceManagementIntentAssignment -MockWith { - return @(@{ - target = @{ - deviceAndAppManagementAssignmentFilterType = 'none' - deviceAndAppManagementAssignmentFilterId = $null - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' - groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' - } - } - }) + Mock -CommandName Get-MgBetaDeviceManagementIntent -MockWith { + return @{ + Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' + Description = 'My Test Description' + DisplayName = 'My Test' + Assignments = @(@{ + target = @{ + deviceAndAppManagementAssignmentFilterType = 'none' + deviceAndAppManagementAssignmentFilterId = $null + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + } + }) + Settings = @(@{ + Id = 0 + DefinitionId = 'deviceConfiguration--windowsIdentityProtectionConfiguration_useSecurityKeyForSignin' + ValueJson = 'true' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementBooleanSettingInstance' + value = $true + } + }) + } } + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { } 
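Review bot: Mocking `Get-MgBetaDeviceManagementIntent` once at this level to return an existing policy means every context inherits a "policy exists" answer unless it overrides the mock. The context that expects `Ensure` to be `'Absent'` is outside this hunk; it should keep its own `Mock -CommandName Get-MgBetaDeviceManagementIntent -MockWith { return $null }`, otherwise the missing-policy test would read the shared fixture. The changelog entry for this resource also mentions assignment GroupDisplayName support, but the mocked assignment here carries only `groupId`, so nothing visible in this hunk exercises display-name resolution. A case covering it would be worth adding.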
@@ -142,27 +157,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Present' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - UseSecurityKeyForSignin = $true - } - - Mock -CommandName Get-MgBetaDeviceManagementIntent -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - DisplayName = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementIntentSetting -MockWith { - return @(@{ - Id = 0 - DefinitionId = 'deviceConfiguration--windowsIdentityProtectionConfiguration_useSecurityKeyForSignin' - ValueJson = 'false' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementBooleanSettingInstance' - value = $false - } - }) + UseSecurityKeyForSignin = $false } Mock -CommandName Update-MgBetaDeviceManagementIntent -MockWith { } @@ -201,26 +196,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } -ClientOnly) ) } - - Mock -CommandName Get-MgBetaDeviceManagementIntent -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - DisplayName = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementIntentSetting -MockWith { - return @(@{ - Id = 0 - DefinitionId = 'deviceConfiguration--windowsIdentityProtectionConfiguration_useSecurityKeyForSignin' - ValueJson = 'true' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementBooleanSettingInstance' - value = $true - } - }) - } } It 'Should return true from the Test method' { 
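Review bot: The drift in this context now rests only on `UseSecurityKeyForSignin = $false` disagreeing with the shared `Get-MgBetaDeviceManagementIntent` mock, which returns `value = $true`, and nothing at this line says so. A later edit to the shared fixture could silently turn this into an in-desired-state case while the test name still claims otherwise. I would add `# drift: shared Get-MgBetaDeviceManagementIntent mock returns $true` directly above the parameter. The enclosing `$testParams` block and its `BeforeAll` start outside the hunk.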
@@ -244,26 +219,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Absent' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' } - - Mock -CommandName Get-MgBetaDeviceManagementIntent -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - DisplayName = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementIntentSetting -MockWith { - return @(@{ - Id = 0 - DefinitionId = 'deviceConfiguration--windowsIdentityProtectionConfiguration_useSecurityKeyForSignin' - ValueJson = 'false' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementBooleanSettingInstance' - value = $false - } - }) - } } It 'Should return Present from the Get method' { @@ -287,26 +242,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Credential = $Credential } - - Mock -CommandName Get-MgBetaDeviceManagementIntent -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - DisplayName = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementIntentSetting -MockWith { - return @(@{ - Id = 0 - DefinitionId = 'deviceConfiguration--windowsIdentityProtectionConfiguration_useSecurityKeyForSignin' - ValueJson = 'false' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementBooleanSettingInstance' - value = $false - } - }) - } } It 'Should Reverse Engineer resource from the Export method' { diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusPolicyWindows10SettingCatalog.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusPolicyWindows10SettingCatalog.Tests.ps1 index 74d382be01..11e38dfd2d 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusPolicyWindows10SettingCatalog.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusPolicyWindows10SettingCatalog.Tests.ps1 
@@ -47,25 +47,64 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { TemplateId = 'd02f2162-fcac-48db-9b7b-b0a3f160d2c2_1' } } - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { return @{ - Id = '12345-12345-12345-12345-12345' - Source = 'direct' - SourceId = '12345-12345-12345-12345-12345' - Target = @{ - DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' - DeviceAndAppManagementAssignmentFilterType = 'none' - AdditionalProperties = @( - @{ - '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' - groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' - } - ) + Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' + Description = 'My Test Description' + Name = 'My Test' + TemplateReference = @{ + TemplateId = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1' + TemplateFamily = 'endpointSecurityAntivirus' } + Settings = @(@{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_defender_allowarchivescanning' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '7c5c9cde-f74d-4d11-904f-de4c27f72d89' + AdditionalProperties = $null + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + value = 'device_vendor_msft_policy_config_defender_allowarchivescanning_0' #drift + settingValueTemplateReference = @{ + settingValueTemplateId = '9ead75d4-6f30-4bc5-8cc5-ab0f999d79f0' + useTemplateDefault = $false + } + children = $null + } + } + + } + AdditionalProperties = $null + }) } } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterId = 
'12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { } + # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { } @@ -76,7 +115,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { BeforeAll { $testParams = @{ allowarchivescanning = '1' - Assignments = @( + Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' DeviceAndAppManagementAssignmentFilterType = 'none' @@ -115,7 +154,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { BeforeAll { $testParams = @{ allowarchivescanning = '1' - Assignments = @( + Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' DeviceAndAppManagementAssignmentFilterType = 'none' 
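Review bot: The `#drift` comment on `value = 'device_vendor_msft_policy_config_defender_allowarchivescanning_0'` is stale now that this mock is the shared default for every context. The later hunks set the in-desired-state context to `allowarchivescanning = '0'`, so `_0` is the baseline and the contexts that still pass `'1'` are the drifting ones. I would replace the comment with `# baseline; contexts passing allowarchivescanning = '1' are the drift case`, or drop it. The context that expects `'Absent'` is not in these hunks and presumably needs its own override of `Get-MgBetaDeviceManagementConfigurationPolicy` now that a populated policy is the default.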
@@ -130,41 +169,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { templateId = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_defender_allowarchivescanning' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '7c5c9cde-f74d-4d11-904f-de4c27f72d89' - AdditionalProperties = $null - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - value = 'device_vendor_msft_policy_config_defender_allowarchivescanning_0' #drift - settingValueTemplateReference = @{ - settingValueTemplateId = '9ead75d4-6f30-4bc5-8cc5-ab0f999d79f0' - useTemplateDefault = $false - } - children = $null - } - } - - } - AdditionalProperties = $null - } - } } It 'Should return Present from the Get method' { @@ -184,8 +188,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name 'When the instance already exists and IS in the Desired State' -Fixture { BeforeAll { $testParams = @{ - allowarchivescanning = '1' - Assignments = @( + allowarchivescanning = '0' + Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' DeviceAndAppManagementAssignmentFilterType = 'none' 
@@ -200,42 +204,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { templateId = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - TemplateReference = @{templateId = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1' } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_defender_allowarchivescanning' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '7c5c9cde-f74d-4d11-904f-de4c27f72d89' - AdditionalProperties = $null - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - value = 'device_vendor_msft_policy_config_defender_allowarchivescanning_1' - settingValueTemplateReference = @{ - settingValueTemplateId = '9ead75d4-6f30-4bc5-8cc5-ab0f999d79f0' - useTemplateDefault = $false - } - children = $null - } - } - - } - AdditionalProperties = $null - } - } } It 'Should return true from the Test method' { @@ -246,8 +214,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name 'When the instance exists and it SHOULD NOT' -Fixture { BeforeAll { $testParams = @{ - allowarchivescanning = '1' - Assignments = @( + allowarchivescanning = '0' + Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' DeviceAndAppManagementAssignmentFilterType = 'none' 
@@ -262,42 +230,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { templateId = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - TemplateReference = @{templateId = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1' } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_defender_allowarchivescanning' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '7c5c9cde-f74d-4d11-904f-de4c27f72d89' - AdditionalProperties = $null - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - value = 'device_vendor_msft_policy_config_defender_allowarchivescanning_1' - settingValueTemplateReference = @{ - settingValueTemplateId = '9ead75d4-6f30-4bc5-8cc5-ab0f999d79f0' - useTemplateDefault = $false - } - children = $null - } - } - - } - AdditionalProperties = $null - } - } } It 'Should return Present from the Get method' { 
@@ -321,45 +253,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Credential = $Credential } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test policy' - TemplateReference = @{ - templateId = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1' - templateFamily = 'endpointSecurityAntivirus' - } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_defender_allowarchivescanning' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '7c5c9cde-f74d-4d11-904f-de4c27f72d89' - AdditionalProperties = $null - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - value = 'device_vendor_msft_policy_config_defender_allowarchivescanning_1' - settingValueTemplateReference = @{ - settingValueTemplateId = '9ead75d4-6f30-4bc5-8cc5-ab0f999d79f0' - useTemplateDefault = $false - } - children = $null - } - } - - } - AdditionalProperties = $null - } - } } It 'Should Reverse Engineer resource from the Export method' { diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppConfigurationPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppConfigurationPolicy.Tests.ps1 index c503c826ec..926700fdfd 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppConfigurationPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppConfigurationPolicy.Tests.ps1 
@@ -67,7 +67,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } It 'Should return absent from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + (Get-TargetResource @testParams ).Ensure | Should -Be 'Absent' } It 'Should return false from the Test method' { diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneApplicationControlPolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneApplicationControlPolicyWindows10.Tests.ps1 index 71d0b9db9d..77b72e6eea 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneApplicationControlPolicyWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneApplicationControlPolicyWindows10.Tests.ps1 @@ -85,7 +85,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ DisplayName = 'Test App Configuration Policy' Description = 'Test Definition' - Assignments = (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + Assignments = [CimInstance[]]@(New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ groupId = '123456789' dataType = '#microsoft.graph.groupAssignmentTarget' deviceAndAppManagementAssignmentFilterType = 'include' @@ -104,13 +104,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } } Mock -CommandName Get-MgBetaDeviceManagementIntentSetting -MockWith { - return @{ - DisplayName = 'Test App Configuration Policy' - Description = 'Different Value' - Id = 'A_19dbaff5-9aff-48b0-a60d-d0471ddaf141' + return @(@{ + #DisplayName = 'Test App Configuration Policy' + #Description = 'Different Value' + #Id = 'A_19dbaff5-9aff-48b0-a60d-d0471ddaf141' DefinitionId = 'appLockerApplicationControl' ValueJSON = "'true'" - } + }) } Mock -CommandName Get-MgBetaDeviceManagementIntentAssignment -MockWith { return @( 
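Review bot: The `Get-MgBetaDeviceManagementIntentSetting` mock in the `@@ -104,13 +104,13 @@` hunk keeps `DisplayName`, `Description` and `Id` as commented-out lines, while the matching mock in the next hunk leaves the same three properties live. If the properties have to go for the comparison to behave, delete them and state why in one line, for example `# settings carry only DefinitionId/ValueJSON; policy-level fields belong to the intent mock`. If they are harmless, keep both fixtures identical. As written, the difference between the two contexts looks accidental.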
@@ -167,13 +167,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } Mock -CommandName Get-MgBetaDeviceManagementIntentSetting -MockWith { - return @{ + return @(@{ DisplayName = 'Test App Configuration Policy' Description = 'Test Definition' Id = 'A_19dbaff5-9aff-48b0-a60d-d0471ddaf141' DefinitionId = 'appLockerApplicationControl' ValueJSON = "'true'" - } + }) } Mock -CommandName Get-MgBetaDeviceManagementIntentAssignment -MockWith { return @(