PR: Add group display name to Intune Assignment (Batch 1) #4323

Merged
19 commits
1c44711
FirstBatch
William-Francillette Feb 14, 2024
22d7cbc
Merge remote-tracking branch 'upstream/Dev' into IntuneAssignmentGrou…
William-Francillette Feb 14, 2024
0ef7831
update settings.json
William-Francillette Feb 14, 2024
dcb7229
Merge branch 'Dev' into IntuneAssignmentGroupDisplayName
ykuijs Feb 15, 2024
db3f82d
temp commit
William-Francillette Feb 20, 2024
829e7e7
Merge remote-tracking branch 'upstream/Dev' into IntuneAssignmentGrou…
William-Francillette Feb 20, 2024
4431518
Merge branch 'IntuneAssignmentGroupDisplayName' of https://github.com…
William-Francillette Feb 20, 2024
d840c16
Fix an issue with error handling in Get-TargetResource - implemented …
William-Francillette Feb 20, 2024
2c99885
Update MSFT_IntuneAppConfigurationPolicy.psm1
William-Francillette Feb 20, 2024
7f8bfd1
modified error handling from Get,Test and Export-TargetResource and u…
William-Francillette Feb 26, 2024
eeb7584
Merge remote-tracking branch 'upstream/dev' into IntuneAssignmentGrou…
William-Francillette Feb 26, 2024
e6f2292
Merge branch 'IntuneAssignmentGroupDisplayName' of https://github.com…
William-Francillette Feb 26, 2024
b1c9e65
added missing Group.Read.All permission
William-Francillette Feb 26, 2024
4c4f312
fix an issue with unit test due to $nullResult not being a clone of $…
William-Francillette Feb 26, 2024
bd8b07b
fix changelog
William-Francillette Feb 26, 2024
6511193
added groupDisplayName support to an additional 7 resources and to al…
William-Francillette Feb 27, 2024
7592599
Merge remote-tracking branch 'upstream/dev' into IntuneAssignmentGrou…
William-Francillette Feb 27, 2024
b390b18
fix firewall rules interfaceTypes parameter to support multiple values
William-Francillette Feb 29, 2024
027b01c
Merge branch 'Dev' into IntuneAssignmentGroupDisplayName
NikCharlebois Mar 13, 2024
52 changes: 45 additions & 7 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,56 @@

# UNRELEASED

* AADGroup
* Fixed issue where group owners were removed from existing groups when unspecified in the config
FIXES [#4390](https://github.com/microsoft/Microsoft365DSC/issues/4390)
* EXOHostedContentFilterPolicy
* Add support for IntraOrgFilterState parameter
FIXES [#4424](https://github.com/microsoft/Microsoft365DSC/issues/4424)
* EXOHostedContentFilterRule
* Fixed issue in case of different names of filter rule and filter policy
FIXES [#4401](https://github.com/microsoft/Microsoft365DSC/issues/4401)
* IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneAccountProtectionLocalUserGroupMembershipPolicy
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneAccountProtectionPolicy
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneAntivirusPolicyWindows10SettingCatalog
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneAppConfigurationPolicy
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneApplicationControlPolicyWindows10
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneASRRulesPolicyWindows10
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneDeviceCompliancePolicyAndroid
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneDeviceCompliancePolicyAndroidDeviceOwner
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneDeviceCompliancePolicyAndroidWorkProfile
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneDeviceCompliancePolicyiOs
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneDeviceCompliancePolicyMacOS
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneDeviceCompliancePolicyWindows10
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneDeviceConfigurationCustomPolicyWindows10
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneDeviceConfigurationDomainJoinPolicyWindows10
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneDeviceConfigurationEmailProfilePolicyWindows10
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* IntuneDeviceConfigurationEndpointProtectionPolicyWindows10
* Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource
* Fixed an issue with the parameter InterfaceTypes from firewallrules defined as a string instead of string[]
* IntuneDeviceConfigurationPKCSCertificatePolicyWindows10
* Add property RootCertificateDisplayName in order to support assigning root
certificates by display name since their Ids in a blueprint might be from a
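Review bot: The repeated entry "Added support for assignment GroupDisplayName and improve error handling from Get-TargetResource" does not tell an operator what changes for them. The code later in this diff makes Test-TargetResource and Export-TargetResource throw when Get-TargetResource fails, makes a duplicated display name an error, and adds the Group.Read.All Graph permission, none of which appears in the visible changelog lines. Suggest naming those behaviour changes and the new permission once in this section, and using "improved" so the tense matches "Added".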
Expand Down Expand Up @@ -39,12 +83,7 @@
* Enhancement to obfuscate password from verbose logging and avoid empty lines
FIXES [#4392](https://github.com/microsoft/Microsoft365DSC/issues/4392)
* Fix example in documentation for Update-M365DSCAzureAdApplication

# UNRELEASED

* AADGroup
* Fixed issue where group owners were removed from existing groups when unspecified in the config
FIXES [#4390](https://github.com/microsoft/Microsoft365DSC/issues/4390)
* Added support for groupDisplayName to all devices and all users groups

# 1.24.228.1

Expand Down Expand Up @@ -178,7 +217,6 @@
* Updated Microsoft.Graph to version 2.14.1.

# 1.24.214.2

* AADConditionalAccessPolicy
* Removed invalid empty string value that was added to the validate set
of two parameters.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -179,8 +179,10 @@ function Get-TargetResource
try
{
#Retrieve policy general settings

$policy = Get-MgBetaDeviceManagementIntent -DeviceManagementIntentId $Identity -ErrorAction SilentlyContinue
if (-not [string]::IsNullOrEmpty($Identity))
{
$policy = Get-MgBetaDeviceManagementIntent -DeviceManagementIntentId $Identity -ErrorAction SilentlyContinue
}

if ($null -eq $policy)
{
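Review bot: `$policy` is now assigned only inside `if (-not [string]::IsNullOrEmpty($Identity))`, so when `$Identity` is empty the following `if ($null -eq $policy)` reads a variable this function never set. Add `$policy = $null` before the new `if` so the check does not depend on an unset variable or on a `$policy` inherited from a calling scope. Separately, `-ErrorAction SilentlyContinue` on the lookup makes a permission or throttling failure indistinguishable from "not found", which then falls through to the display-name lookup.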
Expand All @@ -189,6 +191,11 @@ function Get-TargetResource
{
$policy = Get-MgBetaDeviceManagementIntent -Filter "DisplayName eq '$DisplayName'" -ErrorAction SilentlyContinue
}

if(([array]$policy).count -gt 1)
{
throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique"
}
}
if ($null -eq $policy)
{
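Review bot: The new duplicate check depends on the result of `-Filter "DisplayName eq '$DisplayName'"`, and that filter interpolates `$DisplayName` without escaping. A display name containing a single quote produces an invalid filter, the error is suppressed by `-ErrorAction SilentlyContinue`, and the policy is then treated as missing instead of reaching the duplicate check. Suggest doubling single quotes in the value before building the filter. The message could also use the casing "DisplayName" consistently with the parameter name.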
Expand Down Expand Up @@ -225,19 +232,12 @@ function Get-TargetResource
$returnHashtable.Add('ManagedIdentity', $ManagedIdentity.IsPresent)

$returnAssignments = @()
$returnAssignments += Get-MgBetaDeviceManagementIntentAssignment -DeviceManagementIntentId $policy.Id
$assignmentResult = @()
foreach ($assignmentEntry in $returnAssignments)
$graphAssignments = Get-MgBetaDeviceManagementIntentAssignment -DeviceManagementIntentId $policy.Id
if ($graphAssignments.count -gt 0)
{
$assignmentValue = @{
dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type'
deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString()
deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId
groupId = $assignmentEntry.Target.AdditionalProperties.groupId
}
$assignmentResult += $assignmentValue
$returnAssignments += ConvertFrom-IntunePolicyAssignment -Assignments $graphAssignments -IncludeDeviceFilter:$true
}
$returnHashtable.Add('Assignments', $assignmentResult)
$returnHashtable.Add('Assignments', $returnAssignments)

return $returnHashtable
}
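Review bot: Style point on the `ConvertFrom-IntunePolicyAssignment` call: `-IncludeDeviceFilter:$true` can be written as `-IncludeDeviceFilter`, and `$returnAssignments = @()` followed by a guarded `+=` can be a single assignment wrapped in `@(...)`. Also worth wrapping `$graphAssignments` in `[array]` before testing `.count`, as is done for `([array]$policy).count` earlier in this function, so the two checks read the same way.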
Expand All @@ -260,6 +260,7 @@ function Get-TargetResource
-Credential $Credential
}

$nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult
return $nullResult
}
}
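Review bot: The added `Clear-M365DSCAuthenticationParameter` call on `$nullResult` has no comment explaining why the error path strips the authentication parameters. Later hunks use `Test-M365DSCAuthenticationParameter` on the returned hashtable to detect that Get-TargetResource failed, so this line is acting as an in-band error signal. Please document that contract here, since a future change that stops clearing the parameters would silently disable the failure checks in Test-TargetResource and Export-TargetResource.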
Expand Down Expand Up @@ -546,7 +547,7 @@ function Set-TargetResource
#Using Rest to reduce the number of calls
$Uri = "https://graph.microsoft.com/beta/deviceManagement/intents/$($currentPolicy.Identity)/updateSettings"
$body = @{'settings' = $settings }
Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json'
Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> Out-Null

#region Assignments
$assignmentsHash = @()
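Review bot: `4> Out-Null` on the `Invoke-MgGraphRequest` line does not discard the verbose stream. A PowerShell redirection takes a file path, so this writes stream 4 to a file named "Out-Null" in the current working directory, and that file can accumulate verbose request output on the machine applying the configuration. Use `4>$null` to suppress the verbose stream.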
Expand Down Expand Up @@ -737,6 +738,11 @@ function Test-TargetResource
Write-Verbose -Message "Testing configuration of Endpoint Protection Attack Surface Protection rules Policy {$DisplayName}"

$CurrentValues = Get-TargetResource @PSBoundParameters
if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues))
{
Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed"
throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information."
}

Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"
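Review bot: In the new `if (-not (Test-M365DSCAuthenticationParameter ...))` block, "occured" is misspelled in both the `Write-Verbose` and the `throw` message (should be "occurred"), and the `Write-Verbose` line repeats the text that is thrown immediately after it, so it can be dropped. The block also uses `$displayName` while the rest of the function uses `$DisplayName`; PowerShell resolves both, but the casing should match.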
Expand All @@ -748,75 +754,28 @@ function Test-TargetResource
$ValuesToCheck.Remove('ApplicationSecret') | Out-Null
$ValuesToCheck.Remove('Identity') | Out-Null

$testResult = $true
if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure)
{
return $false
$testResult = $false
}
#region Assignments
$testResult = $true

if ((-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments))
if ($testResult)
{
Write-Verbose -Message 'Configuration drift: one the assignment is null'
return $false
$source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments
$target = $CurrentValues.Assignments
$testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target
$ValuesToCheck.Remove('Assignments') | Out-Null
}
#endregion

if ($CurrentValues.Assignments)
{
if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count)
{
Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}"
return $false
}
foreach ($assignment in $CurrentValues.Assignments)
{
#GroupId Assignment
if (-not [String]::IsNullOrEmpty($assignment.groupId))
{
$source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId }
if (-not $source)
{
Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found"
$testResult = $false
break
}
$sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source
$testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment
}
#AllDevices/AllUsers assignment
else
{
$source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType }
if (-not $source)
{
Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found"
$testResult = $false
break
}
$sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source
$testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment
}

if (-not $testResult)
{
$testResult = $false
break
}

}
}
if (-not $testResult)
if ($testResult)
{
return $false
$TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
}
$ValuesToCheck.Remove('Assignments') | Out-Null
#endregion

$TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys

Write-Verbose -Message "Test-TargetResource returned $TestResult"

return $TestResult
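Review bot: The removed code handled the case where only one side has assignments (`(-not $CurrentValues.Assignments) -xor (-not $ValuesToCheck.Assignments)`), while the new code passes `$PSBoundParameters.Assignments` straight to `Get-M365DSCDRGComplexTypeToHashtable` and then to `Compare-M365DSCIntunePolicyAssignment`. Please confirm both helpers handle a null or empty value when Assignments is not specified in the configuration, or guard the call. Also note the removed lines called `Convert-M365DSCDRGComplexTypeToHashtable` where the new line calls `Get-M365DSCDRGComplexTypeToHashtable`, and the `Ensure` mismatch branch now sets `$testResult = $false` without a verbose message saying why drift was detected.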
Expand Down Expand Up @@ -908,6 +867,11 @@ function Export-TargetResource
}

$Results = Get-TargetResource @params
if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results))
{
Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed"
throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information."
}

if ($Results.Assignments)
{
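Review bot: The message in the new block says the policy "will not be processed", but `throw` stops Export-TargetResource entirely rather than skipping one policy. If this code runs once per exported policy, decide which behaviour is intended: either log the failure and continue with the next policy, or reword the message to say the export is aborted. "occured" should be "occurred" here as well.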
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@
"graph": {
"delegated": {
"read": [
{
"name": "Group.Read.All"
},
{
"name": "DeviceManagementConfiguration.Read.All"
}
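Review bot: Adding `Group.Read.All` to the delegated read list widens what this resource asks for from Intune configuration only to reading every group in the tenant, and existing deployments will need consent granted again before Get-TargetResource can resolve group display names. Please call this out in the changelog and resource documentation, and confirm whether a narrower group read permission would be enough for a display name lookup.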
Expand All @@ -17,6 +20,9 @@
},
"application": {
"read": [
{
"name": "Group.Read.All"
},
{
"name": "DeviceManagementConfiguration.Read.All"
}
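Review bot: Only the "read" arrays are visibly changed in this file. Set-TargetResource also has to translate a group display name into an id when it writes assignments, so please confirm the "update" lists for both delegated and application carry `Group.Read.All` too; otherwise applying a configuration can fail where reading it succeeds. As an application permission this grants tenant-wide group read to the app registration with no signed-in user, so it deserves an explicit mention for admins reviewing consent.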
Expand Down