diff --git a/.github/workflows/Generate Wiki.yml b/.github/workflows/Generate Wiki.yml
index 6d236821ce..92a5caf540 100644
--- a/.github/workflows/Generate Wiki.yml
+++ b/.github/workflows/Generate Wiki.yml
@@ -22,7 +22,7 @@ jobs:
 -Type 'Wiki' `
 -MainModulePath 'Modules\Microsoft365DSC' `
 -ResourceModuleName 'Microsoft365DSC'
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
 with:
 name: Upload Wiki Content
 path: D:\a\Microsoft365DSC\Microsoft365DSC\Microsoft365DSC_1.0.0_wikicontent.zip
diff --git a/.github/workflows/website-deploy-preview.yml b/.github/workflows/website-deploy-preview.yml
index 3918d6b981..fd3699e24c 100644
--- a/.github/workflows/website-deploy-preview.yml
+++ b/.github/workflows/website-deploy-preview.yml
@@ -30,7 +30,7 @@ jobs:
 REACT_APP_SITE_DESCRIPTION: ${{ secrets.REACT_APP_SITE_DESCRIPTION }}
 REACT_APP_INSTRUMENTATION_KEY: ${{ secrets.REACT_APP_INSTRUMENTATION_KEY }}
 - name: Publish Artifact
- uses: actions/upload-artifact@master
+ uses: actions/upload-artifact@v4
 with:
 name: website-build
 path: ${{ github.workspace }}/generator/build
@@ -43,7 +43,7 @@ jobs:
 name: Deploy to Preview
 needs: build
 steps:
- - uses: actions/download-artifact@master
+ - uses: actions/download-artifact@v4
 with:
 name: website-build
 - name: Deploy to Preview Azure Static Web App
diff --git a/.github/workflows/website-deploy-prod.yml b/.github/workflows/website-deploy-prod.yml
index 35ad8da3eb..bfb5f1800a 100644
--- a/.github/workflows/website-deploy-prod.yml
+++ b/.github/workflows/website-deploy-prod.yml
@@ -30,7 +30,7 @@ jobs:
 REACT_APP_SITE_DESCRIPTION: ${{ secrets.REACT_APP_SITE_DESCRIPTION }}
 REACT_APP_INSTRUMENTATION_KEY: ${{ secrets.REACT_APP_INSTRUMENTATION_KEY }}
 - name: Publish Artifact
- uses: actions/upload-artifact@master
+ uses: actions/upload-artifact@4
 with:
 name: website-build
 path: ${{ github.workspace }}/generator/build
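Review bot: In website-deploy-prod.yml the new ref is `actions/upload-artifact@4`, missing the `v` that the preview workflow and Generate Wiki.yml use in this same commit (`@v4`); the next hunk of that file has the same slip in `actions/download-artifact@4`. Unless a ref literally named `4` exists in those action repositories, the production job will fail to resolve the action, so the lines should read `uses: actions/upload-artifact@v4` and `- uses: actions/download-artifact@v4`. Because the build job reads repository secrets, pinning each action to a full commit SHA with the version in a trailing comment would also stop a moved tag from silently changing what runs in the deploy pipeline.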
@@ -43,7 +43,7 @@ jobs:
 name: Deploy to Production
 needs: build
 steps:
- - uses: actions/download-artifact@master
+ - uses: actions/download-artifact@4
 with:
 name: website-build
 - name: Deploy
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c4ed21867f..3e23fd33dd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,222 @@ # Change log for Microsoft365DSC +# 1.24.1106.1 + +* AADAccessReviewDefinition + * Initial release. +* AADAccessReviewPolicy + * Initial release. +* AADAuthenticationMethodPolicyExternal + * Initial release. +* AADClaimsMappingPolicy + * Initial release. +* AADConditionalAccessPolicy + * FIXES [#5282](https://github.com/microsoft/Microsoft365DSC/issues/5282) + * Added support for InsiderRiskLevels. +* AADCustomSecurityAttributeDefinition + * Fixed missing permissions in settings.json +* AADEnrichedAuditLogs + * Initial release. +* AADFederationConfiguration + * Initial release. +* AADFilteringPolicy + * Initial release. +* AADFilteringPolicyRule + * Initial release. +* AADFilteringProfile + * Initial release. +* AADGroup + * Added support for custom roles assignment. + FIXES [#5322](https://github.com/microsoft/Microsoft365DSC/issues/5322) +* AADHomeRealmDiscoveryPolicy + * Initial Release +* AADIdentityAPIConnector + * Initial release. +* AADIdentityB2XUserFlow + * Initial release. +* AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension + * Initial release. +* AADIdentityGovernanceProgram + * Initial release. +* AADIdentityProtectionPolicySettings + * Initial release. +* AADNamedLocationPolicy + * Fixed issue where duplicate names were not detected correctly. +* AADNetworkAccessForwardingPolicy + * Initial release. +* AADNetworkAccessForwardingProfile + * Initial release. +* AADNetworkAccessSettingConditionalAccess + * Initial release. +* AADNetworkAccessSettingCrossTenantAccess + * Initial release. +* AADOnPremisesPublishingProfilesSettings + * Initial release. +* AADOrganizationCertificateBasedAuthConfiguration + * Initial release. +* AADRemoteNetwork + * Initial release. +* AADRoleEligibilityScheduleRequest + * Fixes for Custom roles. + FIXES [#5330](https://github.com/microsoft/Microsoft365DSC/issues/5330) + * Fixes to remove elegibility schedule for custom roles. 
+ FIXES [#5331](https://github.com/microsoft/Microsoft365DSC/issues/5331) +* AADRoleManagementPolicyRule + * Initial release. +* AADServicePrincipal + * Added the notes field. + FIXES [#5312](https://github.com/microsoft/Microsoft365DSC/issues/5312) + * Added support for KeyCredentials and PasswordCredentials. + * Added support for SAML. + * Fixed issue with Owners. +* AADSocialIdentityProvider + * Fixed missing permissions in settings.json +* AADUserFlowAttribute + * Initial Release +* AADVerifiedIdAuthority + * Initial release. +* AADVerifiedIdAuthorityContract + * Initial release. +* AzureBillingAccountsAssociatedTenant + * Initial release. +* AzureBillingAccountsRoleAssignment + * Initial release. +* AzureDiagnosticSettings + * Initial release. +* AzureDiagnosticSettingsCustomSecurityAttribute + * Initial release. +* AzureSubscription + * Renamed parameters and added logic flow to create new subscriptions. +* AzureVerifiedIdFaceCheck + * Initial release. +* DefenderDeviceAuthenticatedScanDefinition + * Initial release. +* EXOActiveSyncMailboxPolicy + * Initial release. +* EXOArcConfig + * Fixed `Test-TargetResource` to correctly check property `ArcTrustedSealers` + when it has an array +* EXOMailboxAuditBypassAssociation + * Initial release. +* EXOMailboxSettings + * Added support for AddressBookPolicy, RetentionPolicy, RoleAssignmentPolicy + and SharingPolicy. +* EXOServicePrincipal + * Initial release. +* EXOTenantAllowBlockListItems + * Fixed `Test-TargetResource` to correctly mark when this resource is removed +* EXOTenantAllowBlockListSpoofItems + * Initial release. +* IntuneAccountProtectionLocalUserGroupMembershipPolicy + * Updates values in `UserSelectionType`. + FIXES [#5318](https://github.com/microsoft/Microsoft365DSC/issues/5318) +* IntuneAntivirusPolicyLinux + * Initial release. +* IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr + * Initial release. 
+* IntuneAppCategory + * Fixed retrieval of resource which could then result in multiple categories + being created with same name. +* IntuneAppleMDMPushNotificationCertificate + * Initial release. +* IntuneAppProtectionPolicyiOS + * Fixes an issue that could cause multiple instances to be created when multiple + instances with the same display name exist. +* IntuneDerivedCredential + * Fixed export and deployment when `NotificationType` had more than one option + selected + * Fixed retrieval of resource when it cannot be found by `Id` + * Added a few verbose messages +* IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile + * Initial release. +* IntuneEndpointDetectionAndResponsePolicyWindows10 + * Fixes an issue with `AutoFromConnector` as the Configuration package type. + FIXES [#5246](https://github.com/microsoft/Microsoft365DSC/issues/5246) +* IntuneMobileThreatDefenseConnector + * Initial release. +* IntuneSecurityBaselineDefenderForEndpoint + * Initial release. +* IntuneSettingCatalogCustomPolicyWindows10 + * Fixes an issue with limited results when more than 25 results are present. +* Intune workload + * Fixed missing permissions in settings.json +* M365DSCRuleEvaluation + * Changed the name of the Key property from ResourceName to ResourceTypeName. + While this is considered a breaking change, the old property name was + breaking the DSCParser process. The impact of this breaking the parsing + process is important enough to justify an out-of-band breaking change of + this resource. +* ODSettings + * Deprecated property NotifyOwnersWhenInvitationsAccepted. + FIXES [#4979](https://github.com/microsoft/Microsoft365DSC/issues/4979) +* PPPowerAppsEnvironment + * Add ProvisionDatabase attribute + FIXES [#5207](https://github.com/microsoft/Microsoft365DSC/issues/5207) +* PPTenantSettings + * Updated to support latest settings. +* SCInsiderRiskPolicy + * Added support for property MDATPTriageStatus. 
+ * Added support for GPUUtilizationLimit and CPUUtilizationLimit. +* SCPolicyConfig + * Initial release. +* SCSensitivityLabel + * Fixed issue with setting label priority + FIXES [#5266](https://github.com/microsoft/Microsoft365DSC/issues/5266) +* SentinelAlertRule + * Initial release. +* SentinelThreatIntelligenceIndicator + * Initial release. +* SPOSharingSettings + * Deprecated property RequireAcceptingAccountMatchInvitedAccount. + FIXES [#4979](https://github.com/microsoft/Microsoft365DSC/issues/4979) +* SPOTenantSettings + * Added support for AllowSelectSGsInODBListInTenant, + DenySelectSGsInODBListInTenant, DenySelectSecurityGroupsInSPSitesList, + AllowSelectSecurityGroupsInSPSitesList, + ExemptNativeUsersFromTenantLevelRestricedAccessControl properties. + * TenantDefaultTimezone changed to String instead of Array. +* TeamsMeetingPolicy + * Added new parameters: AllowExternalNonTrustedMeetingChat, AttendeeIdentityMasking, + AutomaticallyStartCopilot, AutoRecording, ConnectToMeetingControls, + ContentSharingInExternalMeetings, Copilot, CopyRestriction, + DetectSensitiveContentDuringScreenSharing, ExternalMeetingJoin, ParticipantNameChange, + VoiceIsolation +* TeamsOrgWideAppSettings + * Fixed an issue where ManagedIdentity wasn't define in the methods' signatures. + FIXES [#5188](https://github.com/microsoft/Microsoft365DSC/issues/5188) +* M365DSCDRGUtil + * Fixes an issue where non-unique properties were not combined + properly with their respective parent setting. +* MISC + * Fixed references to graph.microsoft.com with dynamic domain name based on target cloud. 
+ Impacted AADAdminConsentRequestPolicy, AADApplication, AADConditionalAccessPolicy, AADGroup, + AADNamedLocationPolicy, AADServiePrincipal, IntuneASRRulesPolicyWindows10, + IntuneAccountProtectionLocalUsersGroupMembershipPolicy, IntuneAccountProtectionPolicy, + IntuneAppProtectionPolicyiOS,IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10, + IntuneDeviceConfigurationSCEPCertificatePolicyWindows10, IntuneDeviceConfigurationWiredNetworkPolicyWindows10, + IntuneDeviceEnrollmentStatusPageWindows10, IntuneDiskEncryptionMacOS, IntunePolicySets, + IntuneSettingCatalogCustomPolicyWindows10, M365DSCRGUtil + * Exponential performance improvements by reducing complexity and roundtrips. + * Changed the logic that appends GUID in the resource name when primary key is not found during an + export. We will only append a GUID if the IsSingleInstance property is not found on the resource. + * Add check in AADGroupSettings for NewUnifiedGroupWritebackDefault not existing in Government by default + FIXES [#5213](https://github.com/microsoft/Microsoft365DSC/issues/5213) + * Fix static refrences to graph.microsoft.com + FIXES [#5339](https://github.com/microsoft/Microsoft365DSC/issues/5339) + AADNetworkAccessForwardingPolicy. AADOrganizationCertificateBasedAuthConfiguration, + AADAuthenticationMethodPolicyExternal, AADEnrichedAuditLogs + FIXES [#5340](https://github.com/microsoft/Microsoft365DSC/issues/5340) + IntuneDeviceManagementEnrollmentAndroidGooglePlay, IntuneAppleMDMPushNotificationCertificate + * Fixes static OData refrences to graph.microsoft.com + AADApplication, AADEntitlementManagementAccessPackage, AADEntitlementManagementConnectedOrganization + AADServicePrincipal + FIXES [#5342](https://github.com/microsoft/Microsoft365DSC/issues/5342) +* DEPENDENCIES + * Updated Microsoft.Graph to version 2.24.0. + * Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.199. 
+ * Updated MSCloudLoginAssistant to version 1.1.27 + * Updated MicrosoftTeams to version 6.6.0. + # 1.24.1016.1 * AADAdminConsentRequestPolicy @@ -14,6 +231,8 @@ * Initial release. * AADConnectorGroupApplicationProxy * Initial release. +* AADCustomAuthenticationExtension + * Initial release. * AADCustomSecurityAttributeDefinition * Initial release. * AADDeviceRegistrationPolicy @@ -25,7 +244,8 @@ * AADLifecycleWorkflowSettings * Initial release. * AADServicePrincipal - * Adding Delegated Permission Classification Property + * Added Delegated Permission Classification Property + * Added Custom Security Attributes Property * ADOPermissionGroupSettings * Initial release. * EXOATPBuiltInProtectionRule @@ -44,6 +264,8 @@ * Initial release. * IntuneDeviceConfigurationIdentityProtectionPolicyWindows10 * Added deprecation notice. +* IntuneDeviceManagementEnrollmentAndroidGooglePlay + * Initial release * IntuneEndpointDetectionAndResponsePolicyWindows10 * Migrate to new Settings Catalog cmdlets. * IntuneMobileAppsMacOSLobApp @@ -67,6 +289,8 @@ * TeamsUpgradePolicy * Added support for tenant wide changes using the * value for users. FIXES [#5174](https://github.com/microsoft/Microsoft365DSC/issues/5174) +* TeamsGroupPolicyAssignments + * FIXES [#5179](https://github.com/microsoft/Microsoft365DSC/issues/5179) * M365DSCDRGUtil * Fixes an issue for the handling of skipped one-property elements in the Settings Catalog. FIXES [#5086](https://github.com/microsoft/Microsoft365DSC/issues/5086) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewDefinition/MSFT_AADAccessReviewDefinition.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewDefinition/MSFT_AADAccessReviewDefinition.psm1 new file mode 100644 index 0000000000..2810be790b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewDefinition/MSFT_AADAccessReviewDefinition.psm1 
@@ -0,0 +1,982 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter()] + [System.String] + $DescriptionForAdmins, + + [Parameter()] + [System.String] + $DescriptionForReviewers, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScopeValue, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $SettingsValue, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $StageSettings, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaIdentityGovernanceAccessReviewDefinition -AccessReviewScheduleDefinitionId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Access Review Definition with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaIdentityGovernanceAccessReviewDefinition ` + -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue | Where-Object ` + -FilterScript { + $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.AccessReviewScheduleDefinition" + } + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Access Review Definition with DisplayName {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Azure AD Access Review Definition with Id {$Id} and DisplayName {$DisplayName} was found" + + #region resource generator code + $complexScope = @{} + $complexScope.Add('Query', $getValue.Scope.AdditionalProperties.query) + $complexScope.Add('QueryRoot', $getValue.Scope.AdditionalProperties.queryRoot) + $complexScope.Add('QueryType', $getValue.Scope.AdditionalProperties.queryType) + + $complexPrincipalScopes = @() + foreach ($currentPrincipalScopes in $getValue.Scope.AdditionalProperties.principalScopes) + { + $myPrincipalScopes = @{} + $myPrincipalScopes.Add('Query', $currentPrincipalScopes.query) + $myPrincipalScopes.Add('QueryRoot', $currentPrincipalScopes.queryRoot) + $myPrincipalScopes.Add('QueryType', $currentPrincipalScopes.queryType) + if ($null -ne $currentPrincipalScopes.'@odata.type') + { + $myPrincipalScopes.Add('odataType', $currentPrincipalScopes.'@odata.type'.ToString()) + } + if ($myPrincipalScopes.values.Where({$null -ne $_}).Count -gt 0) + { + $complexPrincipalScopes += $myPrincipalScopes + } + } + $complexScope.Add('PrincipalScopes',$complexPrincipalScopes) + $complexResourceScopes = @() + foreach ($currentResourceScopes in $getValue.Scope.AdditionalProperties.resourceScopes) + { + $myResourceScopes = @{} + $myResourceScopes.Add('Query', $currentResourceScopes.query) + $myResourceScopes.Add('QueryRoot', $currentResourceScopes.queryRoot) + $myResourceScopes.Add('QueryType', $currentResourceScopes.queryType) + if ($null -ne $currentResourceScopes.'@odata.type') + { + $myResourceScopes.Add('odataType', $currentResourceScopes.'@odata.type'.ToString()) + } + if ($myResourceScopes.values.Where({$null -ne $_}).Count -gt 0) + { + $complexResourceScopes += $myResourceScopes + } + } + $complexScope.Add('ResourceScopes',$complexResourceScopes) + + + if ($null -ne $getValue.Scope.AdditionalProperties.'@odata.type') + { + $complexScope.Add('odataType', 
$getValue.Scope.AdditionalProperties.'@odata.type'.ToString()) + } + if ($complexScope.values.Where({$null -ne $_}).Count -eq 0) + { + $complexScope = $null + } + + $complexSettings = @{} + $complexApplyActions = @() + foreach ($currentApplyActions in $getValue.Settings.applyActions) + { + $myApplyActions = @{} + if ($null -ne $currentApplyActions.AdditionalProperties.'@odata.type') + { + $myApplyActions.Add('odataType', $currentApplyActions.AdditionalProperties.'@odata.type'.ToString()) + } + if ($myApplyActions.values.Where({$null -ne $_}).Count -gt 0) + { + $complexApplyActions += $myApplyActions + } + } + $complexSettings.Add('ApplyActions',$complexApplyActions) + $complexSettings.Add('AutoApplyDecisionsEnabled', $getValue.Settings.autoApplyDecisionsEnabled) + $complexSettings.Add('DecisionHistoriesForReviewersEnabled', $getValue.Settings.decisionHistoriesForReviewersEnabled) + $complexSettings.Add('DefaultDecision', $getValue.Settings.defaultDecision) + $complexSettings.Add('DefaultDecisionEnabled', $getValue.Settings.defaultDecisionEnabled) + $complexSettings.Add('InstanceDurationInDays', $getValue.Settings.instanceDurationInDays) + $complexSettings.Add('JustificationRequiredOnApproval', $getValue.Settings.justificationRequiredOnApproval) + $complexSettings.Add('MailNotificationsEnabled', $getValue.Settings.mailNotificationsEnabled) + $complexRecommendationInsightSettings = @() + foreach ($currentRecommendationInsightSettings in $getValue.Settings.recommendationInsightSettings) + { + $myRecommendationInsightSettings = @{} + $myRecommendationInsightSettings.Add('RecommendationLookBackDuration', $currentRecommendationInsightSettings.AdditionalProperties.recommendationLookBackDuration) + if ($null -ne $currentRecommendationInsightSettings.AdditionalProperties.signInScope) + { + $myRecommendationInsightSettings.Add('SignInScope', $currentRecommendationInsightSettings.AdditionalProperties.signInScope.ToString()) + } + if ($null -ne 
$currentRecommendationInsightSettings.AdditionalProperties.'@odata.type') + { + $myRecommendationInsightSettings.Add('odataType', $currentRecommendationInsightSettings.AdditionalProperties.'@odata.type'.ToString()) + } + if ($myRecommendationInsightSettings.values.Where({$null -ne $_}).Count -gt 0) + { + $complexRecommendationInsightSettings += $myRecommendationInsightSettings + } + } + $complexSettings.Add('RecommendationInsightSettings',$complexRecommendationInsightSettings) + + if ($null -ne $getValue.Settings.recommendationLookBackDuration) + { + $complexSettings.Add('RecommendationLookBackDuration', $getValue.Settings.recommendationLookBackDuration.ToString()) + } + $complexSettings.Add('RecommendationsEnabled', $getValue.Settings.recommendationsEnabled) + $complexRecurrence = @{} + $complexPattern = @{} + $complexPattern.Add('DayOfMonth', $getValue.settings.recurrence.pattern.dayOfMonth) + if ($null -ne $getValue.settings.recurrence.pattern.daysOfWeek) + { + $complexPattern.Add('DaysOfWeek', $getValue.settings.recurrence.pattern.daysOfWeek) + } + if ($null -ne $getValue.settings.recurrence.pattern.firstDayOfWeek) + { + $complexFirstDaysOfWeek = [String]::Join(", ", $getValue.settings.recurrence.pattern.firstDayOfWeek) + $complexPattern.Add('FirstDayOfWeek',$complexFirstDaysOfWeek) + } + if ($null -ne $getValue.settings.recurrence.pattern.index) + { + $complexPattern.Add('Index', $getValue.settings.recurrence.pattern.index.ToString()) + } + $complexPattern.Add('Interval', $getValue.settings.recurrence.pattern.interval) + $complexPattern.Add('Month', $getValue.settings.recurrence.pattern.month) + if ($null -ne $getValue.settings.recurrence.pattern.type) + { + $complexPattern.Add('Type', $getValue.settings.recurrence.pattern.type.ToString()) + } + if ($complexPattern.values.Where({$null -ne $_}).Count -eq 0) + { + $complexPattern = $null + } + $complexRecurrence.Add('Pattern',$complexPattern) + $complexRange = @{} + if ($null -ne 
$getValue.settings.recurrence.range.endDate) + { + $complexRange.Add('EndDate', ([DateTime]$getValue.settings.recurrence.range.endDate).ToString('')) + } + $complexRange.Add('NumberOfOccurrences', $getValue.settings.recurrence.range.numberOfOccurrences) + $complexRange.Add('RecurrenceTimeZone', $getValue.settings.recurrence.range.recurrenceTimeZone) + if ($null -ne $getValue.settings.recurrence.range.startDate) + { + $complexRange.Add('StartDate', ([DateTime]$getValue.settings.recurrence.range.startDate).ToString('')) + } + if ($null -ne $getValue.settings.recurrence.range.type) + { + $complexRange.Add('Type', $getValue.settings.recurrence.range.type.ToString()) + } + if ($complexRange.values.Where({$null -ne $_}).Count -eq 0) + { + $complexRange = $null + } + $complexRecurrence.Add('Range',$complexRange) + if ($complexRecurrence.values.Where({$null -ne $_}).Count -eq 0) + { + $complexRecurrence = $null + } + $complexSettings.Add('Recurrence',$complexRecurrence) + $complexSettings.Add('ReminderNotificationsEnabled', $getValue.Settings.reminderNotificationsEnabled) + if ($complexSettings.values.Where({$null -ne $_}).Count -eq 0) + { + $complexSettings = $null + } + + $complexStageSettings = @() + foreach ($currentStageSettings in $getValue.stageSettings) + { + $myStageSettings = @{} + $myStageSettings.Add('DecisionsThatWillMoveToNextStage', $currentStageSettings.decisionsThatWillMoveToNextStage) + $myStageSettings.Add('DependsOnValue', $currentStageSettings.dependsOn) + $myStageSettings.Add('DurationInDays', $currentStageSettings.durationInDays) + $complexRecommendationInsightSettings = @() + foreach ($currentRecommendationInsightSettings in $currentStageSettings.recommendationInsightSettings) + { + $myRecommendationInsightSettings = @{} + + if ($null -ne $currentRecommendationInsightSettings.recommendationLookBackDuration) + { + + $myRecommendationInsightSettings.Add('RecommendationLookBackDuration', 
$currentRecommendationInsightSettings.recommendationLookBackDuration.ToString()) + } + if ($null -ne $currentRecommendationInsightSettings.signInScope) + { + $myRecommendationInsightSettings.Add('SignInScope', $currentRecommendationInsightSettings.signInScope.ToString()) + } + if ($null -ne $currentRecommendationInsightSettings.'@odata.type') + { + $myRecommendationInsightSettings.Add('odataType', $currentRecommendationInsightSettings.'@odata.type'.ToString()) + } + if ($myRecommendationInsightSettings.values.Where({$null -ne $_}).Count -gt 0) + { + $complexRecommendationInsightSettings += $myRecommendationInsightSettings + } + } + $myStageSettings.Add('RecommendationInsightSettings',$complexRecommendationInsightSettings) + $myStageSettings.Add('RecommendationLookBackDuration', $currentStageSettings.recommendationLookBackDuration) + $myStageSettings.Add('RecommendationsEnabled', $currentStageSettings.recommendationsEnabled) + $myStageSettings.Add('StageId', $currentStageSettings.stageId) + if ($myStageSettings.values.Where({$null -ne $_}).Count -gt 0) + { + $complexStageSettings += $myStageSettings + } + } + #endregion + + $results = @{ + DescriptionForAdmins = $getValue.DescriptionForAdmins + DescriptionForReviewers = $getValue.DescriptionForReviewers + DisplayName = $getValue.DisplayName + ScopeValue = $complexScope + SettingsValue = $complexSettings + StageSettings = $complexStageSettings + Id = $getValue.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + 
[CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $DescriptionForAdmins, + + [Parameter()] + [System.String] + $DescriptionForReviewers, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScopeValue, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $SettingsValue, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $StageSettings, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if($StageSettings -ne $null) + { + Write-Verbose -Message "StageSettings cannot be updated after creation of access review definition." 
+ + if($currentInstance.Ensure -ne 'Absent') { + Write-Verbose -Message "Removing the Azure AD Access Review Definition with Id {$($currentInstance.Id)}" + Remove-MgBetaIdentityGovernanceAccessReviewDefinition -AccessReviewScheduleDefinitionId $currentInstance.Id + } + + Write-Verbose -Message "Creating an Azure AD Access Review Definition with DisplayName {$DisplayName}" + + $createParameters = ([Hashtable]$BoundParameters).Clone() + + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + $createParameters.Remove('Id') | Out-Null + + $createParameters.Add('Scope', $createParameters.ScopeValue) + $createParameters.Remove('ScopeValue') | Out-Null + + $createParameters.Add('Settings', $createParameters.SettingsValue) + $createParameters.Remove('SettingsValue') | Out-Null + + foreach ($hashtable in $createParameters.StageSettings) { + $propertyToRemove = 'DependsOnValue' + $newProperty = 'DependsOn' + if ($hashtable.ContainsKey($propertyToRemove)) { + $value = $hashtable[$propertyToRemove] + $hashtable[$newProperty] = $value + $hashtable.Remove($propertyToRemove) + } + } + + foreach ($hashtable in $createParameters.StageSettings) { + $keys = (([Hashtable]$hashtable).Clone()).Keys + foreach ($key in $keys) + { + $value = $hashtable.$key + $hashtable.Remove($key) + $hashtable.Add($key.Substring(0,1).ToLower() + $key.Substring(1), $value) + } + } + + foreach ($hashtable in $createParameters.StageSettings) { + Write-Verbose -Message "Priting Values: $(Convert-M365DscHashtableToString -Hashtable $hashtable)" + } + + $keys = (([Hashtable]$createParameters).Clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $createParameters.$key -and $createParameters.$key.GetType().Name -like '*CimInstance*') + { + $createParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $createParameters.$key + } + } + $createParameters.Add("@odata.type", "#microsoft.graph.AccessReviewScheduleDefinition") + $policy = 
New-MgBetaIdentityGovernanceAccessReviewDefinition -BodyParameter $createParameters + return; + } + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Azure AD Access Review Definition with DisplayName {$DisplayName}" + + $createParameters = ([Hashtable]$BoundParameters).Clone() + + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + + $createParameters.Remove('Id') | Out-Null + + $createParameters.Add('Scope', $createParameters.ScopeValue) + $createParameters.Remove('ScopeValue') | Out-Null + + $createParameters.Add('Settings', $createParameters.SettingsValue) + $createParameters.Remove('SettingsValue') | Out-Null + + foreach ($hashtable in $createParameters.StageSettings) { + $propertyToRemove = 'DependsOnValue' + $newProperty = 'DependsOn' + if ($hashtable.ContainsKey($propertyToRemove)) { + $value = $hashtable[$propertyToRemove] + $hashtable[$newProperty] = $value + $hashtable.Remove($propertyToRemove) + } + } + + foreach ($hashtable in $createParameters.StageSettings) { + $keys = (([Hashtable]$hashtable).Clone()).Keys + foreach ($key in $keys) + { + $value = $hashtable.$key + $hashtable.Remove($key) + $hashtable.Add($key.Substring(0,1).ToLower() + $key.Substring(1), $value) + } + } + + foreach ($hashtable in $createParameters.StageSettings) { + Write-Verbose -Message "Priting Values: $(Convert-M365DscHashtableToString -Hashtable $hashtable)" + } + + $keys = (([Hashtable]$createParameters).Clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $createParameters.$key -and $createParameters.$key.GetType().Name -like '*CimInstance*') + { + $createParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $createParameters.$key + } + } + #region resource generator code + $createParameters.Add("@odata.type", "#microsoft.graph.AccessReviewScheduleDefinition") + $policy = New-MgBetaIdentityGovernanceAccessReviewDefinition -BodyParameter 
$createParameters + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Access Review Definition with Id {$($currentInstance.Id)}" + + $updateParameters = ([Hashtable]$BoundParameters).Clone() + $updateParameters = Rename-M365DSCCimInstanceParameter -Properties $updateParameters + + $updateParameters.Remove('Id') | Out-Null + + $updateParameters.Add('Scope', $updateParameters.ScopeValue) + $updateParameters.Remove('ScopeValue') | Out-Null + + $updateParameters.Add('Settings', $updateParameters.SettingsValue) + $updateParameters.Remove('SettingsValue') | Out-Null + + + $keys = (([Hashtable]$updateParameters).Clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $pdateParameters.$key -and $updateParameters.$key.GetType().Name -like '*CimInstance*') + { + $updateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $updateParameters.AccessReviewScheduleDefinitionId + } + } + + #region resource generator code + $UpdateParameters.Add("@odata.type", "#microsoft.graph.AccessReviewScheduleDefinition") + Set-MgBetaIdentityGovernanceAccessReviewDefinition ` + -AccessReviewScheduleDefinitionId $currentInstance.Id ` + -BodyParameter $UpdateParameters + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Azure AD Access Review Definition with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaIdentityGovernanceAccessReviewDefinition -AccessReviewScheduleDefinitionId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter()] + [System.String] + $DescriptionForAdmins, + + [Parameter()] + [System.String] + $DescriptionForReviewers, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance] + $ScopeValue, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $SettingsValue, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $StageSettings, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Access Review Definition with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if 
(-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaIdentityGovernanceAccessReviewDefinition ` + -Filter $Filter ` + -All ` + -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.ScopeValue) + { + $complexMapping = @( + @{ + Name = 'ScopeValue' + CimInstanceName = 'MicrosoftGraphAccessReviewScope' + IsRequired = $False + } + @{ + Name = 'PrincipalScopes' + CimInstanceName = 'MicrosoftGraphAccessReviewScope' + IsRequired = $False + } + @{ + Name = 'ResourceScopes' + CimInstanceName = 'MicrosoftGraphAccessReviewScope' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + 
-ComplexObject $Results.ScopeValue ` + -CIMInstanceName 'MicrosoftGraphaccessReviewScope' ` + -ComplexTypeMapping $complexMapping + + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.ScopeValue = $complexTypeStringResult + } + else + { + $Results.Remove('ScopeValue') | Out-Null + } + } + if ($null -ne $Results.SettingsValue) + { + $complexMapping = @( + @{ + Name = 'SettingsValue' + CimInstanceName = 'MicrosoftGraphAccessReviewScheduleSettings' + IsRequired = $False + } + @{ + Name = 'ApplyActions' + CimInstanceName = 'MicrosoftGraphAccessReviewApplyAction' + IsRequired = $False + } + @{ + Name = 'RecommendationInsightSettings' + CimInstanceName = 'MicrosoftGraphAccessReviewRecommendationInsightSetting' + IsRequired = $False + } + @{ + Name = 'Recurrence' + CimInstanceName = 'MicrosoftGraphPatternedRecurrence' + IsRequired = $False + } + @{ + Name = 'Pattern' + CimInstanceName = 'MicrosoftGraphRecurrencePattern' + IsRequired = $False + } + @{ + Name = 'Range' + CimInstanceName = 'MicrosoftGraphRecurrenceRange' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.SettingsValue ` + -CIMInstanceName 'MicrosoftGraphaccessReviewScheduleSettings' ` + -ComplexTypeMapping $complexMapping + + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.SettingsValue = $complexTypeStringResult + } + else + { + $Results.Remove('SettingsValue') | Out-Null + } + } + if ($null -ne $Results.StageSettings) + { + $complexMapping = @( + @{ + Name = 'StageSettings' + CimInstanceName = 'MicrosoftGraphAccessReviewStageSettings' + IsRequired = $False + } + @{ + Name = 'PrincipalScopes' + CimInstanceName = 'MicrosoftGraphAccessReviewScope' + IsRequired = $False + } + @{ + Name = 'ResourceScopes' + CimInstanceName = 'MicrosoftGraphAccessReviewScope' + IsRequired = $False + } + @{ + Name = 'RecommendationInsightSettings' + CimInstanceName = 
'MicrosoftGraphAccessReviewRecommendationInsightSetting' + IsRequired = $False + } + @{ + Name = 'PrincipalScopes' + CimInstanceName = 'MicrosoftGraphAccessReviewScope' + IsRequired = $False + } + @{ + Name = 'ResourceScopes' + CimInstanceName = 'MicrosoftGraphAccessReviewScope' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.StageSettings ` + -CIMInstanceName 'MicrosoftGraphaccessReviewStageSettings' ` + -ComplexTypeMapping $complexMapping + + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.StageSettings = $complexTypeStringResult + } + else + { + $Results.Remove('StageSettings') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.ScopeValue) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "ScopeValue" -IsCIMArray:$False + } + if ($Results.SettingsValue) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "SettingsValue" -IsCIMArray:$False + } + if ($Results.StageSettings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "StageSettings" -IsCIMArray:$True + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewDefinition/MSFT_AADAccessReviewDefinition.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewDefinition/MSFT_AADAccessReviewDefinition.schema.mof
new file mode 100644
index 0000000000..dcac4dc864
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewDefinition/MSFT_AADAccessReviewDefinition.schema.mof
@@ -0,0 +1,96 @@ +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphAccessReviewScope +{ + [Write, Description("The query representing what will be reviewed in an access review.")] String Query; + [Write, Description("In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query is specified. For example, ./manager.")] String QueryRoot; + [Write, Description("Indicates the type of query. Types include MicrosoftGraph and ARM.")] String QueryType; + [Write, Description("Defines the scopes of the principals for which access to resources are reviewed in the access review."), EmbeddedInstance("MSFT_MicrosoftGraphAccessReviewScope")] String PrincipalScopes[]; + [Write, Description("Defines the scopes of the resources for which access is reviewed."), EmbeddedInstance("MSFT_MicrosoftGraphAccessReviewScope")] String ResourceScopes[]; + [Write, Description("The type of the entity."), ValueMap{"#microsoft.graph.accessReviewQueryScope","#microsoft.graph.accessReviewReviewerScope","#microsoft.graph.principalResourceMembershipsScope"}, Values{"#microsoft.graph.accessReviewQueryScope","#microsoft.graph.accessReviewReviewerScope","#microsoft.graph.principalResourceMembershipsScope"}] String odataType; +}; +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphAccessReviewScheduleSettings +{ + [Write, Description("Optional field. Describes the actions to take once a review is complete. There are two types that are currently supported: removeAccessApplyAction (default) and disableAndDeleteUserApplyAction. Field only needs to be specified in the case of disableAndDeleteUserApplyAction."), EmbeddedInstance("MSFT_MicrosoftGraphAccessReviewApplyAction")] String ApplyActions[]; + [Write, Description("Indicates whether decisions are automatically applied. When set to false, an admin must apply the decisions manually once the reviewer completes the access review. 
When set to true, decisions are applied automatically after the access review instance duration ends, whether or not the reviewers have responded. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond.")] Boolean AutoApplyDecisionsEnabled; + [Write, Description("Indicates whether decisions on previous access review stages are available for reviewers on an accessReviewInstance with multiple subsequent stages. If not provided, the default is disabled (false).")] Boolean DecisionHistoriesForReviewersEnabled; + [Write, Description("Decision chosen if defaultDecisionEnabled is enabled. Can be one of Approve, Deny, or Recommendation.")] String DefaultDecision; + [Write, Description("Indicates whether the default decision is enabled or disabled when reviewers do not respond. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond.")] Boolean DefaultDecisionEnabled; + [Write, Description("Duration of each recurrence of review (accessReviewInstance) in number of days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its durationInDays setting will be used instead of the value of this property.")] UInt32 InstanceDurationInDays; + [Write, Description("Indicates whether reviewers are required to provide justification with their decision. Default value is false.")] Boolean JustificationRequiredOnApproval; + [Write, Description("Indicates whether emails are enabled or disabled. Default value is false.")] Boolean MailNotificationsEnabled; + [Write, Description("Optional. Describes the types of insights that aid reviewers to make access review decisions. 
NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationInsightSettings setting will be used instead of the value of this property."), EmbeddedInstance("MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting")] String RecommendationInsightSettings[]; + [Write, Description("Optional field. Indicates the period of inactivity (with respect to the start date of the review instance) that recommendations will be configured from. The recommendation will be to deny if the user is inactive during the look-back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationLookBackDuration setting will be used instead of the value of this property.")] String RecommendationLookBackDuration; + [Write, Description("Indicates whether decision recommendations are enabled or disabled. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationsEnabled setting will be used instead of the value of this property.")] Boolean RecommendationsEnabled; + [Write, Description("Detailed settings for recurrence using the standard Outlook recurrence object. Note: Only dayOfMonth, interval, and type (weekly, absoluteMonthly) properties are supported. Use the property startDate on recurrenceRange to determine the day the review starts."), EmbeddedInstance("MSFT_MicrosoftGraphPatternedRecurrence")] String Recurrence; + [Write, Description("Indicates whether reminders are enabled or disabled. 
Default value is false.")] Boolean ReminderNotificationsEnabled; +}; +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphAccessReviewApplyAction +{ + [Write, Description("The type of the entity."), ValueMap{"#microsoft.graph.disableAndDeleteUserApplyAction","#microsoft.graph.removeAccessApplyAction"}, Values{"#microsoft.graph.disableAndDeleteUserApplyAction","#microsoft.graph.removeAccessApplyAction"}] String odataType; +}; +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting +{ + [Write, Description("Optional. Indicates the time period of inactivity (with respect to the start date of the review instance) that recommendations will be configured from. The recommendation will be to deny if the user is inactive during the look-back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days.")] String RecommendationLookBackDuration; + [Write, Description("Indicates whether inactivity is calculated based on the user's inactivity in the tenant or in the application. The possible values are tenant, application, unknownFutureValue. application is only relevant when the access review is a review of an assignment to an application."), ValueMap{"tenant","application","unknownFutureValue"}, Values{"tenant","application","unknownFutureValue"}] String SignInScope; + [Write, Description("The type of the entity."), ValueMap{"#microsoft.graph.groupPeerOutlierRecommendationInsightSettings","#microsoft.graph.userLastSignInRecommendationInsightSetting"}, Values{"#microsoft.graph.groupPeerOutlierRecommendationInsightSettings","#microsoft.graph.userLastSignInRecommendationInsightSetting"}] String odataType; +}; +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphPatternedRecurrence +{ + [Write, Description("The frequency of an event. Do not specify for a one-time access review. 
For access reviews: Do not specify this property for a one-time access review. Only interval, dayOfMonth, and type (weekly, absoluteMonthly) properties of recurrencePattern are supported."), EmbeddedInstance("MSFT_MicrosoftGraphRecurrencePattern")] String Pattern; + [Write, Description("The duration of an event."), EmbeddedInstance("MSFT_MicrosoftGraphRecurrenceRange")] String Range; +}; +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphRecurrencePattern +{ + [Write, Description("The day of the month on which the event occurs. Required if type is absoluteMonthly or absoluteYearly.")] UInt32 DayOfMonth; + [Write, Description("A collection of the days of the week on which the event occurs. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. If type is relativeMonthly or relativeYearly, and daysOfWeek specifies more than one day, the event falls on the first day that satisfies the pattern. Required if type is weekly, relativeMonthly, or relativeYearly.")] String DaysOfWeek[]; + [Write, Description("The first day of the week. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. Default is sunday. Required if type is weekly.")] String FirstDayOfWeek; + [Write, Description("Specifies on which instance of the allowed days specified in daysOfWeek the event occurs, counted from the first instance in the month. The possible values are: first, second, third, fourth, last. Default is first. Optional and used if type is relativeMonthly or relativeYearly."), ValueMap{"first","second","third","fourth","last"}, Values{"first","second","third","fourth","last"}] String Index; + [Write, Description("The number of units between occurrences, where units can be in days, weeks, months, or years, depending on the type. Required.")] UInt32 Interval; + [Write, Description("The month in which the event occurs. 
This is a number from 1 to 12.")] UInt32 Month; + [Write, Description("The recurrence pattern type: daily, weekly, absoluteMonthly, relativeMonthly, absoluteYearly, relativeYearly. Required. For more information, see values of type property."), ValueMap{"daily","weekly","absoluteMonthly","relativeMonthly","absoluteYearly","relativeYearly"}, Values{"daily","weekly","absoluteMonthly","relativeMonthly","absoluteYearly","relativeYearly"}] String Type; +}; +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphRecurrenceRange +{ + [Write, Description("The date to stop applying the recurrence pattern. Depending on the recurrence pattern of the event, the last occurrence of the meeting may not be this date. Required if type is endDate.")] String EndDate; + [Write, Description("The number of times to repeat the event. Required and must be positive if type is numbered.")] UInt32 NumberOfOccurrences; + [Write, Description("Time zone for the startDate and endDate properties. Optional. If not specified, the time zone of the event is used.")] String RecurrenceTimeZone; + [Write, Description("The date to start applying the recurrence pattern. The first occurrence of the meeting may be this date or later, depending on the recurrence pattern of the event. Must be the same value as the start property of the recurring event. Required.")] String StartDate; + [Write, Description("The recurrence range. Possible values are: endDate, noEnd, numbered. Required."), ValueMap{"endDate","noEnd","numbered"}, Values{"endDate","noEnd","numbered"}] String Type; +}; +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphAccessReviewStageSettings +{ + [Write, Description("Indicate which decisions will go to the next stage. Can be a subset of Approve, Deny, Recommendation, or NotReviewed. If not provided, all decisions will go to the next stage. Optional.")] String DecisionsThatWillMoveToNextStage[]; + [Write, Description("Defines the sequential or parallel order of the stages and depends on the stageId. 
Only sequential stages are currently supported. For example, if stageId is 2, then dependsOn must be 1. If stageId is 1, don't specify dependsOn. Required if stageId isn't 1.")] String DependsOnValue[]; + [Write, Description("The duration of the stage. Required. NOTE: The cumulative value of this property across all stages 1. Will override the instanceDurationInDays setting on the accessReviewScheduleDefinition object. 2. Can't exceed the length of one recurrence. That is, if the review recurs weekly, the cumulative durationInDays can't exceed 7.")] UInt32 DurationInDays; + [Write, Description("Recommendation Insights Settings"), EmbeddedInstance("MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting")] String RecommendationInsightSettings[]; + [Write, Description("Optional field. Indicates the time period of inactivity (with respect to the start date of the review instance) from which that recommendations will be configured. The recommendation is to deny if the user is inactive during the look back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.")] String RecommendationLookBackDuration; + [Write, Description("Indicates whether showing recommendations to reviewers is enabled. Required. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.")] Boolean RecommendationsEnabled; + [Write, Description("Unique identifier of the accessReviewStageSettings. The stageId is used in dependsOn property to indicate the stage relationship. Required.")] String StageId; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADAccessReviewDefinition")] +class MSFT_AADAccessReviewDefinition : OMI_BaseResource +{ + [Key, Description("The unique identifier for an entity. 
Read-only.")] String Id; + [Required, Description("Name of the access review series. Supports $select and $orderby. Required on create.")] String DisplayName; + [Write, Description("Description provided by review creators to provide more context of the review to admins. Supports $select.")] String DescriptionForAdmins; + [Write, Description("Description provided by review creators to provide more context of the review to reviewers. Reviewers see this description in the email sent to them requesting their review. Email notifications support up to 256 characters. Supports $select.")] String DescriptionForReviewers; + [Write, Description("Defines the entities whose access is reviewed. For supported scopes, see accessReviewScope. Required on create. Supports $select and $filter (contains only). For examples of options for configuring scope, see Configure the scope of your access review definition using the Microsoft Graph API."), EmbeddedInstance("MSFT_MicrosoftGraphaccessReviewScope")] String ScopeValue; + [Write, Description("The settings for an access review series, see type definition below. Supports $select. Required on create."), EmbeddedInstance("MSFT_MicrosoftGraphaccessReviewScheduleSettings")] String SettingsValue; + [Write, Description("Required only for a multi-stage access review to define the stages and their settings. You can break down each review instance into up to three sequential stages, where each stage can have a different set of reviewers, fallback reviewers, and settings. Stages are created sequentially based on the dependsOn property. Optional. 
When this property is defined, its settings are used instead of the corresponding settings in the accessReviewScheduleDefinition object and its settings, reviewers, and fallbackReviewers properties."), EmbeddedInstance("MSFT_MicrosoftGraphaccessReviewStageSettings")] String StageSettings[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewDefinition/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewDefinition/readme.md new file mode 100644 index 0000000000..4506f5be71 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewDefinition/readme.md @@ -0,0 +1,6 @@ + +# AADAccessReviewDefinition + +## Description + +Azure AD Access Review Definition diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewDefinition/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewDefinition/settings.json new file mode 100644 index 0000000000..f609988203 --- /dev/null 
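Review bot: The `EmbeddedInstance` names on `ScopeValue`, `SettingsValue` and `StageSettings` in `MSFT_AADAccessReviewDefinition` are spelled with a lowercase "access" (`MSFT_MicrosoftGraphaccessReviewScope`, `MSFT_MicrosoftGraphaccessReviewScheduleSettings`, `MSFT_MicrosoftGraphaccessReviewStageSettings`), while the classes earlier in this file are declared as `MSFT_MicrosoftGraphAccessReview…`. MOF class lookup is normally case-insensitive, so this probably resolves, but the references should match the declarations exactly, e.g. `EmbeddedInstance("MSFT_MicrosoftGraphAccessReviewScope")`. Separately, the `ApplicationSecret` description reads "Secret of the Azure Active Directory tenant"; it would be clearer as `Secret of the Azure Active Directory application used for authentication.`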
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewDefinition/settings.json
@@ -0,0 +1,29 @@
+{
+ "resourceName": "AADAccessReviewDefinition",
+ "description": "This resource configures an Azure AD Access Review Definition.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "AccessReview.Read.All"
+ }
+ ],
+ "update": [
+
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "AccessReview.Read.All"
+ }
+ ],
+ "update": [
+
+ ]
+ }
+ }
+}
+
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/MSFT_AADAccessReviewPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/MSFT_AADAccessReviewPolicy.psm1
new file mode 100644
index 0000000000..226e9f3c22
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/MSFT_AADAccessReviewPolicy.psm1
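Review bot: Both `update` arrays (under `delegated` and `application`) are empty, but the resource's Set-TargetResource in this same commit calls `New-MgBetaIdentityGovernanceAccessReviewDefinition`, `Set-MgBetaIdentityGovernanceAccessReviewDefinition` and `Remove-MgBetaIdentityGovernanceAccessReviewDefinition`. `AccessReview.Read.All` alone will not authorize those calls, so anyone who consents to exactly what this manifest declares gets a resource that can only read, and is likely to fix that by granting something broader ad hoc. Declare the write scope explicitly in both arrays, e.g. `{ "name": "AccessReview.ReadWrite.All" }`, after confirming against the Graph permission reference that it is the least-privileged scope that covers create, update and delete.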
@@ -0,0 +1,330 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $IsGroupOwnerManagementEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + $instance = Get-MgBetaPolicyAccessReviewPolicy -ErrorAction Stop + if ($null -eq $instance) + { + throw 'Could not retrieve the Access Review Policy' + } + + $results = @{ + IsSingleInstance = 'Yes' + IsGroupOwnerManagementEnabled = $instance.IsGroupOwnerManagementEnabled + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + 
+function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $IsGroupOwnerManagementEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $updateParameters = @{ + IsGroupOwnerManagementEnabled = $IsGroupOwnerManagementEnabled + } + + $updateJSON = ConvertTo-Json $updateParameters + Write-Verbose -Message "Updating the Entra Id Access Review Policy with values: $updateJSON" + Update-MgBetaPolicyAccessReviewPolicy -BodyParameter $updateParameters +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $IsGroupOwnerManagementEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaPolicyAccessReviewPolicy -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = 'Access Review Policy' + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + 
-Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/MSFT_AADAccessReviewPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/MSFT_AADAccessReviewPolicy.schema.mof new file mode 100644 index 0000000000..a5ddb2612b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/MSFT_AADAccessReviewPolicy.schema.mof @@ -0,0 +1,13 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADAccessReviewPolicy")] +class MSFT_AADAccessReviewPolicy : OMI_BaseResource +{ + [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("If true, group owners can create and manage access reviews on groups they own.")] Boolean IsGroupOwnerManagementEnabled; + + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/readme.md new file mode 100644 index 0000000000..70b59b7f25 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/readme.md 
@@ -0,0 +1,6 @@ + +# AADAccessReviewPolicy + +## Description + +Use this resource to monitor the access review policy object. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/settings.json new file mode 100644 index 0000000000..64be16a4f7 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/settings.json @@ -0,0 +1,28 @@ +{ + "resourceName": "AADAccessReviewPolicy", + "description": "Use this resource to monitor the access review policy object.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "Policy.Read.All" + } + ], + "update": [ + { + "name": "Policy.ReadWrite.AccessReview" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/MSFT_AADAdminConsentRequestPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/MSFT_AADAdminConsentRequestPolicy.psm1 index 317ea07cd2..682756ab41 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/MSFT_AADAdminConsentRequestPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/MSFT_AADAdminConsentRequestPolicy.psm1 @@ -40,6 +40,10 @@ function Get-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -121,6 +125,7 @@ function Get-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens 
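Review bot: In the new MSFT_AADAccessReviewPolicy/settings.json the `roles` lists and the `delegated` `read`/`update` lists are all empty, although Set-TargetResource and Export-TargetResource of the same resource accept `-Credential`. If this file feeds permission calculation or consent tooling (not visible in this diff), credential-based runs get no scope or role guidance; either list the delegated scopes and roles the resource needs or document that only application authentication is supported. The `description` also says "monitor" while Set-TargetResource changes the policy through `Update-MgBetaPolicyAccessReviewPolicy`; `"description": "Use this resource to configure the access review policy object."` would match the code.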
@@ -181,6 +186,10 @@ function Set-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -251,8 +260,9 @@ function Set-TargetResource $updateJSON = ConvertTo-Json $updateParameters Write-Verbose -Message "Updating the Entra Id Admin Consent Request Policy with values: $updateJSON" + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/policies/adminConsentRequestPolicy' Invoke-MgGraphRequest -Method 'PUT' ` - -Uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' ` + -Uri $Uri ` -Body $updateJSON | Out-Null } @@ -298,6 +308,10 @@ function Test-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -433,6 +447,7 @@ function Export-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/MSFT_AADAdminConsentRequestPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/MSFT_AADAdminConsentRequestPolicy.schema.mof index d9c7b838fc..3789d722e6 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/MSFT_AADAdminConsentRequestPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/MSFT_AADAdminConsentRequestPolicy.schema.mof 
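Review bot: The new `$Uri` in the `@@ -251,8 +260,9 @@` hunk of MSFT_AADAdminConsentRequestPolicy.psm1 is built by plain concatenation onto `$Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl`, so the authenticated PUT goes to the right place only if that global is populated and ends with a slash, and neither is checked here. The same pattern appears in the MSFT_AADApplication.psm1 hunks (`@@ -391,8 +391,9 @@`, `@@ -924,7 +925,7 @@`, `@@ -1135,8 +1136,10 @@`) and in the new MSFT_AADAuthenticationMethodPolicyExternal.psm1. A fail-fast guard keeps a missing profile from turning into a malformed request: `$base = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl`, `if ([string]::IsNullOrEmpty($base)) { throw 'Microsoft Graph resource URL is not initialised.' }`, `$Uri = $base.TrimEnd('/') + '/beta/policies/adminConsentRequestPolicy'`. Set-TargetResource starts and ends outside the hunk, so an earlier connection call may already guarantee the profile; if so, a one-line comment saying that would be enough.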
@@ -18,6 +18,7 @@ class MSFT_AADAdminConsentRequestPolicy : OMI_BaseResource [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 index c8e33c5291..75b7e9a62a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 @@ -391,8 +391,9 @@ function Get-TargetResource try { + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/applications/$($AADBetaApp.Id)/onPremisesPublishing" $oppInfo = Invoke-MgGraphRequest -Method GET ` - -Uri "https://graph.microsoft.com/beta/applications/$($AADBetaApp.Id)/onPremisesPublishing" ` + -Uri $Uri ` -ErrorAction SilentlyContinue } catch @@ -924,7 +925,7 @@ function Set-TargetResource { $Type = 'directoryObjects' } - $ObjectUri = 'https://graph.microsoft.com/v1.0/{0}/{1}' -f $Type, $diff.InputObject + $ObjectUri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'v1.0/{0}/{1}' -f $Type, $diff.InputObject $ownerObject = @{ '@odata.id' = $ObjectUri } 
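Review bot: In the `@@ -924,7 +925,7 @@` hunk of MSFT_AADApplication.psm1, `$ObjectUri = ...ResourceUrl + 'v1.0/{0}/{1}' -f $Type, $diff.InputObject` yields the intended URI only because `-f` binds tighter than `+`, which is easy to misread and easy to break in a later edit. Make the grouping explicit: `$ObjectUri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + ('v1.0/{0}/{1}' -f $Type, $diff.InputObject)`. Set-TargetResource's body continues outside the hunk.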
@@ -1135,8 +1136,10 @@ function Set-TargetResource $onPremisesPublishingValue.Add('singleSignOnSettings', $singleSignOnValues) $onPremisesPayload = ConvertTo-Json $onPremisesPublishingValue -Depth 10 -Compress Write-Verbose -Message "Updating the OnPremisesPublishing settings for application {$($currentAADApp.DisplayName)} with payload: $onPremisesPayload" + + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/applications/$($currentAADApp.Id)/onPremisesPublishing" Invoke-MgGraphRequest -Method 'PATCH' ` - -Uri "https://graph.microsoft.com/beta/applications/$($currentAADApp.Id)/onPremisesPublishing" ` + -Uri $Uri ` -Body $onPremisesPayload } #endregion diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.psm1 new file mode 100644 index 0000000000..92eecc1e8d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.psm1 
@@ -0,0 +1,678 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ExcludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $IncludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OpenIdConnectSetting, + + [Parameter()] + [ValidateSet('enabled', 'disabled')] + [System.String] + $State, + + [Parameter()] + [System.String] + $AppId, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + + if (-Not [string]::IsNullOrEmpty($DisplayName)) + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $getValue = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + else + { + $response = Invoke-MgGraphRequest -Method Get -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/policies/authenticationMethodsPolicy/" + $getValue = $response.authenticationMethodConfigurations | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + } + + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Authentication Method Policy External with DisplayName {$DisplayName}" + return $nullResult + } + + Write-Verbose -Message "An Azure AD Authentication Method Policy External with displayName {$DisplayName} was found." 
+ + #region resource generator code + $complexExcludeTargets = @() + foreach ($currentExcludeTargets in $getValue.excludeTargets) + { + $myExcludeTargets = @{} + if ($currentExcludeTargets.id -ne 'all_users'){ + $myExcludeTargetsDisplayName = get-MgGroup -GroupId $currentExcludeTargets.id + $myExcludeTargets.Add('Id', $myExcludeTargetsDisplayName.DisplayName) + } + else{ + $myExcludeTargets.Add('Id', $currentExcludeTargets.id) + } + if ($null -ne $currentExcludeTargets.targetType) + { + $myExcludeTargets.Add('TargetType', $currentExcludeTargets.targetType.toString()) + } + if ($myExcludeTargets.values.Where({ $null -ne $_ }).count -gt 0) + { + $complexExcludeTargets += $myExcludeTargets + } + } + #endregion + + $complexincludeTargets = @() + foreach ($currentincludeTargets in $getValue.includeTargets) + { + $myincludeTargets = @{} + if ($currentIncludeTargets.id -ne 'all_users'){ + $myIncludeTargetsDisplayName = get-MgGroup -GroupId $currentIncludeTargets.id + $myIncludeTargets.Add('Id', $myIncludeTargetsDisplayName.DisplayName) + } + else{ + $myIncludeTargets.Add('Id', $currentIncludeTargets.id) + } + if ($null -ne $currentincludeTargets.targetType) + { + $myincludeTargets.Add('TargetType', $currentincludeTargets.targetType.toString()) + } + if ($myincludeTargets.values.Where({ $null -ne $_ }).count -gt 0) + { + $complexincludeTargets += $myincludeTargets + } + } + + $complexOpenIdConnectSetting = @{ + clientId = $getValue.OpenIdConnectSetting.ClientId + discoveryUrl = $getValue.OpenIdConnectSetting.DiscoveryUrl + } + + #region resource generator code + $enumState = $null + if ($null -ne $getValue.State) + { + $enumState = $getValue.State.ToString() + } + #endregion + + $results = @{ + #region resource generator code + ExcludeTargets = $complexExcludeTargets + IncludeTargets = $complexincludeTargets + OpenIdConnectSetting = $complexOpenIdConnectSetting + State = $enumState + AppId = $getValue.appId + DisplayName = $getValue.displayName + Ensure = 'Present' + 
Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + #endregion + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ExcludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $IncludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OpenIdConnectSetting, + + [Parameter()] + [ValidateSet('enabled', 'disabled')] + [System.String] + $State, + + [Parameter()] + [System.String] + $AppId, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + $params = ([Hashtable]$BoundParameters).clone() + $params = Rename-M365DSCCimInstanceParameter -Properties $params + + $params = Get-UpdatedTargetProperty($params) + + $params.Add('@odata.type', '#microsoft.graph.externalAuthenticationMethodConfiguration') + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating the Azure AD Authentication Method Policy External with name {$DisplayName}" + + $newobj = New-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -BodyParameter $params + + Write-Verbose -Message "Creating the Azure AD Authentication Method Policy External with name {$($newObj.displayName)}" + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Authentication Method Policy External with name {$($currentInstance.displayName)}" + + $response = Invoke-MgGraphRequest -Method Get -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/policies/authenticationMethodsPolicy/" + $getValue = $response.authenticationMethodConfigurations | Where-Object -FilterScript {$_.displayName -eq $currentInstance.displayName} + + $params.Remove('displayName') | Out-Null + + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration ` + -AuthenticationMethodConfigurationId $getValue.Id ` + -BodyParameter $params + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 
'Present') + { + Write-Verbose -Message "Removing the Azure AD Authentication Method Policy External with Id {$($currentInstance.displayName)}" + + $response = Invoke-MgGraphRequest -Method Get -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/policies/authenticationMethodsPolicy/" + $getValue = $response.authenticationMethodConfigurations | Where-Object -FilterScript {$_.displayName -eq $currentInstance.displayName} + + Remove-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId $getValue.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ExcludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $IncludeTargets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OpenIdConnectSetting, + + [Parameter()] + [ValidateSet('enabled', 'disabled')] + [System.String] + $State, + + [Parameter()] + [System.String] + $AppId, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Authentication Method Policy External with Name {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source + + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, 
+ + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + $desiredType = "#microsoft.graph.externalAuthenticationMethodConfiguration" + $getPolicy = Invoke-MgGraphRequest -Method Get -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/policies/authenticationMethodsPolicy/" + $getValue = $getPolicy.AuthenticationMethodConfigurations | Where-Object -FilterScript {$_.'@odata.type' -eq $desiredType} + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.displayName + + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $config.displayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent 
+ AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.ExcludeTargets) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.ExcludeTargets ` + -CIMInstanceName 'AADAuthenticationMethodPolicyExternalExcludeTarget' + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.ExcludeTargets = $complexTypeStringResult + } + else + { + $Results.Remove('ExcludeTargets') | Out-Null + } + } + + if ($null -ne $Results.IncludeTargets) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.IncludeTargets ` + -CIMInstanceName 'AADAuthenticationMethodPolicyExternalIncludeTarget' + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.IncludeTargets = $complexTypeStringResult + } + else + { + $Results.Remove('IncludeTargets') | Out-Null + } + } + + if ($null -ne $Results.OpenIdConnectSetting) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.OpenIdConnectSetting ` + -CIMInstanceName 'AADAuthenticationMethodPolicyExternalOpenIdConnectSetting' + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.OpenIdConnectSetting = $complexTypeStringResult + } + else + { + $Results.Remove('OpenIdConnectSetting') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.ExcludeTargets) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ExcludeTargets' -IsCIMArray:$True + } + if ($Results.IncludeTargets) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'IncludeTargets' 
-IsCIMArray:$True + } + if ($Results.OpenIdConnectSetting) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'OpenIdConnectSetting' -IsCIMArray:$False + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-UpdatedTargetProperty +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter()] + [System.Collections.Hashtable] + $params + ) + + $keys = (([Hashtable]$params).clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $params.$key -and $params.$key.getType().Name -like '*cimInstance*') + { + $params.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $params.$key + } + if ($key -eq 'IncludeTargets') + { + $i = 0 + foreach ($entry in $params.$key){ + if ($entry.id -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$|all_users') + { + $Filter = "Displayname eq '$($entry.id)'" | Out-String + $params.$key[$i].foreach('id',(Get-MgGroup -Filter $Filter).id.ToString()) + } + $i++ + } + } + if ($key -eq 'ExcludeTargets') + { + $i = 0 + foreach ($entry in $params.$key){ + if ($entry.id -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$|all_users') + { + $Filter = "Displayname eq '$($entry.id)'" | Out-String + $params.$key[$i].foreach('id',(Get-MgGroup -Filter $Filter).id.ToString()) + } + $i++ + } + } + } + + return $params +} + +Export-ModuleMember -Function *-TargetResource 
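Review bot: `Get-UpdatedTargetProperty` in the new MSFT_AADAuthenticationMethodPolicyExternal.psm1 resolves include/exclude target groups with `"Displayname eq '$($entry.id)'" | Out-String`, which places the configured name into the OData filter unescaped and appends a newline, and then uses `(Get-MgGroup -Filter $Filter).id.ToString()` without checking how many groups matched. Display names are not necessarily unique in a tenant, so zero matches fails on a null value, several matches produce something that is not a single group id, and a name containing an apostrophe breaks or changes the filter. Because these targets decide which groups the external authentication method applies to, the lookup should fail closed on anything other than exactly one match. The lookup is duplicated for `IncludeTargets` and `ExcludeTargets`; the sketch below shows the body for one branch and would be better placed in a shared private helper.

```powershell
# … unchanged: CIM-instance conversion and the IncludeTargets / ExcludeTargets loop headers …
            if ($entry.id -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$|all_users')
            {
                # Double embedded apostrophes so the name stays inside the OData string literal.
                $Filter = "displayName eq '$($entry.id -replace "'", "''")'"
                $matchedGroups = @(Get-MgGroup -Filter $Filter)
                if ($matchedGroups.Count -ne 1)
                {
                    throw "Expected exactly one group named {$($entry.id)} but found $($matchedGroups.Count)."
                }
                $params.$key[$i].foreach('id', $matchedGroups[0].Id.ToString())
            }
# … unchanged: $i++ and the return of $params …
```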
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.schema.mof
new file mode 100644
index 0000000000..00077c4287
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.schema.mof
@@ -0,0 +1,39 @@
+[ClassVersion("1.0.0")]
+class MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget
+{
+ [Write, Description("The object identifier of an Azure AD group.")] String Id;
+ [Write, Description("The type of the authentication method target. Possible values are: group and unknownFutureValue."), ValueMap{"user","group","unknownFutureValue"}, Values{"user","group","unknownFutureValue"}] String TargetType;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget
+{
+ [Write, Description("The object identifier of an Azure AD group.")] String Id;
+ [Write, Description("The type of the authentication method target. Possible values are: group and unknownFutureValue."), ValueMap{"user","group","unknownFutureValue"}, Values{"user","group","unknownFutureValue"}] String TargetType;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting
+{
+ [Write, Description("The Microsoft Entra ID's client ID as generated by the provider or admin to identify Microsoft Entra ID.")] String ClientId;
+ [Write, Description("The host URL of the external identity provider's OIDC discovery endpoint.")] String DiscoveryUrl;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("AADAuthenticationMethodPolicyExternal")]
+class MSFT_AADAuthenticationMethodPolicyExternal : OMI_BaseResource
+{
+ [Write, Description("Displayname of the groups of users that are excluded from a policy."), EmbeddedInstance("MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget")] String ExcludeTargets[];
+ [Write, Description("Displayname of the groups of users that are included from a policy."), EmbeddedInstance("MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget")] String IncludeTargets[];
+ [Write, Description("Open ID Connection settings used by this external authentication method."), EmbeddedInstance("MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting")] String OpenIdConnectSetting;
+ [Write, Description("The state of the policy. Possible values are: enabled, disabled."), ValueMap{"enabled","disabled"}, Values{"enabled","disabled"}] String State;
+ [Write, Description("The appId for the app registration in Microsoft Entra ID representing the integration with the external provider.")] String AppId;
+ [Key, Description("The displayName of the authentication policy configuration. Read-only.")] String DisplayName;
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/readme.md
new file mode 100644
index 0000000000..7dfd5268e3
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/readme.md
@@ -0,0 +1,6 @@
+
+# AADAuthenticationMethodPolicyExternal
+
+## Description
+
+Azure AD Authentication Method Policy External
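Review bot: Several descriptions in the new MSFT_AADAuthenticationMethodPolicyExternal.schema.mof disagree with the schema and code beside them, which matters because they tell an administrator which principals a policy will target. `TargetType` says "Possible values are: group and unknownFutureValue" while its `ValueMap` also allows `user`. `Id` is described as "The object identifier of an Azure AD group" although Get-TargetResource in this commit returns the group's display name and the parent `ExcludeTargets`/`IncludeTargets` descriptions say "Displayname". `ApplicationSecret` reads "Secret of the Azure Active Directory tenant" where the sibling resource uses "Secret of the Azure Active Directory application to authenticate with.". I would reword `Id` to `"Display name or object id of the targeted group, or 'all_users'."`, add `user` to the `TargetType` text, and drop "Read-only" from the `DisplayName` key description.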
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/settings.json
new file mode 100644
index 0000000000..8257c0365e
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/settings.json
@@ -0,0 +1,52 @@
+{
+ "resourceName": "AADAuthenticationMethodPolicyExternal",
+ "description": "This resource configures an Azure AD Authentication Method Policy External.",
+ "roles": {
+ "read": [
+ "Security Reader"
+ ],
+ "update": [
+ "Authentication Policy Administrator"
+ ]
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "Policy.ReadWrite.AuthenticationMethod"
+ },
+ {
+ "name": "Policy.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "Policy.ReadWrite.AuthenticationMethod"
+ },
+ {
+ "name": "Policy.Read.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "Policy.ReadWrite.AuthenticationMethod"
+ },
+ {
+ "name": "Policy.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "Policy.ReadWrite.AuthenticationMethod"
+ },
+ {
+ "name": "Policy.Read.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/MSFT_AADClaimsMappingPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/MSFT_AADClaimsMappingPolicy.psm1
new file mode 100644
index 0000000000..20974fa4ca
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/MSFT_AADClaimsMappingPolicy.psm1
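Review bot: The delegated and application `read` lists in the new MSFT_AADAuthenticationMethodPolicyExternal/settings.json include the write scope `Policy.ReadWrite.AuthenticationMethod`, although Get-TargetResource in this commit only issues a GET on `beta/policies/authenticationMethodsPolicy/`. If `Policy.Read.All` is sufficient for that call (to be confirmed against the Graph permission reference), remove the write scope from both `read` lists so that identities used only for monitoring or export cannot change authentication methods. Get-TargetResource and Get-UpdatedTargetProperty also call `Get-MgGroup`, and no group-read permission is listed under `read` or `update`; add the one the project normally declares for group lookups.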
@@ -0,0 +1,636 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Definition, + + [Parameter()] + [System.Boolean] + $IsOrganizationDefault, + + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaPolicyClaimMappingPolicy -ClaimsMappingPolicyId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Claims Mapping Policy with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaPolicyClaimMappingPolicy ` + -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue | Where-Object ` + -FilterScript { + $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.ClaimsMappingPolicy" + } + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Claims Mapping Policy with DisplayName {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Azure AD Claims Mapping Policy with Id {$Id} and DisplayName {$DisplayName} was found" + + $complexDefinition = @() + foreach($getDefinitionJson in $getValue.Definition) + { + $getDefinition = ($getDefinitionJson | ConvertFrom-Json) + $ClaimsSchema = @() + foreach ($claimschema in $getDefinition.ClaimsMappingPolicy.ClaimsSchema) + { + $ClaimsSchema += @{ + Source = $claimschema.Source + Id = $claimschema.Id + SamlClaimType = $claimschema.SamlClaimType + } + } + + $ClaimsTransformation = @() + foreach ($claimtransformation in $getDefinition.ClaimsMappingPolicy.ClaimsTransformation) + { + $inputparams = @() + foreach ($inputparam in $claimtransformation.InputParameters) + { + $inputparams += @{ + Value = $inputparam.Value + Id = $inputparam.Id + DataType = $inputparam.DataType + } + } + + $outputClaimsObj = @() + foreach ($outclaim in $claimtransformation.OutputClaims) + { + $outputClaimsObj += @{ + ClaimTypeReferenceId = $outclaim.ClaimTypeReferenceId + TransformationClaimType = $outclaim.TransformationClaimType + } + } + $ClaimsTransformation += @{ + Id = $claimtransformation.Id + TransformationMethod = $claimtransformation.TransformationMethod + InputParameters = $inputparams + OutputClaims = $outputClaimsObj + } + } + + $complexDefinition += @{ + ClaimsMappingPolicy = @{ + Version = $getDefinition.ClaimsMappingPolicy.Version + IncludeBasicClaimSet = [bool]$getDefinition.ClaimsMappingPolicy.IncludeBasicClaimSet + ClaimsSchema = $ClaimsSchema + ClaimsTransformation = $ClaimsTransformation + } + } + } + + $results = @{ + #region resource generator code + Definition = $complexDefinition + IsOrganizationDefault = $getValue.IsOrganizationDefault + Description = $getValue.Description + DisplayName = $getValue.DisplayName + Id = $getValue.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + 
CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Definition, + + [Parameter()] + [System.Boolean] + $IsOrganizationDefault, + + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Azure AD Claims Mapping Policy with DisplayName {$DisplayName}" + + $createParameters = ([Hashtable]$BoundParameters).Clone() + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + $createParameters.Remove('Id') | Out-Null + + $keys = (([Hashtable]$createParameters).Clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $createParameters.$key -and $createParameters.$key.GetType().Name -like '*CimInstance*') + { + $createParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $createParameters.$key + } + } + + $complexDefinitions = $createParameters.Definition + $createParameters.Remove('Definition') | Out-Null + + $createParameters.Definition = $complexDefinitions | ConvertTo-Json -Depth 10 -Compress:$true + + $policy = New-MgBetaPolicyClaimMappingPolicy -BodyParameter $createParameters + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Claims Mapping Policy with Id {$($currentInstance.Id)}" + + $updateParameters = ([Hashtable]$BoundParameters).Clone() + $updateParameters = Rename-M365DSCCimInstanceParameter -Properties $updateParameters + + $updateParameters.Remove('Id') | Out-Null + + $keys = (([Hashtable]$updateParameters).Clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $pdateParameters.$key 
-and $updateParameters.$key.GetType().Name -like '*CimInstance*') + { + $updateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $updateParameters.ClaimsMappingPolicyId + } + } + + $complexDefinitions = $UpdateParameters.Definition + $UpdateParameters.Remove('Definition') | Out-Null + + $UpdateParameters.Definition = $complexDefinitions | ConvertTo-Json -Depth 10 -Compress:$true + + #region resource generator code + Update-MgBetaPolicyClaimMappingPolicy ` + -ClaimsMappingPolicyId $currentInstance.Id ` + -BodyParameter $UpdateParameters + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Azure AD Claims Mapping Policy with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaPolicyClaimMappingPolicy -ClaimsMappingPolicyId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Definition, + + [Parameter()] + [System.Boolean] + $IsOrganizationDefault, + + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Claims Mapping Policy with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + 
[System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaPolicyClaimMappingPolicy ` + -Filter $Filter ` + -All ` + -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode 
$ConnectionMode ` + -Results $Results + + if ($null -ne $Results.Definition) + { + $complexMapping = @( + @{ + Name = 'ClaimsMappingPolicy' + CimInstanceName = 'MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy' + IsRequired = $False + }, + @{ + Name = 'ClaimsSchema' + CimInstanceName = 'AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema' + IsRequired = $False + }, + @{ + Name = 'ClaimsTransformation' + CimInstanceName = 'AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation' + IsRequired = $False + }, + @{ + Name = 'InputParameters' + CimInstanceName = 'AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter' + IsRequired = $False + }, + @{ + Name = 'OutputClaims' + CimInstanceName = 'AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.Definition ` + -CIMInstanceName 'MSFT_AADClaimsMappingPolicyDefinition' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.Definition = $complexTypeStringResult + } + else + { + $Results.Remove('Definition') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.Definition) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Definition' -IsCIMArray:$True + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + 
-TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/MSFT_AADClaimsMappingPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/MSFT_AADClaimsMappingPolicy.schema.mof new file mode 100644 index 0000000000..1639436881 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/MSFT_AADClaimsMappingPolicy.schema.mof 
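Review bot: In the update branch of Set-TargetResource the CimInstance conversion never runs, because the guard tests `$pdateParameters.$key`, an undefined variable that always evaluates to `$null`, and the call passes `$updateParameters.ClaimsMappingPolicyId` instead of the current key. `Definition` is therefore presumably handed to `ConvertTo-Json` as raw CimInstance objects rather than the hashtable form the create branch sends, so an update can push a claims definition that differs from the declared one. The two lines should mirror the create branch: `if ($null -ne $updateParameters.$key -and $updateParameters.$key.GetType().Name -like '*CimInstance*')` and `-ComplexObject $updateParameters.$key`. Separately, Get-TargetResource interpolates `$DisplayName` into `-Filter "DisplayName eq '$DisplayName'"` without doubling single quotes, so a name containing an apostrophe breaks the lookup and, with `-ErrorAction SilentlyContinue`, the policy is reported as Absent.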
@@ -0,0 +1,64 @@ +[ClassVersion("1.0.0")] +class MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter +{ + [Write, Description("The value of the input parameters of the claims transformation in the claims mapping policy.")] String Value; + [Write, Description("The object identifier of the input parameters of the claims transformation in the claims mapping policy.")] String Id; + [Write, Description("The data type of the input parameters of the claims transformation in the claims mapping policy.")] String DataType; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims +{ + [Write, Description("The claim type reference ID of the output claims of the claims transformation in the claims mapping policy.")] String ClaimTypeReferenceId; + [Write, Description("The transformation type of the output claims of the claims transformation in the claims mapping policy.")] String TransformationClaimType; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation +{ + [Write, Description("The object identifier of the claims transformation in the claims mapping policy.")] String Id; + [Write, Description("The transformation method of the claims transformation in the claims mapping policy.")] String TransformationMethod; + [Write, Description("The list of input parameters of the claims transformation in the claims mapping policy."), EmbeddedInstance("MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter")] String InputParameters[]; + [Write, Description("The list of output claims of the claims transformation in the claims mapping policy."), EmbeddedInstance("MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims")] String OutputClaims[]; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema +{ + [Write, Description("The source name 
of the claims schema in the claims mapping policy.")] String Source; + [Write, Description("The object identifier of the claims schema in the claims mapping policy.")] String Id; + [Write, Description("The SAML claims type of the claims schema in the claims mapping policy.")] String SamlClaimType; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy +{ + [Write, Description("Set value of 1. Required.")] uint32 Version; + [Write, Description("If set to true, all claims in the basic claim set are emitted in tokens affected by the policy. If set to false, claims in the basic claim set are not in the tokens, unless they are individually added in the ClaimsSchema property of the same policy.")] Boolean IncludeBasicClaimSet; + [Write, Description("Defines which claims are present in the tokens affected by the policy, in addition to the basic claim set and the core claim set."), EmbeddedInstance("MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema")] String ClaimsSchema[]; + [Write, Description("Defines common transformations that can be applied to source data, to generate the output data for claims specified in the ClaimsSchema."), EmbeddedInstance("MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation")] String ClaimsTransformation[]; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADClaimsMappingPolicyDefinition +{ + [Write, Description("Rules and settings of the policy."), EmbeddedInstance("MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy")] String ClaimsMappingPolicy; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADClaimsMappingPolicy")] +class MSFT_AADClaimsMappingPolicy : OMI_BaseResource +{ + [Write, Description("A string collection containing a JSON string that defines the rules and settings for a policy. The syntax for the definition differs for each derived policy type. 
Required."), EmbeddedInstance("MSFT_AADClaimsMappingPolicyDefinition")] String Definition[]; + [Write, Description("If set to true, activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false.")] Boolean IsOrganizationDefault; + [Write, Description("Description for this policy. Required.")] String Description; + [Key, Description("Display name for this policy. Required.")] String DisplayName; + [Write, Description("The unique identifier for an entity. Read-only.")] String Id; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/readme.md new file mode 100644 index 0000000000..2c3264b2f5 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/readme.md @@ -0,0 +1,6 @@ + +# AADClaimsMappingPolicy + +## Description + +Azure AD Claims Mapping Policy 
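Review bot: `AccessTokens` is declared as a plain `String AccessTokens[]`, unlike `Credential` and `ApplicationSecret`, which use `EmbeddedInstance("MSFT_Credential")`, so a bearer token passed through it would presumably be written to the compiled MOF in clear text. The description should say so, for example `Description("Access token used for authentication. Stored as plain text in the compiled configuration; prefer CertificateThumbprint or ManagedIdentity.")`. `Id` is also described as "Read-only" while it is declared `[Write]`; the description and the qualifier should be aligned.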
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/settings.json new file mode 100644 index 0000000000..65ae94f99c --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/settings.json @@ -0,0 +1,33 @@ +{ + "resourceName": "AADClaimsMappingPolicy", + "description": "This resource configures an Azure AD Claims Mapping Policy.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "Policy.Read.All" + } + ], + "update": [ + { + "name": "Policy.ReadWrite.ApplicationConfiguration" + } + ] + }, + "application": { + "read": [ + { + "name": "Policy.Read.All" + } + ], + "update": [ + { + "name": "Policy.ReadWrite.ApplicationConfiguration" + } + ] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 index 1db024c015..2e9cfd805b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 @@ -92,6 +92,23 @@ function Get-TargetResource [System.String[]] $ExcludeExternalTenantsMembers, + [Parameter()] + [System.String[]] + $IncludeServicePrincipals, + + [Parameter()] + [System.String[]] + $ExcludeServicePrincipals, + + [Parameter()] + [ValidateSet('include', 'exclude')] + [System.String] + $ServicePrincipalFilterMode, + + [Parameter()] + [System.String] + $ServicePrincipalFilterRule, + #ConditionalAccessPlatformCondition [Parameter()] [System.String[]] @@ -202,6 +219,10 @@ function Get-TargetResource [System.String] $TransferMethods, + [Parameter()] + [System.String] + $InsiderRiskLevels, + #generic [Parameter()] [ValidateSet('Present', 'Absent')] 
@@ -642,6 +663,11 @@ function Get-TargetResource ExcludeExternalTenantsMembershipKind = [System.String]$Policy.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.MembershipKind ExcludeExternalTenantsMembers = [System.String[]](@() + $Policy.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.AdditionalProperties.members) + IncludeServicePrincipals = $Policy.Conditions.ClientApplications.IncludeServicePrincipals + ExcludeServicePrincipals = $Policy.Conditions.ClientApplications.ExcludeServicePrincipals + ServicePrincipalFilterMode = $Policy.Conditions.ClientApplications.ServicePrincipalFilter.Mode + ServicePrincipalFilterRule = $Policy.Conditions.ClientApplications.ServicePrincipalFilter.Rule + IncludePlatforms = [System.String[]](@() + $Policy.Conditions.Platforms.IncludePlatforms) #no translation needed, return empty string array if undefined ExcludePlatforms = [System.String[]](@() + $Policy.Conditions.Platforms.ExcludePlatforms) @@ -687,6 +713,7 @@ function Get-TargetResource TransferMethods = [System.String]$Policy.Conditions.AuthenticationFlows.TransferMethods #Standard part TermsOfUse = $termOfUseName + InsiderRiskLevels = $Policy.Conditions.InsiderRiskLevels Ensure = 'Present' Credential = $Credential ApplicationSecret = $ApplicationSecret @@ -794,6 +821,23 @@ function Set-TargetResource [System.String[]] $ExcludeExternalTenantsMembers, + [Parameter()] + [System.String[]] + $IncludeServicePrincipals, + + [Parameter()] + [System.String[]] + $ExcludeServicePrincipals, + + [Parameter()] + [ValidateSet('include', 'exclude')] + [System.String] + $ServicePrincipalFilterMode, + + [Parameter()] + [System.String] + $ServicePrincipalFilterRule, + #ConditionalAccessPlatformCondition [Parameter()] [System.String[]] @@ -904,6 +948,10 @@ function Set-TargetResource [System.String] $TransferMethods, + [Parameter()] + [System.String] + $InsiderRiskLevels, + #generic [Parameter()] [ValidateSet('Present', 'Absent')] 
@@ -1340,6 +1388,49 @@ function Set-TargetResource $conditions.Users.Add('excludeGuestsOrExternalUsers', $excludeGuestsOrExternalUsers) } + Write-Verbose -Message 'Set-Targetresource: process includeServicePrincipals' + if ($currentParameters.ContainsKey('IncludeServicePrincipals')) + { + if (-not $conditions.ContainsKey('clientApplications')) { + $conditions.Add('clientApplications', @{}) + } + $conditions.clientApplications.Add('includeServicePrincipals', $IncludeServicePrincipals) + } + + Write-Verbose -Message 'Set-Targetresource: process excludeServicePrincipals' + if ($currentParameters.ContainsKey('ExcludeServicePrincipals')) + { + if (-not $conditions.ContainsKey('clientApplications')) { + $conditions.Add('clientApplications', @{}) + } + $conditions.clientApplications.Add('excludeServicePrincipals', $ExcludeServicePrincipals) + } + + Write-Verbose -Message 'Set-Targetresource: process servicePrincipalFilter' + if ($currentParameters.ContainsKey('ServicePrincipalFilterMode') -and $currentParameters.ContainsKey('ServicePrincipalFilterRule')) + { + #check if the custom attribute exist. 
+ $customattribute = Invoke-MgGraphRequest -Method GET -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/directory/customSecurityAttributeDefinitions" + $ServicePrincipalFilterRule -match "CustomSecurityAttribute.(?.*) -.*" + $attrinrule = $matches.attribute + if ($customattribute.value.id -contains $attrinrule){ + if (-not $conditions.ContainsKey('clientApplications')) { + $conditions.Add('clientApplications', @{}) + } + $conditions.clientApplications.Add('servicePrincipalFilter', @{}) + $conditions.clientApplications.servicePrincipalFilter.Add('mode', $ServicePrincipalFilterMode) + $conditions.clientApplications.servicePrincipalFilter.Add('rule', $ServicePrincipalFilterRule) + } + else{ + $message = "Couldn't find the custom attribute $attrinrule in the tenant, couldn't add the filter to policy $DisplayName" + Write-Verbose -Message $message + New-M365DSCLogEntry -Message $message ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + } + } + Write-Verbose -Message 'Set-Targetresource: process platform condition' if ($currentParameters.ContainsKey('IncludePlatforms') -or $currentParameters.ContainsKey('ExcludePlatforms')) { @@ -1495,6 +1586,11 @@ function Set-TargetResource } } + if ($null -ne $InsiderRiskLevels) + { + $conditions.Add("insiderRiskLevels", $InsiderRiskLevels) + } + Write-Verbose -Message 'Set-Targetresource: process risk levels and app types' Write-Verbose -Message "Set-Targetresource: UserRiskLevels: $UserRiskLevels" If ($currentParameters.ContainsKey('UserRiskLevels')) @@ -1661,6 +1757,9 @@ function Set-TargetResource $NewParameters.Add('sessionControls', $sessioncontrols) #add SessionControls to the parameter list } + + Write-Host "newparameters: $($NewParameters | ConvertTo-Json -Depth 5)" + if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present') { Write-Verbose -Message "Set-Targetresource: Change policy $DisplayName" 
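Review bot: When the custom security attribute named in `ServicePrincipalFilterRule` is not found, the `else` branch only logs, and Set-TargetResource goes on to create or update the policy without `servicePrincipalFilter`, so the deployed Conditional Access policy has a different scope than the configuration declares. Failing closed would be safer: add `throw $message` after the `New-M365DSCLogEntry` call. The result of `$ServicePrincipalFilterRule -match ...` is neither checked nor discarded, so a rule that does not match leaves `$matches` stale or empty and the boolean leaks into the function's output; use the match as the condition of an `if` instead. A configuration that supplies only one of `ServicePrincipalFilterMode` and `ServicePrincipalFilterRule` is skipped without any message. The enclosing Set-TargetResource starts and ends outside this hunk.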
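Review bot: The guard `if ($null -ne $InsiderRiskLevels)` is always true, because `$InsiderRiskLevels` is declared `[System.String]` and an unbound string parameter is an empty string rather than `$null`; every create or update therefore adds `insiderRiskLevels` to the conditions, possibly as `''`. The neighbouring conditions test the bound parameters instead, and this one should too: `if ($currentParameters.ContainsKey('InsiderRiskLevels') -and -not [String]::IsNullOrEmpty($InsiderRiskLevels))`. The parameter declaration is in a separate hunk of this file.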
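Review bot: The added `Write-Host "newparameters: ..."` line looks like leftover debugging: it prints the full policy body on every Set-TargetResource run regardless of `-Verbose`, and host output ends up in whatever log captures the DSC run. The update path already logs the same values through `Write-Verbose`, so the line should be removed or changed to `Write-Verbose -Message "newparameters: $($NewParameters | ConvertTo-Json -Depth 5)"`.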
@@ -1668,7 +1767,9 @@ function Set-TargetResource try { Write-Verbose -Message "Updating existing policy with values: $(Convert-M365DscHashtableToString -Hashtable $NewParameters)" - Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($currentPolicy.Id)" -Body $NewParameters + + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identity/conditionalAccess/policies/$($currentPolicy.Id)" + Invoke-MgGraphRequest -Method PATCH -Uri $Uri -Body $NewParameters } catch { @@ -1691,7 +1792,8 @@ function Set-TargetResource { try { - Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -Body $NewParameters + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identity/conditionalAccess/policies" + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $NewParameters } catch { @@ -1829,6 +1931,23 @@ function Test-TargetResource [System.String[]] $ExcludeExternalTenantsMembers, + [Parameter()] + [System.String[]] + $IncludeServicePrincipals, + + [Parameter()] + [System.String[]] + $ExcludeServicePrincipals, + + [Parameter()] + [ValidateSet('include', 'exclude')] + [System.String] + $ServicePrincipalFilterMode, + + [Parameter()] + [System.String] + $ServicePrincipalFilterRule, + #ConditionalAccessPlatformCondition [Parameter()] [System.String[]] @@ -1939,6 +2058,10 @@ function Test-TargetResource [System.String] $TransferMethods, + [Parameter()] + [System.String] + $InsiderRiskLevels, + #generic [Parameter()] [ValidateSet('Present', 'Absent')] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof index c1f6d5283f..14e50047dc 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof
@@ -21,6 +21,10 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource [Write, Description("Represents the Excluded internal guests or external user types. This is a multi-valued property. Supported values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, OtherExternalUser, serviceProvider and unknownFutureValue."), ValueMap{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}, Values{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}] String ExcludeGuestOrExternalUserTypes[]; [Write, Description("Represents the Excluded Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type."), ValueMap{"","all","enumerated","unknownFutureValue"}, Values{"","all","enumerated","unknownFutureValue"}] String ExcludeExternalTenantsMembershipKind; [Write, Description("Represents the Excluded collection of tenant ids in the scope of Conditional Access for guests and external users policy targeting.")] String ExcludeExternalTenantsMembers[]; + [Write, Description("Service Principals in scope of the Policy. 'Attribute Definition Reader' role is needed.")] String IncludeServicePrincipals[]; + [Write, Description("Service Principals out of scope of the Policy. 'Attribute Definition Reader' role is needed.")] String ExcludeServicePrincipals[]; + [Write, Description("Mode to use for the Service Principal filter. Possible values are include or exclude. 'Attribute Definition Reader' role is needed."), ValueMap{"include","exclude"}, Values{"include","exclude"}] String ServicePrincipalFilterMode; + [Write, Description("Rule syntax for the Service Principal filter. 
'Attribute Definition Reader' role is needed.")] String ServicePrincipalFilterRule; [Write, Description("Client Device Platforms in scope of the Policy.")] String IncludePlatforms[]; [Write, Description("Client Device Platforms out of scope of the Policy.")] String ExcludePlatforms[]; [Write, Description("AAD Named Locations in scope of the Policy.")] String IncludeLocations[]; @@ -46,6 +50,7 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource [Write, Description("Name of the associated authentication strength policy.")] String AuthenticationStrength; [Write, Description("Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'.")] String TransferMethods; [Write, Description("Authentication context class references.")] String AuthenticationContexts[]; + [Write, Description("Insider risk levels conditions.")] String InsiderRiskLevels; [Write, Description("Specify if the Azure AD CA Policy should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/settings.json index bf18ad856d..939c56e122 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/settings.json @@ -27,6 +27,9 @@ }, { "name": "User.Read.All" + }, + { + "name": "CustomSecAttributeDefinition.Read.All" } ], "update": [ 
@@ -47,6 +50,9 @@ }, { "name": "User.Read.All" + }, + { + "name": "CustomSecAttributeDefinition.Read.All" } ] }, @@ -69,6 +75,9 @@ }, { "name": "User.Read.All" + }, + { + "name": "CustomSecAttributeDefinition.Read.All" } ], "update": [ @@ -92,6 +101,9 @@ }, { "name": "User.Read.All" + }, + { + "name": "CustomSecAttributeDefinition.Read.All" } ] } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 new file mode 100644 index 0000000000..8cb16f56e8 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.psm1 
@@ -0,0 +1,669 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.onTokenIssuanceStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension' + )] + $CustomAuthenticationExtensionType, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.azureAdTokenAuthentication', + '#microsoft.graph.azureAdPopTokenAuthentication' + )] + $AuthenticationConfigurationType, + + [Parameter()] + [System.String] + $AuthenticationConfigurationResourceId, + + [Parameter()] + [System.Int32] + $ClientConfigurationTimeoutMilliseconds, + + [Parameter()] + [System.Int32] + $ClientConfigurationMaximumRetries, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EndPointConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ClaimsForTokenConfiguration, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present' + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + Write-Verbose -Message "Fetching result...." + try + { + # check for export. + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + # check with Id first + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + + # check with display name next. + if ($null -eq $instance) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + } + else + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = Get-MgBetaIdentityCustomAuthenticationExtension -CustomAuthenticationExtensionId $Id ` + -ErrorAction SilentlyContinue + } + if ($null -eq $instance) + { + $instance = Get-MgBetaIdentityCustomAuthenticationExtension -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + if ($null -eq $instance) + { + return $nullResult + } + + Write-Verbose "Instance found for the resource. Calculating result...." 
+ + $results = @{ + DisplayName = $instance.DisplayName + Id = $instance.Id + Description = $instance.Description + Ensure = 'Present' + } + + if ($instance.AdditionalProperties -ne $null) + { + $results.Add('CustomAuthenticationExtensionType', $instance.AdditionalProperties["@odata.type"]) + } + + if ($instance.AuthenticationConfiguration -ne $null) + { + $results.Add('AuthenticationConfigurationType', $instance.AuthenticationConfiguration["@odata.type"]) + $results.Add('AuthenticationConfigurationResourceId', $instance.AuthenticationConfiguration["resourceId"]) + } + + if ($instance.ClientConfiguration -ne $null) + { + $results.Add('ClientConfigurationTimeoutMilliseconds', $instance.ClientConfiguration.TimeoutInMilliseconds) + $results.Add('ClientConfigurationMaximumRetries', $instance.ClientConfiguration.MaximumRetries) + } + + $endpointConfigurationInstance = @{} + if ($instance.EndPointConfiguration -ne $null -and $instance.EndPointConfiguration.AdditionalProperties -ne $null) + { + $endpointConfigurationInstance.Add("EndpointType", $instance.EndPointConfiguration.AdditionalProperties["@odata.type"]) + + if ($endpointConfigurationInstance["EndpointType"] -eq '#microsoft.graph.httpRequestEndpoint') + { + $endpointConfigurationInstance.Add("TargetUrl", $instance.EndPointConfiguration.AdditionalProperties["targetUrl"]) + } + + if ($endpointConfigurationInstance["EndpointType"] -eq '#microsoft.graph.logicAppTriggerEndpointConfiguration') + { + $endpointConfigurationInstance.Add("SubscriptionId", $instance.EndPointConfiguration.AdditionalProperties["subscriptionId"]) + $endpointConfigurationInstance.Add("ResourceGroupName", $instance.EndPointConfiguration.AdditionalProperties["resourceGroupName"]) + $endpointConfigurationInstance.Add("LogicAppWorkflowName", $instance.EndPointConfiguration.AdditionalProperties["logicAppWorkflowName"]) + } + } + + $ClaimsForTokenConfigurationInstance = @() + if ($instance.AdditionalProperties -ne $null -and 
$instance.AdditionalProperties["claimsForTokenConfiguration"] -ne $null) + { + foreach ($claim in $instance.AdditionalProperties["claimsForTokenConfiguration"]) + { + $c = @{ + ClaimIdInApiResponse = $claim.claimIdInApiResponse + } + + $ClaimsForTokenConfigurationInstance += $c + } + } + + $results.Add('EndPointConfiguration', $endpointConfigurationInstance) + $results.Add('ClaimsForTokenConfiguration', $ClaimsForTokenConfigurationInstance) + + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.onTokenIssuanceStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension' + )] + $CustomAuthenticationExtensionType, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.azureAdTokenAuthentication', + '#microsoft.graph.azureAdPopTokenAuthentication' + )] + $AuthenticationConfigurationType, + + [Parameter()] + [System.String] + $AuthenticationConfigurationResourceId, + + [Parameter()] + [System.Int32] + $ClientConfigurationTimeoutMilliseconds, + + [Parameter()] + [System.Int32] + $ClientConfigurationMaximumRetries, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EndPointConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ClaimsForTokenConfiguration, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + 
$ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present' + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $params = @{ + "@odata.type" = $setParameters.CustomAuthenticationExtensionType + displayName = $setParameters.DisplayName + description = $setParameters.Description + endpointConfiguration = @{ + "@odata.type" = $setParameters.EndPointConfiguration.EndpointType + } + authenticationConfiguration = @{ + "@odata.type" = $setParameters.AuthenticationConfigurationType + resourceId = $setParameters.AuthenticationConfigurationResourceId + } + clientConfiguration = @{ + timeoutInMilliseconds = $setParameters["ClientConfigurationTimeoutMilliseconds"] + maximumRetries = $setParameters["ClientConfigurationMaximumRetries"] + } + } + + if ($params.endpointConfiguration["@odata.type"] -eq "#microsoft.graph.httpRequestEndpoint") + { + Write-Verbose -Message "{$setParameters.EndPointConfiguration.TargetUrl}" + $params.endpointConfiguration["targetUrl"] = $setParameters.EndPointConfiguration.TargetUrl + } + + if ($params.endpointConfiguration["@odata.type"] -eq "#microsoft.graph.logicAppTriggerEndpointConfiguration") + { + $params.endpointConfiguration["subscriptionId"] = 
$setParameters.EndPointConfiguration["SubscriptionId"] + $params.endpointConfiguration["resourceGroupName"] = $setParameters.EndPointConfiguration["ResourceGroupName"] + $params.endpointConfiguration["logicAppWorkflowName"] = $setParameters.EndPointConfiguration["LogicAppWorkflowName"] + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + $params.Add("claimsForTokenConfiguration", @()) + foreach ($claim in $setParameters.claimsForTokenConfiguration) + { + $val = $claim.claimIdInApiResponse + Write-Verbose -Message "{$val}" + $c = @{ + "claimIdInApiResponse" = $claim.claimIdInApiResponse + } + + $params.claimsForTokenConfiguration += $c + } + + $params.Remove('Id') | Out-Null + $type = $params["@odata.type"] + Write-Verbose -Message "Creating new Custom authentication extension with display name {$DisplayName} and type {$type}" + New-MgBetaIdentityCustomAuthenticationExtension -BodyParameter $params + } + + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating custom authentication extension {$DisplayName}" + $params.Add('CustomAuthenticationExtensionId', $currentInstance.Id) + $params.Remove('Id') | Out-Null + + $params.Add("AdditionalProperties", @{}) + $params["AdditionalProperties"].Add("ClaimsForTokenConfiguration", @()) + + foreach ($claim in $setParameters["ClaimsForTokenConfiguration"]) + { + $c = @{ + "claimIdInApiResponse" = $claim["ClaimIdInApiResponse"] + } + + $params["AdditionalProperties"]["claimsForTokenConfiguration"] += $c + } + + Write-Verbose -Message "{$params['@odata.type']}" + Update-MgBetaIdentityCustomAuthenticationExtension -CustomAuthenticationExtensionId $Id -BodyParameter $params + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing custom authentication extension {$DisplayName}." 
+ Remove-MgBetaIdentityCustomAuthenticationExtension -CustomAuthenticationExtensionId $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.onTokenIssuanceStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension', + '#microsoft.graph.onAttributeCollectionStartCustomExtension' + )] + $CustomAuthenticationExtensionType, + + [Parameter()] + [System.String] + [ValidateSet( + '#microsoft.graph.azureAdTokenAuthentication', + '#microsoft.graph.azureAdPopTokenAuthentication' + )] + $AuthenticationConfigurationType, + + [Parameter()] + [System.String] + $AuthenticationConfigurationResourceId, + + [Parameter()] + [System.Int32] + $ClientConfigurationTimeoutMilliseconds, + + [Parameter()] + [System.Int32] + $ClientConfigurationMaximumRetries, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EndPointConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ClaimsForTokenConfiguration, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present' + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + Write-Verbose "TestResult returned False for $source" + $testTargetResource = $false + } + else { + $ValuesToCheck.Remove($key) | Out-Null + } + } + } + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + 
$AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaIdentityCustomAuthenticationExtension -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + + $endpointConfigurationCimString = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.EndpointConfiguration ` + -CIMInstanceName 'MSFT_AADCustomAuthenticationExtensionEndPointConfiguration' + + $ClaimsForTokenConfigurationCimString = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.ClaimsForTokenConfiguration ` + -CIMInstanceName 'MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration' + + $Results.EndPointConfiguration = $endpointConfigurationCimString + 
$Results.ClaimsForTokenConfiguration = $ClaimsForTokenConfigurationCimString + + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.EndPointConfiguration -ne $null) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "EndPointConfiguration" + } + + if ($Results.ClaimsForTokenConfiguration -ne $null) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "ClaimsForTokenConfiguration" -IsCIMArray $true + } + + $dscContent += $currentDSCBlock + + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.schema.mof new file mode 100644 index 0000000000..6382d10037 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/MSFT_AADCustomAuthenticationExtension.schema.mof 
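Review bot: The UPDATE branch of Set-TargetResource calls `Update-MgBetaIdentityCustomAuthenticationExtension -CustomAuthenticationExtensionId $Id`, but Get-TargetResource falls back to a DisplayName lookup when `$Id` is empty, so a configuration that omits Id reaches this call with an empty identifier and drift on the extension is presumably never corrected. The REMOVE branch already uses `$currentInstance.Id`, and the update should read `-CustomAuthenticationExtensionId $currentInstance.Id -BodyParameter $params`. That DisplayName lookup interpolates the name straight into `-Filter "DisplayName eq '$DisplayName'"`; doubling single quotes first (`$DisplayName.Replace("'", "''")`) keeps a name containing an apostrophe from breaking or changing the filter. The ValidateSet on CustomAuthenticationExtensionType lists `'#microsoft.graph.onAttributeCollectionStartCustomExtension'` twice in all three param blocks, which looks like a third type was intended and should be checked against the Graph type list.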
@@ -0,0 +1,38 @@ +[ClassVersion("1.0.0.0")] +class MSFT_AADCustomAuthenticationExtensionEndPointConfiguration +{ + [Write, Description("Defines the type of the endpoint configuration")] String EndpointType; + [Write, Description("Defines the workflow name for the logic app")] String LogicAppWorkflowName; + [Write, Description("Defines the resource group name for the logic app")] String ResourceGroupName; + [Write, Description("Defines the subscription id for the logic app")] String SubscriptionId; + [Write, Description("Defines the target url for the http endpoint")] String TargetUrl; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration +{ + [Write, Description("Defines the claim id in api response.")] String ClaimIdInApiResponse; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADCustomAuthenticationExtension")] +class MSFT_AADCustomAuthenticationExtension : OMI_BaseResource +{ + [Key, Description("Display Name of the custom security attribute. Must be unique within an attribute set. Can be up to 32 characters long and include Unicode characters. Can't contain spaces or special characters. Can't be changed later. Case sensitive.")] String DisplayName; + [Write, Description("Unique identifier of the Attribute Definition.")] String Id; + [Write, Description("Defines the custom authentication extension type.")] String CustomAuthenticationExtensionType; + [Write, Description("Description of the custom security attribute. Can be up to 128 characters long and include Unicode characters. Can't contain spaces or special characters. Can be changed later. 
")] String Description; + [Write, Description("Defines the authentication configuration type")] String AuthenticationConfigurationType; + [Write, Description("Defines the authentication configuration resource id")] String AuthenticationConfigurationResourceId; + [Write, Description("Defines the client configuration timeout in milliseconds")] UInt32 ClientConfigurationTimeoutMilliseconds; + [Write, Description("Defines the client configuration max retries")] UInt32 ClientConfigurationMaximumRetries; + [Write, Description("Defines the endpoint configuration"), EmbeddedInstance("MSFT_AADCustomAuthenticationExtensionEndPointConfiguration")] String EndpointConfiguration; + [Write, Description("Defines the list of claims for token configurations"), EmbeddedInstance("MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration")] String ClaimsForTokenConfiguration[]; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/readme.md new file mode 100644 index 0000000000..d22077d7e6 --- /dev/null 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/readme.md @@ -0,0 +1,6 @@ + +# AADCustomAuthenticationExtension + +## Description + +Custom authentication extensions define interactions with external systems during a user authentication session. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/settings.json new file mode 100644 index 0000000000..ae6d5a8707 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomAuthenticationExtension/settings.json @@ -0,0 +1,32 @@ +{ + "resourceName": "AADCustomAuthenticationExtension", + "description": "Custom authentication extensions define interactions with external systems during a user authentication session. ", + "roles": { + "read": [ + "Attribute Definition Reader" + ], + "update": [ + "Attribute Definition Administrator" + ] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "CustomSecAttributeDefinition.Read.All" + } + ], + "update": [ + { + "name": "CustomSecAttributeDefinition.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.psm1 index e8090ba85e..1e7e5822ab 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.psm1 
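Review bot: The roles and Graph permissions declared in this new settings.json are those of the custom security attribute resources (`Attribute Definition Reader`, `CustomSecAttributeDefinition.Read.All`), but the module added in this commit only calls the `*-MgBetaIdentityCustomAuthenticationExtension` cmdlets. A principal consented from this file would presumably be unable to manage extensions while holding attribute-definition rights it does not need. The entries should name the custom authentication extension permissions instead. I would expect `CustomAuthenticationExtension.Read.All` for read and `CustomAuthenticationExtension.ReadWrite.All` for update, to be confirmed against the Graph permissions reference, and the same for the empty delegated lists.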
@@ -57,6 +57,10 @@ function Get-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -132,6 +136,7 @@ function Get-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens @@ -209,6 +214,10 @@ function Set-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -325,6 +334,10 @@ function Test-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -447,6 +460,7 @@ function Export-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.schema.mof index f440bccc52..566b9bfcfb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.schema.mof 
@@ -10,11 +10,11 @@ class MSFT_AADCustomSecurityAttributeDefinition : OMI_BaseResource [Write, Description("Specifies whether the custom security attribute is active or deactivated. Acceptable values are Available and Deprecated. Can be changed later.")] String Status; [Write, Description("Data type for the custom security attribute values. Supported types are: Boolean, Integer, and String. Can't be changed later.")] String Type; [Write, Description("Indicates whether only predefined values can be assigned to the custom security attribute. If set to false, free-form values are allowed. Can later be changed from true to false, but can't be changed from false to true. If type is set to Boolean, usePreDefinedValuesOnly can't be set to true.")] Boolean UsePreDefinedValuesOnly; - [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; [Write, Description("Access token used for authentication.")] String AccessTokens[]; 
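Review bot: The Description on the added `ApplicationSecret` property says "Secret of the Azure Active Directory tenant used for authentication.", which repeats the TenantId wording even though the secret belongs to the application registration. I would use `Description("Secret of the Azure Active Directory application to authenticate with.")`, the text this same commit puts in MSFT_AADDomain.schema.mof. If this description feeds the resource documentation, the current wording could mislead operators about which credential to supply.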
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/settings.json index 9381adbf42..a35e974098 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/settings.json @@ -12,8 +12,16 @@ "permissions": { "graph": { "delegated": { - "read": [], - "update": [] + "read": [ + { + "name": "CustomSecAttributeDefinition.Read.All" + } + ], + "update": [ + { + "name": "CustomSecAttributeDefinition.ReadWrite.All" + } + ] }, "application": { "read": [ diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.psm1 index 6237de9617..eff7ae01fc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.psm1 @@ -61,6 +61,10 @@ function Get-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -114,6 +118,7 @@ function Get-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens @@ -195,6 +200,10 @@ function Set-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -342,6 +351,10 @@ function Test-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, 
@@ -462,6 +475,7 @@ function Export-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof index bef859a557..c2b6cab026 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof 
@@ -11,11 +11,11 @@ class MSFT_AADDomain : OMI_BaseResource [Write, Description("Specifies the number of days before a user receives notification that their password expires. If the property isn't set, a default value of 14 days is used.")] UInt32 PasswordNotificationWindowInDays; [Write, Description("Specifies the length of time that a password is valid before it must be changed. If the property isn't set, a default value of 90 days is used.")] UInt32 PasswordValidityPeriodInDays; [Write, Description("The capabilities assigned to the domain. Can include 0, 1 or more of following values: Email, Sharepoint, EmailInternalRelayOnly, OfficeCommunicationsOnline, SharePointDefaultDomain, FullRedelegation, SharePointPublic, OrgIdAuthentication, Yammer, Intune. The values that you can add or remove using the API include: Email, OfficeCommunicationsOnline, Yammer. Not nullable.")] String SupportedServices[]; - [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; [Write, Description("Access token used for authentication.")] String AccessTokens[]; 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/MSFT_AADEnrichedAuditLogs.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/MSFT_AADEnrichedAuditLogs.psm1 new file mode 100644 index 0000000000..ebfea0969a --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/MSFT_AADEnrichedAuditLogs.psm1 
@@ -0,0 +1,349 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance = 'Yes', + + [Parameter()] + [System.String] + $Exchange, + + [Parameter()] + [System.String] + $SharePoint, + + [Parameter()] + [System.String] + $Teams, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + $nullResults = $PSBoundParameters + try + { + $instance = Get-MgBetaNetworkAccessSettingEnrichedAuditLog + + $results = @{ + IsSingleInstance = 'Yes' + Exchange = $instance.Exchange.Status + SharePoint = $instance.SharePoint.Status + Teams = $instance.Teams.Status + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + 
return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance = 'Yes', + + [Parameter()] + [System.String] + $Exchange, + + [Parameter()] + [System.String] + $SharePoint, + + [Parameter()] + [System.String] + $Teams, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message 'Updating Enriched Audit Logs settings' + + $values = @{ + "@odata.type" = "#microsoft.graph.networkaccess.enrichedAuditLogs" + exchange = @{ + "@odata.type" = "#microsoft.graph.networkaccess.enrichedAuditLogsSettings" + status = $ExchangeOnline + } + sharepoint = @{ + "@odata.type" = "#microsoft.graph.networkaccess.enrichedAuditLogsSettings" + status = $SharePoint + } + teams = @{ + "@odata.type" = "#microsoft.graph.networkaccess.enrichedAuditLogsSettings" + status = $Teams + } + } + $body = ConvertTo-Json $values -Depth 10 -Compress + Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/networkAccess/settings/enrichedAuditLogs' -Method PATCH -Body $body +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + 
$IsSingleInstance = 'Yes', + + [Parameter()] + [System.String] + $Exchange, + + [Parameter()] + [System.String] + $SharePoint, + + [Parameter()] + [System.String] + $Teams, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + 
$CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + + $i = 1 + $dscContent = '' + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource 
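Review bot: In Set-TargetResource the PATCH body uses `status = $ExchangeOnline`, but the parameter is `$Exchange`, so the Exchange enriched-audit-log status is sent as null and the configured value is never applied; it should be `status = $Exchange`. In Get-TargetResource the fallback is assigned as `$nullResults = $PSBoundParameters` while the catch block does `return $nullResult`, so the error path returns `$null`; use one name for both. Set-TargetResource also issues `Invoke-MgGraphRequest` without calling `New-M365DSCConnection` itself, presumably relying on a connection from an earlier call, which is worth confirming. Because this resource controls audit logging, an update that silently does nothing leaves a logging gap that Test-TargetResource will keep reporting as drift.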
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/MSFT_AADEnrichedAuditLogs.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/MSFT_AADEnrichedAuditLogs.schema.mof new file mode 100644 index 0000000000..3cfbbe13a0 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/MSFT_AADEnrichedAuditLogs.schema.mof @@ -0,0 +1,14 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADEnrichedAuditLogs")] +class MSFT_AADEnrichedAuditLogs : OMI_BaseResource +{ + [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("Accepted values are enabled or disabled.")] String Exchange; + [Write, Description("Accepted values are enabled or disabled.")] String SharePoint; + [Write, Description("Accepted values are enabled or disabled.")] String Teams; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/readme.md new file mode 100644 index 0000000000..c4449028ef --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/readme.md 
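Review bot: `Exchange`, `SharePoint` and `Teams` are described as accepting only enabled or disabled, but the schema does not enforce that, so a typo in a configuration surfaces only when the Graph call fails. Consider adding `ValueMap{"enabled","disabled"}, Values{"enabled","disabled"}` to the three properties, with a matching `[ValidateSet('enabled', 'disabled')]` on the parameters in the psm1.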
@@ -0,0 +1,6 @@ + +# AADEnrichedAuditLogs + +## Description + +Configures advanced audit logs for Global Secure Access in Entra Id diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/settings.json new file mode 100644 index 0000000000..4aac873820 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/settings.json @@ -0,0 +1,28 @@ +{ + "resourceName": "AADEnrichedAuditLogs", + "description": "Configures advanced audit logs for Global Secure Access in Entra Id.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "NetworkAccess.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccess.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackage/MSFT_AADEntitlementManagementAccessPackage.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackage/MSFT_AADEntitlementManagementAccessPackage.psm1 index 96b4b6e29d..7f6b0dc6de 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackage/MSFT_AADEntitlementManagementAccessPackage.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackage/MSFT_AADEntitlementManagementAccessPackage.psm1 @@ -355,7 +355,7 @@ function Set-TargetResource foreach ($incompatibleAccessPackage in $IncompatibleAccessPackages) { $ref = @{ - '@odata.id' = "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/$incompatibleAccessPackage" + '@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identityGovernance/entitlementManagement/accessPackages/$incompatibleAccessPackage" } New-MgBetaEntitlementManagementAccessPackageIncompatibleAccessPackageByRef ` 
@@ -368,7 +368,7 @@ function Set-TargetResource foreach ($IncompatibleGroup in $IncompatibleGroups) { $ref = @{ - '@odata.id' = "https://graph.microsoft.com/beta/groups/$IncompatibleGroup" + '@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/groups/$IncompatibleGroup" } New-MgBetaEntitlementManagementAccessPackageIncompatibleGroupByRef ` @@ -485,7 +485,7 @@ function Set-TargetResource foreach ($incompatibleAccessPackage in $toBeAdded.InputObject) { $ref = @{ - '@odata.id' = "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/$incompatibleAccessPackage" + '@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identityGovernance/entitlementManagement/accessPackages/$incompatibleAccessPackage" } New-MgBetaEntitlementManagementAccessPackageIncompatibleAccessPackageByRef ` @@ -522,7 +522,7 @@ function Set-TargetResource { $ref = @{ - '@odata.id' = "https://graph.microsoft.com/beta/groups/$incompatibleGroup" + '@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/groups/$incompatibleGroup" } New-MgBetaEntitlementManagementAccessPackageIncompatibleGroupByRef ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementConnectedOrganization/MSFT_AADEntitlementManagementConnectedOrganization.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementConnectedOrganization/MSFT_AADEntitlementManagementConnectedOrganization.psm1 index 3927d922f8..1c0587dc95 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementConnectedOrganization/MSFT_AADEntitlementManagementConnectedOrganization.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementConnectedOrganization/MSFT_AADEntitlementManagementConnectedOrganization.psm1 
@@ -446,7 +446,7 @@ function Set-TargetResource $directoryObjectType=$directoryObject.AdditionalProperties."@odata.type" $directoryObjectType=($directoryObject.AdditionalProperties."@odata.type").split(".")|select-object -last 1 $directoryObjectRef=@{ - "@odata.id" = "https://graph.microsoft.com/beta/$($directoryObjectType)s/$($sponsor)" + "@odata.id" = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/$($directoryObjectType)s/$($sponsor)" } New-MgBetaEntitlementManagementConnectedOrganizationExternalSponsorByRef ` @@ -459,7 +459,7 @@ function Set-TargetResource $directoryObject = Get-MgBetaDirectoryObject -DirectoryObjectId $sponsor $directoryObjectType=($directoryObject.AdditionalProperties."@odata.type").split(".")|select-object -last 1 $directoryObjectRef=@{ - "@odata.id" = "https://graph.microsoft.com/beta/$($directoryObjectType)s/$($sponsor)" + "@odata.id" = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/$($directoryObjectType)s/$($sponsor)" } New-MgBetaEntitlementManagementConnectedOrganizationInternalSponsorByRef ` @@ -515,7 +515,7 @@ function Set-TargetResource $directoryObjectType=$directoryObject.AdditionalProperties."@odata.type" $directoryObjectType=($directoryObject.AdditionalProperties."@odata.type").split(".")|select-object -last 1 $directoryObjectRef=@{ - "@odata.id" = "https://graph.microsoft.com/beta/$($directoryObjectType)s/$($sponsor)" + "@odata.id" = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/$($directoryObjectType)s/$($sponsor)" } New-MgBetaEntitlementManagementConnectedOrganizationExternalSponsorByRef ` 
@@ -553,7 +553,7 @@ function Set-TargetResource $directoryObjectType=$directoryObject.AdditionalProperties."@odata.type" $directoryObjectType=($directoryObject.AdditionalProperties."@odata.type").split(".")|select-object -last 1 $directoryObjectRef=@{ - "@odata.id" = "https://graph.microsoft.com/beta/$($directoryObjectType)s/$($sponsor)" + "@odata.id" = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/$($directoryObjectType)s/$($sponsor)" } New-MgBetaEntitlementManagementConnectedOrganizationInternalSponsorByRef ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/MSFT_AADFederationConfiguration.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/MSFT_AADFederationConfiguration.psm1 new file mode 100644 index 0000000000..4834867c3f --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/MSFT_AADFederationConfiguration.psm1 
@@ -0,0 +1,485 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $IssuerUri, + + [Parameter()] + [System.String] + $MetadataExchangeUri, + + [Parameter()] + [System.String] + $SigningCertificate, + + [Parameter()] + [System.String] + $PassiveSignInUri, + + [Parameter()] + [System.String] + $PreferredAuthenticationProtocol, + + [Parameter()] + [System.String[]] + $Domains, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + if ($null -eq $instance) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + } + else + { + $uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation' + $instances = Invoke-MgGraphRequest $uri -Method Get + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = $instances.value | Where-Object -FilterScript {$_.Id -eq $Id} + } + if ($null -eq $instance) + { + $instance = $instances.value | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Id = $instance.id + DisplayName = $instance.displayName + IssuerUri = $instance.issuerUri + MetadataExchangeUri = $instance.metadataExchangeUri + PassiveSignInUri = $instance.passiveSignInUri + PreferredAuthenticationProtocol = $instance.preferredAuthenticationProtocol + Domains = $instance.domains.id + SigningCertificate = $instance.signingCertificate + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] 
$results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $IssuerUri, + + [Parameter()] + [System.String] + $MetadataExchangeUri, + + [Parameter()] + [System.String] + $SigningCertificate, + + [Parameter()] + [System.String] + $PassiveSignInUri, + + [Parameter()] + [System.String] + $PreferredAuthenticationProtocol, + + [Parameter()] + [System.String[]] + $Domains, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $instanceParams = @{ + "@odata.type" = "microsoft.graph.samlOrWsFedExternalDomainFederation" + displayName = $DisplayName + metadataExchangeUri = $MetadataExchangeUri + issuerUri = $IssuerUri + preferredAuthenticationProtocol = $PreferredAuthenticationProtocol + passiveSignInUri = $PassiveSignInUri + signingCertificate = $SigningCertificate + domains = @() + } + foreach ($domain in $domains) + { + $instanceParams.domains += @{ + "@odata.type" = "microsoft.graph.externalDomainName" + id = $domain + } + } + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + $uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation' + Write-Verbose -Message "Creating federation configuration {$DisplayName}" + $body = ConvertTo-Json $instanceParams -Depth 10 -Compress + Invoke-MgGraphRequest -Uri $uri -Method POST -Body $body + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + $uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation/$currentInstance.Id' + Write-Verbose -Message "Updating federation configuration {$DisplayName}" + $body = ConvertTo-Json $instanceParams -Depth 10 -Compress + Invoke-MgGraphRequest -Uri $uri -Method PATCH -Body $body + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + $uri = 
$Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation/$currentInstance.Id' + Write-Verbose -Message "Removing federation configuration {$DisplayName}" + Invoke-MgGraphRequest -Uri $uri -Method DELETE + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $IssuerUri, + + [Parameter()] + [System.String] + $MetadataExchangeUri, + + [Parameter()] + [System.String] + $SigningCertificate, + + [Parameter()] + [System.String] + $PassiveSignInUri, + + [Parameter()] + [System.String] + $PreferredAuthenticationProtocol, + + [Parameter()] + [System.String[]] + $Domains, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + $uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation' + [array] $Script:exportedInstances = Invoke-MgGraphRequest $uri -Method Get + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances.value) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.displayName + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $config.displayName + Id = $config.Id + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + 
Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/MSFT_AADFederationConfiguration.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/MSFT_AADFederationConfiguration.schema.mof new file mode 100644 index 0000000000..4f1ed6de22 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/MSFT_AADFederationConfiguration.schema.mof 
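Review bot: In Set-TargetResource the UPDATE and REMOVE branches build the URI from a single-quoted string ending in `/$currentInstance.Id'`, which PowerShell does not expand, so the PATCH and DELETE requests target a literal `$currentInstance.Id` path rather than the existing federation configuration. Use a double-quoted string with a subexpression in both branches, e.g. `$uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation/$($currentInstance.Id)"`. Separately, Export-TargetResource stores the whole response in `$Script:exportedInstances` and iterates `.value`, while Get-TargetResource in export mode filters `$Script:exportedInstances` directly. The Id/DisplayName lookup therefore appears to run against the response wrapper rather than the items; storing `.value` once would make the two agree. Since this resource manages federation trust settings (issuer URI, signing certificate), an update or removal that never reaches the right object leaves drift uncorrected.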
@@ -0,0 +1,19 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADFederationConfiguration")] +class MSFT_AADFederationConfiguration : OMI_BaseResource +{ + [Key, Description("The display name of the SAML/WS-Fed based identity provider. Inherited from identityProviderBase.")] String DisplayName; + [Write, Description("Issuer URI of the federation server. Inherited from samlOrWsFedProvider.")] String IssuerUri; + [Write, Description("URI of the metadata exchange endpoint used for authentication from rich client applications. Inherited from samlOrWsFedProvider.")] String MetadataExchangeUri; + [Write, Description("URI that web-based clients are directed to when signing in to Microsoft Entra services. Inherited from samlOrWsFedProvider.")] String PassiveSignInUri; + [Write, Description("Preferred authentication protocol. The possible values are: wsFed, saml. Inherited from samlOrWsFedProvider.")] String PreferredAuthenticationProtocol; + [Write, Description("Current certificate used to sign tokens passed to the Microsoft identity platform. 
The certificate is formatted as a Base64 encoded string of the public portion of the federated IdP's token signing certificate and must be compatible with the X509Certificate2 class.")] String SigningCertificate; + [Write, Description("List of associated domains.")] String Domains[]; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/readme.md new file mode 100644 index 0000000000..550fce9e7a --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/readme.md @@ -0,0 +1,6 @@ + +# AADFederationConfiguration + +## Description + +Configures federation in Entra Id. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/settings.json new file mode 100644 index 0000000000..e343649e6d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/settings.json 
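Review bot: `PreferredAuthenticationProtocol` is declared as an unconstrained `String` even though its own description limits it to wsFed and saml, so a mistyped protocol in a configuration is presumably only rejected once the Graph request is made. Constrain it in the schema by adding `ValueMap{"wsFed","saml"}, Values{"wsFed","saml"}` to that property's qualifiers, the same way `Ensure` is constrained a few lines below. The matching parameter in the .psm1 should carry `[ValidateSet('wsFed', 'saml')]`; its param blocks are not part of this hunk, so confirm that there.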
@@ -0,0 +1,28 @@
+{
+ "resourceName": "AADFederationConfiguration",
+ "description": "Configures federation in Entra Id.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [
+ {
+ "name": "Domain.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "IdentityProvider.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/MSFT_AADFilteringPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/MSFT_AADFilteringPolicy.psm1
new file mode 100644
index 0000000000..5727a13f23
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/MSFT_AADFilteringPolicy.psm1
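Review bot: The application `read` scope listed here is `Domain.Read.All`, but the only read call visible in this diff (Export-TargetResource in the .psm1) queries `beta/directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation`, and it is not evident that a domain-read scope authorizes that endpoint. This file is what administrators use to decide which permissions to consent to, so a wrong entry either breaks the export (the catch block there logs the error and returns an empty string) or pushes people towards granting the ReadWrite scope for read-only runs. Check the endpoint against the Graph permissions reference and list the least-privileged scope it actually needs, likely `{ "name": "IdentityProvider.Read.All" }`, if that is what the reference confirms.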
@@ -0,0 +1,419 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Action, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Retrieving policy by id {$Id}" + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + if ($null -eq $instance) + { + Write-Verbose -Message "Retrieving policy by name {$Name}" + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name} + } + } + else + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Retrieving policy by id {$Id}" + $instance = 
Get-MgBetaNetworkAccessFilteringPolicy -FilteringPolicyId $Id -ErrorAction SilentlyContinue + } + if ($null -eq $instance) + { + Write-Verbose -Message "Retrieving policy by name {$Name}" + $instance = Get-MgBetaNetworkAccessFilteringPolicy -All | Where-Object -FilterScript {$_.Name -eq $Name} + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Name = $instance.Name + Id = $instance.Id + Description = $instance.Description + Action = $instance.Action + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Action, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $instanceParams = @{ + name = $Name + action = $Action + description = $Description + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new filtering policy {$Name}" + New-MgBetaNetworkAccessFilteringPolicy -BodyParameter $instanceParams + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating filtering policy {$Name}" + Update-MgBetaNetworkAccessFilteringPolicy -FilteringPolicyId $currentInstance.Id ` + -BodyParameter $instanceParams + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing filtering policy {$Name}" + Remove-MgBetaNetworkAccessFilteringPolicy -FilteringPolicyId $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Action, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens 
+ ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaNetworkAccessFilteringPolicy -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Name + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Name = $config.Name + Id = $config.Id + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + 
-Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/MSFT_AADFilteringPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/MSFT_AADFilteringPolicy.schema.mof new file mode 100644 index 0000000000..eebd9161ae --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/MSFT_AADFilteringPolicy.schema.mof @@ -0,0 +1,16 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADFilteringPolicy")] +class MSFT_AADFilteringPolicy : OMI_BaseResource +{ + [Key, Description("Name of the policy.")] String Name; + [Write, Description("Unique identifier of the policy.")] String Id; + [Write, Description("Description for the policy.")] String Description; + [Write, Description("Action associated with the policy.")] String Action; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/readme.md new file mode 100644 index 0000000000..80f4aa8ee0 --- /dev/null 
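Review bot: Export-TargetResource fills `$Script:exportedInstances` from `Get-MgBetaNetworkAccessFilteringPolicy -ErrorAction Stop` without `-All`, while the name lookup in Get-TargetResource does pass `-All`. If the cmdlet pages its results, policies beyond the first page would be missing from the exported baseline with no error. Make the two consistent with `[array] $Script:exportedInstances = Get-MgBetaNetworkAccessFilteringPolicy -All -ErrorAction Stop`. Separately, Set-TargetResource always places `action` and `description` in `$instanceParams`, so an update from a configuration that omits them would submit empty values for a policy that decides what traffic is filtered. Only adding the keys that are present in `$PSBoundParameters` would avoid that.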
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/readme.md
@@ -0,0 +1,6 @@
+
+# AADFilteringPolicy
+
+## Description
+
+Configures filtering policies in Entra Id.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/settings.json
new file mode 100644
index 0000000000..7f973ccc72
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/settings.json
@@ -0,0 +1,28 @@
+{
+ "resourceName": "AADFilteringPolicy",
+ "description": "Configures filtering policies in Entra Id.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [
+ {
+ "name": "NetworkAccess.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "NetworkAccess.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/MSFT_AADFilteringPolicyRule.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/MSFT_AADFilteringPolicyRule.psm1
new file mode 100644
index 0000000000..861197e4f2
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/MSFT_AADFilteringPolicyRule.psm1
@@ -0,0 +1,535 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter(Mandatory = $true)] + [System.String] + $Policy, + + [Parameter()] + [System.String] + $RuleType, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Destinations, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $policyInstance = Get-MgBetaNetworkAccessFilteringPolicy | Where-Object -Filter {$_.Name -eq $Policy} + if ($null -ne $policyInstance) + { + Write-Verbose -Message "Found existing Policy {$Policy}" + + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Retrieving Filtering Policy Rule by Id {$Id}" + $instance = Get-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id ` + -PolicyRuleId Id -ErrorAction SilentlyContinue + } + if ($null -eq $instance) + { + Write-Verbose -Message "Retrieving Filtering Policy Rule by Name {$Name}" + $instance = Get-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id | Where-Object -FilterScript {$_.Name -eq $Name} + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $DestinationsValue = @() + foreach ($destination in $instance.AdditionalProperties.destinations) + { + if ($instance.AdditionalProperties.ruleType -eq 'fqdn') + { + $DestinationsValue += @{ + value = $destination.value + } + } + elseif ($instance.AdditionalProperties.ruleType -eq 'webCategory') + { + $DestinationsValue += @{ + name = $destination.name + } + } + } + + $results = @{ + Name = $instance.Name + Policy = $Policy + Id = $instance.Id + RuleType = $instance.AdditionalProperties.ruleType + Destinations = $DestinationsValue + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + 
} + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter(Mandatory = $true)] + [System.String] + $Policy, + + [Parameter()] + [System.String] + $RuleType, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Destinations, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + Write-Verbose -Message "Entering the Set-TargetResource function" + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $policyInstance = Get-MgBetaNetworkAccessFilteringPolicy | Where-Object -Filter {$_.Name -eq $Policy} + + if ($RuleType -eq 'webCategory') + { + $instanceParams = @{ + "@odata.type" = "#microsoft.graph.networkaccess.webCategoryFilteringRule" + name = $Name + ruleType = $RuleType + destinations = @() + } + + foreach ($destination in $Destinations) + { + $instanceParams.destinations += @{ + "@odata.type" = "#microsoft.graph.networkaccess.webCategory" + name = $destination.name + } + } + } + elseif ($RuleType -eq 'fqdn') + { + $instanceParams = @{ + "@odata.type" = "#microsoft.graph.networkaccess.fqdnFilteringRule" + name = $Name + ruleType = $RuleType + destinations = @() + } + + foreach ($destination in $Destinations) + { + $instanceParams.destinations += @{ + "@odata.type" = "#microsoft.graph.networkaccess.fqdn" + value = $destination.value + } + } + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new Filtering Policy Rule {$Name}" + New-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id ` + -BodyParameter $instanceParams + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating Filtering Policy Rule {$Name}" + $instanceParams.Remove('ruleType') | Out-Null + Update-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id ` + -PolicyRuleId $currentInstance.Id ` + -BodyParameter $instanceParams + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and 
$currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing Filtering Policy Rule {$Name}" + Remove-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id ` + -PolicyRuleId $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter(Mandatory = $true)] + [System.String] + $Policy, + + [Parameter()] + [System.String] + $RuleType, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Destinations, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection 
-Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + $policies = Get-MgBetaNetworkAccessFilteringPolicy + + $i = 1 + $dscContent = '' + if ($policies.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($policy in $policies) + { + $displayedKey = $policy.Name + Write-Host " |---[$i/$($policies.Count)] $displayedKey" -NoNewline + $rules = Get-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policy.Id ` + -ErrorAction SilentlyContinue + if ($rules.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + $j = 1 + foreach ($rule in $rules) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $rule.Name + Write-Host " |---[$j/$($rules.Count)] $displayedKey" -NoNewline + $params = @{ + Name = $rule.Name + Policy = $policy.Name + Id = $rule.Id + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.Destinations) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Destinations -CIMInstanceName 
'AADFilteringPolicyRuleDestination' + if ($complexTypeStringResult) + { + $Results.Destinations = $complexTypeStringResult + } + else + { + $Results.Remove('Destinations') | Out-Null + } + } + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.Destinations) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Destinations' -IsCIMArray:$false + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $j++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + $i++ + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/MSFT_AADFilteringPolicyRule.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/MSFT_AADFilteringPolicyRule.schema.mof new file mode 100644 index 0000000000..7a35e43160 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/MSFT_AADFilteringPolicyRule.schema.mof 
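Review bot: In Get-TargetResource the Id lookup passes the literal string `Id` (`-PolicyRuleId Id -ErrorAction SilentlyContinue`), so it can never match the rule and the resulting error is suppressed; every call silently falls through to the name lookup. It should read `-PolicyRuleId $Id`. In Test-TargetResource, `$testResult` is only assigned inside the CimInstance comparison loop, so when `Destinations` is not bound the `if ($testResult)` guard is false, Test-M365DSCParameterState is never called and the function returns `$null`; add `$testResult = $true` before the `foreach`. Set-TargetResource also dereferences `$policyInstance.Id` without checking that a policy named `$Policy` was found, and the export loop fetches rules with `-ErrorAction SilentlyContinue`, so a failed read looks the same as a policy with no rules.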
@@ -0,0 +1,24 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_AADFilteringPolicyRuleDestination
+{
+ [Write, Description("Name of the destination.")] String name;
+ [Write, Description("FQDN value for the destination.")] String value;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("AADFilteringPolicyRule")]
+class MSFT_AADFilteringPolicyRule : OMI_BaseResource
+{
+ [Key, Description("Name of the rule.")] String Name;
+ [Key, Description("Name of the associated policy.")] String Policy;
+ [Write, Description("Unique Id for the rule.")] String Id;
+ [Write, Description("Type of rule.")] String RuleType;
+ [Write, Description("List of associated destinations with the rule."), EmbeddedInstance("MSFT_AADFilteringPolicyRuleDestination")] String Destinations[];
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/readme.md
new file mode 100644
index 0000000000..dcfb67c298
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/readme.md
@@ -0,0 +1,6 @@
+
+# AADFilteringPolicyRule
+
+## Description
+
+Configures filtering rules in Entra Id.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/settings.json
new file mode 100644
index 0000000000..8bbc6f8277
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/settings.json
@@ -0,0 +1,28 @@
+{
+ "resourceName": "AADFilteringPolicyRule",
+ "description": "Configures filtering rules in Entra Id.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [
+ {
+ "name": "NetworkAccess.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "NetworkAccess.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/MSFT_AADFilteringProfile.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/MSFT_AADFilteringProfile.psm1
new file mode 100644
index 0000000000..0735e28f72
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/MSFT_AADFilteringProfile.psm1
@@ -0,0 +1,530 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [System.UInt32] + $Priority, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Policies, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Retrieving profile by Id {$Id}" + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + if ($null -eq $instance) + { + Write-Verbose -Message "Retrieving profile by Name {$Name}" + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name} + } + } + else + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Retrieving profile by Id {$Id}" + $instance = Get-MgBetaNetworkAccessFilteringProfile -ExpandProperty Policies -FilteringProfileId $Id -ErrorAction SilentlyContinue + } + if ($null -eq $instance) + { + Write-Verbose -Message "Retrieving profile by Name {$Name}" + $instance = Get-MgBetaNetworkAccessFilteringProfile -All -ExpandProperty Policies | Where-Object -FilterScript {$_.Name -eq $Name} + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $PolicyValue = @() + if ($null -ne $instance.Policies -and $instance.Policies.Length -gt 0) + { + $policyLinks = Get-MgBetaNetworkAccessFilteringProfilePolicy -FilteringProfileId $instance.Id -ExpandProperty Policy + foreach ($link in $policyLinks) + { + $policyInfo = Get-MgBetaNetworkAccessFilteringPolicy -FilteringPolicyId $link.Policy.Id + if ($null -ne $policyInfo) + { + $entry = @{ + State = $link.State + Priority = $link.AdditionalProperties.priority + LoggingState = $link.AdditionalProperties.loggingState + PolicyName = $policyInfo.Name + 
} + $PolicyValue += $entry + } + } + } + + $results = @{ + Name = $instance.Name + Id = $instance.Id + Description = $instance.Description + State = $instance.State + Priority = $instance.Priority + Policies = $PolicyValue + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [System.UInt32] + $Priority, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Policies, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $instanceParams = @{ + description = $Description + name = $Name + priority = $Priority + state = $State + policies = @() + } + + foreach ($policy in $Policies) + { + $policyInfo = Get-MgBetaNetworkAccessFilteringPolicy -All | Where-Object -FilterScript {$_.Name -eq $policy.PolicyName} + if ($null -ne $policyInfo) + { + $entry = @{ + "@odata.type" = "#microsoft.graph.networkaccess.filteringPolicyLink" + loggingState = $policy.LoggingState + priority = $policy.Priority + state = $policy.State + policy = @{ + "@odata.type" = "#microsoft.graph.networkaccess.filteringPolicy" + id = $policyInfo.Id + } + } + $instanceParams.policies += $entry + } + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new filtering profile {$Name}" + New-MgBetaNetworkAccessFilteringProfile -BodyParameter $instanceParams + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating filtering profile {$Name} by removing and recreating" + Remove-MgBetaNetworkAccessFilteringProfile -FilteringProfileId $currentInstance.Id + New-MgBetaNetworkAccessFilteringProfile -BodyParameter $instanceParams + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing filtering profile {$Name}" + Remove-MgBetaNetworkAccessFilteringProfile -FilteringProfileId $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + 
[Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [System.UInt32] + $Priority, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Policies, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + if ($testResult) + { + 
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaNetworkAccessFilteringProfile -ExpandProperty Policies -All -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Name + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Name = $config.Name + Id = $config.Id + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.Policies) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Policies -CIMInstanceName AADFilteringProfilePolicyLink + if ($complexTypeStringResult) + { + $Results.Policies = $complexTypeStringResult + } + else + { + $Results.Remove('Policies') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.Policies) + { + $currentDSCBlock = 
Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Policies' -IsCIMArray:$true + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/MSFT_AADFilteringProfile.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/MSFT_AADFilteringProfile.schema.mof new file mode 100644 index 0000000000..40d40b0a4c --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/MSFT_AADFilteringProfile.schema.mof 
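Review bot: In Set-TargetResource the UPDATE branch calls `Remove-MgBetaNetworkAccessFilteringProfile` and then `New-MgBetaNetworkAccessFilteringProfile` with no error handling, so a failed create leaves the tenant without the filtering profile. The policy loop above it has a related gap: when no policy named `$policy.PolicyName` is found, the link is skipped silently and the profile is written with fewer policies than the configuration declares. Both cases fail open for a traffic-filtering control. Resolve every policy link first and stop before the remove when one is missing or ambiguous, and make the recreate log and rethrow on failure, as sketched below.

```powershell
    foreach ($policy in $Policies)
    {
        $policyInfo = Get-MgBetaNetworkAccessFilteringPolicy -All | Where-Object -FilterScript {$_.Name -eq $policy.PolicyName}
        # Exactly one match is required: zero would drop the link, several would make .Id an array.
        if (@($policyInfo).Count -ne 1)
        {
            throw "Expected exactly one filtering policy named {$($policy.PolicyName)}; profile {$Name} was left unchanged."
        }
        # … unchanged: build $entry and append it to $instanceParams.policies …
    }

    # … unchanged: CREATE branch …
    elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
    {
        Write-Verbose -Message "Updating filtering profile {$Name} by removing and recreating"
        Remove-MgBetaNetworkAccessFilteringProfile -FilteringProfileId $currentInstance.Id -ErrorAction Stop
        try
        {
            New-MgBetaNetworkAccessFilteringProfile -BodyParameter $instanceParams -ErrorAction Stop
        }
        catch
        {
            # The old profile is already gone at this point; make the failure visible instead of continuing.
            New-M365DSCLogEntry -Message "Filtering profile {$Name} was removed but could not be recreated:" `
                -Exception $_ `
                -Source $($MyInvocation.MyCommand.Source) `
                -TenantId $TenantId `
                -Credential $Credential
            throw
        }
    }
    # … unchanged: REMOVE branch …
```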
@@ -0,0 +1,27 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_AADFilteringProfilePolicyLink
+{
+ [Write, Description("Logging state for the associated policy.")] String LoggingState;
+ [Write, Description("Priority of the associated policy.")] UInt32 Priority;
+ [Write, Description("State of the associated policy.")] String State;
+ [Write, Description("Name of the associated policy.")] String PolicyName;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("AADFilteringProfile")]
+class MSFT_AADFilteringProfile : OMI_BaseResource
+{
+ [Key, Description("Profile name.")] String Name;
+ [Write, Description("Unique identifier for the profile.")] String Id;
+ [Write, Description("Description of the profile.")] String Description;
+ [Write, Description("State of the profile.")] String State;
+ [Write, Description("Priority level for the profile.")] UInt32 Priority;
+ [Write, Description("List of filtering policy names associated with the profile."), EmbeddedInstance("MSFT_AADFilteringProfilePolicyLink")] String Policies[];
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/readme.md
new file mode 100644
index 0000000000..8f174e58ff
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/readme.md
@@ -0,0 +1,6 @@
+
+# AADFilteringProfile
+
+## Description
+
+Configures filtering profiles in Entra Id.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/settings.json
new file mode 100644
index 0000000000..0b85fa3e50
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/settings.json
@@ -0,0 +1,28 @@
+{
+ "resourceName": "AADFilteringProfile",
+ "description": "Configures filtering profiles in Entra Id.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [
+ {
+ "name": "NetworkAccess.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "NetworkAccess.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1
index 92e1614b52..cac6b9daf2 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1
@@ -256,20 +256,19 @@ function Get-TargetResource if ($Group.IsAssignableToRole -eq $true) { $AssignedToRoleValues = @() - # Note: only process directory roles and not group membership (if any) - foreach ($role in $($memberOf | Where-Object -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' })) + $roleAssignments = Get-MgBetaRoleManagementDirectoryRoleAssignment -Filter "PrincipalId eq '$($Group.Id)'" + foreach ($assignment in $roleAssignments) { - if ($null -ne $role.AdditionalProperties.displayName) - { - $AssignedToRoleValues += $role.AdditionalProperties.displayName - } + $roleDefinition = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $assignment.RoleDefinitionId + $AssignedToRoleValues += $roleDefinition.DisplayName } } # Licenses $assignedLicensesValues = $null + $uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/groups/$($Group.Id)/assignedLicenses" $assignedLicensesRequest = Invoke-MgGraphRequest -Method 'GET' ` - -Uri "https://graph.microsoft.com/v1.0/groups/$($Group.Id)/assignedLicenses" + -Uri $uri if ($assignedLicensesRequest.value.Length -gt 0) { @@ -912,13 +911,7 @@ function Set-TargetResource { try { - $role = Get-MgBetaDirectoryRole -Filter "DisplayName eq '$($diff.InputObject)'" - # If the role hasn't been activated, we need to get the role template ID to first activate the role - if ($null -eq $role) - { - $adminRoleTemplate = Get-MgBetaDirectoryRoleTemplate -All | Where-Object { $_.DisplayName -eq $diff.InputObject } - $role = New-MgBetaDirectoryRole -RoleTemplateId $adminRoleTemplate.Id - } + $role = Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$($diff.InputObject)'" } catch { 
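Review bot: The new lookup in the first hunk filters only on `PrincipalId`, and the loop adds each role's `DisplayName` to `$AssignedToRoleValues` without looking at the assignment's `DirectoryScopeId`. Set-TargetResource in this commit only creates assignments with `-DirectoryScopeId '/'`, so a role the group holds on a narrower scope (an administrative unit, for instance) would be reported as if it were tenant-wide and would presumably be treated as already in the desired state. Starting the loop body with `if ($assignment.DirectoryScopeId -ne '/') { continue }` keeps the read side consistent with the write side, and adding `-All` to the query avoids working from a single page of results. The enclosing function starts and ends outside the hunk.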
@@ -933,15 +926,15 @@ function Set-TargetResource if ($diff.SideIndicator -eq '=>') { Write-Verbose -Message "Assigning AAD group {$($currentGroup.DisplayName)} to Directory Role {$($diff.InputObject)}" - $DirObject = @{ - '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($currentGroup.Id)" - } - New-MgBetaDirectoryRoleMemberByRef -DirectoryRoleId ($role.Id) -BodyParameter $DirObject | Out-Null + New-MgBetaRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $currentGroup.Id -DirectoryScopeId '/' } elseif ($diff.SideIndicator -eq '<=') { Write-Verbose -Message "Removing AAD group {$($currentGroup.DisplayName)} from Directory Role {$($role.DisplayName)}" - Remove-MgBetaDirectoryRoleMemberDirectoryObjectByRef -DirectoryRoleId ($role.Id) -DirectoryObjectId ($currentGroup.Id) | Out-Null + Write-Verbose "GroupId = $($currentGroup.Id)" + Write-Verbose "RoleDefinitionId = $($role.Id)" + $roleAssignment = Get-MgBetaRoleManagementDirectoryRoleAssignment -Filter "PrincipalId eq '$($currentGroup.Id)' and RoleDefinitionId eq '$($role.Id)'" + Remove-MgBetaRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $roleAssignment.Id } } } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupsSettings/MSFT_AADGroupsSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupsSettings/MSFT_AADGroupsSettings.psm1 index 91ece280a4..6f20b8aabf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupsSettings/MSFT_AADGroupsSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupsSettings/MSFT_AADGroupsSettings.psm1 
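Review bot: The removal branch passes `$roleAssignment.Id` straight to `Remove-MgBetaRoleManagementDirectoryRoleAssignment`, although the filter on `PrincipalId` and `RoleDefinitionId` can return nothing or one assignment per scope, which makes `.Id` either `$null` or an array. Since the add branch only ever creates the `'/'` assignment, the removal should target that one and be skipped when it is absent: append `| Where-Object { $_.DirectoryScopeId -eq '/' }` to the `Get-MgBetaRoleManagementDirectoryRoleAssignment` call and guard the delete with `if ($null -ne $roleAssignment) { ... }`. `$role` comes from the `Get-MgBetaRoleManagementDirectoryRoleDefinition` lookup in the previous hunk and, as far as the visible lines show, is not checked for `$null` before `$role.Id` is used in either branch. The enclosing function starts and ends outside the hunk.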
@@ -138,7 +138,6 @@ function Get-TargetResource GuestUsageGuidelinesUrl = $valueGuestUsageGuidelinesUrl.Value AllowToAddGuests = [Boolean]::Parse($valueAllowToAddGuests.Value) UsageGuidelinesUrl = $valueUsageGuidelinesUrl.Value - NewUnifiedGroupWritebackDefault = [Boolean]::Parse($valueNewUnifiedGroupWritebackDefault.Value) Ensure = 'Present' ApplicationId = $ApplicationId TenantId = $TenantId @@ -148,7 +147,11 @@ function Get-TargetResource Managedidentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens } - + if (-not [System.String]::IsNullOrEmpty($valueNewUnifiedGroupWritebackDefault.Value)) + { + $result.Add('NewUnifiedGroupWritebackDefault', [Boolean]::Parse($valueNewUnifiedGroupWritebackDefault.Value)) + } + if (-not [System.String]::IsNullOrEmpty($AllowedGroupName)) { $result.Add('GroupCreationAllowedGroupName', $AllowedGroupName) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/MSFT_AADHomeRealmDiscoveryPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/MSFT_AADHomeRealmDiscoveryPolicy.psm1 new file mode 100644 index 0000000000..bd3c930dee --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/MSFT_AADHomeRealmDiscoveryPolicy.psm1 
@@ -0,0 +1,567 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Definition, + + [Parameter()] + [System.Boolean] + $IsOrganizationDefault, + + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaPolicyHomeRealmDiscoveryPolicy ` + -Filter "DisplayName eq '$DisplayName'" + + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Home Realm Discovery Policy with DisplayName {$DisplayName}." 
+ return $nullResult + } + # if multiple objects with same name exist + if ($getValue -is [array]) { + Write-Verbose -Message "Multiple Azure AD Home Realm Discovery Policy with DisplayName {$DisplayName} found. Skipping Operation." + return $nullResult + } + + Write-Verbose -Message "An Azure AD Home Realm Discovery Policy with DisplayName {$DisplayName} was found" + + $DefinitionArray = @() + foreach ($definitionValue in $getValue.definition) { + $value = ConvertFrom-Json $definitionValue + $DefinitionArray += @{ + AccelerateToFederatedDomain = $value.HomeRealmDiscoveryPolicy.AccelerateToFederatedDomain + AllowCloudPasswordValidation = $value.HomeRealmDiscoveryPolicy.AllowCloudPasswordValidation + PreferredDomain = $value.HomeRealmDiscoveryPolicy.PreferredDomain + AlternateIdLogin = @{ + Enabled = $value.HomeRealmDiscoveryPolicy.AlternateIdLogin.Enabled + } + } + } + + $results = @{ + #region resource generator code + Definition = [Array]$DefinitionArray + IsOrganizationDefault = $getValue.isOrganizationDefault + Description = $getValue.description + DisplayName = $getValue.displayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Definition, + + [Parameter()] + [System.Boolean] + $IsOrganizationDefault, + + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + 
$DisplayName, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # to get the id parameter + $getValue = Get-MgBetaPolicyHomeRealmDiscoveryPolicy ` + -Filter "DisplayName eq '$DisplayName'" + + $newDefinitions = @() + foreach ($Def in $Definition) { + $HomeRealmDiscoveryPolicy = @{} + if ($null -ne $Def.AccelerateToFederatedDomain){ + $HomeRealmDiscoveryPolicy.Add('AccelerateToFederatedDomain', $Def.AccelerateToFederatedDomain) + } + if ($null -ne $Def.AllowCloudPasswordValidation){ + $HomeRealmDiscoveryPolicy.Add('AllowCloudPasswordValidation', $Def.AllowCloudPasswordValidation) + } + if ($null -ne $Def.PreferredDomain){ + $HomeRealmDiscoveryPolicy.Add('PreferredDomain', $Def.PreferredDomain) + } + if ($null -ne $Def.AlternateIdLogin.Enabled){ + $HomeRealmDiscoveryPolicy.Add('AlternateIdLogin', @{Enabled = $Def.AlternateIdLogin.Enabled}) + } + $temp = @{ + HomeRealmDiscoveryPolicy = 
$HomeRealmDiscoveryPolicy + } + $newDefinitions += ConvertTo-Json $temp -Depth 10 -Compress + } + + $BoundParameters.Definition = $newDefinitions + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Azure AD Home Realm Discovery Policy with DisplayName {$DisplayName}" + + $createParameters = ([Hashtable]$BoundParameters).Clone() + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + + #region resource generator code + $policy = New-MgBetaPolicyHomeRealmDiscoveryPolicy -BodyParameter $createParameters + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Home Realm Discovery Policy with DisplayName {$($currentInstance.DisplayName)}" + + $updateParameters = ([Hashtable]$BoundParameters).Clone() + $updateParameters = Rename-M365DSCCimInstanceParameter -Properties $updateParameters + + #region resource generator code + Update-MgBetaPolicyHomeRealmDiscoveryPolicy ` + -HomeRealmDiscoveryPolicyId $getValue.Id ` + -BodyParameter $UpdateParameters + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Azure AD Home Realm Discovery Policy with DisplayName {$($currentInstance.DisplayName)}" + #region resource generator code + Remove-MgBetaPolicyHomeRealmDiscoveryPolicy -HomeRealmDiscoveryPolicyId $getValue.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Definition, + + [Parameter()] + [System.Boolean] + $IsOrganizationDefault, + + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + 
$Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Home Realm Discovery Policy with DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + 
if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaPolicyHomeRealmDiscoveryPolicy ` + -Filter $Filter ` + -All ` + -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.DisplayName + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($null -ne $Results.Definition) + { + $Results.Definition = Get-M365DSCAADHomeRealDiscoveryPolicyDefinitionAsString $Results.Definition + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($null -ne $Results.Definition) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + 
-ParameterName 'Definition' + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-M365DSCAADHomeRealDiscoveryPolicyDefinitionAsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $Definitions + ) + + $StringContent = [System.Text.StringBuilder]::new() + $StringContent.Append('@(') | Out-Null + + foreach ($definition in $Definitions) + { + $StringContent.Append("`n MSFT_AADHomeRealDiscoveryPolicyDefinition {`r`n") | Out-Null + $StringContent.Append(" PreferredDomain = '" + $definition.PreferredDomain + "'`r`n") | Out-Null + if ($null -ne $definition.AccelerateToFederatedDomain) { + $StringContent.Append(" AccelerateToFederatedDomain = $" + $definition.AccelerateToFederatedDomain + "`r`n") | Out-Null + } + if ($null -ne $definition.AllowCloudPasswordValidation) { + $StringContent.Append(" AllowCloudPasswordValidation = $" + $definition.AllowCloudPasswordValidation + "`r`n") | Out-Null + } + $StringContent.Append(" AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin {`r`n") | Out-Null + $StringContent.Append(" Enabled = $" + $definition.AlternateIdLogin.Enabled + "`r`n") | Out-Null + $StringContent.Append(" }`r`n") | Out-Null + $StringContent.Append(" }`r`n") | Out-Null + } + + $StringContent.Append(' )') | Out-Null + return $StringContent.ToString() +} + + +Export-ModuleMember -Function *-TargetResource 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/MSFT_AADHomeRealmDiscoveryPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/MSFT_AADHomeRealmDiscoveryPolicy.schema.mof
new file mode 100644
index 0000000000..b352209efe
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/MSFT_AADHomeRealmDiscoveryPolicy.schema.mof
@@ -0,0 +1,33 @@ +[ClassVersion("1.0.0")] +class MSFT_AADHomeRealDiscoveryPolicyDefinition +{ + [Write, Description("Accelerate to Federated Domain.")] Boolean AccelerateToFederatedDomain; + [Write, Description("Allow cloud password validation.")] Boolean AllowCloudPasswordValidation; + [Write, Description("AlternateIdLogin complex object."), EmbeddedInstance("MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin")] String AlternateIdLogin; + [Write, Description("Preffered Domain value.")] String PreferredDomain; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin +{ + [Write, Description("Boolean for whether AlternateIdLogin is enabled.")] Boolean Enabled; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADHomeRealmDiscoveryPolicy")] +class MSFT_AADHomeRealmDiscoveryPolicy : OMI_BaseResource +{ + [Key, Description("Display name for this policy. Required.")] String DisplayName; + [Write, Description("A string collection containing a complex object array that defines the rules and settings for a policy. The syntax for the definition differs for each derived policy type. Required."), EmbeddedInstance("MSFT_AADHomeRealDiscoveryPolicyDefinition")] String Definition[]; + [Write, Description("If set to true, activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false.")] Boolean IsOrganizationDefault; + [Write, Description("Description for this policy. 
Required.")] String Description; + + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; + diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/readme.md new file mode 100644 index 0000000000..97b2da84f0 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/readme.md @@ -0,0 +1,6 @@ + +# AADHomeRealmDiscoveryPolicy + +## Description + +Azure AD Home Realm Discovery Policy diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/settings.json new file mode 100644 index 0000000000..b3c6ae18bd --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/settings.json 
@@ -0,0 +1,33 @@ +{ + "resourceName": "AADHomeRealmDiscoveryPolicy", + "description": "This resource configures an Azure AD Home Realm Discovery Policy.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "Policy.Read.All" + } + ], + "update": [ + { + "name": "Policy.ReadWrite.ApplicationConfiguration" + } + ] + }, + "application": { + "read": [ + { + "name": "Policy.Read.All" + } + ], + "update": [ + { + "name": "Policy.ReadWrite.ApplicationConfiguration" + } + ] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 new file mode 100644 index 0000000000..04f48ad77f --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.psm1 
@@ -0,0 +1,732 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Username, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Password, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Certificates, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaIdentityAPIConnector -IdentityApiConnectorId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Identity A P I Connector with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaIdentityAPIConnector ` + -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Identity API Connector with DisplayName {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Azure AD Identity API Connector with Id {$Id} and DisplayName {$DisplayName} was found" + + #region resource generator code + $complexAuthenticationConfiguration = @{} + + if($null -ne $getValue.AuthenticationConfiguration.AdditionalProperties.password) { + $securePassword = ConvertTo-SecureString $getValue.AuthenticationConfiguration.AdditionalProperties.password -AsPlainText -Force + + $Password = New-Object System.Management.Automation.PSCredential ('Password', $securePassword) + } + + + $complexCertificates = @() + foreach ($currentCertificate in $getValue.AuthenticationConfiguration.AdditionalProperties.certificateList) + { + $myCertificate= @{} + $myCertificate.Add('Pkcs12Value', "Please insert a valid Pkcs12Value") + $myCertificate.Add('Thumbprint', $currentCertificate.thumbprint) + $myCertificate.Add('Password', "Please insert a valid Password for the certificate") + $myCertificate.Add('IsActive', $currentCertificate.isActive) + + if ($myCertificate.values.Where({$null -ne $_}).Count -gt 0) + { + $complexCertificates += $myCertificate + } + } + #endregion + + $results = @{ + #region resource generator code + DisplayName = $getValue.DisplayName + TargetUrl = $getValue.TargetUrl + Id = $getValue.Id + Username = $getValue.AuthenticationConfiguration.AdditionalProperties.username + Password = $Password + Certificates = $complexCertificates + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource 
+{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Username, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Password, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Certificates, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # If the certificates array is not empty, then we need to create a new instance of New-MgBetaAADIdentityAPIConnector + + $needToUpdateCertificates = $false + if($null -ne $Certificates -and $Certificates.Count -gt 0) { + $needToUpdateCertificates = $true + } + + if($needToUpdateCertificates -eq $false) { + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Azure AD Identity API Connector with DisplayName {$DisplayName}" + + $createParameters = ([Hashtable]$BoundParameters).Clone() + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + $createParameters.Remove('Id') | Out-Null + + $createParameters.Remove('Password') | Out-Null + $createParameters.Remove('Pkcs12Value') | Out-Null + + if($username -ne $null) { + $createParameters.Add("AuthenticationConfiguration", @{ + '@odata.type' = "microsoft.graph.basicAuthentication" + "password" = $Password.GetNetworkCredential().Password + "username" = $Username + }) + } + + $createParameters.Add("@odata.type", "#microsoft.graph.IdentityApiConnector") + $policy = New-MgBetaIdentityAPIConnector -BodyParameter $createParameters + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Identity API Connector with Id {$($currentInstance.Id)}" + + $updateParameters = ([Hashtable]$BoundParameters).Clone() + $updateParameters = 
Rename-M365DSCCimInstanceParameter -Properties $updateParameters + + $updateParameters.Remove('Id') | Out-Null + + $updateParameters.Remove('Password') | Out-Null + $updateParameters.Remove('Pkcs12Value') | Out-Null + + $updateParameters.Add("AuthenticationConfiguration", @{ + '@odata.type' = "microsoft.graph.basicAuthentication" + "password" = $Password.GetNetworkCredential().Password + "username" = $Username + }) + + $UpdateParameters.Add("@odata.type", "#microsoft.graph.IdentityApiConnector") + Update-MgBetaIdentityAPIConnector ` + -IdentityApiConnectorId $currentInstance.Id ` + -BodyParameter $UpdateParameters + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Azure AD Identity API Connector with Id {$($currentInstance.Id)}" + Remove-MgBetaIdentityAPIConnector -IdentityApiConnectorId $currentInstance.Id + } + } + else { + + # Remove the existing instance if already present + if($currentInstance.Ensure -ne 'Absent') { + Write-Verbose -Message "Removing the Azure AD Identity API Connector with Id {$($currentInstance.Id)}" + Remove-MgBetaIdentityAPIConnector -IdentityApiConnectorId $currentInstance.Id + } + + # Create a new instance with the certificates + Write-Verbose -Message "Creating an Azure AD Identity API Connector with DisplayName {$DisplayName}" + + $createParameters = ([Hashtable]$BoundParameters).Clone() + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + $createParameters.Remove('Id') | Out-Null + + $createParameters.Remove('Password') | Out-Null + $createParameters.Remove('Pkcs12Value') | Out-Null + + # Get the active and inactive certificates + $activeCertificates = @() + $inactiveCertificates = @() + foreach ($currentCertificate in $Certificates) + { + $myCertificate = @{} + $myCertificate.Add('Pkcs12Value', ($currentCertificate.Pkcs12Value).Password) + $myCertificate.Add('Password', ($currentCertificate.Password).Password) + + 
if($currentCertificate.IsActive -eq $true) { + $activeCertificates += $myCertificate + } + else { + $inactiveCertificates += $myCertificate + } + } + + # Only one certificate can be active + if($activeCertificates.Count -ne 1) { + Write-Error "There should be one active certificate" + throw + } + + if($inactiveCertificates.Count -eq 0) { + $createParameters.Add("AuthenticationConfiguration", @{ + '@odata.type' = "microsoft.graph.pkcs12Certificate" + "password" = $activeCertificates[0].Password + "pkcs12Value" = $activeCertificates[0].Pkcs12Value + }) + $activeCertificates = $activeCertificates[1..$activeCertificates.Count] + } + else { + $createParameters.Add("AuthenticationConfiguration", @{ + '@odata.type' = "microsoft.graph.pkcs12Certificate" + "password" = $inactiveCertificates[0].Password + "pkcs12Value" = $inactiveCertificates[0].Pkcs12Value + }) + # remove the first element from the inactive certificates + $inactiveCertificates = $inactiveCertificates[1..$inactiveCertificates.Count] + } + + $createParameters.Add("@odata.type", "#microsoft.graph.IdentityApiConnector") + $policy = New-MgBetaIdentityAPIConnector -BodyParameter $createParameters + + + # Upload the inactive certificates + foreach ($currentCertificate in $inactiveCertificates) + { + $params = @{ + pkcs12Value = $currentCertificate.Pkcs12Value + password = $currentCertificate.Password + } + + Invoke-MgBetaUploadIdentityApiConnectorClientCertificate -IdentityApiConnectorId $policy.Id -BodyParameter $params + } + + # Upload active certificate + foreach ($currentCertificate in $activeCertificates) + { + $params = @{ + pkcs12Value = $currentCertificate.Pkcs12Value + password = $currentCertificate.Password + } + + Invoke-MgBetaUploadIdentityApiConnectorClientCertificate -IdentityApiConnectorId $policy.Id -BodyParameter $params + } + + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] 
+ [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Username, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Password, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Certificates, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Identity A P I Connector with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + + # create a list of 
thumbprints from the source list + $sourceThumbprints = @() + foreach ($item in $source) + { + $myCertificate = @{} + $myCertificate.Add('Thumbprint', $item.Thumbprint) + $myCertificate.Add('IsActive', $item.IsActive) + $sourceThumbprints += $myCertificate + } + + # create a list of thumbprints from the target list + $targetThumbprints = @() + foreach ($item in $target) + { + $myCertificate = @{} + $myCertificate.Add('Thumbprint', $item.Thumbprint) + $myCertificate.Add('IsActive', $item.IsActive) + $targetThumbprints += $myCertificate + } + # sort the lists + $sourceThumbprints = $sourceThumbprints | Sort-Object -Property { $_.Thumbprint } + $targetThumbprints = $targetThumbprints | Sort-Object -Property { $_.Thumbprint } + + # print the list in verbose logs + foreach ($item in $sourceThumbprints) + { + Write-Verbose -Message "Source Thumbprints: $(Convert-M365DscHashtableToString -Hashtable $item)" + } + + foreach ($item in $targetThumbprints) + { + Write-Verbose -Message "Target Thumbprints: $(Convert-M365DscHashtableToString -Hashtable $item)" + } + + # check if the lists are identical + $compareResult = $true + if ($sourceThumbprints.Count -ne $targetThumbprints.Count) + { + $compareResult = $false + } + else + { + for ($i = 0; $i -lt $sourceThumbprints.Count; $i++) + { + if ($sourceThumbprints[$i].Thumbprint -ne $targetThumbprints[$i].Thumbprint) + { + $compareResult = $false + Write-Verbose -Message "Thumbprint mismatch: $($sourceThumbprints[$i].Thumbprint) - $($targetThumbprints[$i].Thumbprint)" + break + } + } + } + + if($compareResult -eq $true) + { + $ValuesToCheck.Remove($key) | Out-Null + } + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck.Remove('Password') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString 
-Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaIdentityAPIConnector ` + -Filter $Filter ` + -All ` + -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results.Password = "Please insert a valid Password" + + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + + if ($null -ne $Results.Certificates) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.Certificates` + -CIMInstanceName 'AADIdentityAPIConnectionCertificate' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.Certificates = $complexTypeStringResult + } + else + { + $Results.Remove('Certificates') | Out-Null + } + } + + $currentDSCBlock = 
Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + + if ($Results.Certificates) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Certificates" -IsCIMArray:$True + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof new file mode 100644 index 0000000000..447b39d00d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/MSFT_AADIdentityAPIConnector.schema.mof 
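Review bot: In Set-TargetResource, the certificate branch (the `else` of `if($needToUpdateCertificates -eq $false)`) calls `Remove-MgBetaIdentityAPIConnector` before it checks `$activeCertificates.Count -ne 1`, so a configuration with zero or several active certificates deletes the existing connector and then throws, leaving the tenant without it. The same branch never reads `$Ensure`, so `Ensure = 'Absent'` together with a non-empty `Certificates` list removes the connector and then creates it again. Build and validate the active/inactive certificate lists first and only then remove the current instance, and guard the recreate path with `if ($Ensure -eq 'Present')` so the Absent case goes through the existing removal branch. The bare `throw` after `Write-Error` would also be clearer as `throw 'There should be one active certificate'`.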
@@ -0,0 +1,28 @@ +[ClassVersion("1.0.0")] +class MSFT_AADIdentityAPIConnectionCertificate +{ + [Write, Description("Pkcs12Value of the certificate as a secure string in Base64 encoding"), EmbeddedInstance("MSFT_Credential")] String Pkcs12Value; + [Write, Description("Thumbprint of the certificate in Base64 encoding")] String Thumbprint; + [Write, Description("Password of the certificate as a secure string"), EmbeddedInstance("MSFT_Credential")] String Password; + [Write, Description("Tells if the certificate is in use or not")] Boolean IsActive; +}; + + +[ClassVersion("1.0.0.0"), FriendlyName("AADIdentityAPIConnector")] +class MSFT_AADIdentityAPIConnector : OMI_BaseResource +{ + [Required, Description("The name of the API connector.")] String DisplayName; + [Write, Description("The URL of the API endpoint to call.")] String TargetUrl; + [Key, Description("The unique identifier for an entity. Read-only.")] String Id; + [Write, Description("The username of the password")] String Username; + [Write, Description("The password of certificate/basic auth"), EmbeddedInstance("MSFT_Credential")] String Password; + [Write, Description("List of certificates to be used in the API connector"), EmbeddedInstance("MSFT_AADIdentityAPIConnectionCertificate")] String Certificates[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active 
Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/readme.md new file mode 100644 index 0000000000..cfafce7110 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/readme.md @@ -0,0 +1,6 @@ + +# AADIdentityAPIConnector + +## Description + +Azure AD Identity API Connector diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/settings.json new file mode 100644 index 0000000000..327fd87153 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityAPIConnector/settings.json @@ -0,0 +1,25 @@ +{ + "resourceName": "AADIdentityAPIConnector", + "description": "This resource configures an Azure AD Identity A P I Connector.", + "permissions": { + "graph": { + "delegated": { + "read": [ + + ], + "update": [ + + ] + }, + "application": { + "read": [ + + ], + "update": [ + + ] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 new file mode 100644 index 0000000000..c6dac92a02 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.psm1 
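Review bot: All four permission lists in the AADIdentityAPIConnector settings.json (`delegated` and `application`, `read` and `update`) are empty, although the resource module added in this commit calls `Get-MgBetaIdentityAPIConnector`, `New-MgBetaIdentityAPIConnector`, `Update-MgBetaIdentityAPIConnector` and `Remove-MgBetaIdentityAPIConnector`. If the project derives its documented or consented Graph scopes from this file, as the `Policy.Read.All` entries in the AADHomeRealmDiscoveryPolicy settings.json of the same commit suggest, operators get no least-privilege guidance for this resource. Microsoft Graph documents `APIConnectors.Read.All` for reads and `APIConnectors.ReadWrite.All` for writes on identity API connectors, so `{ "name": "APIConnectors.Read.All" }` under `read` and `{ "name": "APIConnectors.ReadWrite.All" }` under `update` would match the other resources. The description string "Azure AD Identity A P I Connector" also looks like a generator artefact for "API".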
@@ -0,0 +1,719 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ApiConnectorConfiguration, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String[]] + $IdentityProviders, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UserAttributeAssignments, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaIdentityB2XUserFlow -B2XIdentityUserFlowId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Identity B2 X User Flow with Id {$Id}" + return $nullResult + } + #endregion + + $Id = $getValue.Id + Write-Verbose -Message "An Azure AD Identity B2 X User Flow with Id {$Id} was found" + + #region Get ApiConnectorConfiguration + $connectorConfiguration = Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration -B2xIdentityUserFlowId $Id -ExpandProperty "postFederationSignup,postAttributeCollection" + + $complexApiConnectorConfiguration = @{ + postFederationSignupConnectorName = Get-ConnectorName($connectorConfiguration.PostFederationSignup.DisplayName) + postAttributeCollectionConnectorName = Get-ConnectorName($connectorConfiguration.PostAttributeCollection.DisplayName) + } + #endregion + + #region Get IdentityProviders + $getIdentityProviders = (Get-MgBetaIdentityB2XUserFlowIdentityProvider -B2XIdentityUserFlowId $Id).id + if ($getIdentityProviders.Count -eq 0) + { + $getIdentityProviders = @() + } + #endregion + + $complexUserAttributeAssignments = @() + $getUserAttributeAssignments = Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2XIdentityUserFlowId $Id -ExpandProperty UserAttribute + foreach ($getUserAttributeAssignment in $getUserAttributeAssignments) + { + $getuserAttributeValues = @() + foreach ($getUserAttributeAssignmentAttributeValue in $getUserAttributeAssignment.UserAttributeValues) + { + 
$getuserAttributeValues += @{ + Name = $getUserAttributeAssignmentAttributeValue.Name + Value = $getUserAttributeAssignmentAttributeValue.Value + IsDefault = $getUserAttributeAssignmentAttributeValue.IsDefault + } + } + $complexUserAttributeAssignments += @{ + Id = $getUserAttributeAssignment.Id + DisplayName = $getUserAttributeAssignment.DisplayName + IsOptional = $getUserAttributeAssignment.IsOptional + UserInputType = $getUserAttributeAssignment.UserInputType + UserAttributeValues = $getuserAttributeValues + } + } + + $results = @{ + #region resource generator code + ApiConnectorConfiguration = $complexApiConnectorConfiguration + Id = $getValue.Id + IdentityProviders = $getIdentityProviders + UserAttributeAssignments = $complexUserAttributeAssignments + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ApiConnectorConfiguration, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String[]] + $IdentityProviders, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UserAttributeAssignments, + + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + 
$TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Azure AD Identity B2 X User Flow with Id {$Id}" + + #region Create ApiConnectorConfiguration object + $newApiConnectorConfiguration = @{} + if (-not [string]::IsNullOrEmpty($ApiConnectorConfiguration.postFederationSignupConnectorName)) + { + $getConnector = Get-MgBetaIdentityApiConnector -Filter "DisplayName eq '$($ApiConnectorConfiguration.postFederationSignupConnectorName)'" + $newApiConnectorConfiguration['PostFederationSignup'] = @{ + 'Id' = $getConnector.Id + } + } + + if (-not [string]::IsNullOrEmpty($ApiConnectorConfiguration.postAttributeCollectionConnectorName)) + { + $getConnector = Get-MgBetaIdentityApiConnector -Filter "DisplayName eq '$($ApiConnectorConfiguration.postAttributeCollectionConnectorName)'" + $newApiConnectorConfiguration['PostAttributeCollection'] = @{ + 'Id' = $getConnector.Id + } + } + #endregion + + $params = @{ + id = $Id + userFlowType = "signUpOrSignIn" + userFlowTypeVersion = 1 + apiConnectorConfiguration = $newApiConnectorConfiguration + } + + $newObj = 
New-MgBetaIdentityB2XUserFlow -BodyParameter $params + + #region Add IdentityProvider objects to the newly created object + foreach ($provider in $IdentityProviders) + { + $params = @{ + "@odata.id" = "https://graph.microsoft.com/beta/identityProviders/$($provider)" + } + + Write-Verbose -Message "Adding the Identity Provider with Id {$provider} to the newly created Azure AD Identity B2X User Flow with Id {$($newObj.Id)}" + + New-MgBetaIdentityB2XUserFlowIdentityProviderByRef -B2XIdentityUserFlowId $newObj.Id -BodyParameter $params + } + #endregion + + #region Add UserAtrributeAssignments to the newly created object + $currentAttributes = Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2XIdentityUserFlowId $newObj.Id | Select-Object -ExpandProperty Id + $attributesToAdd = $UserAttributeAssignments | Where-Object {$_.Id -notin $currentAttributes} + + foreach ($userAttributeAssignment in $attributesToAdd) + { + $params = @{ + displayName = $userAttributeAssignment.DisplayName + isOptional = $userAttributeAssignment.IsOptional + userInputType = $userAttributeAssignment.UserInputType + userAttributeValues = @() + userAttribute = @{ + id = $userAttributeAssignment.Id + } + } + + foreach ($userAttributeValue in $userAttributeAssignment.UserAttributeValues) + { + $params['userAttributeValues'] += @{ + "Name" = $userAttributeValue.Name + "Value" = $userAttributeValue.Value + "IsDefault" = $userAttributeValue.IsDefault + } + } + + Write-Verbose -Message "Adding the User Attribute Assignment with Id {$($userAttributeAssignment.Id)} to the newly created Azure AD Identity B2X User Flow with Id {$($newObj.Id)}" + + New-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2XIdentityUserFlowId $newObj.Id -BodyParameter $params + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + #region Update ApiConnectorConfiguration 
object + if (-not [string]::IsNullOrEmpty($ApiConnectorConfiguration.postFederationSignupConnectorName)) + { + $getConnector = Get-MgBetaIdentityApiConnector -Filter "DisplayName eq '$($ApiConnectorConfiguration.postFederationSignupConnectorName)'" + $params = @{ + "@odata.id" = "https://graph.microsoft.com/beta/identity/apiConnectors/$($getConnector.Id)" + } + + Write-Verbose -Message "Updating the Post Federation Signup connector for Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + Set-MgBetaIdentityB2XUserFlowPostFederationSignupByRef -B2xIdentityUserFlowId $currentInstance.Id -BodyParameter $params + } + + if (-not [string]::IsNullOrEmpty($ApiConnectorConfiguration.postAttributeCollectionConnectorName)) + { + $getConnector = Get-MgBetaIdentityApiConnector -Filter "DisplayName eq '$($ApiConnectorConfiguration.postAttributeCollectionConnectorName)'" + $params = @{ + "@odata.id" = "https://graph.microsoft.com/beta/identity/apiConnectors/$($getConnector.Id)" + } + + Write-Verbose -Message "Updating the Post Attribute Collection connector for Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + Set-MgBetaIdentityB2XUserFlowPostAttributeCollectionByRef -B2xIdentityUserFlowId $currentInstance.Id -BodyParameter $params + } + #endregion + + #region Add or Remove Identity Providers on the current instance + $providersToAdd = $IdentityProviders | Where-Object {$_ -notin $currentInstance.IdentityProviders} + foreach ($provider in $providersToAdd) + { + $params = @{ + "@odata.id" = "https://graph.microsoft.com/beta/identityProviders/$($provider)" + } + + Write-Verbose -Message "Adding the Identity Provider with Id {$provider} to the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + New-MgBetaIdentityB2XUserFlowIdentityProviderByRef -B2XIdentityUserFlowId $currentInstance.Id -BodyParameter $params + } + + $providersToRemove = $currentInstance.IdentityProviders | Where-Object {$_ -notin $IdentityProviders} + foreach 
($provider in $providersToRemove) + { + Write-Verbose -Message "Removing the Identity Provider with Id {$provider} from the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + Remove-MgBetaIdentityB2XUserFlowIdentityProviderByRef -B2XIdentityUserFlowId $currentInstance.Id -IdentityProviderBaseId $provider + } + #endregion + + #region Add, remove or update User Attribute Assignments on the current instance + $attributesToRemove = $currentInstance.UserAttributeAssignments | Where-Object {$_.Id -notin $UserAttributeAssignments.Id} + + #Remove + foreach ($userAttributeAssignment in $attributesToRemove) + { + Write-Verbose -Message "Removing the User Attribute Assignment with Id {$($userAttributeAssignment.Id)} from the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + Remove-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2XIdentityUserFlowId $currentInstance.Id -IdentityUserFlowAttributeAssignmentId $userAttributeAssignment.Id + } + + #Add/Update + foreach ($userAttributeAssignment in $UserAttributeAssignments) + { + $params = @{ + displayName = $userAttributeAssignment.DisplayName + isOptional = $userAttributeAssignment.IsOptional + userInputType = $userAttributeAssignment.UserInputType + userAttributeValues = @() + } + + foreach ($userAttributeValue in $userAttributeAssignment.UserAttributeValues) + { + $params['userAttributeValues'] += @{ + "Name" = $userAttributeValue.Name + "Value" = $userAttributeValue.Value + "IsDefault" = $userAttributeValue.IsDefault + } + } + + if ($userAttributeAssignment.Id -notin $currentInstance.UserAttributeAssignments.Id) + { + $params["userAttribute"] = @{ + id = $userAttributeAssignment.Id + } + + Write-Verbose -Message "Adding the User Attribute Assignment with Id {$($userAttributeAssignment.Id)} to the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + New-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2XIdentityUserFlowId $currentInstance.Id -BodyParameter $params + } 
+ else + { + Write-Verbose -Message "Updating the User Attribute Assignment with Id {$($userAttributeAssignment.Id)} in the Azure AD Identity B2X User Flow with Id {$($currentInstance.Id)}" + + Update-MgBetaIdentityB2XUserFlowUserAttributeAssignment -B2xIdentityUserFlowId $currentInstance.Id -IdentityUserFlowAttributeAssignmentId $userAttributeAssignment.Id -BodyParameter $params + } + } + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Azure AD Identity B2 X User Flow with Id {$($currentInstance.Id)}" + Remove-MgBetaIdentityB2XUserFlow -B2XIdentityUserFlowId $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ApiConnectorConfiguration, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String[]] + $IdentityProviders, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UserAttributeAssignments, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Identity B2 X User Flow with Id {$Id}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($ValuesToCheck.Count -gt 0 -and $testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] 
+ [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaIdentityB2XUserFlow ` + -Filter $Filter ` + -All ` + -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.ApiConnectorConfiguration) + { + $complexTypeStringResult = 
Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.ApiConnectorConfiguration ` + -CIMInstanceName 'MicrosoftGraphuserFlowApiConnectorConfiguration' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.ApiConnectorConfiguration = $complexTypeStringResult + } + else + { + $Results.Remove('ApiConnectorConfiguration') | Out-Null + } + } + + if ($null -ne $Results.UserAttributeAssignments) + { + $complexMapping = @( + @{ + Name = 'UserAttributeValues' + CimInstanceName = 'MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.UserAttributeAssignments ` + -CIMInstanceName 'MicrosoftGraphuserFlowUserAttributeAssignment' ` + -ComplexTypeMapping $complexMapping + + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.UserAttributeAssignments = $complexTypeStringResult + } + else + { + $Results.Remove('UserAttributeAssignments') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.ApiConnectorConfiguration) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "ApiConnectorConfiguration" -IsCIMArray:$False + } + if ($Results.UserAttributeAssignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "UserAttributeAssignments" -IsCIMArray:$True + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source 
$($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-ConnectorName($connectorName) { + if ($null -ne $connectorName) { + return $connectorName + } else { + return "" + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.schema.mof new file mode 100644 index 0000000000..4ea315f134 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/MSFT_AADIdentityB2XUserFlow.schema.mof 
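Review bot: In Set-TargetResource the four `Get-MgBetaIdentityApiConnector -Filter "DisplayName eq '...'"` lookups interpolate the configured connector name into the OData filter unescaped and then use `$getConnector.Id` without checking what came back. A name containing an apostrophe breaks the filter, and a name that matches no connector or several leaves `Id` empty or an array, so the create branch sends a null `Id` and the update branch builds an `@odata.id` ending in `apiConnectors/`; because the connector takes part in the sign-up flow, the resource should stop with an error rather than bind something unintended. Double the quotes in the name (`.Replace("'", "''")`) and add `if (@($getConnector).Count -ne 1) { throw "API connector '$name' did not resolve to exactly one object" }` after each lookup, with `$name` standing for the configured connector name, ideally in one shared helper. Separately, in the Present/Present branch `$providersToRemove` and `$attributesToRemove` are computed even when `IdentityProviders` or `UserAttributeAssignments` was not passed, so a configuration that omits them removes every provider and assignment from the flow; guard both with `$PSBoundParameters.ContainsKey(...)`.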
@@ -0,0 +1,41 @@
+[ClassVersion("1.0.0")]
+class MSFT_MicrosoftGraphUserFlowApiConnectorConfiguration
+{
+ [Write, Description("The name of the connector used for post federation signup step.")] String postFederationSignupConnectorName;
+ [Write, Description("The name of the connector used for post attribute collection step.")] String postAttributeCollectionConnectorName;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues
+{
+ [Write, Description("The display name of the property displayed to the end user in the user flow.")] String Name;
+ [Write, Description("The value that is set when this item is selected.")] String Value;
+ [Write, Description("Used to set the value as the default.")] Boolean IsDefault;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_MicrosoftGraphuserFlowUserAttributeAssignment
+{
+ [Write, Description("The unique identifier of identityUserFlowAttributeAssignment.")] String Id;
+ [Write, Description("The display name of the identityUserFlowAttribute within a user flow.")] String DisplayName;
+ [Write, Description("Determines whether the identityUserFlowAttribute is optional.")] Boolean IsOptional;
+ [Write, Description("User Flow Attribute Input Type."), ValueMap{"textBox","dateTimeDropdown","radioSingleSelect","dropdownSingleSelect","emailBox","checkboxMultiSelect"}, Values{"textBox","dateTimeDropdown","radioSingleSelect","dropdownSingleSelect","emailBox","checkboxMultiSelect"}] String UserInputType;
+ [Write, Description("The list of user attribute values for this assignment."), EmbeddedInstance("MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues")] String UserAttributeValues[];
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("AADIdentityB2XUserFlow")]
+class MSFT_AADIdentityB2XUserFlow : OMI_BaseResource
+{
+ [Write, Description("Configuration for enabling an API connector for use as part of the self-service sign-up user flow. You can only obtain the value of this object using Get userFlowApiConnectorConfiguration."), EmbeddedInstance("MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration")] String ApiConnectorConfiguration;
+ [Key, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Write, Description("The identity providers included in the user flow.")] String IdentityProviders[];
+ [Write, Description("The user attribute assignments included in the user flow."), EmbeddedInstance("MSFT_MicrosoftGraphuserFlowUserAttributeAssignment")] String UserAttributeAssignments[];
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/readme.md
new file mode 100644
index 0000000000..c81de81f9b
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/readme.md
@@ -0,0 +1,6 @@
+
+# AADIdentityB2XUserFlow
+
+## Description
+
+Azure AD Identity B2 X User Flow
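Review bot: The first class in the AADIdentityB2XUserFlow schema is declared as `MSFT_MicrosoftGraphUserFlowApiConnectorConfiguration` (capital `U` in `UserFlow`), while the `ApiConnectorConfiguration` property references it as `EmbeddedInstance("MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration")` and the module's export code uses `MicrosoftGraphuserFlowApiConnectorConfiguration`. CIM class names are normally matched case-insensitively, so this probably resolves, but the other two embedded classes in this schema use the lower-case `userFlow` spelling and any case-sensitive tooling that reads the schema would miss the class. Declaring it as `class MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration` keeps the three spellings identical.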
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/settings.json new file mode 100644 index 0000000000..d6df4d957a --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityB2XUserFlow/settings.json @@ -0,0 +1,29 @@ +{ + "resourceName": "AADIdentityB2XUserFlow", + "description": "This resource configures an Azure AD Identity B2 X User Flow.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "IdentityUserFlow.Read.All" + } + ], + "update": [ + + ] + }, + "application": { + "read": [ + { + "name": "IdentityUserFlow.Read.All" + } + ], + "update": [ + + ] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.psm1 index 1e3a213421..1995d3719c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.psm1 @@ -49,6 +49,10 @@ function Get-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -112,6 +116,7 @@ function Get-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens 
@@ -181,6 +186,10 @@ function Set-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -346,6 +355,10 @@ function Test-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -494,6 +507,7 @@ function Export-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.schema.mof index 6af12f51bb..1fd0221206 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.schema.mof 
@@ -56,6 +56,7 @@ class MSFT_AADIdentityGovernanceLifecycleWorkflow : OMI_BaseResource [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; [Write, Description("Access token used for authentication.")] String AccessTokens[]; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.psm1 new file mode 100644 index 0000000000..7837cbb294 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.psm1 
@@ -0,0 +1,589 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CallbackConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ClientConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EndpointConfiguration, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + if ($null -eq $instance) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + } + else + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -CustomTaskExtensionId $Id + } + if ($null -eq $instance) + { + $instance = Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -Filter "DisplayName eq '$($DisplayName)'" + } + } + if ($null -eq $instance) + { + return $nullResult + } + + # Callback Configuration + $CallbackConfigurationValue = $null + if ($null -ne $instance.CallbackConfiguration.TimeoutDuration) + { + $CallbackConfigurationValue = @{ + TimeoutDuration = "PT$($instance.CallbackConfiguration.TimeoutDuration.Minutes.ToString())M" + AuthorizedApps = @() + } + + foreach ($app in $instance.CallbackConfiguration.AdditionalProperties.authorizedApps) + { + $appInstance = Get-MgApplication -Filter "AppId eq '$($app['id'])'" -ErrorAction SilentlyContinue + if ($null -ne $appInstance) + { + $CallbackConfigurationValue.AuthorizedApps += $appInstance.DisplayName + } + } + } + + # Client Configuration + $ClientConfigurationValue = @{ + MaximumRetries = $instance.ClientConfiguration.MaximumRetries + TimeoutInMilliseconds = $instance.ClientConfiguration.TimeoutInMilliseconds + } + + # 
EndpointConfiguration + $EndpointConfigurationValue = @{ + SubscriptionId = $instance.EndpointConfiguration.AdditionalProperties.subscriptionId + resourceGroupName = $instance.EndpointConfiguration.AdditionalProperties.resourceGroupName + logicAppWorkflowName = $instance.EndpointConfiguration.AdditionalProperties.logicAppWorkflowName + url = $instance.EndpointConfiguration.AdditionalProperties.url + } + + $results = @{ + DisplayName = $DisplayName + Id = $instance.Id + Description = $instance.Description + CallbackConfiguration = $CallbackConfigurationValue + ClientConfiguration = $ClientConfigurationValue + EndpointConfiguration = $EndpointConfigurationValue + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CallbackConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ClientConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EndpointConfiguration, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + 
[Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $instanceParams = @{ + displayName = $DisplayName + description = $Description + endpointConfiguration = @{ + "@odata.type" = "#microsoft.graph.logicAppTriggerEndpointConfiguration" + subscriptionId = $EndpointConfiguration.subscriptionId + resourceGroupName = $EndpointConfiguration.resourceGroupName + logicAppWorkflowName = $EndpointConfiguration.logicAppWorkflowName + url = $EndpointConfiguration.url + } + clientConfiguration = @{ + "@odata.type" = "#microsoft.graph.customExtensionClientConfiguration" + maximumRetries = $clientConfiguration.maximumRetries + timeoutInMilliseconds = $clientConfiguration.timeoutInMilliseconds + } + authenticationConfiguration = @{ + "@odata.type" = "#microsoft.graph.azureAdPopTokenAuthentication" + } + } + + if ($null -ne $CallbackConfiguration) + { + $instanceParams.Add('callbackConfiguration', @{ + "@odata.type" = "#microsoft.graph.identityGovernance.customTaskExtensionCallbackConfiguration" + timeoutDuration = $CallbackConfiguration.timeoutDuration + }) + + if ($null -ne $CallbackConfiguration.AuthorizedApps) + { + $appsValue = @() + foreach ($app in $CallbackConfiguration.AuthorizedApps) + { + $appInfo = Get-MgApplication -Filter "DisplayName eq '$app'" -ErrorAction SilentlyContinue + if ($null -ne $appInfo) + { + $appsValue += $appInfo.Id + } + } + 
$instanceParams.callbackConfiguration.Add('authorizedApps', $appsValue) + } + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new Workflow Custom Task Extension {$DisplayName} with parameters:`r`n$(ConvertTo-Json $instanceParams)" + New-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -BodyParameter $instanceParams + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating Workflow Custom Task Extension {$DisplayName} with parameters:`r`n$(ConvertTo-Json $instanceParams)" + Update-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -CustomTaskExtensionId $currentInstance.Id -BodyParameter $instanceParams + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing Workflow Custom Task Extension {$DisplayName}" + Remove-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -CustomTaskExtensionId $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CallbackConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ClientConfiguration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EndpointConfiguration, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + 
$ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + 
[Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.DisplayName + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $config.DisplayName + Id = $config.Id + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($null -ne $Results.EndpointConfiguration) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.EndpointConfiguration ` + -CIMInstanceName 'AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration' + if (-Not 
[String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.EndpointConfiguration = $complexTypeStringResult + } + else + { + $Results.Remove('EndpointConfiguration') | Out-Null + } + } + + if ($null -ne $Results.ClientConfiguration) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.ClientConfiguration ` + -CIMInstanceName 'AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration' + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.ClientConfiguration = $complexTypeStringResult + } + else + { + $Results.Remove('ClientConfiguration') | Out-Null + } + } + + if ($null -ne $Results.CallbackConfiguration) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.CallbackConfiguration ` + -CIMInstanceName 'AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration' + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.CallbackConfiguration = $complexTypeStringResult + } + else + { + $Results.Remove('CallbackConfiguration') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.EndpointConfiguration) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'EndpointConfiguration' -IsCIMArray:$False + } + if ($Results.ClientConfiguration) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ClientConfiguration' -IsCIMArray:$False + } + if ($Results.CallbackConfiguration) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'CallbackConfiguration' -IsCIMArray:$False + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + 
-FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.schema.mof new file mode 100644 index 0000000000..28ae9aea30 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.schema.mof 
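Review bot: In Set-TargetResource the `authorizedApps` list is built with `Get-MgApplication -Filter "DisplayName eq '$app'" -ErrorAction SilentlyContinue`, and application display names are not unique in a tenant. Every application that shares the name is therefore allowed to resume the task, and a name that matches nothing is dropped without an error. Because this list decides which applications may call back into a lifecycle workflow, I would require exactly one match, e.g. `[array]$appInfo = Get-MgApplication -Filter "DisplayName eq '$($app -replace "'", "''")'"` followed by `if ($appInfo.Count -ne 1) { throw "Expected exactly one application named '$app'" }`. Get-TargetResource reads the stored entries back with `AppId eq '$($app['id'])'` while Set writes `$appInfo.Id`, so one of the two probably uses the wrong identifier, which is worth confirming against the Graph schema. Separately, Test-TargetResource never initialises `$testResult`, so with no CimInstance parameter bound it skips Test-M365DSCParameterState and returns `$null`; adding `$testResult = $true` before the loop, as the Program resource in this diff does, fixes that.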
@@ -0,0 +1,41 @@ +[ClassVersion("1.0.0")] +class MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration +{ + [Write, Description("The max duration in milliseconds that Microsoft Entra ID waits for a response from the external app before it shuts down the connection. The valid range is between 200 and 2000 milliseconds. Default duration is 1000.")] UInt32 timeoutInMilliseconds; + [Write, Description("The max number of retries that Microsoft Entra ID makes to the external API. Values of 0 or 1 are supported. If null, the default for the service applies.")] UInt32 maximumRetries; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration +{ + [Write, Description("The name of the logic app.")] String logicAppWorkflowName; + [Write, Description("The Azure resource group name for the logic app.")] String resourceGroupName; + [Write, Description("Identifier of the Azure subscription for the logic app.")] String subscriptionId; + [Write, Description("Url of the logic app.")] String url; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration +{ + [Write, Description("Callback time out in ISO 8601 time duration. Accepted time durations are between five minutes to three hours. For example, PT5M for five minutes and PT3H for three hours. 
Inherited from customExtensionCallbackConfiguration.")] String timeoutDuration; + [Write, Description("List of apps names that are allowed to resume a task processing result.")] String authorizedApps[]; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension")] +class MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension : OMI_BaseResource +{ + [Key, Description("Display name of the custom extension.")] String DisplayName; + [Write, Description("Unique Id of the extension.")] String Id; + [Write, Description("Description of the extension.")] String Description; + [Write, Description("Client configuration for the extension"), EmbeddedInstance("MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration")] String ClientConfiguration; + [Write, Description("Endpoint configuration for the extension"), EmbeddedInstance("MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration")] String EndpointConfiguration; + [Write, Description("Callback configuration for the extension"), EmbeddedInstance("MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration")] String CallbackConfiguration; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + 
[Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/readme.md new file mode 100644 index 0000000000..d49730fec1 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/readme.md @@ -0,0 +1,6 @@ + +# AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension + +## Description + +Configures custom extensions for Lifecycle workflows in Entra id. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/settings.json new file mode 100644 index 0000000000..77f6457772 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/settings.json @@ -0,0 +1,28 @@ +{ + "resourceName": "AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension", + "description": "Configures custom extensions for Lifecycle workflows in Entra id.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "LifecycleWorkflows.Read.All" + } + ], + "update": [ + { + "name": "LifecycleWorkflows.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceProgram/MSFT_AADIdentityGovernanceProgram.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceProgram/MSFT_AADIdentityGovernanceProgram.psm1 new file mode 100644 index 0000000000..c23efd0d87 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceProgram/MSFT_AADIdentityGovernanceProgram.psm1 
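Review bot: This schema has no `ApplicationSecret` property, and Get-, Set- and Test-TargetResource in the accompanying .psm1 do not declare the parameter either. Export-TargetResource in that file does declare it, without passing it on in `$params`, and the LifecycleWorkflow and Program resources in this diff both carry it. If application-secret authentication is meant to be supported here, add `[Write, Description("Secret of the Azure Active Directory application used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;` after `TenantId` and the matching `PSCredential` parameter to the three functions. If it is not, drop the stray parameter from Export-TargetResource so the authentication surface is the same in all four functions.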
@@ -0,0 +1,442 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $getValue = Get-MgBetaProgram -ProgramId $Id -ErrorAction SilentlyContinue + } + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Identity Governance Program with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaProgram ` + -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + + if ($null -ne $getValue -and $getValue.Count -gt 1) + { + Throw "Multiple AAD Identity Governance Programs with the Displayname $($DisplayName) exist in the tenant." + } + } + } + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Identity Governance Program with DisplayName {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Azure AD Identity Governance Program with Id {$Id} and DisplayName {$DisplayName} was found" + + $results = @{ + Description = $getValue.Description + DisplayName = $getValue.DisplayName + Id = $getValue.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Azure AD Identity Governance Program with DisplayName {$DisplayName}" + + $createParameters = ([Hashtable]$BoundParameters).Clone() + $createParameters.Remove('Id') | Out-Null + + New-MgBetaProgram -BodyParameter $createParameters + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Identity Governance Program with Id {$($currentInstance.Id)}" + + $updateParameters = ([Hashtable]$BoundParameters).Clone() + $updateParameters.Remove('Id') | Out-Null + + Update-MgBetaProgram ` + -ProgramId $currentInstance.Id ` + -BodyParameter $UpdateParameters + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Azure AD Identity Governance Program with Id {$($currentInstance.Id)}" + Remove-MgBetaProgram -ProgramId $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + 
$ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Identity Governance Program with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + $testResult = $true + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck.Add('Ensure', $Ensure) + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + 
[Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaProgram ` + -Filter $Filter ` + -All ` + -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + 
-ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceProgram/MSFT_AADIdentityGovernanceProgram.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceProgram/MSFT_AADIdentityGovernanceProgram.schema.mof new file mode 100644 index 0000000000..9f855c062c --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceProgram/MSFT_AADIdentityGovernanceProgram.schema.mof 
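Review bot: Get-TargetResource throws when more than one program matches the display name, but the throw sits inside the `try` whose `catch` logs and then runs `return $nullResult`, so the caller sees `Ensure = 'Absent'`; Set-TargetResource with `Ensure = 'Present'` then takes the create branch and calls New-MgBetaProgram, adding yet another program with the same name. Any exception raised after `$nullResult` is set takes the same path, and both Get-MgBetaProgram calls use `-ErrorAction SilentlyContinue`, so a failed read cannot be told apart from a missing object. I would end the `catch` with `throw` instead of `return $nullResult` so that a failed or ambiguous lookup stops the run. `$nullResult` is also assigned only after New-M365DSCConnection inside the `try`, so a connection failure currently returns an unset variable. The `-Filter "DisplayName eq '$DisplayName'"` string also needs apostrophes doubled (`$DisplayName -replace "'", "''"`) for names that contain one.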
@@ -0,0 +1,16 @@
+
+[ClassVersion("1.0.0.0"), FriendlyName("AADIdentityGovernanceProgram")]
+class MSFT_AADIdentityGovernanceProgram: OMI_BaseResource
+{
+ [Write, Description("A description for this identity governance program.")] String Description;
+ [Key, Description("The display name for this identity governance program.")] String DisplayName;
+ [Write, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceProgram/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceProgram/readme.md
new file mode 100644
index 0000000000..35a7c419f5
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceProgram/readme.md
@@ -0,0 +1,5 @@
+
+# AADIdentityGovernanceProgram
+## Description
+
+Azure AD Identity Governance Program.
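Review bot: `AccessTokens` is declared as a plain `String` array in the schema.mof hunk, so a token passed through it is written to the compiled MOF as clear text, whereas `Credential` and `ApplicationSecret` are `MSFT_Credential` instances that DSC can encrypt. The description would be more useful if it said so, for example `Description("Access token used for authentication. Stored unencrypted in the compiled configuration.")`. The same declaration appears in the AADIdentityProtectionPolicySettings and AADNetworkAccessForwardingPolicy schemas further down. Separately, `Id` carries the `Write` qualifier while its description ends in "Read-only.", and the `Ensure` text refers to "the policy" although this resource is a program.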
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceProgram/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceProgram/settings.json
new file mode 100644
index 0000000000..2631cfd801
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceProgram/settings.json
@@ -0,0 +1,32 @@
+{
+ "resourceName": "AADIdentityGovernanceProgram",
+ "description": "This resource configures an Azure AD Identity Governance Program.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "ProgramControl.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "ProgramControl.ReadWrite.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "ProgramControl.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "ProgramControl.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/MSFT_AADIdentityProtectionPolicySettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/MSFT_AADIdentityProtectionPolicySettings.psm1
new file mode 100644
index 0000000000..6839f70e99
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/MSFT_AADIdentityProtectionPolicySettings.psm1
@@ -0,0 +1,336 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $IsUserRiskClearedOnPasswordReset, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identityProtection/policy" + $instance = Invoke-MgGraphRequest -Method Get -Uri $url + + if ($null -eq $instance) + { + throw 'Could not retrieve the AAD Identity Protection Policy settings.' 
+ } + + $results = @{ + IsSingleInstance = 'Yes' + IsUserRiskClearedOnPasswordReset = $instance.IsUserRiskClearedOnPasswordReset + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $IsUserRiskClearedOnPasswordReset, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $updateParameters = @{ + IsUserRiskClearedOnPasswordReset = $IsUserRiskClearedOnPasswordReset + } + + $updateJSON = ConvertTo-Json $updateParameters + Write-Verbose -Message "Updating the AAD Identity Protection Policy settings with values: $updateJSON" + $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identityProtection/policy" + + Invoke-MgGraphRequest -Method PATCH -Uri $url -Body $updateJSON +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $IsUserRiskClearedOnPasswordReset, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + + $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identityProtection/policy" + [array] $Script:exportedInstances = Invoke-MgGraphRequest -Method Get -Uri $url + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = 'AAD Identity Protection Policy Settings' + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 
'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/MSFT_AADIdentityProtectionPolicySettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/MSFT_AADIdentityProtectionPolicySettings.schema.mof new file mode 100644 index 0000000000..e4beabfe26 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/MSFT_AADIdentityProtectionPolicySettings.schema.mof @@ -0,0 +1,13 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADIdentityProtectionPolicySettings")] +class MSFT_AADIdentityProtectionPolicySettings : OMI_BaseResource +{ + [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("If true, user risk is cleared on password reset.")] Boolean IsUserRiskClearedOnPasswordReset; + + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; 
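Review bot: The `catch` block of Get-TargetResource in MSFT_AADIdentityProtectionPolicySettings.psm1 returns `$nullResult`, which is `$PSBoundParameters` itself, so when the Graph request fails Test-TargetResource ends up comparing the desired values with a copy of themselves. As far as this hunk shows, a failed read (missing permission, throttling, no connection) then looks the same as a compliant tenant, which is the wrong default for a resource that monitors `IsUserRiskClearedOnPasswordReset`; how Test-M365DSCParameterState treats the result is not visible here. Rethrowing after the log entry, `throw $_` in place of `return $nullResult`, would surface the failure instead. Get-TargetResource in the AADNetworkAccessForwardingPolicy module below follows the same pattern. Set-TargetResource also calls `Invoke-MgGraphRequest` without `New-M365DSCConnection`, so it appears to depend on a connection opened by an earlier Test.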
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/readme.md
new file mode 100644
index 0000000000..40bedfad33
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/readme.md
@@ -0,0 +1,6 @@
+
+# AADIdentityProtectionPolicySettings
+
+## Description
+
+Use this resource to monitor the identity protection policy settings in AAD.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/settings.json
new file mode 100644
index 0000000000..baab496c16
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/settings.json
@@ -0,0 +1,36 @@
+{
+ "resourceName": "AADIdentityProtectionPolicySettings",
+ "description": "Use this resource to monitor the identity protection policy settings in AAD",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "Policy.Read.IdentityProtection"
+ }
+ ],
+ "update": [
+ {
+ "name": "Policy.ReadWrite.IdentityProtection"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "Policy.Read.IdentityProtection"
+ }
+ ],
+ "update": [
+ {
+ "name": "Policy.ReadWrite.IdentityProtection"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNamedLocationPolicy/MSFT_AADNamedLocationPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNamedLocationPolicy/MSFT_AADNamedLocationPolicy.psm1
index b395185678..afd4aabf68 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNamedLocationPolicy/MSFT_AADNamedLocationPolicy.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNamedLocationPolicy/MSFT_AADNamedLocationPolicy.psm1
@@ -121,6 +121,8 @@ function Get-TargetResource -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential + + return $nullReturn } } if ($null -eq $NamedLocation) @@ -252,6 +254,26 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + try + { + if ($Id) + { + $NamedLocation = Get-MgBetaIdentityConditionalAccessNamedLocation -NamedLocationId $Id -ErrorAction Stop + } + } + catch + { + Write-Verbose -Message "Could not retrieve AAD Named Location by ID {$Id}" + } + if ($null -eq $NamedLocation) + { + $NamedLocation = Get-MgBetaIdentityConditionalAccessNamedLocation -ErrorAction SilentlyContinue | Where-Object -FilterScript { $_.DisplayName -eq $DisplayName } + if ($NamedLocation.Length -gt 1) + { + throw "More than one instance of a Named Location Policy with name {$DisplayName} was found. Please provide the ID parameter." + } + } + $currentAADNamedLocation = Get-TargetResource @PSBoundParameters $desiredValues = @{ @@ -293,7 +315,7 @@ function Set-TargetResource Write-Verbose -Message "Creating New AAD Named Location {$Displayname)} with attributes: $VerboseAttributes" $JSONValue = ConvertTo-Json $desiredValues | Out-String Write-Verbose -Message "JSON: $JSONValue" - $APIUrl = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations' + $APIUrl = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/identity/conditionalAccess/namedLocations" Invoke-MgGraphRequest -Method POST ` -Uri $APIUrl ` -Body $JSONValue | Out-Null 
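Review bot: Both lookups added to Set-TargetResource in the `@@ -252,6 +254,26 @@` hunk swallow failures: the by-Id call only logs at verbose level, and the DisplayName fallback uses `-ErrorAction SilentlyContinue` without `-All`, so an access error or a listing that spans more than one page leaves `$NamedLocation` empty or partial and the "More than one instance" guard is skipped. For a conditional-access named location it seems safer to fail the Set than to continue on an incomplete listing, e.g. `Get-MgBetaIdentityConditionalAccessNamedLocation -All -ErrorAction Stop | Where-Object -FilterScript { $_.DisplayName -eq $DisplayName }`. The hunk does not show `$NamedLocation` being used afterwards (the later code works from `$currentAADNamedLocation`), so it is worth confirming the block does more than the duplicate check. The rest of Set-TargetResource lies outside the hunk.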
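Review bot: The new `$APIUrl` in the `@@ -293,7 +315,7 @@` hunk is built by plain concatenation, which yields a valid address only if `ResourceUrl` ends in a slash; a profile value without one would fuse the host name with `v1.0` and the POST would not reach Graph. The connection profile is not visible in this diff, so this may already be guaranteed; if not, normalising is cheap: `$APIUrl = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl.TrimEnd('/') + '/v1.0/identity/conditionalAccess/namedLocations'`. The PATCH hunk at `@@ -308,7 +330,7 @@` and the `beta/...` URLs in the two new modules concatenate the same way. Unrelated to the change, the context line prints `{$Displayname)}` with a stray parenthesis.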
@@ -308,7 +330,7 @@ function Set-TargetResource Write-Verbose -Message "Updating AAD Named Location {$Displayname)} with attributes: $VerboseAttributes" $JSONValue = ConvertTo-Json $desiredValues | Out-String Write-Verbose -Message "JSON: $JSONValue" - $APIUrl = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations/$($currentAADNamedLocation.Id)" + $APIUrl = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/identity/conditionalAccess/namedLocations/$($currentAADNamedLocation.Id)" Invoke-MgGraphRequest -Method PATCH ` -Uri $APIUrl ` -Body $JSONValue | Out-Null diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/MSFT_AADNetworkAccessForwardingPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/MSFT_AADNetworkAccessForwardingPolicy.psm1 new file mode 100644 index 0000000000..013069fc76 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/MSFT_AADNetworkAccessForwardingPolicy.psm1 
@@ -0,0 +1,493 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $PolicyRules, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name} + } + else + { + $instance = Get-MgBetaNetworkAccessForwardingPolicy -Expand * -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $Name } + } + if ($null -eq $instance) + { + throw "Could not retrieve the Forwarding Policy with name: $Name" + } + + $complexPolicyRules = Get-MicrosoftGraphNetworkAccessForwardingPolicyRules -PolicyRules $instance.PolicyRules + + $results = @{ + Name = $instance.name + PolicyRules = $complexPolicyRules + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent 
+ AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $PolicyRules, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $currentPolicy = Get-MgBetaNetworkAccessForwardingPolicy -Expand * -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $setParameters.Name } + if ($Name -eq "Custom Bypass") { + foreach ($rule in $currentPolicy.PolicyRules) { + Remove-MgBetaNetworkAccessForwardingPolicyRule -ForwardingPolicyId $currentPolicy.Id -PolicyRuleId $rule.Id + } + + foreach ($rule in $setParameters.PolicyRules) { + $complexDestinations = @() + foreach ($destination in $rule.Destinations) { + $complexDestinations += @{ + "@odata.type" = "#microsoft.graph.networkaccess." 
+ $rule.RuleType + value = $destination + } + } + $params = @{ + "@odata.type" = "#microsoft.graph.networkaccess.internetAccessForwardingRule" + name = $rule.Name + action = $rule.ActionValue + ruleType = $rule.RuleType + ports = ($rule.Ports | ForEach-Object { $_.ToString() }) + protocol = $rule.Protocol + destinations = $complexDestinations + } + + New-MgBetaNetworkAccessForwardingPolicyRule -ForwardingPolicyId $currentPolicy.Id -BodyParameter $params + } + } elseif ($currentPolicy.TrafficForwardingType -eq "m365") { + $rulesParam = @() + foreach ($desiredRule in $setParameters.PolicyRules) { + $desiredRuleHashtable = Convert-M365DSCDRGComplexTypeToHashtable $desiredRule + $desiredRuleHashtable.Remove('actionValue') + $testResult = $false + foreach ($currentRule in $currentPolicy.PolicyRules) { + $currentRuleHashtable = Get-MicrosoftGraphNetworkAccessForwardingPolicyRules -PolicyRules @($currentRule) + $currentRuleHashtable.Remove('ActionValue'); + $testResult = Compare-M365DSCComplexObject ` + -Source ($currentRuleHashtable) ` + -Target ($desiredRuleHashtable) + if ($testResult) { + Write-Verbose "Updating: $($currentRule.Name), $($currentRule.Id)" + $rulesParam += @{ + ruleId = $currentRule.Id + action = $desiredRule.ActionValue + } + break + } + } + if($testResult -eq $false){ + Write-Verbose "Could not find rule with the given specification: $(Convert-M365DscHashtableToString -Hashtable $desiredRuleHashtable), skipping set for this." 
+ } + } + $updateParams = @{ + rules = $rulesParam + } + + Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/networkAccess/forwardingPolicies/$($currentPolicy.ID)/updatePolicyRules" -Method Post -Body $updateParams + } + else { + Write-Verbose "Can not modify the list of poilicy rules for the forwarding policy with name: $($setParameters.Name)" + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $PolicyRules, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $testTargetResource = $true + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + $testTargetResource = $false + } + else { + $ValuesToCheck.Remove($key) | Out-Null + } + } + } + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys ` + -IncludedDrifts $driftedParams + + if(-not $TestResult) + { + $testTargetResource = $false + } + + Write-Verbose -Message "Test-TargetResource returned $testTargetResource" + + return $testTargetResource +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + 
[Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaNetworkAccessForwardingPolicy -Expand * -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Name + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Name = $config.Name + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($null -ne $Results.PolicyRules) + { + $Results.PolicyRules = Get-MicrosoftGraphNetworkAccessForwardingPolicyRulesAsString -PolicyRules $Results.PolicyRules + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results 
$Results ` + -Credential $Credential + + if ($null -ne $Results.PolicyRules) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'PolicyRules' + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-MicrosoftGraphNetworkAccessForwardingPolicyRules +{ + [CmdletBinding()] + [OutputType([System.Collections.ArrayList])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $PolicyRules + ) + + $newPolicyRules = @() + foreach ($rule in $PolicyRules) { + $destinations = @() + foreach ($destination in $rule.AdditionalProperties.destinations) { + $destinations += $destination.value + } + $newPolicyRules += @{ + Name = $rule.Name + ActionValue = $rule.AdditionalProperties.action + RuleType = $rule.AdditionalProperties.ruleType + Ports = $rule.AdditionalProperties.ports + Protocol = $rule.AdditionalProperties.protocol + Destinations = $destinations + } + } + + return $newPolicyRules +} + +function Get-MicrosoftGraphNetworkAccessForwardingPolicyRulesAsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $PolicyRules + ) + + $StringContent = [System.Text.StringBuilder]::new() + $StringContent.Append('@(') | Out-Null + + foreach ($rule in $PolicyRules) + { + $StringContent.Append("`n MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule {`r`n") | Out-Null + $StringContent.Append(" Name = '" + $rule.Name + "'`r`n") | Out-Null + $StringContent.Append(" ActionValue = '" + $rule.ActionValue + "'`r`n") | 
Out-Null + $StringContent.Append(" RuleType = '" + $rule.RuleType + "'`r`n") | Out-Null + $StringContent.Append(" Protocol = '" + $rule.Protocol + "'`r`n") | Out-Null + $StringContent.Append(" Ports = @(" + $($rule.Ports -join ", ") + ")`r`n") | Out-Null + $StringContent.Append(" Destinations = @(" + $(($rule.Destinations | ForEach-Object { "'$_'" }) -join ", ") + ")`r`n") | Out-Null + $StringContent.Append(" }`r`n") | Out-Null + } + + $StringContent.Append(' )') | Out-Null + return $StringContent.ToString() +} + + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/MSFT_AADNetworkAccessForwardingPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/MSFT_AADNetworkAccessForwardingPolicy.schema.mof new file mode 100644 index 0000000000..78c92d1747 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/MSFT_AADNetworkAccessForwardingPolicy.schema.mof 
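Review bot: Get-MicrosoftGraphNetworkAccessForwardingPolicyRulesAsString wraps values read from the tenant (`Name`, `ActionValue`, `RuleType`, `Protocol`, each destination) in single quotes without escaping, and Export-TargetResource then passes the block through Convert-DSCStringParamToVariable so the text becomes code in the exported configuration. A value containing `'` ends the literal early, which at best breaks compilation of the export and at worst changes what the generated script does when it is later run. Doubling the quote before appending closes this, e.g. `($rule.Name -replace "'", "''")` in place of `$rule.Name`, and likewise for the other quoted fields. Separately, Test-TargetResource passes `-IncludedDrifts $driftedParams` although `$driftedParams` is never assigned in the hunk, and the "Custom Bypass" branch of Set-TargetResource removes every existing rule before creating the new ones, so a failure part-way leaves the policy with fewer rules than either the old or the desired state.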
@@ -0,0 +1,24 @@
+[ClassVersion("1.0.0")]
+class MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule
+{
+ [Write, Description("Policy Rule Name. Required")] String Name;
+ [Write, Description("Action value.")] String ActionValue;
+ [Write, Description("Type of Rule")] String RuleType;
+ [Write, Description("List of Ports.")] UInt32 Ports[];
+ [Write, Description("Protocol Value")] String Protocol;
+ [Write, Description("List of destinations.")] String Destinations[];
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("AADNetworkAccessForwardingPolicy")]
+class MSFT_AADNetworkAccessForwardingPolicy : OMI_BaseResource
+{
+ [Key, Description("Name of the forwarding policy")] String Name;
+ [Write, Description("List of rules associated to this forwarding policy."), EmbeddedInstance("MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule")] String PolicyRules[];
+
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/readme.md
new file mode 100644
index 0000000000..0eb3e52feb
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/readme.md
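Review bot: `Name` in MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule is described as "Policy Rule Name. Required" but carries the `Write` qualifier, so the schema does not enforce what the description promises; either the qualifier or the wording should change. `Ports` is typed `UInt32[]` while Set-TargetResource in the module sends each port through `ToString()` and Get-TargetResource returns `AdditionalProperties.ports` unchanged. If the service can return a non-numeric entry there (an assumption, the payload is not shown in this diff), the exported `Ports = @(...)` would not round-trip, so the type is worth confirming against the API.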
@@ -0,0 +1,6 @@ + +# AADNetworkAccessForwardingPolicy + +## Description + +Use this resource to monitor the forwarding policy rules associated with the forwarding policies. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/settings.json new file mode 100644 index 0000000000..1c3b2ce323 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/settings.json @@ -0,0 +1,32 @@ +{ + "resourceName": "AADNetworkAccessForwardingPolicy", + "description": "Use this resource to monitor the forwarding policy rules associated with the forwarding policies.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "NetworkAccessPolicy.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccessPolicy.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "NetworkAccessPolicy.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccessPolicy.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/MSFT_AADNetworkAccessForwardingProfile.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/MSFT_AADNetworkAccessForwardingProfile.psm1 new file mode 100644 index 0000000000..a1e6c27217 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/MSFT_AADNetworkAccessForwardingProfile.psm1 
@@ -0,0 +1,534 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Policies, + + #endregion + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + + $getValue = $null + #region resource generator code + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $getValue = Get-MgBetaNetworkAccessForwardingProfile -ForwardingProfileId $Id -ErrorAction SilentlyContinue + } + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Network Access Forwarding Profile with Id:{$Id}" + + if (-not [System.String]::IsNullOrEmpty($Name)) + { + $getValue = Get-MgBetaNetworkAccessForwardingProfile -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $Name } + } + } + + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Network Access Forwarding Profile with name {$Name}." 
+ return $nullResult + } + + Write-Verbose -Message "An Azure AD Network Access Forwarding Profile with {$Id} and {$Name} was found" + + $forwardingProfilePolicies = Get-MgBetaNetworkAccessForwardingProfilePolicy -ForwardingProfileId $getValue.Id -ErrorAction SilentlyContinue + + if ($null -ne $forwardingProfilePolicies) + { + Write-Verbose -Message "An Azure AD Network Access Forwarding Profile Policy with $($forwardingProfilePolicies.Id) and $($forwardingProfilePolicies.Name) was found" + } + + $complexPolicies = @() + foreach ($currentPolicy in $forwardingProfilePolicies) + { + $myPolicies = @{} + $myPolicies.Add('Name', $currentPolicy.Policy.Name) + $myPolicies.Add('State', $currentPolicy.State) + $myPolicies.Add('PolicyLinkId', $currentPolicy.Id) + if ($myPolicies.values.Where({ $null -ne $_ }).Count -gt 0) + { + $complexPolicies += $myPolicies + } + } + + + $results = @{ + Name = $getValue.Name + Id = $getValue.Id + State = $getValue.State + Policies = $complexPolicies + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Policies, + + #endregion + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] 
+ $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + # Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($null -ne $currentInstance) + { + Write-Verbose -Message "Updating the Azure AD Network Access Forwarding Profile with {$($currentInstance.Id)}" + + $updateParameters = ([Hashtable]$BoundParameters).Clone() + $updateParameters = Rename-M365DSCCimInstanceParameter -Properties $updateParameters + + $updateParameters.Remove('Id') | Out-Null + + $keys = (([Hashtable]$updateParameters).Clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $updateParameters.$key -and $updateParameters.$key.GetType().Name -like '*CimInstance*') + { + $updateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $updateParameters.$key + } + } + Write-Verbose -Message "Updating the Azure AD Network Access Forwarding Profile with {$($currentInstance.Id)} {$($currentInstance.Name)} State" + Update-MgBetaNetworkAccessForwardingProfile ` + -ForwardingProfileId $currentInstance.Id ` + -State $updateParameters.State + + $currentPolicies = $currentInstance.Policies + $updatedPolicies = $updateParameters.Policies + + # update the current policy's state with the updated policy's state. 
+ foreach ($currentPolicy in $currentPolicies) + { + $updatedPolicy = $updatedPolicies | Where-Object { $_.Name -eq $currentPolicy.Name } + if ($null -ne $updatedPolicy) + { + Write-Verbose -Message "Updating the Azure AD Network Access Forwarding Profile Policy with Id {$($currentPolicy.PolicyLinkId)} {$($currentPolicy.Name)}" + Update-MgBetaNetworkAccessForwardingProfilePolicy ` + -ForwardingProfileId $currentInstance.Id ` + -PolicyLinkId $currentPolicy.PolicyLinkId ` + -State $updatedPolicy.State + } + } + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Policies, + + #endregion + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Network Access Forwarding Profile with Id:{$Id} and Name:{$Name}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($null -eq $CurrentValues) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + 
[System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaNetworkAccessForwardingProfile ` + -Filter $Filter ` + -All ` + -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + Name = $config.Name + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if 
($Results.Policies.Count -gt 0) + { + $Results.Policies = Get-PoliciesAsString $Results.Policies + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($null -ne $Results.Policies) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'Policies' + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-PoliciesAsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $Policies + ) + + $StringContent = '@(' + foreach ($policy in $Policies) + { + $StringContent += "MSFT_MicrosoftGraphNetworkaccessPolicyLink {`r`n" + $StringContent += " State = '" + $policy.State + "'`r`n" + $StringContent += " PolicyLinkId = '" + $policy.PolicyLinkId + "'`r`n" + $StringContent += " Name = '" + $policy.Name + "'`r`n" + $StringContent += " }`r`n" + } + $StringContent += ' )' + return $StringContent +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/MSFT_AADNetworkAccessForwardingProfile.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/MSFT_AADNetworkAccessForwardingProfile.schema.mof new file mode 100644 index 0000000000..4bd1149ec8 --- /dev/null 
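Review bot: Get-PoliciesAsString places `$policy.State`, `$policy.PolicyLinkId` and `$policy.Name` between single quotes without escaping, so a value that contains `'` ends the literal early and the remainder lands in the exported configuration as PowerShell source. Double the quote on each of the three fields when building the line, e.g. `($policy.Name -replace "'", "''")` in place of `$policy.Name`. The rule exporter at the end of the module whose tail is visible just above this file uses the same concatenation for RuleType, Protocol and Destinations. Separately, Get-TargetResource returns `$PSBoundParameters` when no profile is found, so the `$null -ne $currentInstance` check in Set-TargetResource and the `$null -eq $CurrentValues` check in Test-TargetResource can never take the not-found path.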
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/MSFT_AADNetworkAccessForwardingProfile.schema.mof @@ -0,0 +1,24 @@ + +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphNetworkaccessPolicyLink +{ + [Write, Description("Policy Name. Required")] String Name; + [Write, Description("Policy Link Id")] String PolicyLinkId; + [Write, Description("status")] String state; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADNetworkAccessForwardingProfile")] +class MSFT_AADNetworkAccessForwardingProfile : OMI_BaseResource +{ + [Key, Description("Profile Name. Required.")] String Name; + [Write, Description("Id of the profile. Unique Identifier")] String Id; + [Write, Description("status of the profile")] String State; + [Write, Description("Traffic forwarding policies associated with this profile."), EmbeddedInstance("MSFT_MicrosoftGraphNetworkaccessPolicyLink")] String Policies[]; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/readme.md new file mode 100644 index 0000000000..385d36537f 
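Review bot: The `ApplicationSecret` description reads "Secret of the Azure Active Directory tenant used for authentication", but the secret belongs to the application registration rather than the tenant; I would word it `Secret of the Azure Active Directory application used for authentication.`. The embedded class also describes `Name` as "Required" while declaring it `[Write]`. The two state descriptions (`status` and `status of the profile`) do not say which values are accepted.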
--- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/readme.md @@ -0,0 +1,7 @@ + +# AADNetworkAccessForwardingProfile + +## Description + +This resource configure the Azure AD Network Access Forwarding Profile + diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/settings.json new file mode 100644 index 0000000000..4a473ad41b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/settings.json @@ -0,0 +1,33 @@ + +{ + "resourceName": "AADNetworkAccessForwardingProfile", + "description": "This resource configures an Azure AD Network Access Forwarding Profile.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "NetworkAccess.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccess.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "NetworkAccess.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccess.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/MSFT_AADNetworkAccessSettingConditionalAccess.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/MSFT_AADNetworkAccessSettingConditionalAccess.psm1 new file mode 100644 index 0000000000..4b80f2f5c9 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/MSFT_AADNetworkAccessSettingConditionalAccess.psm1 
@@ -0,0 +1,304 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.String] + $SignalingStatus, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + $instance = Get-MgBetaNetworkAccessSettingCOnditionalAccess + $results = @{ + IsSingleInstance = 'Yes' + SignalingStatus = $instance.SignalingStatus + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + 
[Parameter(Mandatory = $true)] + [System.String] + $SignalingStatus, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Updating the Conditional Access Settings" + Update-MgBetaNetworkAccessSettingConditionalAccess -SignalingStatus $SignalingStatus +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter(Mandatory = $true)] + [System.String] + $SignalingStatus, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + + $Global:M365DSCExportResourceInstancesCount++ + + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/MSFT_AADNetworkAccessSettingConditionalAccess.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/MSFT_AADNetworkAccessSettingConditionalAccess.schema.mof new file mode 100644 index 0000000000..d547a01e5f --- /dev/null 
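Review bot: Test-TargetResource writes the full clone of `$PSBoundParameters`, including `Credential` and `AccessTokens`, to the `Target Values` verbose message, and Get-TargetResource echoes `AccessTokens` back into the hashtable logged as `Current Values`. Whether `Convert-M365DscHashtableToString` redacts these is not visible here, so it would be safer to strip them before logging, as the ForwardingProfile module in this same commit does: `$ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck` ahead of the two `Write-Verbose` calls. That covers only the target side; the current-values message would need the same filtering. Export-TargetResource also uses `$dscContent +=` and `$i++` without initialising either variable, and declares an `$ApplicationSecret` parameter that the other three functions and the `$params` splat do not carry.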
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/MSFT_AADNetworkAccessSettingConditionalAccess.schema.mof @@ -0,0 +1,12 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADNetworkAccessSettingConditionalAccess")] +class MSFT_AADNetworkAccessSettingConditionalAccess : OMI_BaseResource +{ + [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("Enable CA Signaling for Entra ID (covering all cloud apps). Accepted values are enabled or disabled.")] String SignalingStatus; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/readme.md new file mode 100644 index 0000000000..d1a3be1a6d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/readme.md @@ -0,0 +1,6 @@ + +# AADNetworkAccessSettingConditionalAccess + +## Description + +Configures the adaptive access settings in Entra Id 
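Review bot: `SignalingStatus` is documented as accepting only enabled or disabled, but the property carries no `ValueMap`/`Values` qualifier, so any string passes schema validation and reaches the Graph call in Set-TargetResource unchecked. Consider declaring the allowed values the way `IsSingleInstance` does on the line above it, by adding `ValueMap{"enabled","disabled"}, Values{"enabled","disabled"}` to the qualifier list. The exact casing should be confirmed against what `Get-MgBetaNetworkAccessSettingConditionalAccess` returns, since the description is the only source for these values in this hunk.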
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/settings.json new file mode 100644 index 0000000000..7c5706db4b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/settings.json @@ -0,0 +1,28 @@ +{ + "resourceName": "AADNetworkAccessSettingConditionalAccess", + "description": "Configures the adaptive access settings in Entra Id.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "NetworkAccess.Read.All" + } + ], + "update": [ + { + "name": "NetworkAccess.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/MSFT_AADNetworkAccessSettingCrossTenantAccess.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/MSFT_AADNetworkAccessSettingCrossTenantAccess.psm1 new file mode 100644 index 0000000000..00cb645cea --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/MSFT_AADNetworkAccessSettingCrossTenantAccess.psm1 
@@ -0,0 +1,304 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.String] + $NetworkPacketTaggingStatus, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + $instance = Get-MgBetaNetworkAccessSettingCrossTenantAccess + $results = @{ + IsSingleInstance = 'Yes' + NetworkPacketTaggingStatus = $instance.NetworkPacketTaggingStatus + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + 
[System.String] + $IsSingleInstance, + + [Parameter(Mandatory = $true)] + [System.String] + $NetworkPacketTaggingStatus, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Updating the Cross Tenant Access Settings" + Update-MgBetaNetworkAccessSettingCrossTenantAccess -NetworkPacketTaggingStatus $NetworkPacketTaggingStatus +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter(Mandatory = $true)] + [System.String] + $NetworkPacketTaggingStatus, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + + $Global:M365DSCExportResourceInstancesCount++ + + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/MSFT_AADNetworkAccessSettingCrossTenantAccess.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/MSFT_AADNetworkAccessSettingCrossTenantAccess.schema.mof new file mode 100644 index 0000000000..17ab4b7810 --- /dev/null 
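Review bot: In Test-TargetResource, `$ValuesToCheck` is a clone of `$PSBoundParameters` and is written to the verbose stream before any authentication parameters are stripped, so `AccessTokens`, `ApplicationId` and `CertificateThumbprint` values can end up in DSC verbose logs unless `Convert-M365DscHashtableToString` redacts them, which this diff does not show. The AADOrganizationCertificateBasedAuthConfiguration module later in this commit strips them first; adding `$ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck` before the two `Write-Verbose` calls would make this module consistent with it. The same applies to Test-TargetResource in MSFT_AADOnPremisesPublishingProfilesSettings.psm1. Separately, Export-TargetResource appends to `$dscContent` and increments `$i` without initialising either; `$dscContent = ''` at the top of the `try` block, as the OnPremisesPublishingProfilesSettings module does, and dropping `$i++` would fix that.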
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/MSFT_AADNetworkAccessSettingCrossTenantAccess.schema.mof
@@ -0,0 +1,12 @@
+[ClassVersion("1.0.0.0"), FriendlyName("AADNetworkAccessSettingCrossTenantAccess")]
+class MSFT_AADNetworkAccessSettingCrossTenantAccess : OMI_BaseResource
+{
+ [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance;
+ [Write, Description("Enable Tenant Restrictions for Entra ID (covering all cloud apps). Accepted values are enabled or disabled.")] String NetworkPacketTaggingStatus;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/readme.md
new file mode 100644
index 0000000000..911270ed2b
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/readme.md
@@ -0,0 +1,6 @@
+
+# AADNetworkAccessSettingCrossTenantAccess
+
+## Description
+
+Configures the universal tenant restrictions in Entra Id
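Review bot: `NetworkPacketTaggingStatus` is described as accepting only enabled or disabled, but the property carries no `ValueMap`/`Values` qualifier, so any string passes schema validation and reaches `Update-MgBetaNetworkAccessSettingCrossTenantAccess` unchanged. Because this property switches tenant restrictions on or off, a misspelt value is better rejected when the configuration is compiled than at the API call; add `ValueMap{"enabled","disabled"}, Values{"enabled","disabled"}` here and a matching `[ValidateSet('enabled', 'disabled')]` on the parameter in the .psm1. `SignalingStatus` in the AADNetworkAccessSettingConditionalAccess schema has the same gap.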
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/settings.json
new file mode 100644
index 0000000000..fc96fbdfea
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/settings.json
@@ -0,0 +1,28 @@
+{
+ "resourceName": "AADNetworkAccessSettingCrossTenantAccess",
+ "description": "Configures the universal tenant restrictions in Entra Id.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [
+ {
+ "name": "NetworkAccess.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "NetworkAccess.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/MSFT_AADOnPremisesPublishingProfilesSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/MSFT_AADOnPremisesPublishingProfilesSettings.psm1
new file mode 100644
index 0000000000..473ae5d148
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/MSFT_AADOnPremisesPublishingProfilesSettings.psm1
@@ -0,0 +1,315 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance = 'Yes', + + [Parameter()] + [System.Boolean] + $IsEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + $uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/onPremisesPublishingProfiles('applicationProxy')" + $instance = Invoke-MgGraphRequest -Uri $uri -Method Get + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + IsSingleInstance = 'Yes' + IsEnabled = $instance.IsEnabled + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential 
$Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance = 'Yes', + + [Parameter()] + [System.Boolean] + $IsEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Updating the IsEnabled setting to {$($IsEnabled.ToString())}" + $settings = @{ + isEnabled = $IsEnabled + } + $body = ConvertTo-Json $settings + $uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/onPremisesPublishingProfiles('applicationProxy')" + Invoke-MgGraphRequest -Uri $uri -Method PATCH -Body $Body | Out-Null +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance = 'Yes', + + [Parameter()] + [System.Boolean] + $IsEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the 
proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + + $dscContent = '' + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $params = @{ + ISSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + Write-Host $Global:M365DSCEmojiGreenCheckMark + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/MSFT_AADOnPremisesPublishingProfilesSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/MSFT_AADOnPremisesPublishingProfilesSettings.schema.mof new file mode 100644 index 0000000000..6ccb147d28 
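Review bot: Set-TargetResource never calls `New-M365DSCConnection`, unlike Get-TargetResource and Export-TargetResource in this file and Set-TargetResource in the CrossTenantAccess module, so the PATCH is sent on whatever Graph session is already active and `$Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl` may not be populated. If an earlier resource connected with other credentials or to another tenant, the setting would presumably be written there instead of to the tenant named by `TenantId`. Add `New-M365DSCConnection -Workload 'MicrosoftGraph' -InboundParameters $PSBoundParameters | Out-Null` at the top of the function, before the dependency check. The `= 'Yes'` default on the `Mandatory = $true` parameter `$IsSingleInstance` is never applied and can be dropped in Get, Set and Test.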
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/MSFT_AADOnPremisesPublishingProfilesSettings.schema.mof
@@ -0,0 +1,13 @@
+[ClassVersion("1.0.0.0"), FriendlyName("AADOnPremisesPublishingProfilesSettings")]
+class MSFT_AADOnPremisesPublishingProfilesSettings : OMI_BaseResource
+{
+ [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance;
+ [Write, Description("Enables of disables private net work connectors in Entra Id.")] Boolean IsEnabled;
+
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/readme.md
new file mode 100644
index 0000000000..0b9d6630fb
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/readme.md
@@ -0,0 +1,6 @@
+
+# AADOnPremisesPublishingProfilesSettings
+
+## Description
+
+Configures the settings for the on-premises publishing profiles in Entra Id.
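Review bot: The `IsEnabled` description contains two typos ("of" for "or", "net work" for "network") and, as the property's only documentation, it is what a reader of the schema sees. It should read `Enables or disables private network connectors in Entra Id.` The blank added line after `IsEnabled` is harmless but does not appear in the other schemas added by this commit.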
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/settings.json
new file mode 100644
index 0000000000..20b86ecc55
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/settings.json
@@ -0,0 +1,28 @@
+{
+ "resourceName": "AADOnPremisesPublishingProfilesSettings",
+ "description": "Configures the settings for the on-premises publishing profiles in Entra Id.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [
+ {
+ "name": "Directory.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "Directory.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.psm1
new file mode 100644
index 0000000000..f376853fdc
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.psm1
@@ -0,0 +1,484 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CertificateAuthorities, + + [Parameter()] + [System.String] + $OrganizationId, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + + # This GUID is ALWAYS fixed as per the documentation. 
+ $CertificateBasedAuthConfigurationId = "29728ade-6ae4-4ee9-9103-412912537da5" + $getValue = Get-MgBetaOrganizationCertificateBasedAuthConfiguration ` + -CertificateBasedAuthConfigurationId $CertificateBasedAuthConfigurationId ` + -OrganizationId $OrganizationId -ErrorAction SilentlyContinue + + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Organization Certificate Based Auth Configuration with Id {$Id}." + return $nullResult + } + + $Id = $getValue.Id + Write-Verbose -Message "An Azure AD Organization Certificate Based Auth Configuration with Id {$Id} was found" + + #region resource generator code + $complexCertificateAuthorities = @() + foreach ($currentCertificateAuthorities in $getValue.certificateAuthorities) + { + $myCertificateAuthorities = @{} + $myCertificateAuthorities.Add('Certificate', [System.Convert]::ToBase64String($currentCertificateAuthorities.certificate)) + $myCertificateAuthorities.Add('CertificateRevocationListUrl', $currentCertificateAuthorities.certificateRevocationListUrl) + $myCertificateAuthorities.Add('DeltaCertificateRevocationListUrl', $currentCertificateAuthorities.deltaCertificateRevocationListUrl) + $myCertificateAuthorities.Add('IsRootAuthority', $currentCertificateAuthorities.isRootAuthority) + if ($myCertificateAuthorities.values.Where({$null -ne $_}).Count -gt 0) + { + $complexCertificateAuthorities += $myCertificateAuthorities + } + } + #endregion + + $results = @{ + #region resource generator code + CertificateAuthorities = $complexCertificateAuthorities + OrganizationId = $OrganizationId + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception 
$_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CertificateAuthorities, + + [Parameter()] + [System.String] + $OrganizationId, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # This GUID is ALWAYS fixed as per the documentation. + $CertificateBasedAuthConfigurationId = "29728ade-6ae4-4ee9-9103-412912537da5" + + # Delete the old configuration + Write-Verbose -Message "Removing the current Azure AD Organization Certificate Based Auth Configuration." 
+ Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/organization/$OrganizationId/certificateBasedAuthConfiguration/$CertificateBasedAuthConfigurationId" -Method DELETE + + if ($Ensure -eq 'Present') + { + Write-Verbose -Message "Creating an Azure AD Organization Certificate Based Auth Configuration with Id {$CertificateBasedAuthConfigurationId}" + + $createParameters = ([Hashtable]$BoundParameters).Clone() + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + $createParameters.Remove('OrganizationId') | Out-Null + + $createCertAuthorities = @() + foreach ($CertificateAuthority in $CertificateAuthorities) + { + $createCertAuthorities += @{ + certificate = $CertificateAuthority.Certificate + certificateRevocationListUrl = $CertificateAuthority.CertificateRevocationListUrl + deltaCertificateRevocationListUrl = $CertificateAuthority.DeltaCertificateRevocationListUrl + isRootAuthority = $CertificateAuthority.IsRootAuthority + } + } + $params = @{ + certificateAuthorities = $createCertAuthorities + } + + $policy = Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/organization/$OrganizationId/certificateBasedAuthConfiguration/" -Method POST -Body $params + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CertificateAuthorities, + + [Parameter()] + [System.String] + $OrganizationId, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + 
[System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + # This GUID is ALWAYS fixed as per the documentation. + $CertificateBasedAuthConfigurationId = "29728ade-6ae4-4ee9-9103-412912537da5" + + Write-Verbose -Message "Testing configuration of the Azure AD Organization Certificate Based Auth Configuration with Id {$CertificateBasedAuthConfigurationId}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues 
$CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + # This GUID is ALWAYS fixed as per the documentation. 
+ $CertificateBasedAuthConfigurationId = "29728ade-6ae4-4ee9-9103-412912537da5" + $getValue = Get-MgBetaOrganization + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = "CertificateBasedAuthConfigurations for $($getValue.DisplayName)" + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Ensure = 'Present' + OrganizationId = $getValue.Id + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.CertificateAuthorities) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.CertificateAuthorities ` + -CIMInstanceName 'MicrosoftGraphcertificateAuthority' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.CertificateAuthorities = $complexTypeStringResult + } + else + { + $Results.Remove('CertificateAuthorities') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.CertificateAuthorities) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "CertificateAuthorities" -IsCIMArray:$True + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + 
Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.schema.mof new file mode 100644 index 0000000000..1331883aea --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.schema.mof 
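Review bot: In Set-TargetResource both `Invoke-MgGraphRequest` calls write the URL as `-Uri <ResourceUrl> + "beta/organization/..."` directly in the command's argument list, where PowerShell does not evaluate `+` as string concatenation; `-Uri` receives only the base resource URL and the `+` and the path are passed as separate arguments, so the call should either fail parameter binding or address the wrong URL. Build the address in an assignment first, as the OnPremisesPublishingProfilesSettings module does: `$uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/organization/$OrganizationId/certificateBasedAuthConfiguration/$CertificateBasedAuthConfigurationId"` followed by `Invoke-MgGraphRequest -Uri $uri -Method DELETE`, and likewise for the POST. Once the URL is correct, the DELETE still runs unconditionally (even when `$currentInstance.Ensure` is 'Absent', and `$currentInstance` is otherwise unused) and before the POST, so a rejected POST leaves the tenant without its trusted certificate authorities. Checking `$currentInstance` before deleting and validating `$CertificateAuthorities` before the DELETE would narrow that window.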
@@ -0,0 +1,23 @@ +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphCertificateAuthority +{ + [Write, Description("Required. The base64 encoded string representing the public certificate.")] String Certificate; + [Write, Description("The URL of the certificate revocation list.")] String CertificateRevocationListUrl; + [Write, Description("The URL contains the list of all revoked certificates since the last time a full certificate revocaton list was created.")] String DeltaCertificateRevocationListUrl; + [Write, Description("Required. true if the trusted certificate is a root authority, false if the trusted certificate is an intermediate authority.")] Boolean IsRootAuthority; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADOrganizationCertificateBasedAuthConfiguration")] +class MSFT_AADOrganizationCertificateBasedAuthConfiguration : OMI_BaseResource +{ + [Write, Description("Collection of certificate authorities which creates a trusted certificate chain."), EmbeddedInstance("MSFT_MicrosoftGraphcertificateAuthority")] String CertificateAuthorities[]; + [Key, Description("The Organization ID. 
Read-only.")] String OrganizationId; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/readme.md new file mode 100644 index 0000000000..9f7447d1d9 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/readme.md @@ -0,0 +1,6 @@ + +# AADOrganizationCertificateBasedAuthConfiguration + +## Description + +Azure AD Organization Certificate Based Auth Configuration diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/settings.json new file mode 100644 index 0000000000..df50b61fde --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/settings.json 
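Review bot: The `ApplicationSecret` description in `MSFT_AADOrganizationCertificateBasedAuthConfiguration` says "Secret of the Azure Active Directory tenant used for authentication", but the property sits beside `ApplicationId` and is typed as an embedded `MSFT_Credential`, so it describes the application's secret rather than a tenant's. I would word it `Secret of the Azure Active Directory application to authenticate with.`. In the same hunk the `DeltaCertificateRevocationListUrl` description misspells "revocaton", and `OrganizationId` is marked `[Key]` while its description says "Read-only", which deserves a word on how the key is meant to be supplied.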
@@ -0,0 +1,29 @@
+{
+ "resourceName": "AADOrganizationCertificateBasedAuthConfiguration",
+ "description": "This resource configures an Azure AD Organization Certificate Based Auth Configuration.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "Organization.Read.All"
+ }
+ ],
+ "update": [
+
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "Organization.Read.All"
+ }
+ ],
+ "update": [
+
+ ]
+ }
+ }
+}
+
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/settings.json
index f2fcba1008..31223d4d2a 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/settings.json
@@ -1,5 +1,5 @@
 {
- "resourceName": "AADGroupsSettings",
+ "resourceName": "AADPasswordRuleSettings",
 "description": "This resource configures the Azure Active Directory Password Rule Settings.",
 "roles": {
 "read": [],
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/MSFT_AADRemoteNetwork.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/MSFT_AADRemoteNetwork.psm1
new file mode 100644
index 0000000000..48a0c49ff4
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/MSFT_AADRemoteNetwork.psm1
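Review bot: Both `update` arrays in the new AADOrganizationCertificateBasedAuthConfiguration settings.json are empty, so the manifest declares only `Organization.Read.All` for a resource whose schema in this commit has a writable `CertificateAuthorities` and an `Ensure` of Present/Absent. If `Set-TargetResource` (not visible in this hunk) writes the certificate-based auth configuration, the permission it needs, likely `Organization.ReadWrite.All`, should be listed under `update` for both `delegated` and `application`, so operators grant exactly that scope. If the resource is export-only, saying so in `description` would remove the ambiguity. Changing a tenant's trusted certificate authorities is a sensitive operation, so the required permission is worth stating precisely.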
@@ -0,0 +1,680 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Region, + + [Parameter()] + [System.String[]] + $ForwardingProfiles, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DeviceLinks, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + if (-not [System.String]::IsNullOrEmpty($Id)) { + $getValue = Get-MgBetaNetworkAccessConnectivityRemoteNetwork -RemoteNetworkId $Id -ErrorAction SilentlyContinue + } + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Remote Network with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($Name)) + { + $getValue = Get-MgBetaNetworkAccessConnectivityRemoteNetwork -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $Name } + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Remote Network with Name {$Name}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Azure AD Remote Network with Id {$Id} and Name {$Name} was found" + + #region resource generator code + $forwardingProfilesList = @() + foreach ($forwardingProfile in $getValue.ForwardingProfiles) { + $forwardingProfilesList += $forwardingProfile.Name + } + + $complexDeviceLinks = Get-MicrosoftGraphRemoteNetworkDeviceLinksHashtable -DeviceLinks $getValue.DeviceLinks + #endregion + + $results = @{ + Id = $getValue.Id + Name = $getValue.Name + Region = $getValue.Region + ForwardingProfiles = [Array]$forwardingProfilesList + DeviceLinks = [Array]$complexDeviceLinks + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Region, + + [Parameter()] + [System.String[]] + $ForwardingProfiles, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DeviceLinks, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + 
+ [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # creating the device links property + $deviceLinksHashtable = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $BoundParameters.DeviceLinks + # renames the odataType property to @odata.type + $deviceLinksHashtable = Rename-M365DSCCimInstanceParameter -Properties $deviceLinksHashtable + + #creating the forwarding policies list by getting the ids + $allForwardingProfiles = Get-MgBetaNetworkAccessForwardingProfile + $forwardingProfilesList = @() + foreach ($profileName in $BoundParameters.ForwardingProfiles) { + $matchedProfile = $allForwardingProfiles | Where-Object { $_.Name -eq $profileName } + $forwardingProfilesList += @{ + id = $matchedProfile.Id + } + } + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Azure AD Remote Network with Name {$Name}" + $params = @{ + name = $BoundParameters.Name + region = $BoundParameters.Region + deviceLinks = [Array]$deviceLinksHashtable + forwardingProfiles = [Array]$forwardingProfilesList + } + + New-MgBetaNetworkAccessConnectivityRemoteNetwork -BodyParameter $params + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Remote Network with Id {$($currentInstance.Id)}" + $currentRemoteNetwork = 
Get-MgBetaNetworkAccessConnectivityRemoteNetwork -RemoteNetworkId $currentInstance.Id + + #removing the old device links + foreach ($deviceLinkItem in $currentRemoteNetwork.DeviceLinks) { + Remove-MgBetaNetworkAccessConnectivityRemoteNetworkDeviceLink -RemoteNetworkId $currentInstance.Id -DeviceLinkId $deviceLinkItem.Id + } + # updating the list of device links + foreach ($deviceLinkItem in $deviceLinksHashtable) { + Write-Verbose "Device Link Hashtable: $deviceLinksItem" + New-MgBetaNetworkAccessConnectivityRemoteNetworkDeviceLink -RemoteNetworkId $currentInstance.Id -BodyParameter $deviceLinkItem + } + + # removing forwarding profiles + $params = @{ + "@context" = '#$delta' + value = @(@{}) + } + Invoke-MgGraphRequest -Uri https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks/$($currentInstance.Id)/forwardingProfiles -Method Patch -Body $params + + #adding forwarding profiles if required + if ($forwardingProfilesList.Count -gt 0) { + $params = @{ + "@context" = '#$delta' + value = $forwardingProfilesList + } + Invoke-MgGraphRequest -Uri https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks/$($currentInstance.Id)/forwardingProfiles -Method Patch -Body $params + } + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Azure AD Remote Network with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaNetworkAccessConnectivityRemoteNetwork -RemoteNetworkId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Region, + + [Parameter()] + [System.String[]] + $ForwardingProfiles, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DeviceLinks, + + [Parameter()] + [System.String] + 
[ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Remote Network with Id {$Id} and Name {$Name}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: 
$(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaNetworkAccessConnectivityRemoteNetwork ` + -Filter $Filter ` + -All ` + -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.Name)) + { + $displayedKey = $config.Name + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + Name = $config.Name + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($null -ne $Results.DeviceLinks -and $Results.DeviceLinks.Count -gt 0) + { + $Results.DeviceLinks = Get-MicrosoftGraphRemoteNetworkDeviceLinksHashtableAsString -DeviceLinks $Results.DeviceLinks + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.DeviceLinks) + { + $currentDSCBlock = Convert-DSCStringParamToVariable 
-DSCBlock $currentDSCBlock -ParameterName "DeviceLinks" + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-MicrosoftGraphRemoteNetworkDeviceLinksHashtable { + [CmdletBinding()] + [OutputType([System.Collections.ArrayList])] + param ( + [Parameter()] + [System.Collections.ArrayList] + $DeviceLinks + ) + + $newDeviceLinks = @() + + foreach ($deviceLink in $DeviceLinks) { + $newDeviceLink = @{} + + # Add main properties only if they are not null + if ($deviceLink.Name) { $newDeviceLink["Name"] = $deviceLink.Name } + if ($deviceLink.IpAddress) { $newDeviceLink["IPAddress"] = $deviceLink.IpAddress } + if ($deviceLink.BandwidthCapacityInMbps) { $newDeviceLink["BandwidthCapacityInMbps"] = $deviceLink.BandwidthCapacityInMbps } + if ($deviceLink.DeviceVendor) { $newDeviceLink["DeviceVendor"] = $deviceLink.DeviceVendor } + + # BGP Configuration + if ($deviceLink.BgpConfiguration) { + $bgpConfig = @{} + if ($deviceLink.BgpConfiguration.Asn) { $bgpConfig["Asn"] = $deviceLink.BgpConfiguration.Asn } + if ($deviceLink.BgpConfiguration.LocalIPAddress) { $bgpConfig["LocalIPAddress"] = $deviceLink.BgpConfiguration.LocalIPAddress } + if ($deviceLink.BgpConfiguration.PeerIPAddress) { $bgpConfig["PeerIPAddress"] = $deviceLink.BgpConfiguration.PeerIPAddress } + + if ($bgpConfig.Count -gt 0) { $newDeviceLink["BgpConfiguration"] = $bgpConfig } + } + + # Redundancy Configuration + if ($deviceLink.RedundancyConfiguration) { + $redundancyConfig = @{} + if ($deviceLink.RedundancyConfiguration.RedundancyTier) { $redundancyConfig["RedundancyTier"] = 
$deviceLink.RedundancyConfiguration.RedundancyTier } + if ($deviceLink.RedundancyConfiguration.ZoneLocalIPAddress) { $redundancyConfig["ZoneLocalIPAddress"] = $deviceLink.RedundancyConfiguration.ZoneLocalIPAddress } + + if ($redundancyConfig.Count -gt 0) { $newDeviceLink["RedundancyConfiguration"] = $redundancyConfig } + } + + # Tunnel Configuration + if ($deviceLink.TunnelConfiguration) { + $tunnelConfig = @{} + if ($deviceLink.TunnelConfiguration.PreSharedKey) { $tunnelConfig["PreSharedKey"] = $deviceLink.TunnelConfiguration.PreSharedKey } + if ($deviceLink.TunnelConfiguration.ZoneRedundancyPreSharedKey) { $tunnelConfig["ZoneRedundancyPreSharedKey"] = $deviceLink.TunnelConfiguration.ZoneRedundancyPreSharedKey } + + # Additional Properties + if ($deviceLink.TunnelConfiguration.AdditionalProperties) { + if ($deviceLink.TunnelConfiguration.AdditionalProperties.saLifeTimeSeconds) { $tunnelConfig["SaLifeTimeSeconds"] = $deviceLink.TunnelConfiguration.AdditionalProperties.saLifeTimeSeconds } + if ($deviceLink.TunnelConfiguration.AdditionalProperties.ipSecEncryption) { $tunnelConfig["IPSecEncryption"] = $deviceLink.TunnelConfiguration.AdditionalProperties.ipSecEncryption } + if ($deviceLink.TunnelConfiguration.AdditionalProperties.ipSecIntegrity) { $tunnelConfig["IPSecIntegrity"] = $deviceLink.TunnelConfiguration.AdditionalProperties.ipSecIntegrity } + if ($deviceLink.TunnelConfiguration.AdditionalProperties.ikeEncryption) { $tunnelConfig["IKEEncryption"] = $deviceLink.TunnelConfiguration.AdditionalProperties.ikeEncryption } + if ($deviceLink.TunnelConfiguration.AdditionalProperties.ikeIntegrity) { $tunnelConfig["IKEIntegrity"] = $deviceLink.TunnelConfiguration.AdditionalProperties.ikeIntegrity } + if ($deviceLink.TunnelConfiguration.AdditionalProperties.dhGroup) { $tunnelConfig["DHGroup"] = $deviceLink.TunnelConfiguration.AdditionalProperties.dhGroup } + if ($deviceLink.TunnelConfiguration.AdditionalProperties.pfsGroup) { $tunnelConfig["PFSGroup"] = 
$deviceLink.TunnelConfiguration.AdditionalProperties.pfsGroup } + if ($deviceLink.TunnelConfiguration.AdditionalProperties["@odata.type"]) { $tunnelConfig["ODataType"] = $deviceLink.TunnelConfiguration.AdditionalProperties["@odata.type"] } + } + + if ($tunnelConfig.Count -gt 0) { $newDeviceLink["TunnelConfiguration"] = $tunnelConfig } + } + + # Add the device link to the collection if it has any properties + if ($newDeviceLink.Count -gt 0) { $newDeviceLinks += $newDeviceLink } + } + + return $newDeviceLinks +} + + +function Get-MicrosoftGraphRemoteNetworkDeviceLinksHashtableAsString { + [CmdletBinding()] + [OutputType([System.String])] + param ( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $DeviceLinks + ) + + $StringContent = [System.Text.StringBuilder]::new() + $StringContent.Append('@(') | Out-Null + + foreach ($deviceLink in $DeviceLinks) { + $StringContent.Append("`n MSFT_AADRemoteNetworkDeviceLink {`r`n") | Out-Null + + # Append main properties if not null + if ($deviceLink.Name) { $StringContent.Append(" Name = '" + $deviceLink.Name + "'`r`n") | Out-Null } + if ($deviceLink.IPAddress) { $StringContent.Append(" IPAddress = '" + $deviceLink.IPAddress + "'`r`n") | Out-Null } + if ($deviceLink.BandwidthCapacityInMbps) { $StringContent.Append(" BandwidthCapacityInMbps = '" + $deviceLink.BandwidthCapacityInMbps + "'`r`n") | Out-Null } + if ($deviceLink.DeviceVendor) { $StringContent.Append(" DeviceVendor = '" + $deviceLink.DeviceVendor + "'`r`n") | Out-Null } + + # BGP Configuration + if ($deviceLink.BgpConfiguration) { + $bgpConfigAdded = $false + $StringContent.Append(" BgpConfiguration = MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration {`r`n") | Out-Null + if ($deviceLink.BgpConfiguration.Asn) { $StringContent.Append(" Asn = " + $deviceLink.BgpConfiguration.Asn + "`r`n") | Out-Null; $bgpConfigAdded = $true } + if ($deviceLink.BgpConfiguration.LocalIPAddress) { $StringContent.Append(" LocalIPAddress = '" + 
$deviceLink.BgpConfiguration.LocalIPAddress + "'`r`n") | Out-Null; $bgpConfigAdded = $true } + if ($deviceLink.BgpConfiguration.PeerIPAddress) { $StringContent.Append(" PeerIPAddress = '" + $deviceLink.BgpConfiguration.PeerIPAddress + "'`r`n") | Out-Null; $bgpConfigAdded = $true } + if ($bgpConfigAdded) { $StringContent.Append(" }`r`n") | Out-Null } + } + + # Redundancy Configuration + if ($deviceLink.RedundancyConfiguration) { + $redundancyConfigAdded = $false + $StringContent.Append(" RedundancyConfiguration = MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration {`r`n") | Out-Null + if ($deviceLink.RedundancyConfiguration.RedundancyTier) { $StringContent.Append(" RedundancyTier = '" + $deviceLink.RedundancyConfiguration.RedundancyTier + "'`r`n") | Out-Null; $redundancyConfigAdded = $true } + if ($deviceLink.RedundancyConfiguration.ZoneLocalIPAddress) { $StringContent.Append(" ZoneLocalIPAddress = '" + $deviceLink.RedundancyConfiguration.ZoneLocalIPAddress + "'`r`n") | Out-Null; $redundancyConfigAdded = $true } + if ($redundancyConfigAdded) { $StringContent.Append(" }`r`n") | Out-Null } + } + + # Tunnel Configuration + if ($deviceLink.TunnelConfiguration) { + $tunnelConfigAdded = $false + $StringContent.Append(" TunnelConfiguration = MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration {`r`n") | Out-Null + if ($deviceLink.TunnelConfiguration.PreSharedKey) { $StringContent.Append(" PreSharedKey = '" + $deviceLink.TunnelConfiguration.PreSharedKey + "'`r`n") | Out-Null; $tunnelConfigAdded = $true } + if ($deviceLink.TunnelConfiguration.ZoneRedundancyPreSharedKey) { $StringContent.Append(" ZoneRedundancyPreSharedKey = '" + $deviceLink.TunnelConfiguration.ZoneRedundancyPreSharedKey + "'`r`n") | Out-Null; $tunnelConfigAdded = $true } + if ($deviceLink.TunnelConfiguration.SaLifeTimeSeconds) { $StringContent.Append(" SaLifeTimeSeconds = " + $deviceLink.TunnelConfiguration.SaLifeTimeSeconds + "`r`n") | Out-Null; $tunnelConfigAdded = $true } + if 
($deviceLink.TunnelConfiguration.IpSecEncryption) { $StringContent.Append(" IPSecEncryption = '" + $deviceLink.TunnelConfiguration.IpSecEncryption + "'`r`n") | Out-Null; $tunnelConfigAdded = $true } + if ($deviceLink.TunnelConfiguration.IpSecIntegrity) { $StringContent.Append(" IPSecIntegrity = '" + $deviceLink.TunnelConfiguration.IpSecIntegrity + "'`r`n") | Out-Null; $tunnelConfigAdded = $true } + if ($deviceLink.TunnelConfiguration.IkeEncryption) { $StringContent.Append(" IKEEncryption = '" + $deviceLink.TunnelConfiguration.IkeEncryption + "'`r`n") | Out-Null; $tunnelConfigAdded = $true } + if ($deviceLink.TunnelConfiguration.IkeIntegrity) { $StringContent.Append(" IKEIntegrity = '" + $deviceLink.TunnelConfiguration.IkeIntegrity + "'`r`n") | Out-Null; $tunnelConfigAdded = $true } + if ($deviceLink.TunnelConfiguration.DhGroup) { $StringContent.Append(" DHGroup = '" + $deviceLink.TunnelConfiguration.DhGroup + "'`r`n") | Out-Null; $tunnelConfigAdded = $true } + if ($deviceLink.TunnelConfiguration.PfsGroup) { $StringContent.Append(" PFSGroup = '" + $deviceLink.TunnelConfiguration.PfsGroup + "'`r`n") | Out-Null; $tunnelConfigAdded = $true } + if ($deviceLink.TunnelConfiguration.ODataType) { $StringContent.Append(" ODataType = '" + $deviceLink.TunnelConfiguration.ODataType + "'`r`n") | Out-Null; $tunnelConfigAdded = $true } + if ($tunnelConfigAdded) { $StringContent.Append(" }`r`n") | Out-Null } + } + + $StringContent.Append(" }`r`n") | Out-Null + } + + $StringContent.Append(' )') | Out-Null + return $StringContent.ToString() +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/MSFT_AADRemoteNetwork.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/MSFT_AADRemoteNetwork.schema.mof new file mode 100644 index 0000000000..c23962fa2b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/MSFT_AADRemoteNetwork.schema.mof 
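Review bot: `Get-MicrosoftGraphRemoteNetworkDeviceLinksHashtableAsString` writes `PreSharedKey` and `ZoneRedundancyPreSharedKey` verbatim into the exported configuration text, so whenever Graph returns them the tunnel keys end up in clear in the export file; the schema.mof added in this commit types both as plain `String` as well. I would leave the two keys out of the export (or emit a placeholder the operator fills in) and keep them out of the `Current Values` verbose line in `Test-TargetResource`, which may print the nested hashtable. The same function also concatenates every value between single quotes without escaping, so a device-link name containing `'` produces a broken or altered configuration; doubling the quote, e.g. `"'" + $deviceLink.Name.Replace("'", "''") + "'"`, on each quoted property fixes that.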
@@ -0,0 +1,60 @@ +[ClassVersion("1.0.0")] +class MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration +{ + [Write, Description("LocalIpAddress.")] String LocalIPAddress; + [Write, Description("PeerIpAddress.")] String PeerIPAddress; + [Write, Description("Asn.")] UInt32 Asn; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration +{ + [Write, Description("ZoneLocalIpAddress.")] String ZoneLocalIPAddress; + [Write, Description("RedundancyTier.")] String RedundancyTier; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration +{ + [Write, Description("PreSharedKey")] String PreSharedKey; + [Write, Description("ZoneRedundancyPreSharedKey")] String ZoneRedundancyPreSharedKey; + [Write, Description("SaLifeTimeSeconds")] UInt32 SaLifeTimeSeconds; + [Write, Description("IpSecEncryption")] String IPSecEncryption; + [Write, Description("IpSecIntegrity")] String IPSecIntegrity; + [Write, Description("IkeEncryption")] String IKEEncryption; + [Write, Description("IkeIntegrity")] String IKEIntegrity; + [Write, Description("DhGroup")] String DHGroup; + [Write, Description("PfsGroup")] String PFSGroup; + [Write, Description("ODataType")] String ODataType; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADRemoteNetworkDeviceLink +{ + [Write, Description("Name of the Device Link")] String Name; + [Write, Description("IP Address")] String IPAddress; + [Write, Description("Bandwidth Capacity in Mbps")] String BandwidthCapacityInMbps; + [Write, Description("Device Vendor")] String DeviceVendor; + + [Write, Description("BgpConfiguration."), EmbeddedInstance("MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration")] String BgpConfiguration; + [Write, Description("redundancyConfiguration."), EmbeddedInstance("MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration")] String RedundancyConfiguration; + [Write, Description("tunnelConfiguration"), EmbeddedInstance("MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration")] String 
TunnelConfiguration; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADRemoteNetwork")] +class MSFT_AADRemoteNetwork : OMI_BaseResource +{ + [Key, Description("Name of the remote network.")] String Name; + [Write, Description("Id of the remote network")] String Id; + [Write, Description("Region")] String Region; + [Write, Description("List of the forwarding profile names associated to this remote network")] String ForwardingProfiles[]; + [Write, Description("Device Links associated to this remote network"), EmbeddedInstance("MSFT_AADRemoteNetworkDeviceLink")] String DeviceLinks[]; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/readme.md new file mode 100644 index 0000000000..77fbbcf87a --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/readme.md @@ -0,0 +1,6 @@ + +# AADRemoteNetwork + +## Description + +Use this resource to manage the Entra's Network Access Remote Networks, and related Device links. 
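Review bot: `MSFT_AADRemoteNetwork` declares no `ApplicationSecret` property, although every `*-TargetResource` function in the module added by this commit takes `$ApplicationSecret` and `Get-TargetResource` returns it in its result. A configuration that authenticates with an application secret would presumably not validate against this schema, and an export that emits the property would not round-trip. I would add `[Write, Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;` next to `ApplicationId`, matching the other schema in this commit.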
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/settings.json
new file mode 100644
index 0000000000..587f88267a
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/settings.json
@@ -0,0 +1,32 @@
+{
+ "resourceName": "AADRemoteNetwork",
+ "description": "Use this resource to manage the Entra's Network Access Remote Networks, and related Device links.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "NetworkAccess.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "NetworkAccess.ReadWrite.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "NetworkAccess.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "NetworkAccess.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1
index 9dd27478e6..41aa9c982a 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1
@@ -181,11 +181,16 @@ return $nullResult } Write-Verbose -Message "Found Principal {$PrincipalId}" - $RoleDefinitionId = (Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$RoleDefinition'").Id - Write-Verbose -Message "Found Role {$RoleDefinitionId}" - - $schedule = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$PrincipalId' and RoleDefinitionId eq '$RoleDefinitionId'" - [Array]$request = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -Filter "PrincipalId eq '$PrincipalId' and RoleDefinitionId eq '$RoleDefinitionId'" | Sort-Object -Property CompletedDateTime -Descending + $schedulesForPrincipal = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$PrincipalId'" + foreach ($instance in $schedulesForPrincipal) + { + $roleInfo = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $instance.RoleDefinitionId + if ($roleInfo.DisplayName -eq $RoleDefinition) + { + $schedule = $instance + } + } + [Array]$request = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -Filter "PrincipalId eq '$PrincipalId' and RoleDefinitionId eq '$($schedule.RoleDefinitionId)'" | Sort-Object -Property CompletedDateTime -Descending ` if ($request.Length -gt 1) { @@ -195,6 +200,7 @@ } else { + Write-Verbose -Message "Request is not null: $request" $ObjectGuid = [System.Guid]::empty if ($PrincipalType -eq 'User') { 
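Review bot: `$schedule` is only assigned inside the new `foreach` when a role's display name matches, and nothing resets it before the loop or handles the case where no schedule matches. When the principal has no eligibility schedule for `$RoleDefinition`, the request lookup on the following line is filtered with an empty `RoleDefinitionId`, and the function carries on with whatever that query returns instead of reporting the role as absent. I would set `$schedule = $null` before the loop, `break` on the first match, and `return $nullResult` when `$schedule` is still null afterwards. The loop also makes one role-definition call per schedule, which may be slow for principals with many eligibilities. The enclosing function starts and ends outside this hunk.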
@@ -581,7 +587,7 @@ function Set-TargetResource { Write-Verbose -Message "Creating a Role Eligibility Schedule Request for user {$Principal} and role {$RoleDefinition}" $ParametersOps.Remove("Id") | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $ParametersOps)" + Write-Verbose -Message "Values: $(Convert-M365DscHashtableToString -Hashtable $ParametersOps)" New-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest @ParametersOps } elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/MSFT_AADRoleManagementPolicyRule.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/MSFT_AADRoleManagementPolicyRule.psm1 new file mode 100644 index 0000000000..7273bdc894 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/MSFT_AADRoleManagementPolicyRule.psm1 
@@ -0,0 +1,829 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $id, + + [Parameter(Mandatory = $true)] + [System.String] + $roleDisplayName, + + [Parameter()] + [System.String] + $ruleType, + + [Parameter()] + [System.String] + $policyId, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $expirationRule, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $notificationRule, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $enablementRule, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $approvalRule, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $authenticationContextRule, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + + $getValue = $null + $role = Get-MgBetaRoleManagementDirectoryRoleDefinition -All -Filter "DisplayName eq '$($roleDisplayName)'" + if($null -eq $role) + { + Write-Verbose -Message "Could not find an Azure AD Role Management Definition with DisplayName {$roleDisplayName}" + return $nullResult + } + + $assignment = Get-MgBetaPolicyRoleManagementPolicyAssignment -Filter "RoleDefinitionId eq '$($role.Id)' and scopeId eq '/' and scopeType eq 'DirectoryRole'" + if($null -eq $assignment) + { + Write-Verbose -Message "Could not find an Azure AD Role Management Policy Assignment with RoleDefinitionId {$role.Id}" + return $nullResult + } + + $policyId = $assignment.PolicyId + + $getValue = Get-MgBetaPolicyRoleManagementPolicyRule ` + -UnifiedRoleManagementPolicyId $policyId ` + -UnifiedRoleManagementPolicyRuleId $id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Role Management Policy Rule with Id {$id} and PolicyId {$policyId}." 
+ return $nullResult + } + + Write-Verbose -Message "An Azure AD Role Management Policy Rule with Id {$id} and PolicyId {$policyId} was found" + $rule = Get-M365DSCRoleManagementPolicyRuleObject -Rule $getValue + + $results = @{ + id = $id + policyId = $policyId + roleDisplayName = $roleDisplayName + ruleType = $rule.ruleType + expirationRule = $rule.expirationRule + notificationRule = $rule.notificationRule + enablementRule = $rule.enablementRule + approvalRule = $rule.approvalRule + authenticationContextRule = $rule.authenticationContextRule + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $id, + + [Parameter(Mandatory = $true)] + [System.String] + $roleDisplayName, + + [Parameter()] + [System.String] + $ruleType, + + [Parameter()] + [System.String] + $policyId, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $expirationRule, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $notificationRule, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $enablementRule, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $approvalRule, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $authenticationContextRule, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + 
[System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + Write-Verbose -Message "Updating the Azure AD Role Management Policy Rule with Id {$($currentInstance.Id)}" + $body = @{ + '@odata.type' = $ruleType + } + + if($ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule') + { + $expirationRuleHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $expirationRule + # add all the properties to the body + foreach($key in $expirationRuleHashmap.Keys) + { + $body.Add($key, $expirationRuleHashmap.$key) + } + } + + if($ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyNotificationRule') + { + $notificationRuleHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $notificationRule + # add all the properties to the body + foreach($key in $notificationRuleHashmap.Keys) + { + $body.Add($key, $notificationRuleHashmap.$key) + } + } + + if($ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule') + { + $enablementRuleHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $enablementRule + # add all the properties to the body + foreach($key in $enablementRuleHashmap.Keys) + { + $body.Add($key, $enablementRuleHashmap.$key) + } + } + + 
if($ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule') + { + $approvalRuleHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $approvalRule + # add all the properties to the body + foreach($key in $approvalRuleHashmap.Keys) + { + $body.Add($key, $approvalRuleHashmap.$key) + } + } + + if($ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule') + { + $authenticationContextRuleHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $authenticationContextRule + # add all the properties to the body + foreach($key in $authenticationContextRuleHashmap.Keys) + { + $body.Add($key, $authenticationContextRuleHashmap.$key) + } + } + + Update-MgBetaPolicyRoleManagementPolicyRule ` + -UnifiedRoleManagementPolicyId $currentInstance.policyId ` + -UnifiedRoleManagementPolicyRuleId $currentInstance.Id ` + -BodyParameter $body + #endregion +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $id, + + [Parameter(Mandatory = $true)] + [System.String] + $roleDisplayName, + + [Parameter()] + [System.String] + $ruleType, + + [Parameter()] + [System.String] + $policyId, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $expirationRule, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $notificationRule, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $enablementRule, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $approvalRule, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $authenticationContextRule, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + 
[System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Role Management Policy Rule with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + 
[OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $dscContent = [System.Text.StringBuilder]::new() + Write-Host "`r`n" -NoNewline + try + { + [array] $roles = Get-MgBetaRoleManagementDirectoryRoleDefinition -All + + $j = 1 + foreach ($role in $roles) + { + $assignment = Get-MgBetaPolicyRoleManagementPolicyAssignment -Filter "RoleDefinitionId eq '$($role.Id)' and scopeId eq '/' and scopeType eq 'DirectoryRole'" + $policyId = $assignment.PolicyId + $rules = Get-MgBetaPolicyRoleManagementPolicyRule ` + -UnifiedRoleManagementPolicyId $policyId + + Write-Host " |---[$j/$($roles.Count)] $($role.displayName)" + $i = 1 + foreach($rule in $rules) + { + Write-Host " |---[$i/$($rules.Count)] $($role.displayName)_$($rule.id)" -NoNewline + $Params = @{ + roleDisplayName = $role.displayName + id = $rule.id + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + Credential = 
$Credential + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($null -ne $Results.expirationRule) + { + $complexMapping = @( + @{ + Name = 'expirationRule' + CimInstanceName = 'AADRoleManagementPolicyExpirationRule' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.expirationRule` + -CIMInstanceName 'AADRoleManagementPolicyExpirationRule' ` + -ComplexTypeMapping $complexMapping + + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.expirationRule = $complexTypeStringResult + } + else + { + $Results.Remove('expirationRule') | Out-Null + } + } + + if ($null -ne $Results.notificationRule) + { + $complexMapping = @( + @{ + Name = 'notificationRule' + CimInstanceName = 'AADRoleManagementPolicyNotificationRule' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.notificationRule` + -CIMInstanceName 'AADRoleManagementPolicyNotificationRule' ` + -ComplexTypeMapping $complexMapping + + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.notificationRule = $complexTypeStringResult + } + else + { + $Results.Remove('notificationRule') | Out-Null + } + } + + + if ($null -ne $Results.enablementRule) + { + $complexMapping = @( + @{ + Name = 'enablementRule' + CimInstanceName = 'AADRoleManagementPolicyEnablementRule' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.enablementRule` + -CIMInstanceName 'AADRoleManagementPolicyEnablementRule' ` + -ComplexTypeMapping $complexMapping + + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.enablementRule = $complexTypeStringResult + } + else + { + 
$Results.Remove('enablementRule') | Out-Null + } + } + + if ($null -ne $Results.authenticationContextRule) + { + $complexMapping = @( + @{ + Name = 'authenticationContextRule' + CimInstanceName = 'AADRoleManagementPolicyAuthenticationContextRule' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.authenticationContextRule` + -CIMInstanceName 'AADRoleManagementPolicyAuthenticationContextRule' ` + -ComplexTypeMapping $complexMapping + + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.authenticationContextRule = $complexTypeStringResult + } + else + { + $Results.Remove('authenticationContextRule') | Out-Null + } + } + + if ($null -ne $Results.approvalRule) + { + $complexMapping = @( + @{ + Name = 'approvalRule' + CimInstanceName = 'AADRoleManagementPolicyApprovalRule' + IsRequired = $False + } + @{ + Name = 'setting' + CimInstanceName = 'AADRoleManagementPolicyApprovalSettings' + IsRequired = $False + } + @{ + Name = 'approvalStages' + CimInstanceName = 'AADRoleManagementPolicyApprovalStage' + IsRequired = $False + } + @{ + Name = 'escalationApprovers' + CimInstanceName = 'AADRoleManagementPolicySubjectSet' + IsRequired = $False + } + @{ + Name = 'primaryApprovers' + CimInstanceName = 'AADRoleManagementPolicySubjectSet' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.approvalRule` + -CIMInstanceName 'AADRoleManagementPolicyApprovalRule' ` + -ComplexTypeMapping $complexMapping + + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.approvalRule = $complexTypeStringResult + } + else + { + $Results.Remove('approvalRule') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.expirationRule) 
+ { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "expirationRule" -IsCIMArray:$false + } + + + if ($Results.notificationRule) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "notificationRule" -IsCIMArray:$false + } + + + if ($Results.enablementRule) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "enablementRule" -IsCIMArray:$false + } + + if ($Results.approvalRule) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "approvalRule" -IsCIMArray:$false + } + + if ($Results.authenticationContextRule) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "authenticationContextRule" -IsCIMArray:$false + } + $dscContent.Append($currentDSCBlock) | Out-Null + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + Write-Host $Global:M365DSCEmojiGreenCheckMark + $i++ + } + $j++ + } + return $dscContent.ToString() + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + + +function Get-M365DSCRoleManagementPolicyRuleObject +{ + [CmdletBinding()] + [OutputType([PSCustomObject])] + param( + [Parameter()] + $Rule + ) + + if ($null -eq $Rule) + { + return $null + } + + $odataType = "@odata.type" + $values = @{ + id = $Rule.id + ruleType = $Rule.AdditionalProperties.$odataType + } + + if($values.ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule') + { + $expirationRule = @{ + isExpirationRequired = $Rule.AdditionalProperties.isExpirationRequired + maximumDuration = $Rule.AdditionalProperties.maximumDuration + } + $values.Add('expirationRule', $expirationRule) + } + + 
if($values.ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyNotificationRule') + { + $notificationRule = @{ + notificationType = $Rule.AdditionalProperties.notificationType + recipientType = $Rule.AdditionalProperties.recipientType + notificationLevel = $Rule.AdditionalProperties.notificationLevel + isDefaultRecipientsEnabled = $Rule.AdditionalProperties.isDefaultRecipientsEnabled + notificationRecipients = [array]$Rule.AdditionalProperties.notificationRecipients + } + $values.Add('notificationRule', $notificationRule) + } + + if($values.ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule') + { + $enablementRule = @{ + enabledRules = [array]$Rule.AdditionalProperties.enabledRules + } + $values.Add('enablementRule', $enablementRule) + } + + if($values.ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule') + { + $approvalStages = @() + foreach($stage in $Rule.AdditionalProperties.setting.approvalStages) + { + $primaryApprovers = @() + foreach($approver in $stage.primaryApprovers) + { + $primaryApprover = @{ + odataType = $approver.$odataType + } + $primaryApprovers += $primaryApprover + } + + $escalationApprovers = @() + foreach($approver in $stage.escalationApprovers) + { + $escalationApprover = @{ + odataType = $approver.$odataType + } + $escalationApprovers += $escalationApprover + } + + $approvalStage = @{ + approvalStageTimeOutInDays = $stage.approvalStageTimeOutInDays + escalationTimeInMinutes = $stage.escalationTimeInMinutes + isApproverJustificationRequired = $stage.isApproverJustificationRequired + isEscalationEnabled = $stage.isEscalationEnabled + escalationApprovers = [array]$escalationApprovers + primaryApprovers = [array]$primaryApprovers + } + + $approvalStages += $approvalStage + } + $setting = @{ + approvalMode = $Rule.AdditionalProperties.setting.approvalMode; + isApprovalRequired = $Rule.AdditionalProperties.setting.isApprovalRequired + isApprovalRequiredForExtension = 
$Rule.AdditionalProperties.setting.isApprovalRequiredForExtension + isRequestorJustificationRequired = $Rule.AdditionalProperties.setting.isRequestorJustificationRequired + approvalStages = [array]$approvalStages + } + $approvalRule = @{ + setting = $setting + } + $values.Add('approvalRule', $approvalRule) + } + + if($values.ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule') + { + $authenticationContextRule = @{ + isEnabled = $Rule.AdditionalProperties.isEnabled + claimValue = $Rule.AdditionalProperties.claimValue + } + $values.Add('authenticationContextRule', $authenticationContextRule) + } + + + return $values +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/MSFT_AADRoleManagementPolicyRule.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/MSFT_AADRoleManagementPolicyRule.schema.mof new file mode 100644 index 0000000000..26d8fff818 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/MSFT_AADRoleManagementPolicyRule.schema.mof 
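Review bot: Set-TargetResource cannot tell a failed lookup from a found rule, because Get-TargetResource returns `$nullResult = $PSBoundParameters` on every miss and from its `catch` block. In those cases `$currentInstance.policyId` and `$currentInstance.Id` are simply the values supplied in the configuration, and `Update-MgBetaPolicyRoleManagementPolicyRule` is still called with them, so a rule in a policy that was never resolved from `roleDisplayName` could be rewritten after a missing role or a transient Graph error. I would drop the caller's `policyId` from the miss result, `$nullResult = ([Hashtable]$PSBoundParameters).Clone()` followed by `$nullResult.Remove('policyId') | Out-Null`, and have Set-TargetResource `throw` when `$currentInstance.policyId` is empty before it builds `$body`. The same missing guard applies in Export-TargetResource, where `$assignment.PolicyId` is used without checking that an assignment was returned.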
@@ -0,0 +1,85 @@
+
+[ClassVersion("1.0.0.0")]
+class MSFT_AADRoleManagementPolicyExpirationRule
+{
+ [Write, Description("Specifies if expiration is required.")] Boolean isExpirationRequired;
+ [Write, Description("The maximum duration for the expiration.")] String maximumDuration;
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_AADRoleManagementPolicyNotificationRule
+{
+ [Write, Description("Notification type for the rule.")] String notificationType;
+ [Write, Description("Type of the recipient for the notification.")] String recipientType;
+ [Write, Description("Level of the notification.")] String notificationLevel;
+ [Write, Description("Indicates if default recipients are enabled.")] Boolean isDefaultRecipientsEnabled;
+ [Write, Description("List of notification recipients.")] String notificationRecipients[];
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_AADRoleManagementPolicyEnablementRule
+{
+ [Write, Description("List of enabled rules.")] String enabledRules[];
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_AADRoleManagementPolicySubjectSet
+{
+ [Write, Description("The type of the subject set.")] String odataType;
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_AADRoleManagementPolicyApprovalStage
+{
+ [Write, Description("The number of days that a request can be pending a response before it is automatically denied.")] UInt32 approvalStageTimeOutInDays;
+ [Write, Description("The time a request can be pending a response from a primary approver before it can be escalated to the escalation approvers.")] UInt32 escalationTimeInMinutes;
+ [Write, Description("Indicates whether the approver must provide justification for their reponse.")] Boolean isApproverJustificationRequired;
+ [Write, Description("Indicates whether escalation if enabled.")] Boolean isEscalationEnabled;
+ [Write, Description("The escalation approvers for this stage when the primary approvers don't respond."), EmbeddedInstance("MSFT_AADRoleManagementPolicySubjectSet")] String escalationApprovers[];
+ [Write, Description("The primary approvers of this stage."), EmbeddedInstance("MSFT_AADRoleManagementPolicySubjectSet")] String primaryApprovers[];
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_AADRoleManagementPolicyApprovalSettings
+{
+ [Write, Description("One of SingleStage, Serial, Parallel, NoApproval (default). NoApproval is used when isApprovalRequired is false.")] String approvalMode;
+ [Write, Description("If approval is required, the one or two elements of this collection define each of the stages of approval. An empty array if no approval is required."), EmbeddedInstance("MSFT_AADRoleManagementPolicyApprovalStage")] String approvalStages[];
+ [Write, Description("Indicates whether approval is required for requests in this policy.")] Boolean isApprovalRequired;
+ [Write, Description("Indicates whether approval is required for a user to extend their assignment.")] Boolean isApprovalRequiredForExtension;
+ [Write, Description("Indicates whether the requestor is required to supply a justification in their request.")] Boolean isRequestorJustificationRequired;
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_AADRoleManagementPolicyApprovalRule
+{
+ [Write, Description("Settings for approval requirements."), EmbeddedInstance("MSFT_AADRoleManagementPolicyApprovalSettings")] String setting;
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_AADRoleManagementPolicyAuthenticationContextRule
+{
+ [Write, Description("Indicates if the authentication context rule is enabled.")] Boolean isEnabled;
+ [Write, Description("Claim value associated with the rule.")] String claimValue;
+};
+
+
+[ClassVersion("1.0.0.0"), FriendlyName("AADRoleManagementPolicyRule")]
+class MSFT_AADRoleManagementPolicyRule : OMI_BaseResource
+{
+ [Key, Description("The unique identifier for an entity. Read-only.")] String id;
+ [Key, Description("Role display name.")] String roleDisplayName;
+ [Write, Description("Rule Type.")] String ruleType;
+ [Write, Description("Policy Id.")] String policyId;
+ [Write, Description("Expiration Rule."), EmbeddedInstance("MSFT_AADRoleManagementPolicyExpirationRule")] String expirationRule;
+ [Write, Description("Notification Rule."), EmbeddedInstance("MSFT_AADRoleManagementPolicyNotificationRule")] String notificationRule;
+ [Write, Description("Enablement Rule."), EmbeddedInstance("MSFT_AADRoleManagementPolicyEnablementRule")] String enablementRule;
+ [Write, Description("Approval Rule."), EmbeddedInstance("MSFT_AADRoleManagementPolicyApprovalRule")] String approvalRule;
+ [Write, Description("Authentication Context Rule."), EmbeddedInstance("MSFT_AADRoleManagementPolicyAuthenticationContextRule")] String authenticationContextRule;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/readme.md
new file mode 100644
index 0000000000..dffb72ce80
--- /dev/null
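Review bot: `MSFT_AADRoleManagementPolicySubjectSet` has `odataType` as its only property, so an approval stage in a configuration can state what kind of approver it has but not which user or group that is. Get-M365DSCRoleManagementPolicyRuleObject in the module added by this diff likewise copies only the `@odata.type` of each entry in `primaryApprovers` and `escalationApprovers`, so approver identities are dropped on read and presumably cannot be enforced or compared through `approvalRule`. If that limitation is intended, the class description should say it, for example `Description("The type of the subject set. Approver identities are not managed by this resource.")`. Otherwise the class needs a property for the subject's identifier (Graph subject-set types carry one, such as `userId` or `groupId`) and the module needs to map it in both directions.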
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/readme.md
@@ -0,0 +1,6 @@
+
+# AADRoleManagementPolicyRule
+
+## Description
+
+Azure AD Role Management Policy Rule
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/settings.json
new file mode 100644
index 0000000000..c9d3df95e9
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/settings.json
@@ -0,0 +1,51 @@
+{
+ "resourceName": "AADRoleManagementPolicyRule",
+ "description": "This resource configures an Azure AD Role Management Policy Rule.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "RoleManagementPolicy.Read.Directory"
+ },
+ {
+ "name": "RoleManagement.Read.Directory"
+ },
+ {
+ "name": "RoleManagement.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "RoleManagementPolicy.ReadWrite.Directory"
+ },
+ {
+ "name": "RoleManagement.ReadWrite.Directory"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "RoleManagementPolicy.Read.Directory"
+ },
+ {
+ "name": "RoleManagement.Read.Directory"
+ },
+ {
+ "name": "RoleManagement.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "RoleManagementPolicy.ReadWrite.Directory"
+ },
+ {
+ "name": "RoleManagement.ReadWrite.Directory"
+ }
+ ]
+ }
+ }
+ }
+}
+
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1
index 5640892910..736076e5bd 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1
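Review bot: The new settings.json for AADRoleManagementPolicyRule ends with a second closing brace after the root object has already been closed (a `}` line, a blank line, then another `}`), so the file as shown is not valid JSON. The AADRemoteNetwork settings.json added earlier in this diff stops after the single root `}`. Anything that parses this file to work out which Graph permissions the resource needs would presumably fail or skip it, so the last two added lines of the hunk should be removed.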
@@ -32,6 +32,10 @@ function Get-TargetResource [System.Boolean] $AppRoleAssignmentRequired, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomSecurityAttributes, + [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $DelegatedPermissionClassifications, @@ -48,10 +52,18 @@ function Get-TargetResource [System.String] $LogoutUrl, + [Parameter()] + [System.String] + $Notes, + [Parameter()] [System.String[]] $Owners, + [Parameter()] + [System.String] + $PreferredSingleSignOnMode, + [Parameter()] [System.String] $PublisherName, @@ -76,6 +88,14 @@ function Get-TargetResource [System.String[]] $Tags, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $KeyCredentials, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $PasswordCredentials, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] @@ -217,7 +237,8 @@ function Get-TargetResource } [Array]$complexDelegatedPermissionClassifications = @() - $permissionClassifications = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$AppId')/delegatedPermissionClassifications" -Method Get + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/servicePrincipals/$($AADServicePrincipal.Id)/delegatedPermissionClassifications" + $permissionClassifications = Invoke-MgGraphRequest -Uri $Uri -Method Get foreach ($permissionClassification in $permissionClassifications.Value){ $hashtable = @{ classification = $permissionClassification.Classification 
@@ -226,25 +247,89 @@ function Get-TargetResource $complexDelegatedPermissionClassifications += $hashtable } + $complexKeyCredentials = @() + foreach ($currentkeyCredentials in $AADServicePrincipal.keyCredentials) + { + $mykeyCredentials = @{} + if($null -ne $currentkeyCredentials.customKeyIdentifier) + { + $mykeyCredentials.Add('CustomKeyIdentifier', [convert]::ToBase64String($currentkeyCredentials.customKeyIdentifier)) + } + $mykeyCredentials.Add('DisplayName', $currentkeyCredentials.displayName) + if ($null -ne $currentkeyCredentials.endDateTime) + { + $mykeyCredentials.Add('EndDateTime', ([DateTimeOffset]$currentkeyCredentials.endDateTime).ToString('o')) + } + $mykeyCredentials.Add('KeyId', $currentkeyCredentials.keyId) + + + if($null -ne $currentkeyCredentials.Key) + { + $mykeyCredentials.Add('Key', [convert]::ToBase64String($currentkeyCredentials.key)) + } + + if ($null -ne $currentkeyCredentials.startDateTime) + { + $mykeyCredentials.Add('StartDateTime', ([DateTimeOffset]$currentkeyCredentials.startDateTime).ToString('o')) + } + $mykeyCredentials.Add('Type', $currentkeyCredentials.type) + $mykeyCredentials.Add('Usage', $currentkeyCredentials.usage) + if ($mykeyCredentials.values.Where({$null -ne $_}).Count -gt 0) + { + $complexKeyCredentials += $mykeyCredentials + } + } + + $complexPasswordCredentials = @() + foreach ($currentpasswordCredentials in $AADServicePrincipal.passwordCredentials) + { + $mypasswordCredentials = @{} + $mypasswordCredentials.Add('DisplayName', $currentpasswordCredentials.displayName) + if ($null -ne $currentpasswordCredentials.endDateTime) + { + $mypasswordCredentials.Add('EndDateTime', ([DateTimeOffset]$currentpasswordCredentials.endDateTime).ToString('o')) + } + $mypasswordCredentials.Add('Hint', $currentpasswordCredentials.hint) + $mypasswordCredentials.Add('KeyId', $currentpasswordCredentials.keyId) + if ($null -ne $currentpasswordCredentials.startDateTime) + { + $mypasswordCredentials.Add('StartDateTime', 
([DateTimeOffset]$currentpasswordCredentials.startDateTime).ToString('o')) + } + if ($mypasswordCredentials.values.Where({$null -ne $_}).Count -gt 0) + { + $complexPasswordCredentials += $mypasswordCredentials + } + } + + $complexCustomSecurityAttributes = [Array](Get-CustomSecurityAttributes -ServicePrincipalId $AADServicePrincipal.Id) + if ($null -eq $complexCustomSecurityAttributes) { + $complexCustomSecurityAttributes = @() + } + $result = @{ - AppId = $AADServicePrincipal.AppId + AppId = $appInstance.DisplayName AppRoleAssignedTo = $AppRoleAssignedToValues ObjectID = $AADServicePrincipal.Id DisplayName = $AADServicePrincipal.DisplayName AlternativeNames = $AADServicePrincipal.AlternativeNames AccountEnabled = [boolean]$AADServicePrincipal.AccountEnabled AppRoleAssignmentRequired = $AADServicePrincipal.AppRoleAssignmentRequired + CustomSecurityAttributes = $complexCustomSecurityAttributes DelegatedPermissionClassifications = [Array]$complexDelegatedPermissionClassifications ErrorUrl = $AADServicePrincipal.ErrorUrl Homepage = $AADServicePrincipal.Homepage LogoutUrl = $AADServicePrincipal.LogoutUrl + Notes = $AADServicePrincipal.Notes Owners = $ownersValues + PreferredSingleSignOnMode = $AADServicePrincipal.PreferredSingleSignOnMode PublisherName = $AADServicePrincipal.PublisherName ReplyURLs = $AADServicePrincipal.ReplyURLs SamlMetadataURL = $AADServicePrincipal.SamlMetadataURL ServicePrincipalNames = $AADServicePrincipal.ServicePrincipalNames ServicePrincipalType = $AADServicePrincipal.ServicePrincipalType Tags = $AADServicePrincipal.Tags + KeyCredentials = $complexKeyCredentials + PasswordCredentials = $complexPasswordCredentials Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId 
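Review bot: `$result` now carries credential data for every service principal: `Key` (Base64 of the key bytes whenever Graph returns them) and `Hint`, which the schema in this commit describes as the first three characters of the password. Both reach anything that prints or serialises the Get-TargetResource result, including the Export-TargetResource hunk below that writes KeyCredentials and PasswordCredentials into the generated configuration. Consider leaving `Key` and `Hint` out of the returned hashtables, or add a comment stating why they are safe to persist. Also, `AppId = $appInstance.DisplayName` replaces the application id with a display name and `$appInstance` is not assigned anywhere in this hunk, so confirm it is always set before this point.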
@@ -304,6 +389,10 @@ function Set-TargetResource [System.Boolean] $AppRoleAssignmentRequired, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomSecurityAttributes, + [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $DelegatedPermissionClassifications, @@ -320,10 +409,18 @@ function Set-TargetResource [System.String] $LogoutUrl, + [Parameter()] + [System.String] + $Notes, + [Parameter()] [System.String[]] $Owners, + [Parameter()] + [System.String] + $PreferredSingleSignOnMode, + [Parameter()] [System.String] $PublisherName, @@ -348,6 +445,14 @@ function Set-TargetResource [System.String[]] $Tags, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $KeyCredentials, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $PasswordCredentials, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] 
@@ -409,13 +514,21 @@ function Set-TargetResource $currentParameters.Remove('ObjectID') | Out-Null $currentParameters.Remove('ApplicationSecret') | Out-Null $currentParameters.Remove('AccessTokens') | Out-Null + $currentParameters.Remove('Owners') | Out-Null + + # update the custom security attributes to be cmdlet comsumable + if ($null -ne $currentParameters.CustomSecurityAttributes -and $currentParameters.CustomSecurityAttributes -gt 0) { + $currentParameters.CustomSecurityAttributes = Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsCmdletHashtable -CustomSecurityAttributes $currentParameters.CustomSecurityAttributes + } else { + $currentParameters.Remove('CustomSecurityAttributes') + } # ServicePrincipal should exist but it doesn't if ($Ensure -eq 'Present' -and $currentAADServicePrincipal.Ensure -eq 'Absent') { if ($null -ne $AppRoleAssignedTo) { - $currentParameters.AppRoleAssignedTo = $AppRoleAssignedToValue + $currentParameters.AppRoleAssignedTo = $AppRoleAssignedToValues } # removing Delegated permission classifications from this new call, as adding below separately $currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null 
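Review bot: `$currentParameters.CustomSecurityAttributes -gt 0` compares the collection itself with 0 rather than its size; on an array `-gt` filters elements instead of returning a boolean, so the branch likely does not behave as intended. The condition should read `if ($null -ne $currentParameters.CustomSecurityAttributes -and $currentParameters.CustomSecurityAttributes.Count -gt 0)`. The `else` branch's `$currentParameters.Remove('CustomSecurityAttributes')` also lacks the `| Out-Null` used by the neighbouring Remove calls, and the comment has a typo (`comsumable`). Set-TargetResource's body starts and ends outside the hunk.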
@@ -435,20 +548,21 @@ function Set-TargetResource { $userInfo = Get-MgUser -UserId $owner $body = @{ - '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($userInfo.Id)" + '@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/directoryObjects/$($userInfo.Id)" } Write-Verbose -Message "Adding new owner {$owner}" $newOwner = New-MgServicePrincipalOwnerByRef -ServicePrincipalId $newSP.Id -BodyParameter $body } - #adding delegated permissions classifications + # Adding delegated permissions classifications if($null -ne $DelegatedPermissionClassifications){ foreach ($permissionClassification in $DelegatedPermissionClassifications){ $params = @{ classification = $permissionClassification.Classification permissionName = $permissionClassification.permissionName } - Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" -Method Post -Body $params + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" + Invoke-MgGraphRequest -Uri $Uri -Method Post -Body $params } } } 
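Review bot: The POST here still addresses the service principal as `servicePrincipals(appId='$($currentParameters.AppId)')`, while Get-TargetResource in this commit switched to the object id and now returns `AppId = $appInstance.DisplayName`. If `AppId` can be supplied as a display name, this alternate-key URL will not resolve; the same applies to the beta PATCH and to the delegatedPermissionClassifications GET, DELETE and POST in the later Set-TargetResource hunks. Using the object id that is already at hand would avoid the ambiguity, for example `"v1.0/servicePrincipals/$($newSP.Id)/delegatedPermissionClassifications"` here and `$currentAADServicePrincipal.ObjectID` in the update path.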
@@ -465,10 +579,31 @@ function Set-TargetResource Write-Verbose -Message "CurrentParameters: $($currentParameters | Out-String)" Write-Verbose -Message "ServicePrincipalID: $($currentAADServicePrincipal.ObjectID)" $currentParameters.Remove('AppRoleAssignedTo') | Out-Null - $currentParameters.Remove('Owners') | Out-Null $currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null + + if ($PreferredSingleSignOnMode -eq 'saml') + { + $IdentifierUris = $ServicePrincipalNames | Where-Object { $_ -notmatch $AppId } + $currentParameters.Remove('ServicePrincipalNames') + } + + #removing the current custom security attributes + if ($currentAADServicePrincipal.CustomSecurityAttributes.Count -gt 0) { + $currentAADServicePrincipal.CustomSecurityAttributes = Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsCmdletHashtable -CustomSecurityAttributes $currentAADServicePrincipal.CustomSecurityAttributes -GetForDelete $true + $CSAParams = @{ + customSecurityAttributes = $currentAADServicePrincipal.CustomSecurityAttributes + } + Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/servicePrincipals(appId='$($currentParameters.AppId)')" -Method Patch -Body $CSAParams + } + Update-MgServicePrincipal -ServicePrincipalId $currentAADServicePrincipal.ObjectID @currentParameters + if ($IdentifierUris) + { + Write-Verbose -Message "Updating the Application ID Uri on the application instance." + $appInstance = Get-MgApplication -Filter "AppId eq '$AppId'" + Update-MgApplication -ApplicationId $appInstance.Id -IdentifierUris $IdentifierUris + } if ($AppRoleAssignedTo) { [Array]$currentPrincipals = $currentAADServicePrincipal.AppRoleAssignedTo.Identity 
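Review bot: In the added `Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/servicePrincipals(...)" -Method Patch` call the `+` is parsed in command-argument mode, so `-Uri` receives only `ResourceUrl` and the `+` and the path string are passed as separate arguments; wrap the concatenation in parentheses, `-Uri ($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/servicePrincipals(appId='$($currentParameters.AppId)')")`, or assign it to `$Uri` first as the other hunks do. Get-CustomSecurityAttributes, added later in this file's diff, has the same unparenthesised `-Uri` expression. Separately, the existing custom security attributes are nulled before `Update-MgServicePrincipal` runs, so a failed update leaves the service principal without attributes that may be used for access decisions; handling both calls in one try/catch that reports the removed set would make that visible. `Where-Object { $_ -notmatch $AppId }` also treats `$AppId` as a regular expression, which `[regex]::Escape($AppId)` would avoid.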
@@ -566,7 +701,7 @@ function Set-TargetResource if ($diff.SideIndicator -eq '=>') { $body = @{ - '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($userInfo.Id)" + '@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/directoryObjects/$($userInfo.Id)" } Write-Verbose -Message "Adding owner {$($userInfo.Id)}" New-MgServicePrincipalOwnerByRef -ServicePrincipalId $currentAADServicePrincipal.ObjectId ` @@ -585,9 +720,10 @@ function Set-TargetResource if ($null -ne $DelegatedPermissionClassifications) { # removing old perm classifications - $permissionClassificationList = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" -Method Get + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" + $permissionClassificationList = Invoke-MgGraphRequest -Uri $Uri -Method Get foreach($permissionClassification in $permissionClassificationList.Value){ - Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications/$($permissionClassification.Id)" -Method Delete + Invoke-MgGraphRequest -Uri "$($Uri)/$($permissionClassification.Id)" -Method Delete } # adding new perm classifications @@ -596,7 +732,7 @@ function Set-TargetResource classification = $permissionClassification.Classification permissionName = $permissionClassification.permissionName } - Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" -Method Post -Body $params + Invoke-MgGraphRequest -Uri $Uri -Method Post -Body $params } } } 
@@ -642,6 +778,10 @@ function Test-TargetResource [System.Boolean] $AppRoleAssignmentRequired, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomSecurityAttributes, + [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $DelegatedPermissionClassifications, @@ -658,10 +798,18 @@ function Test-TargetResource [System.String] $LogoutUrl, + [Parameter()] + [System.String] + $Notes, + [Parameter()] [System.String[]] $Owners, + [Parameter()] + [System.String] + $PreferredSingleSignOnMode, + [Parameter()] [System.String] $PublisherName, @@ -686,6 +834,14 @@ function Test-TargetResource [System.String[]] $Tags, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $KeyCredentials, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $PasswordCredentials, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] @@ -743,6 +899,7 @@ function Test-TargetResource { $source = $PSBoundParameters.$key $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') { $testResult = Compare-M365DSCComplexObject ` @@ -815,6 +972,7 @@ function Export-TargetResource [Parameter()] [System.String[]] $AccessTokens + ) $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters 
@@ -873,6 +1031,38 @@ function Export-TargetResource { $Results.DelegatedPermissionClassifications = Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications -PermissionClassifications $Results.DelegatedPermissionClassifications } + if ($null -ne $Results.KeyCredentials) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.KeyCredentials ` + -CIMInstanceName 'MicrosoftGraphkeyCredential' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.KeyCredentials = $complexTypeStringResult + } + else + { + $Results.Remove('KeyCredentials') | Out-Null + } + } + if ($null -ne $Results.PasswordCredentials) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.PasswordCredentials ` + -CIMInstanceName 'MicrosoftGraphpasswordCredential' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.PasswordCredentials = $complexTypeStringResult + } + else + { + $Results.Remove('PasswordCredentials') | Out-Null + } + } + if ($Results.CustomSecurityAttributes.Count -gt 0) + { + $Results.CustomSecurityAttributes = Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsString -CustomSecurityAttributes $Results.CustomSecurityAttributes + } $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` 
@@ -888,6 +1078,24 @@ function Export-TargetResource $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` -ParameterName 'DelegatedPermissionClassifications' } + if ($null -ne $Results.KeyCredentials) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName "KeyCredentials" -IsCIMArray:$True + } + + if ($null -ne $Results.PasswordCredentials) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName "PasswordCredentials" -IsCIMArray:$True + } + + if ($null -ne $Results.CustomSecurityAttributes) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'CustomSecurityAttributes' + } + $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName 
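Review bot: The guard `if ($null -ne $Results.CustomSecurityAttributes)` does not match the conversion guard in the previous hunk, which only stringifies the value when `.Count -gt 0`. Get-TargetResource returns `@()` when there are no attributes, so this branch would call Convert-DSCStringParamToVariable on a value that was never converted to a string; what that helper does with it is not visible here. Using the same test in both places, `if ($Results.CustomSecurityAttributes.Count -gt 0)`, or removing the key when it is empty as the KeyCredentials branch does, keeps the two steps in agreement.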
@@ -912,6 +1120,195 @@ function Export-TargetResource } } +function Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsCmdletHashtable +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $CustomSecurityAttributes, + + [Parameter()] + [System.Boolean] + $GetForDelete = $false + ) + + # logic to update the custom security attributes to be cmdlet comsumable + $updatedCustomSecurityAttributes = @{} + foreach ($attributeSet in $CustomSecurityAttributes) { + $attributeSetKey = $attributeSet.AttributeSetName + + $valuesHashtable = @{} + $valuesHashtable.Add('@odata.type', '#Microsoft.DirectoryServices.CustomSecurityAttributeValue') + foreach ($attribute in $attributeSet.AttributeValues) { + $attributeKey = $attribute.AttributeName + # supply attributeName = $null in the body, if you want to delete this attribute + if ($GetForDelete -eq $true) { + $valuesHashtable.Add($attributeKey, $null) + continue + } + + $odataKey = $attributeKey + '@odata.type' + + if ($null -ne $attribute.StringArrayValue) { + $valuesHashtable.Add($odataKey, "#Collection(String)") + $attributeValue = $attribute.StringArrayValue + } + elseif ($null -ne $attribute.IntArrayValue) { + $valuesHashtable.Add($odataKey, "#Collection(Int32)") + $attributeValue = $attribute.IntArrayValue + } + elseif ($null -ne $attribute.StringValue) { + $valuesHashtable.Add($odataKey, "#String") + $attributeValue = $attribute.StringValue + } + elseif ($null -ne $attribute.IntValue) { + $valuesHashtable.Add($odataKey, "#Int32") + $attributeValue = $attribute.IntValue + } + elseif ($null -ne $attribute.BoolValue) { + $attributeValue = $attribute.BoolValue + } + + $valuesHashtable.Add($attributeKey, $attributeValue) + } + $updatedCustomSecurityAttributes.Add($attributeSetKey, $valuesHashtable) + } + return $updatedCustomSecurityAttributes +} + +# Function to create MSFT_AttributeValue +function Create-AttributeValue { + param ( + 
[string]$AttributeName, + [object]$Value + ) + + $attributeValue = @{ + AttributeName = $AttributeName + StringArrayValue = $null + IntArrayValue = $null + StringValue = $null + IntValue = $null + BoolValue = $null + } + + # Handle different types of values + if ($Value -is [string]) { + $attributeValue.StringValue = $Value + } + elseif ($Value -is [System.Int32] -or $Value -is [System.Int64]) { + $attributeValue.IntValue = $Value + } + elseif ($Value -is [bool]) { + $attributeValue.BoolValue = $Value + } + elseif ($Value -is [array]) { + if ($Value[0] -is [string]) { + $attributeValue.StringArrayValue = $Value + } + elseif ($Value[0] -is [System.Int32] -or $Value[0] -is [System.Int64]) { + $attributeValue.IntArrayValue = $Value + } + } + + return $attributeValue +} + + +function Get-CustomSecurityAttributes { + [OutputType([System.Array])] + param ( + [String]$ServicePrincipalId + ) + + $customSecurityAttributes = Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/servicePrincipals/$($ServicePrincipalId)`?`$select=customSecurityAttributes" -Method Get + $customSecurityAttributes = $customSecurityAttributes.customSecurityAttributes + $newCustomSecurityAttributes = @() + + foreach ($key in $customSecurityAttributes.Keys) { + $attributeSet = @{ + AttributeSetName = $key + AttributeValues = @() + } + + foreach ($attribute in $customSecurityAttributes[$key].Keys) { + # Skip properties that end with '@odata.type' + if ($attribute -like "*@odata.type") { + continue + } + + $value = $customSecurityAttributes[$key][$attribute] + $attributeName = $attribute # Keep the attribute name as it is + + # Create the attribute value and add it to the set + $attributeSet.AttributeValues += Create-AttributeValue -AttributeName $attributeName -Value $value + } + + #Add the attribute set to the final structure + $newCustomSecurityAttributes += $attributeSet + } + + # Display the new structure + return [Array]$newCustomSecurityAttributes 
+} + +function Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $CustomSecurityAttributes + ) + + $StringContent = "@(`r`n" + foreach ($customSecurityAttribute in $CustomSecurityAttributes) + { + $StringContent += " MSFT_AADServicePrincipalAttributeSet {`r`n" + $StringContent += " AttributeSetName = '" + $customSecurityAttribute.AttributeSetName + "'`r`n" + if ($customSecurityAttribute.AttributeValues.Length -gt 0) + { + $StringContent += " AttributeValues = @(`r`n" + foreach ($attributeValue in $customSecurityAttribute.AttributeValues) + { + $StringContent += " MSFT_AADServicePrincipalAttributeValue {`r`n" + $StringContent += " AttributeName = '" + $attributeValue.AttributeName + "'`r`n" + if ($null -ne $attributeValue.BoolValue){ + $StringContent += " BoolValue = $" + $attributeValue.BoolValue + "`r`n" + } + elseif ($null -ne $attributeValue.StringValue){ + $StringContent += " StringValue = '" + $attributeValue.StringValue + "'`r`n" + } + elseif ($null -ne $attributeValue.IntValue){ + $StringContent += " IntValue = " + $attributeValue.IntValue + "`r`n" + } + elseif ($null -ne $attributeValue.StringArrayValue){ + $StringContent += " StringArrayValue = @(" + $StringContent += ($attributeValue.StringArrayValue | ForEach-Object { "'$_'" }) -join "," + $StringContent += ")`r`n" + } + elseif ($null -ne $attributeValue.IntArrayValue){ + $StringContent += " IntArrayValue = @(" + $StringContent += $attributeValue.IntArrayValue -join "," + $StringContent += ")`r`n" + } + $StringContent += " }`r`n" + } + $StringContent += " )`r`n" + } + else + { + $StringContent += " AttributeValues = @()`r`n" + } + $StringContent += " }`r`n" + } + $StringContent += ' )' + return $StringContent +} + function Get-M365DSCAzureADServicePrincipalAssignmentAsString { [CmdletBinding()] 
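Review bot: Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsString places values read from the tenant between single quotes without escaping (`AttributeSetName`, `AttributeName`, `StringValue` and each `StringArrayValue` element), so a value containing `'` yields a broken or altered configuration script when the export is later run. Doubling the quote before concatenation fixes this, for example `$attributeValue.StringValue.Replace("'", "''")` and `"'$($_.Replace("'", "''"))'"` inside the ForEach-Object. In Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsCmdletHashtable, `$attributeValue` is not reset inside the inner loop, so an attribute with no populated value field reuses the previous attribute's value; add `$attributeValue = $null` at the top of each iteration. `Create-AttributeValue` also indexes `$Value[0]` without checking for an empty array.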
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof index 717b2e569f..72a4d26390 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof @@ -12,6 +12,24 @@ class MSFT_AADServicePrincipalDelegatedPermissionClassification [Write, Description("Name of the permission")] String PermissionName; }; +[ClassVersion("1.0.0")] +class MSFT_AADServicePrincipalAttributeValue +{ + [Write, Description("Name of the Attribute")] String AttributeName; + [Write, Description("If the attribute has a string array value")] String StringArrayValue[]; + [Write, Description("If the attribute has a int array value")] UInt32 IntArrayValue[]; + [Write, Description("If the attribute has a string value")] String StringValue; + [Write, Description("If the attribute has a int value")] UInt32 IntValue; + [Write, Description("If the attribute has a boolean value")] Boolean BoolValue; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADServicePrincipalAttributeSet +{ + [Write, Description("Attribute Set Name.")] String AttributeSetName; + [Write, Description("List of attribute values."), EmbeddedInstance("MSFT_AADServicePrincipalAttributeValue")] String AttributeValues[]; +}; + [ClassVersion("1.0.0.0"), FriendlyName("AADServicePrincipal")] class MSFT_AADServicePrincipal : OMI_BaseResource { 
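Review bot: `IntValue` and `IntArrayValue` are declared `UInt32`, but the module code in this commit sends them to Graph as `#Int32` and `#Collection(Int32)`, so negative values cannot be expressed in a configuration. Declaring them signed would match, e.g. `[Write, Description("If the attribute has a int value")] SInt32 IntValue;` and `SInt32 IntArrayValue[];`. The descriptions could also state that exactly one value field is expected per attribute, since the code uses the first non-null one.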
@@ -25,14 +43,17 @@ class MSFT_AADServicePrincipal : OMI_BaseResource [Write, Description("Specifies the error URL of the ServicePrincipal.")] String ErrorUrl; [Write, Description("Specifies the homepage of the ServicePrincipal.")] String Homepage; [Write, Description("Specifies the LogoutURL of the ServicePrincipal.")] String LogoutUrl; + [Write, Description("Notes associated with the ServicePrincipal.")] String Notes; [Write, Description("Specifies the PublisherName of the ServicePrincipal.")] String PublisherName; [Write, Description("List of the owners of the service principal.")] String Owners[]; + [Write, Description("Specifies the signle sign-on mode configured for this application.")] String PreferredSingleSignOnMode; [Write, Description("The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application.")] String ReplyUrls[]; [Write, Description("The URL for the SAML metadata of the ServicePrincipal.")] String SamlMetadataUrl; [Write, Description("Specifies an array of service principal names. 
Based on the identifierURIs collection, plus the application's appId property, these URIs are used to reference an application's service principal.")] String ServicePrincipalNames[]; [Write, Description("The type of the service principal.")] String ServicePrincipalType; [Write, Description("Tags linked to this service principal.Note that if you intend for this service principal to show up in the All Applications list in the admin portal, you need to set this value to {WindowsAzureActiveDirectoryIntegratedApp}")] String Tags[]; [Write, Description("The permission classifications for delegated permissions exposed by the app that this service principal represents."), EmbeddedInstance("MSFT_AADServicePrincipalDelegatedPermissionClassification")] String DelegatedPermissionClassifications[]; + [Write, Description("The list of custom security attributes attached to this SPN"), EmbeddedInstance("MSFT_AADServicePrincipalAttributeSet")] String CustomSecurityAttributes[]; [Write, Description("Specify if the Azure AD App should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; 
@@ -42,4 +63,29 @@ class MSFT_AADServicePrincipal : OMI_BaseResource [Write, Description("Credentials of the Azure AD Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; [Write, Description("Access token used for authentication.")] String AccessTokens[]; + [Write, Description("The collection of password credentials associated with the service principal. Not nullable."), EmbeddedInstance("MSFT_MicrosoftGraphpasswordCredential")] String PasswordCredentials[]; + [Write, Description("The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, NOT, ge, le)."), EmbeddedInstance("MSFT_MicrosoftGraphkeyCredential")] String KeyCredentials[]; +}; + +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphKeyCredential +{ + [Write, Description("A 40-character binary type that can be used to identify the credential. Optional. When not provided in the payload, defaults to the thumbprint of the certificate.")] String CustomKeyIdentifier; + [Write, Description("Friendly name for the key. Optional.")] String DisplayName; + [Write, Description("The date and time at which the credential expires. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.")] String EndDateTime; + [Write, Description("The unique identifier (GUID) for the key.")] String KeyId; + [Write, Description("The certificate's raw data in byte array converted to Base64 string.")] String Key; + [Write, Description("The date and time at which the credential becomes valid.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. 
For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.")] String StartDateTime; + [Write, Description("The type of key credential for example, Symmetric, AsymmetricX509Cert.")] String Type; + [Write, Description("A string that describes the purpose for which the key can be used for example, Verify.")] String Usage; +}; + +[ClassVersion("1.0.0")] +class MSFT_MicrosoftGraphPasswordCredential +{ + [Write, Description("Friendly name for the password. Optional.")] String DisplayName; + [Write, Description("The date and time at which the password expires represented using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Optional.")] String EndDateTime; + [Write, Description("Contains the first three characters of the password. Read-only.")] String Hint; + [Write, Description("The unique identifier for the password.")] String KeyId; + [Write, Description("The date and time at which the password becomes valid. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Optional.")] String StartDateTime; }; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/settings.json index 18de6335a5..858c10b94f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADSocialIdentityProvider/settings.json @@ -13,8 +13,14 @@ "graph": { "delegated": { "read": [ + { + "name": "IdentityProvider.Read.All" + } ], "update": [ + { + "name": "IdentityProvider.ReadWrite.All" + } ] }, "application": { 
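Review bot: `PasswordCredentials` and `KeyCredentials` are declared `[Write]`, yet `Hint` is described as read-only and the visible Set-TargetResource hunks in this commit show no handling of either property before `@currentParameters` is splatted into `Update-MgServicePrincipal`. If they are meant to be reported only, say so in the descriptions (for example `"... Returned for reporting; not applied by the resource."`) and strip them in Set-TargetResource. If they are meant to be applied, the description of `Key` should note that key material placed in a configuration ends up in the compiled MOF.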
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/MSFT_AADUserFlowAttribute.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/MSFT_AADUserFlowAttribute.psm1
new file mode 100644
index 0000000000..fe59ebd78f
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/MSFT_AADUserFlowAttribute.psm1
@@ -0,0 +1,444 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DataType, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + Write-Verbose -Message "Getting configuration of user flow attribute: $DisplayName" + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + Write-Verbose -Message 'Getting configuration of user flow attribute' + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullReturn = $PSBoundParameters + $nullReturn.Ensure = 'Absent' + + $userFlowAttribute = $null + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $userFlowAttribute = $Script:exportedInstances | Where-Object -FilterScript { $_.Id -eq $Id } + } + elseif (-not [System.String]::IsNullOrEmpty($Id)) + { + $UserFlowAttribute = Get-MgBetaIdentityUserFlowAttribute -IdentityUserFlowAttributeId $Id -ErrorAction SilentlyContinue + } + + if ($null -eq $UserFlowAttribute -and -not [System.String]::IsNullOrEmpty($DisplayName)) + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $UserFlowAttribute = $Script:exportedInstances | Where-Object -FilterScript { $_.DisplayName -eq $DisplayName } + } + else + { + $UserFlowAttribute = Get-MgBetaIdentityUserFlowAttribute -Filter "displayName eq '$DisplayName'" + } + } + + if ($null -eq $UserFlowAttribute) + { + return $nullReturn + } + try + { + Write-Verbose -Message "Found configuration of user flow attribute $($DisplayName)" + $result = @{ + Id = $UserFlowAttribute.Id + DisplayName = $UserFlowAttribute.DisplayName + Description = $UserFlowAttribute.Description + DataType = $UserFlowAttribute.DataType + Ensure = 'Present' + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + Credential = $Credential + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + Write-Verbose -Message "Get-TargetResource Result: `n $(Convert-M365DscHashtableToString -Hashtable $result)" + return $result + } + catch + { + New-M365DSCLogEntry 
-Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullReturn + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DataType, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + Write-Verbose -Message "Setting configuration of user flow attribute: $DisplayName" + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentUserFlowAttribute = Get-TargetResource @PSBoundParameters + + # doesn't exist but it should + if ($Ensure -eq 'Present' -and $currentUserFlowAttribute.Ensure -eq 'Absent') + { + Write-Verbose -Message "The user flow attribute '$($DisplayName)' does not exist but it should. Creating it." 
+ + try + { + New-MgBetaIdentityUserFlowAttribute -DataType $DataType -Description $Description -DisplayName $DisplayName + } + catch + { + Write-Error -ErrorRecord $_ + } + } + #exists but shouldn't + elseif ($Ensure -eq 'Absent' -and $currentUserFlowAttribute.Ensure -eq 'Present') + { + Write-Verbose -Message "User flow attribute '$($DisplayName)' exists but shouldn't. Removing it." + Remove-MgBetaIdentityUserFlowAttribute -IdentityUserFlowAttributeId $Id + } + elseif ($Ensure -eq 'Present' -and $currentUserFlowAttribute.Ensure -eq 'Present') + { + Write-Verbose -Message "User flow attribute '$($DisplayNameName)' already exists. Updating settings" + + if ($currentUserFlowAttribute.DisplayName -ne $DisplayName -or $currentUserFlowAttribute.DataType -ne $DataType) + { + Write-Warning -Message "There is a deviation in display name and data type for the resource with ID '$($Id)' but these values are not settable so cannot update them." + } + + Write-Verbose -Message "Updating description of user flow attribute with display name '$($DisplayName)'" + Update-MgBetaIdentityUserFlowAttribute -IdentityUserFlowAttributeId $Id -Description $Description + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DataType, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + 
$AccessTokens + ) + $Script:ExportMode = $false + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of User flow attribute : $DisplayName" + + $CurrentValues = Get-TargetResource @PSBoundParameters + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + $ValuesToCheck = $PSBoundParameters + + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $TestResult" + + return $TestResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaIdentityUserFlowAttribute -Filter "userFlowAttributeType ne 'builtIn'" -Sort DisplayName -ErrorAction Stop + $i = 1 + $dscContent = '' + Write-Host "`r`n" -NoNewline + foreach ($userFlowAttribute in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $($userFlowAttribute.DisplayName)" -NoNewline + $Params = @{ + Id = $userFlowAttribute.Id + DisplayName = $userFlowAttribute.DisplayName + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + ApplicationSecret = $ApplicationSecret + Credential = $Credential + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + + if ($Results.Ensure -eq 'Present') + { + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + } + Write-Host $Global:M365DSCEmojiGreenCheckMark + $i++ + } + return $dscContent + } + + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source 
$($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/MSFT_AADUserFlowAttribute.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/MSFT_AADUserFlowAttribute.schema.mof new file mode 100644 index 0000000000..85ea343f0a --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/MSFT_AADUserFlowAttribute.schema.mof 
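Review bot: In Set-TargetResource the remove and update branches pass the caller's `$Id` to `Remove-MgBetaIdentityUserFlowAttribute` and `Update-MgBetaIdentityUserFlowAttribute`, but `Id` is optional and Get-TargetResource falls back to a display-name lookup when the Id is empty or not found, so the call can run with an empty or stale identifier instead of the object that was actually resolved. Both calls should use the resolved value, `-IdentityUserFlowAttributeId $currentUserFlowAttribute.Id`. In Get-TargetResource that fallback builds the OData filter by interpolation, `"displayName eq '$DisplayName'"`, so a display name containing a single quote changes or breaks the filter; doubling the quote first, `$DisplayName.Replace("'", "''")`, keeps the value inside the literal. The "already exists" verbose message also reads `$($DisplayNameName)`, which is never defined and prints empty.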
@@ -0,0 +1,16 @@
+[ClassVersion("1.0.0.0"), FriendlyName("AADUserFlowAttribute")]
+class MSFT_AADUserFlowAttribute : OMI_BaseResource
+{
+ [Write, Description("User flow attribute Id.")] String Id;
+ [Key, Description("Display name of the user flow attribute.")] String DisplayName;
+ [Write, Description("Description of the user flow attribute.")] String Description;
+ [Write, Description("Defines the user flow attribute data type.")] String DataType;
+ [Write, Description("Specify if the Azure AD role setting should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
+ [Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/Readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/Readme.md
new file mode 100644
index 0000000000..11fae742e2
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/Readme.md
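Review bot: The `Ensure` description reads "Specify if the Azure AD role setting should exist or not.", which describes a different resource; it should name this one, e.g. `Description("Specify if the user flow attribute should exist or not.")`. `DataType` is declared as a free-form string with no `ValueMap`, and the module passes it unchanged to `New-MgBetaIdentityUserFlowAttribute`, so the description is the only place a user learns which values are accepted; listing them there would help.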
@@ -0,0 +1,5 @@
+# AADUserFlowAttribute
+
+## Description
+
+This resource configure User flow attributes which are custom attributes that you can define and use in your user flows, which are predefined, configurable policies that control the user experience during sign-up, sign-in, and profile editing processes.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/settings.json
new file mode 100644
index 0000000000..d2178e7964
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/settings.json
@@ -0,0 +1,29 @@
+{
+ "resourceName": "AADUserflowAttribute",
+ "description": "This resource configures an Azure User Flow attribute..",
+ "roles": {
+ "read": [],
+ "update": [
+ "External ID User Flow Attribute Administrator"
+ ]
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "IdentityUserFlow.Read.All"
+ },
+ {
+ "name": "IdentityUserFlow.ReadWrite.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "IdentityUserFlow.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/MSFT_AADVerifiedIdAuthority.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/MSFT_AADVerifiedIdAuthority.psm1
new file mode 100644
index 0000000000..e986ac2baf
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/MSFT_AADVerifiedIdAuthority.psm1
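Review bot: The delegated `read` list in the new settings.json includes `IdentityUserFlow.ReadWrite.All` next to `IdentityUserFlow.Read.All`, so a principal that only exports or monitors this resource would be asked to consent to a write scope. Unless the read path is known to need it, `read` should hold only `IdentityUserFlow.Read.All`. The file also has no `application` block although the resource accepts `ApplicationId` with a certificate or secret, which leaves the app-only permission requirements undeclared. `resourceName` is spelled `AADUserflowAttribute` while the schema's friendly name is `AADUserFlowAttribute`; if anything matches on this string case-sensitively the entry will be missed.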
@@ -0,0 +1,591 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [System.String] + $Id, + + [Parameter()] + [System.String] + $Name, + + [Parameter(Mandatory = $true)] + [System.String] + $LinkedDomainUrl, + + [Parameter()] + [System.String] + $DidMethod, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $KeyVaultMetadata, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'AdminAPI' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instances = $Script:exportedInstances + } + else + { + $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" + $response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET' + $instances = $response.value + } + if ($null -eq $instances) + { + return $nullResult + } + + $instance = Get-M365DSCVerifiedIdAuthorityObject -Authority ($instances | Where-Object -FilterScript {$_.didModel.linkedDomainUrls[0] -eq $LinkedDomainUrl}) + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Id = $instance.Id + Name = $instance.Name + LinkedDomainUrl = $instance.LinkedDomainUrl + DidMethod = $instance.DidMethod + KeyVaultMetadata = $instance.KeyVaultMetadata + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [System.String] + $Id, + + [Parameter()] + [System.String] + $Name, + + [Parameter(Mandatory = $true)] + [System.String] + $LinkedDomainUrl, + + [Parameter()] + [System.String] + $DidMethod, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance] + $KeyVaultMetadata, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + New-M365DSCConnection -Workload 'AdminAPI' ` + -InboundParameters $PSBoundParameters | Out-Null + + $currentInstance = Get-TargetResource @PSBoundParameters + + Write-Verbose -Message "Retrieved current instance: $($currentInstance.Name) with Id $($currentInstance.Id)" + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities/" + $currentInstance.Id + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an VerifiedId Authority with Name {$Name} and Id $($currentInstance.Id)" + + $body = @{ + name = $Name + linkedDomainUrl = $LinkedDomainUrl + didMethod = $DidMethod + keyVaultMetadata = @{ + subscriptionId = $KeyVaultMetadata.SubscriptionId + resourceGroup = $KeyVaultMetadata.ResourceGroup + resourceName = $KeyVaultMetadata.ResourceName + resourceUrl = 
$KeyVaultMetadata.ResourceUrl + } + } + Write-Verbose -Message "Creating VerifiedId Authority with body $($body | ConvertTo-Json -Depth 5)" + + $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" + Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'POST' -Body $body + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating an VerifiedId Authority with Name {$Name} and Id $($currentInstance.Id)" + + Write-Warning -Message "You can only update Name of the VerifiedId Authority, if you want to update other properties, please delete and recreate the VerifiedId Authority." + $body = @{ + name = $Name + } + Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'PATCH' -Body $body + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing VerifiedId Authority with Name {$Name} and Id $($currentInstance.Id)" + + $uri = "https://verifiedid.did.msidentity.com/beta/verifiableCredentials/authorities/" + $currentInstance.Id + Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'DELETE' + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [System.String] + $Id, + + [Parameter()] + [System.String] + $Name, + + [Parameter(Mandatory = $true)] + [System.String] + $LinkedDomainUrl, + + [Parameter()] + [System.String] + $DidMethod, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $KeyVaultMetadata, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + 
$ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message 'Testing configuration of AADVerifiedIdAuthority' + + $CurrentValues = Get-TargetResource @PSBoundParameters + + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + $testTargetResource = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*' -and $source -notlike '*Permission*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + Write-Verbose "TestResult returned False for $source" + $testTargetResource = $false + } + else { + $ValuesToCheck.Remove($key) | Out-Null + } + } + } + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys ` + -IncludedDrifts $driftedParams + + if(-not $TestResult) + { + $testTargetResource = $false + } + + + Write-Verbose -Message "Test-TargetResource returned $testTargetResource" + + return $testTargetResource + + +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + 
( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'AdminAPI' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $dscContent = [System.Text.StringBuilder]::new() + $i = 1 + Write-Host "`r`n" -NoNewline + try + { + $Script:ExportMode = $true + $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" + $response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET' + [array] $Script:exportedInstances = $response.value + + foreach ($authority in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $($authority.didModel.linkedDomainUrls[0])" -NoNewline + $Params = @{ + LinkedDomainUrl = $authority.didModel.linkedDomainUrls[0] + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + Credential = $Credential + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + $Results = Get-TargetResource @Params + if 
($Results.Ensure -eq 'Present') + { + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($null -ne $Results.KeyVaultMetadata) + { + $complexMapping = @( + @{ + Name = 'KeyVaultMetadata' + CimInstanceName = 'AADVerifiedIdAuthorityKeyVaultMetadata' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.KeyVaultMetadata ` + -CIMInstanceName 'AADVerifiedIdAuthorityKeyVaultMetadata' ` + -ComplexTypeMapping $complexMapping + + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.KeyVaultMetadata = $complexTypeStringResult + } + else + { + $Results.Remove('KeyVaultMetadata') | Out-Null + } + } + + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.KeyVaultMetadata) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "KeyVaultMetadata" -IsCIMArray:$False + } + + $dscContent.Append($currentDSCBlock) | Out-Null + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + Write-Host $Global:M365DSCEmojiGreenCheckMark + $i++ + } + } + return $dscContent.ToString() + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + + +function Get-M365DSCVerifiedIdAuthorityObject +{ + [CmdletBinding()] + [OutputType([PSCustomObject])] + param( + [Parameter()] + $Authority + ) + + if ($null -eq $Authority) + { + return $null + } + + Write-Verbose -Message "Retrieving values for authority {$($Authority.didModel.linkedDomainUrls[0])}" + $did = ($Authority.didModel.did -split ":")[1] + $values = @{ + 
Id = $Authority.Id + Name = $Authority.Name + LinkedDomainUrl = $Authority.didModel.linkedDomainUrls[0] + DidMethod = $did + } + if ($null -ne $Authority.KeyVaultMetadata) + { + $KeyVaultMetadata = @{ + SubscriptionId = $Authority.KeyVaultMetadata.SubscriptionId + ResourceGroup = $Authority.KeyVaultMetadata.ResourceGroup + ResourceName = $Authority.KeyVaultMetadata.ResourceName + ResourceUrl = $Authority.KeyVaultMetadata.ResourceUrl + } + + $values.Add('KeyVaultMetadata', $KeyVaultMetadata) + } + return $values +} + +function Invoke-M365DSCVerifiedIdWebRequest +{ + [OutputType([PSCustomObject])] + [CmdletBinding()] + param( + [Parameter(Mandatory = $true)] + [System.String] + $Uri, + + [Parameter()] + [System.String] + $Method = 'GET', + + [Parameter()] + [System.Collections.Hashtable] + $Body + ) + + $headers = @{ + Authorization = $Global:MSCloudLoginConnectionProfile.AdminAPI.AccessToken + "Content-Type" = "application/json" + } + + if($Method -eq 'PATCH' -or $Method -eq 'POST') + { + $BodyJson = $body | ConvertTo-Json + $response = Invoke-WebRequest -Method $Method -Uri $Uri -Headers $headers -Body $BodyJson + } + else { + $response = Invoke-WebRequest -Method $Method -Uri $Uri -Headers $headers + } + + if($Method -eq 'DELETE') + { + return $null + } + $result = ConvertFrom-Json $response.Content + return $result +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/MSFT_AADVerifiedIdAuthority.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/MSFT_AADVerifiedIdAuthority.schema.mof new file mode 100644 index 0000000000..f22542ecdd --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/MSFT_AADVerifiedIdAuthority.schema.mof 
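Review bot: Test-TargetResource passes `-IncludedDrifts $driftedParams`, but `$driftedParams` is never assigned in the function, so under PowerShell's dynamic scoping it is either `$null` or whatever a caller's scope happens to hold; drop the argument or initialise it, e.g. `$driftedParams = @{}`, before the call. In Set-TargetResource the removal branch rebuilds `$uri` against `/beta/verifiableCredentials/authorities/` while every other request in the file uses `/v1.0/`; if that is intentional a short comment saying why would help, otherwise the `$uri` already computed above the branches can be reused. Get-TargetResource's result hashtable also omits `ManagedIdentity`, which the AADUserFlowAttribute resource added in this commit does return.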
@@ -0,0 +1,28 @@ +[ClassVersion("1.0.0")] +class MSFT_AADVerifiedIdAuthorityKeyVaultMetadata +{ + [Write, Description("Subscription ID of the Key Vault.")] String SubscriptionId; + [Write, Description("Resource group of the Key Vault.")] String ResourceGroup; + [Write, Description("Resource name of the Key Vault.")] String ResourceName; + [Write, Description("Resource URL of the Key Vault.")] String ResourceUrl; +}; + + +[ClassVersion("1.0.0.0"), FriendlyName("AADVerifiedIdAuthority")] +class MSFT_AADVerifiedIdAuthority : OMI_BaseResource +{ + [Write, Description("Name of the Verified ID Authority.")] String Name; + [Write, Description("Id of the Verified ID Authority.")] String Id; + [Key, Description("URL of the linked domain.")] String LinkedDomainUrl; + [Write, Description("DID method used by the Verified ID Authority.")] String DidMethod; + [Write, Description("Key Vault metadata for the Verified ID Authority."), EmbeddedInstance("MSFT_AADVerifiedIdAuthorityKeyVaultMetadata")] String KeyVaultMetadata; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] 
String AccessTokens[]; +}; + diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/readme.md new file mode 100644 index 0000000000..b68d06b45e --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/readme.md @@ -0,0 +1,8 @@ + +# AADVerifiedIdAuthority + +## Description + +Azure AD Verified Identity Authority +Use the VerifiableCredential.Authority.ReadWrite permission to read and write the authority. +Documentation Link: https://learn.microsoft.com/en-us/entra/verified-id/admin-api#authorities diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/settings.json new file mode 100644 index 0000000000..cf3ac1ac16 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/settings.json @@ -0,0 +1,17 @@ +{ + "resourceName": "AADVerifiedIdAuthority", + "description": "This resource configures an Azure AD Verified Identity Authority.", + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/MSFT_AADVerifiedIdAuthorityContract.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/MSFT_AADVerifiedIdAuthorityContract.psm1 new file mode 100644 index 0000000000..1282f29af5 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/MSFT_AADVerifiedIdAuthorityContract.psm1 
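Review bot: Two descriptions in the MSFT_AADVerifiedIdAuthority class do not match the property they document: `ApplicationSecret` says "Secret of the Azure Active Directory tenant used for authentication" although it holds the application's secret, and `Ensure` says it "ensures the policy exists" for a resource that manages an authority. Suggested wording: `Description("Secret of the Azure Active Directory application to authenticate with.")` and `Description("Present ensures the authority exists, absent ensures it is removed.")`.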
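Review bot: Every permission list in the new settings.json for AADVerifiedIdAuthority is empty, while the readme added in the same commit says the resource needs `VerifiableCredential.Authority.ReadWrite`. That permission presumably belongs to the Verified ID Admin API rather than Microsoft Graph, so it may not fit under `graph`, but as written anything that derives required consent from settings.json would report that this resource needs none. It is worth recording the requirement here in whatever shape the settings schema allows, or stating in the readme that it has to be granted separately.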
@@ -0,0 +1,938 @@
+function Get-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param
+ (
+ [Parameter()]
+ [System.String]
+ $id,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $linkedDomainUrl,
+
+ [Parameter()]
+ [System.String]
+ $authorityId,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $name,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $displays,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $rules,
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ $ConnectionMode = New-M365DSCConnection -Workload 'AdminAPI' `
+ -InboundParameters $PSBoundParameters
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $nullResult = $PSBoundParameters
+ $nullResult.Ensure = 'Absent'
+ try
+ {
+ if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
+ {
+ $instances = $Script:exportedInstances
+ }
+ else
+ {
+ $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities"
+ $response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET'
+ $authorities = $response.value
+ if ($null -eq $authorities)
+ {
+ return $nullResult
+ }
+ $authority = Get-M365DSCVerifiedIdAuthorityObject -Authority ($authorities | Where-Object -FilterScript {$_.didModel.linkedDomainUrls[0] -eq $linkedDomainUrl})
+
+ if ($null -eq $authority)
+ {
+ return $nullResult
+ }
+
+ $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities/$($authority.Id)/contracts"
+ $response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET'
+ $contracts = $response.value
+ }
+ if ($null -eq $contracts)
+ {
+ return $nullResult
+ }
+
+ $contract = Get-M365DSCVerifiedIdAuthorityContractObject -Contract ($contracts | Where-Object -FilterScript {$_.name -eq $name})
+ if ($null -eq $contract)
+ {
+ return $nullResult
+ }
+
+ $results = @{
+ id = $contract.id
+ name = $contract.name
+ linkedDomainUrl = $linkedDomainUrl
+ authorityId = $authority.Id
+ displays = $contract.displays
+ rules = $contract.rules
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ ApplicationSecret = $ApplicationSecret
+ AccessTokens = $AccessTokens
+ }
+ return [System.Collections.Hashtable] $results
+
+ }
+ catch
+ {
+ New-M365DSCLogEntry -Message 'Error retrieving data:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return $nullResult
+ }
+}
+
+function Set-TargetResource
+{
+ [CmdletBinding()]
+ param
+ (
+ [Parameter()]
+ [System.String]
+ $id,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $linkedDomainUrl,
+
+ [Parameter()]
+ [System.String]
+ $authorityId,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $name,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $displays,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $rules,
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ New-M365DSCConnection -Workload 'AdminAPI' `
+ -InboundParameters $PSBoundParameters | Out-Null
+
+ $currentInstance = Get-TargetResource @PSBoundParameters
+
+ Write-Verbose -Message "Retrieved current instance: $($currentInstance.Name) with Id $($currentInstance.Id)"
+ $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
+
+ $rulesHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $rules
+ $displaysHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $displays
+ if($rulesHashmap.attestations.idTokens -ne $null)
+ {
+ foreach($idToken in $rulesHashmap.attestations.idTokens)
+ {
+ if($idToken.scopeValue -ne $null)
+ {
+ $idToken.Add('scope', $idToken.scopeValue)
+ $idToken.Remove('scopeValue') | Out-Null
+ }
+ }
+
+ }
+
+ $body = @{
+ name = $Name
+ rules = $rulesHashmap
+ displays = $displaysHashmap
+ }
+ if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
+ {
+ $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities"
+ $response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET'
+ $authorities = $response.value
+ $authority = Get-M365DSCVerifiedIdAuthorityObject -Authority ($authorities | Where-Object -FilterScript {$_.didModel.linkedDomainUrls[0] -eq $linkedDomainUrl})
+
+ Write-Verbose -Message "Creating an VerifiedId Authority Contract with Name {$name} for Authority Id $($authority.Id)"
+
+ $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities/$($authority.Id)/contracts"
+ Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'POST' -Body $body
+ }
+ elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Updating an VerifiedId Authority Contract with Name {$name} for Authority Id $($authority.Id)"
+ $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities/$($authority.Id)/contracts/$($currentInstance.id)"
+ $body.Remove('name') | Out-Null
+ Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'PATCH' -Body $body
+ }
+ elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Warning -Message "Removal of Contracts is not supported"
+ }
+}
+
+function Test-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Boolean])]
+ param
+ (
+ [Parameter()]
+ [System.String]
+ $id,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $linkedDomainUrl,
+
+ [Parameter()]
+ [System.String]
+ $authorityId,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $name,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $displays,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $rules,
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', ''
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ Write-Verbose -Message 'Testing configuration of AADVerifiedIdAuthorityContract'
+
+ $CurrentValues = Get-TargetResource @PSBoundParameters
+
+ $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
+
+ $testTargetResource = $true
+
+ #Compare Cim instances
+ foreach ($key in $PSBoundParameters.Keys)
+ {
+ $source = $PSBoundParameters.$key
+ $target = $CurrentValues.$key
+ if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
+ {
+ $testResult = Compare-M365DSCComplexObject `
+ -Source ($source) `
+ -Target ($target)
+
+ if (-not $testResult)
+ {
+ Write-Verbose "TestResult returned False for $source"
+ $testTargetResource = $false
+ }
+ else {
+ $ValuesToCheck.Remove($key) | Out-Null
+ }
+ }
+ }
+
+ Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
+ Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"
+
+ $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -DesiredValues $PSBoundParameters `
+ -ValuesToCheck $ValuesToCheck.Keys `
+ -IncludedDrifts $driftedParams
+
+ if(-not $TestResult)
+ {
+ $testTargetResource = $false
+ }
+
+
+ Write-Verbose -Message "Test-TargetResource returned $testTargetResource"
+
+ return $testTargetResource
+
+
+}
+
+function Export-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.String])]
+ param
+ (
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ $ConnectionMode = New-M365DSCConnection -Workload 'AdminAPI' `
+ -InboundParameters $PSBoundParameters
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $dscContent = [System.Text.StringBuilder]::new()
+ $i = 1
+ Write-Host "`r`n" -NoNewline
+ try
+ {
+ $Script:ExportMode = $true
+ $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities"
+ $response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET'
+ [array] $authorities = $response.value
+
+
+ [array] $Script:exportedInstances = $()
+
+ foreach ($authority in $authorities)
+ {
+ $uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities/$($authority.Id)/contracts"
+ $response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET'
+ $contracts = $response.value
+
+ foreach($contract in $contracts)
+ {
+ $Script:exportedInstances += $contract
+
+ if ($null -ne $Global:M365DSCExportResourceInstancesCount)
+ {
+ $Global:M365DSCExportResourceInstancesCount++
+ }
+
+ Write-Host " |---[$i/$($Script:exportedInstances.Count)] $($contract.name)" -NoNewline
+ $Params = @{
+ linkedDomainUrl = $authority.didModel.linkedDomainUrls[0]
+ name = $contract.name
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ ApplicationSecret = $ApplicationSecret
+ Credential = $Credential
+ Managedidentity = $ManagedIdentity.IsPresent
+ AccessTokens = $AccessTokens
+ }
+
+ $Results = Get-TargetResource @Params
+
+ if ($Results.Ensure -eq 'Present')
+ {
+ $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
+ -Results $Results
+
+ if ($null -ne $Results.displays)
+ {
+ $complexMapping = @(
+ @{
+ Name = 'displays'
+ CimInstanceName = 'AADVerifiedIdAuthorityContractDisplayModel'
+ IsRequired = $False
+ }
+ @{
+ Name = 'logo'
+ CimInstanceName = 'AADVerifiedIdAuthorityContractDisplayCredentialLogo'
+ IsRequired = $False
+ }
+ @{
+ Name = 'card'
+ CimInstanceName = 'AADVerifiedIdAuthorityContractDisplayCard'
+ IsRequired = $False
+ }
+ @{
+ Name = 'consent'
+ CimInstanceName = 'AADVerifiedIdAuthorityContractDisplayConsent'
+ IsRequired = $False
+ }
+ @{
+ Name = 'claims'
+ CimInstanceName = 'AADVerifiedIdAuthorityContractDisplayClaims'
+ IsRequired = $False
+ }
+ )
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
+ -ComplexObject $Results.displays `
+ -CIMInstanceName 'AADVerifiedIdAuthorityContractDisplayModel' `
+ -ComplexTypeMapping $complexMapping
+
+ if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
+ {
+ $Results.displays = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('displays') | Out-Null
+ }
+ }
+
+
+ if ($null -ne $Results.rules)
+ {
+ $complexMapping = @(
+ @{
+ Name = 'rules'
+ CimInstanceName = 'AADVerifiedIdAuthorityContractRulesModel'
+ IsRequired = $False
+ }
+ @{
+ Name = 'attestations'
+ CimInstanceName = 'AADVerifiedIdAuthorityContractAttestations'
+ IsRequired = $False
+ }
+ @{
+ Name = 'vc'
+ CimInstanceName = 'AADVerifiedIdAuthorityContractVcType'
+ IsRequired = $False
+ }
+ @{
+ Name = 'customStatusEndpoint'
+ CimInstanceName = 'AADVerifiedIdAuthorityContractCustomStatusEndpoint'
+ IsRequired = $False
+ }
+ @{
+ Name = 'idTokenHints'
+ CimInstanceName = 'AADVerifiedIdAuthorityContractAttestationValues'
+ IsRequired = $False
+ }
+ @{
+ Name = 'idTokens'
+ CimInstanceName = 'AADVerifiedIdAuthorityContractAttestationValues'
+ IsRequired = $False
+ }
+ @{
+ Name = 'presentations'
+ CimInstanceName = 'AADVerifiedIdAuthorityContractAttestationValues'
+ IsRequired = $False
+ }
+ @{
+ Name = 'selfIssued'
+ CimInstanceName = 'AADVerifiedIdAuthorityContractAttestationValues'
+ IsRequired = $False
+ }
+ @{
+ Name = 'accessTokens'
+ CimInstanceName = 'AADVerifiedIdAuthorityContractAttestationValues'
+ IsRequired = $False
+ }
+ @{
+ Name = 'mapping'
+ CimInstanceName = 'AADVerifiedIdAuthorityContractClaimMapping'
+ IsRequired = $False
+ }
+ )
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
+ -ComplexObject $Results.rules`
+ -CIMInstanceName 'AADVerifiedIdAuthorityContractRulesModel' `
+ -ComplexTypeMapping $complexMapping
+
+ if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
+ {
+ $Results.rules = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('rules') | Out-Null
+ }
+ }
+
+
+ $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
+ -ConnectionMode $ConnectionMode `
+ -ModulePath $PSScriptRoot `
+ -Results $Results `
+ -Credential $Credential
+
+ if ($Results.displays)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "displays" -IsCIMArray:$true
+ }
+
+ if ($Results.rules)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "rules" -IsCIMArray:$false
+ }
+
+ $dscContent.Append($currentDSCBlock) | Out-Null
+ Save-M365DSCPartialExport -Content $currentDSCBlock `
+ -FileName $Global:PartialExportFileName
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ $i++
+ }
+ }
+ }
+ return $dscContent.ToString()
+ }
+ catch
+ {
+ Write-Host $Global:M365DSCEmojiRedX
+
+ New-M365DSCLogEntry -Message 'Error during Export:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return ''
+ }
+}
+
+
+function Get-M365DSCVerifiedIdAuthorityContractObject
+{
+ [CmdletBinding()]
+ [OutputType([PSCustomObject])]
+ param(
+ [Parameter()]
+ $Contract
+ )
+
+ if ($null -eq $Contract)
+ {
+ return $null
+ }
+
+ Write-Verbose -Message "Retrieving values for contract {$($Contract.name)}"
+ $values = @{
+ id = $Contract.id
+ name = $Contract.name
+ }
+ if ($null -ne $Contract.displays)
+ {
+ $displays = @()
+ foreach ($display in $Contract.displays)
+ {
+ $claims = @()
+ foreach ($claim in $display.claims)
+ {
+ $claims += @{
+ claim = $claim.claim
+ label = $claim.label
+ type = $claim.type
+ }
+ }
+ $displays += @{
+ locale = $display.locale
+ card = @{
+ title = $display.card.title
+ issuedBy = $display.card.issuedBy
+ backgroundColor = $display.card.backgroundColor
+ textColor = $display.card.textColor
+ logo = @{
+ uri = $display.card.logo.uri
+ description = $display.card.logo.description
+ }
+ description = $display.card.description
+ }
+ consent = @{
+ title = $display.consent.title
+ instructions = $display.consent.instructions
+ }
+ claims = $claims
+ }
+ }
+
+ $values.Add('displays', $displays)
+ }
+
+
+ if ($null -ne $Contract.rules)
+ {
+ $rules = @{}
+ $attestations = @{}
+ if($null -ne $Contract.rules.attestations.idTokenHints)
+ {
+ $idTokenHints = @()
+ foreach($idTokenHint in $Contract.rules.attestations.idTokenHints)
+ {
+ $mapping = @()
+ foreach($map in $idTokenHint.mapping)
+ {
+ $mapping += @{
+ outputClaim = $map.outputClaim
+ inputClaim = $map.inputClaim
+ required = $map.required
+ indexed = $map.indexed
+ type = $map.type
+ }
+ }
+ $idTokenHints += @{
+ required = $idTokenHint.required
+ mapping = $mapping
+ trustedIssuers = $idTokenHint.trustedIssuers
+ }
+ }
+ $attestations.Add('idTokenHints', $idTokenHints)
+ }
+
+ if($null -ne $Contract.rules.attestations.idTokens)
+ {
+ $idTokens = @()
+ foreach($idToken in $Contract.rules.attestations.idTokens)
+ {
+ $mapping = @()
+ foreach($map in $idToken.mapping)
+ {
+ $mapping += @{
+ outputClaim = $map.outputClaim
+ inputClaim = $map.inputClaim
+ required = $map.required
+ indexed = $map.indexed
+ type = $map.type
+ }
+ }
+ $idTokens += @{
+ required = $idToken.required
+ mapping = $mapping
+ configuration = $idToken.configuration
+ clientId = $idToken.clientId
+ redirectUri = $idToken.redirectUri
+ scopeValue = $idToken.scope
+ }
+ }
+ $attestations.Add('idTokens', $idTokens)
+ }
+
+ if($null -ne $Contract.rules.attestations.presentations)
+ {
+ $presentations = @()
+ foreach($presentation in $Contract.rules.attestations.presentations)
+ {
+ $mapping = @()
+ foreach($map in $presentation.mapping)
+ {
+ $mapping += @{
+ outputClaim = $map.outputClaim
+ inputClaim = $map.inputClaim
+ required = $map.required
+ indexed = $map.indexed
+ type = $map.type
+ }
+ }
+ $presentations += @{
+ required = $presentation.required
+ mapping = $mapping
+ trustedIssuers = $presentation.trustedIssuers
+ credentialType = $presentation.credentialType
+ }
+ }
+ $attestations.Add('presentations', $presentations)
+ }
+
+ if($null -ne $Contract.rules.attestations.selfIssued)
+ {
+ $mySelfIssueds = @()
+ foreach($mySelfIssued in $Contract.rules.attestations.selfIssued)
+ {
+ $mapping = @()
+ foreach($map in $mySelfIssued.mapping)
+ {
+ $mapping += @{
+ outputClaim = $map.outputClaim
+ inputClaim = $map.inputClaim
+ required = $map.required
+ indexed = $map.indexed
+ type = $map.type
+ }
+ }
+ $mySelfIssueds += @{
+ required = $mySelfIssued.required
+ mapping = $mapping
+ }
+ }
+ $attestations.Add('selfIssued', $mySelfIssueds)
+ }
+
+ if($null -ne $Contract.rules.attestations.accessTokens)
+ {
+ $accessTokens = @()
+ foreach($accessToken in $Contract.rules.attestations.accessTokens)
+ {
+ $mapping = @()
+ foreach($map in $accessToken.mapping)
+ {
+ $mapping += @{
+ outputClaim = $map.outputClaim
+ inputClaim = $map.inputClaim
+ required = $map.required
+ indexed = $map.indexed
+ type = $map.type
+ }
+ }
+ $accessTokens += @{
+ required = $accessToken.required
+ mapping = $mapping
+ }
+ }
+ $attestations.Add('accessTokens', $accessTokens)
+ }
+
+
+ $rules.Add('attestations', $attestations)
+ $rules.Add('vc', @{
+ type = $Contract.rules.vc.type
+ })
+ $rules.Add('validityInterval', $Contract.rules.validityInterval)
+
+ $values.Add('rules', $rules)
+ }
+
+ return $values
+}
+
+
+function Get-M365DSCVerifiedIdAuthorityObject
+{
+ [CmdletBinding()]
+ [OutputType([PSCustomObject])]
+ param(
+ [Parameter()]
+ $Authority
+ )
+
+ if ($null -eq $Authority)
+ {
+ return $null
+ }
+
+ Write-Verbose -Message "Retrieving values for authority {$($Authority.didModel.linkedDomainUrls[0])}"
+ $did = ($Authority.didModel.did -split ":")[1]
+ $values = @{
+ Id = $Authority.Id
+ Name = $Authority.Name
+ LinkedDomainUrl = $Authority.didModel.linkedDomainUrls[0]
+ DidMethod = $did
+ }
+ if ($null -ne $Authority.KeyVaultMetadata)
+ {
+ $KeyVaultMetadata = @{
+ SubscriptionId = $Authority.KeyVaultMetadata.SubscriptionId
+ ResourceGroup = $Authority.KeyVaultMetadata.ResourceGroup
+ ResourceName = $Authority.KeyVaultMetadata.ResourceName
+ ResourceUrl = $Authority.KeyVaultMetadata.ResourceUrl
+ }
+
+ $values.Add('KeyVaultMetadata', $KeyVaultMetadata)
+ }
+ return $values
+}
+
+function Invoke-M365DSCVerifiedIdWebRequest
+{
+ [OutputType([PSCustomObject])]
+ [CmdletBinding()]
+ param(
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $Uri,
+
+ [Parameter()]
+ [System.String]
+ $Method = 'GET',
+
+ [Parameter()]
+ [System.Collections.Hashtable]
+ $Body
+ )
+
+ $headers = @{
+ Authorization = $Global:MSCloudLoginConnectionProfile.AdminAPI.AccessToken
+ "Content-Type" = "application/json"
+ }
+
+ if($Method -eq 'PATCH' -or $Method -eq 'POST')
+ {
+ $BodyJson = $body | ConvertTo-Json -Depth 10
+ $response = Invoke-WebRequest -Method $Method -Uri $Uri -Headers $headers -Body $BodyJson
+ }
+ else {
+ $response = Invoke-WebRequest -Method $Method -Uri $Uri -Headers $headers
+ }
+
+ if($Method -eq 'DELETE')
+ {
+ return $null
+ }
+ $result = ConvertFrom-Json $response.Content
+ return $result
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/MSFT_AADVerifiedIdAuthorityContract.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/MSFT_AADVerifiedIdAuthorityContract.schema.mof
new file mode 100644
index 0000000000..75ec079246
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/MSFT_AADVerifiedIdAuthorityContract.schema.mof
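Review bot: In `Set-TargetResource` the update branch builds its PATCH URI from `$($authority.Id)`, but `$authority` is only assigned inside the create branch, so an update is sent to `.../authorities//contracts/<id>`; use the id that `Get-TargetResource` already returns, i.e. `$($currentInstance.authorityId)` in place of `$($authority.Id)` on the `$uri` and `Write-Verbose` lines of that branch. The create branch has the related gap that no authority matching `$linkedDomainUrl` leaves `$authority` null before the POST, which a guard such as `if ($null -eq $authority) { throw "No Verified ID authority found for $linkedDomainUrl" }` would turn into an early failure. `Get-TargetResource` has the same shape of problem in export mode: that branch sets `$instances` but never `$contracts` or `$authority`, so the following `$null -eq $contracts` check returns the absent result, and because `Export-TargetResource` fills `$Script:exportedInstances` before calling it, the export appears to emit nothing. Separately, `Test-TargetResource` passes `-IncludedDrifts $driftedParams` without ever assigning `$driftedParams`.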
@@ -0,0 +1,105 @@
+[ClassVersion("1.0.0")]
+class MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo {
+ [Write, Description("URI of the logo. If this is a URL, it must be reachable over the public internet anonymously.")] String uri;
+ [Write, Description("Description of the logo.")] String description;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_AADVerifiedIdAuthorityContractDisplayCard {
+ [Write, Description("Title of the credential.")] String title;
+ [Write, Description("The name of the issuer of the credential.")] String issuedBy;
+ [Write, Description("Background color of the credential in hex, for example, #FFAABB.")] String backgroundColor;
+ [Write, Description("Text color of the credential in hex, for example, #FFAABB.")] String textColor;
+ [Write, Description("Supplemental text displayed alongside each credential.")] String description;
+ [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo"), Description("The logo to use for the credential.")] String logo;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_AADVerifiedIdAuthorityContractDisplayConsent {
+ [Write, Description("Title of the consent.")] String title;
+ [Write, Description("Supplemental text to use when displaying consent.")] String instructions;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_AADVerifiedIdAuthorityContractDisplayClaims {
+ [Write, Description("The label of the claim in display.")] String label;
+ [Write, Description("The name of the claim to which the label applies.")] String claim;
+ [Write, Description("The type of the claim.")] String type;
+ [Write, Description("The description of the claim.")] String description;
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_AADVerifiedIdAuthorityContractDisplayModel {
+ [Write, Description("The locale of this display.")] String locale;
+ [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractDisplayCard"), Description("The display properties of the verifiable credential.")] String card;
+ [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractDisplayConsent"), Description("Supplemental data when the verifiable credential is issued.")] String consent;
+ [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractDisplayClaims"), Description("Labels for the claims included in the verifiable credential.")] String claims[];
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_AADVerifiedIdAuthorityContractClaimMapping {
+ [Write, Description("The name of the claim to use from the input.")] String inputClaim;
+ [Write, Description("The name of the claim in the verifiable credential.")] String outputClaim;
+ [Write, Description("Indicating whether the value of this claim is used for searching.")] Boolean indexed;
+ [Write, Description("Indicating whether this mapping is required or not.")] Boolean required;
+ [Write, Description("Type of claim.")] String type;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_AADVerifiedIdAuthorityContractAttestationValues {
+ [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractClaimMapping"), Description("Rules to map input claims into output claims in the verifiable credential.")] String mapping[];
+ [Write, Description("Indicating whether this attestation is required or not.")] Boolean required;
+ [Write, Description("A list of DIDs allowed to issue the verifiable credential for this contract.")] String trustedIssuers[];
+ [Write, Description("Required credential type of the input.")] String credentialType;
+ [Write, Description("Location of the identity provider's configuration document.")] String configuration;
+ [Write, Description("Client ID to use when obtaining the ID token.")] String clientId;
+ [Write, Description("Redirect URI to use when obtaining the ID token. MUST BE vcclient://openid/")] String redirectUri;
+ [Write, Description("Space delimited list of scopes to use when obtaining the ID token.")] String scopeValue;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_AADVerifiedIdAuthorityContractAttestations {
+ [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestationValues"), Description("Id token hints attestations.")] String idTokenHints[];
+ [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestationValues"), Description("Id token attestations.")] String idTokens[];
+ [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestationValues"), Description("Presentations attestations.")] String presentations[];
+ [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestationValues"), Description("Self Issued attestations.")] String selfIssued[];
+ [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestationValues"), Description("Access Token attestations.")] String accessTokens[];
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_AADVerifiedIdAuthorityContractCustomStatusEndpoint {
+ [Write, Description("The URL of the custom status endpoint.")] String url;
+ [Write, Description("The type of the endpoint.")] String type;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_AADVerifiedIdAuthorityContractVcType {
+ [Write, Description("The type of the vc.")] String type[];
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_AADVerifiedIdAuthorityContractRulesModel {
+ [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestations"), Description("Describing supported inputs for the rules.")] String attestations;
+ [Write, Description("This value shows the lifespan of the credential.")] UInt32 validityInterval;
+ [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractVcType"), Description("Types for this contract.")] String vc;
+ [Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractCustomStatusEndpoint"), Description("Status endpoint to include in the verifiable credential for this contract.")] String customStatusEndpoint;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("AADVerifiedIdAuthorityContract")]
+class MSFT_AADVerifiedIdAuthorityContract : OMI_BaseResource
+{
+ [Write, Description("Id of the Verified ID Authority Contract.")] String id;
+ [Key, Description("URL of the linked domain of the authority.")] String linkedDomainUrl;
+ [Write, Description("Id of the Verified ID Authority.")] String authorityId;
+ [Key, Description("Name of the Verified ID Authority Contract.")] String name;
+ [Write, Description("Display settings of the Authority Contract."), EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractDisplayModel")] String displays[];
+ [Write, Description("Rules settings of the Authority Contract."), EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractRulesModel")] String rules;
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
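Review bot: `customStatusEndpoint` in `MSFT_AADVerifiedIdAuthorityContractRulesModel` and `description` in `MSFT_AADVerifiedIdAuthorityContractDisplayClaims` are declared here, but `Get-M365DSCVerifiedIdAuthorityContractObject` in the accompanying psm1 never copies either from the API response; it fills only `attestations`, `vc` and `validityInterval` for rules, and `claim`, `label` and `type` for claims. A configuration that sets them would presumably be reported as drifted on every `Test-TargetResource` run, and they would never appear in an export, so either populate them in that helper or drop them from the schema. The `validityInterval` description should also name the unit of the `UInt32` value, which the current text "This value shows the lifespan of the credential." leaves open.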
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/readme.md new file mode 100644 index 0000000000..730d008e03 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/readme.md @@ -0,0 +1,7 @@ +# AADVerifiedIdAuthorityContract + +## Description + +Azure AD Verified Identity Authority Contract +Use the VerifiableCredential.Contract.ReadWrite permission to read and write the authority contract. +Documentation Link: https://learn.microsoft.com/en-us/entra/verified-id/admin-api#contracts diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/settings.json new file mode 100644 index 0000000000..83269c5f65 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/settings.json @@ -0,0 +1,20 @@ +{ + "resourceName": "AADVerifiedIdAuthorityContract", + "description": "This resource configures an Azure AD Verified Identity Authority Contracts.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroup/MSFT_ADOPermissionGroup.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroup/MSFT_ADOPermissionGroup.psm1 index 1af5a2f77b..ea47dd6dec 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroup/MSFT_ADOPermissionGroup.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroup/MSFT_ADOPermissionGroup.psm1 @@ -457,7 +457,6 @@ function Export-TargetResource $AccessTokens ) - ##TODO - Replace workload $ConnectionMode = New-M365DSCConnection -Workload 'AzureDevOPS' ` -InboundParameters $PSBoundParameters 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/MSFT_AzureBillingAccountsAssociatedTenant.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/MSFT_AzureBillingAccountsAssociatedTenant.psm1 new file mode 100644 index 0000000000..c769d49b29 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/MSFT_AzureBillingAccountsAssociatedTenant.psm1 
@@ -0,0 +1,434 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccount, + + [Parameter(Mandatory = $true)] + [System.String] + $AssociatedTenantId, + + [Parameter()] + [System.String] + $BillingManagementState, + + [Parameter()] + [System.String] + $ProvisioningManagementState, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $accounts = Get-M365DSCAzureBillingAccount + $currentAccount = $accounts.value | Where-Object -FilterScript {$_.properties.displayName -eq $BillingAccount} + + if ($null -ne $currentAccount) + { + $instances = Get-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $currentAccount.Name -ErrorAction Stop + $instance = $instances.value | Where-Object -FilterScript {$_.properties.displayName -eq $DisplayName} + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + BillingAccount = $BillingAccount + DisplayName = $DisplayName + AssociatedTenantId = $instance.properties.tenantId + BillingManagementState = $instance.properties.billingManagementState + ProvisioningManagementState = $instance.properties.provisioningManagementState + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccount, + + [Parameter(Mandatory = $true)] + [System.String] + 
$AssociatedTenantId, + + [Parameter()] + [System.String] + $BillingManagementState, + + [Parameter()] + [System.String] + $ProvisioningManagementState, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $billingAccounts = Get-M365DSCAzureBillingAccount + $account = $billingAccounts.value | Where-Object -FilterScript {$_.properties.displayName -eq $BillingAccount} + + $instanceParams = @{ + properties = @{ + displayName = $DisplayName + tenantId = $AssociatedTenantId + billingManagementState = $BillingManagementState + provisioningManagementState = $ProvisioningManagementState + } + } + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Adding associated tenant {$AssociatedTenantId}" + New-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $account.Name ` + -AssociatedTenantId $AssociatedTenantId ` + -Body $instanceParams + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating associated tenant {$AssociatedTenantId}" + 
New-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $account.Name ` + -AssociatedTenantId $AssociatedTenantId ` + -Body $instanceParams + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing associated tenant {$AssociatedTenantId}" + Remove-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $account.Name ` + -AssociatedTenantId $AssociatedTenantId + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccount, + + [Parameter(Mandatory = $true)] + [System.String] + $AssociatedTenantId, + + [Parameter()] + [System.String] + $BillingManagementState, + + [Parameter()] + [System.String] + $ProvisioningManagementState, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + + #Get all billing account + $accounts = Get-M365DSCAzureBillingAccount + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + [array] $Script:exportedInstances = @() + foreach ($config in $accounts.value) + { + $displayedKey = $config.properties.displayName + Write-Host " |---[$i/$($accounts.Count)] $displayedKey" + + $associatedTenants += Get-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $config.name + + $j = 1 + foreach ($associatedTenant in $associatedTenants.value) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + Write-Host " |---[$j/$($associatedTenants.value.Length)] $($associatedTenant.properties.DisplayName)" -NoNewline + $params = @{ + BillingAccount = $config.properties.displayName + DisplayName = $associatedTenant.properties.displayName + AssociatedTenantId = $associatedTenant.properties.tenantId + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential 
$Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $j++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + $i++ + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/MSFT_AzureBillingAccountsAssociatedTenant.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/MSFT_AzureBillingAccountsAssociatedTenant.schema.mof new file mode 100644 index 0000000000..d5a700ae3c --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/MSFT_AzureBillingAccountsAssociatedTenant.schema.mof 
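Review bot: In `Export-TargetResource` of `MSFT_AzureBillingAccountsAssociatedTenant.psm1`, `$associatedTenants += Get-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $config.name` appends to a variable that is never initialised or reset per billing account. From the second account on, depending on what the helper returns (not visible here), the addition either fails or the inner loop walks tenants fetched for an earlier account and exports them under the wrong `BillingAccount`; a plain `=` keeps each iteration scoped to its own account. In `Set-TargetResource`, `$account` comes from a display-name filter and `$account.Name` is used in all three branches without a null check, so a mistyped `BillingAccount` passes a null account id to the create or remove helper. I would add `if ($null -eq $account) { throw "Billing account {$BillingAccount} not found" }` before the CREATE branch. The progress line also reads `$accounts.Count` while the loop runs over `$accounts.value`.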
@@ -0,0 +1,17 @@
+[ClassVersion("1.0.0.0"), FriendlyName("AzureBillingAccountsAssociatedTenant")]
+class MSFT_AzureBillingAccountsAssociatedTenant : OMI_BaseResource
+{
+ [Key, Description("The ID that uniquely identifies a tenant.")] String AssociatedTenantId;
+ [Write, Description("The name of the associated tenant.")] String DisplayName;
+ [Write, Description("Name of the billing account.")] String BillingAccount;
+ [Write, Description("The state determines whether users from the associated tenant can be assigned roles for commerce activities like viewing and downloading invoices, managing payments, and making purchases.")] String BillingManagementState;
+ [Write, Description("The state determines whether subscriptions and licenses can be provisioned in the associated tenant. It can be set to 'Pending' to initiate a billing request.")] String ProvisioningManagementState;
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/readme.md
new file mode 100644
index 0000000000..c1162d9567
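Review bot: `MSFT_AzureBillingAccountsAssociatedTenant.schema.mof` marks only `AssociatedTenantId` as `Key` and leaves `DisplayName` and `BillingAccount` as `Write`, but the module added in this commit declares all three `Mandatory = $true` and locates the instance by `BillingAccount` and `DisplayName`. DSC expects mandatory Get/Set/Test parameters to be `Key` or `Required` in the schema, and with the tenant id as the only key one configuration cannot declare the same tenant under two billing accounts. I would make `BillingAccount` a second `Key` and `DisplayName` `Required`. `MSFT_AzureBillingAccountsRoleAssignment.schema.mof` has the same mismatch: `BillingAccount`, `PrincipalType` and `PrincipalTenantId` are `Write` there while mandatory in its module.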
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/readme.md
@@ -0,0 +1,6 @@
+
+# AzureBillingAccountsAssociatedTenant
+
+## Description
+
+Configures associated tenants to billing accounts in the Microsoft Admin Center.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/settings.json
new file mode 100644
index 0000000000..0b91a4be2d
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/settings.json
@@ -0,0 +1,20 @@
+{
+ "resourceName": "AzureBillingAccountsAssociatedTenant",
+ "description": "Configures associated tenants to billing accounts in the Microsoft Admin Center.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/MSFT_AzureBillingAccountsRoleAssignment.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/MSFT_AzureBillingAccountsRoleAssignment.psm1
new file mode 100644
index 0000000000..e94068b043
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/MSFT_AzureBillingAccountsRoleAssignment.psm1
@@ -0,0 +1,547 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccount, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalName, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalType, + + [Parameter(Mandatory = $true)] + [System.String] + $RoleDefinition, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalTenantId, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $accounts = Get-M365DSCAzureBillingAccount + $currentAccount = $accounts.value | Where-Object -FilterScript {$_.properties.displayName -eq $BillingAccount} + + if ($null -ne $currentAccount) + { + $instances = Get-M365DSCAzureBillingAccountsRoleAssignment -BillingAccountId $currentAccount.Name -ErrorAction Stop + $PrincipalIdValue = Get-M365DSCPrincipalIdFromName -PrincipalName $PrincipalName ` + -PrincipalType $PrincipalType + $instance = $instances.value | Where-Object -FilterScript {$_.properties.principalId -eq $PrincipalIdValue} + + if ($null -ne $instance) + { + $roleDefinitionId = $instance.properties.roleDefinitionId.Split('/') + $roleDefinitionId = $roleDefinitionId[$roleDefinitionId.Length -1] + $RoleDefinitionValue = Get-M365DSCAzureBillingAccountsRoleDefinition -BillingAccountId $currentAccount.Name ` + -RoleDefinitionId $roleDefinitionId + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + BillingAccount = $BillingAccount + PrincipalName = $PrincipalName + PrincipalType = $PrincipalType + PrincipalTenantId = $instance.properties.principalTenantId + RoleDefinition = $RoleDefinitionValue.properties.roleName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + 
-Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccount, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalName, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalType, + + [Parameter(Mandatory = $true)] + [System.String] + $RoleDefinition, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalTenantId, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $currentInstance = Get-TargetResource @PSBoundParameters + $billingAccounts = Get-M365DSCAzureBillingAccount + $account = $billingAccounts.value | Where-Object -FilterScript {$_.properties.displayName -eq $BillingAccount} + $PrincipalIdValue = Get-M365DSCPrincipalIdFromName -PrincipalName $PrincipalName ` + -PrincipalType $PrincipalType + $RoleDefinitionValues = Get-M365DSCAzureBillingAccountsRoleDefinition -BillingAccountId $account.Name + $roleDefinitionInstance = $RoleDefinitionValues.value | Where-Object -FilterScript {$_.properties.roleName -eq $currentInstance.RoleDefinition} + $instanceParams = @{ + principalId = $PrincipalIdValue + principalTenantId = $currentInstance.PrincipalTenantId + roleDefinitionId = $roleDefinitionInstance.id + } + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Adding new role assignment for user {$PrincipalName} for role {$RoleDefinition}" + New-M365DSCAzureBillingAccountsRoleAssignment -BillingAccountId $account.Name ` + -Body $instanceParams + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating role assignment for user {$PrincipalName} for role {$RoleDefinition}" + New-M365DSCAzureBillingAccountsRoleAssignment -BillingAccountId $account.Name ` + -Body $instanceParams + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + $instances = Get-M365DSCAzureBillingAccountsRoleAssignment -BillingAccountId $account.Name -ErrorAction Stop + $instance 
= $instances.value | Where-Object -FilterScript {$_.properties.principalId -eq $PrincipalIdValue} + $AssignmentId = $instance.Id.Split('/') + $AssignmentId = $AssignmentId[$roleDefinitionId.Length -1] + Write-Verbose -Message "Removing role assignment for user {$PrincipalName} for role {$RoleDefinition}" + Remove-M365DSCAzureBillingAccountsRoleAssignment -BillingAccountId $account.Name ` + -AssignmentId $AssignmentId + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $BillingAccount, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalName, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalType, + + [Parameter(Mandatory = $true)] + [System.String] + $RoleDefinition, + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalTenantId, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + + #Get all billing account + $accounts = Get-M365DSCAzureBillingAccount + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $accounts.value) + { + $displayedKey = $config.properties.displayName + Write-Host " |---[$i/$($accounts.Count)] $displayedKey" + + $assignments = Get-M365DSCAzureBillingAccountsRoleAssignment -BillingAccountId $config.name + + $j = 1 + foreach ($assignment in $assignments.value) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $PrincipalNameValue = Get-M365DSCPrincipalNameFromId -PrincipalId $assignment.properties.principalId ` + -PrincipalType $assignment.properties.principalType + $roleDefinitionId = $assignment.properties.roleDefinitionId.Split('/') + $roleDefinitionId = $roleDefinitionId[$roleDefinitionId.Length -1] + + Write-Host " |---[$j/$($assignments.value.Length)] $($assignment.properties.principalId)" -NoNewline + $params = @{ + BillingAccount = $config.properties.displayName + PrincipalName = $PrincipalNameValue + PrincipalType = $assignment.properties.principalType + PrincipalTenantId = $assignment.properties.principalTenantId + RoleDefinition = "AnyRole" + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results 
= Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $j++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + $i++ + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-M365DSCPrincipalNameFromId +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalId, + + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalType + ) + + $result = $null + if ($PrincipalType -eq 'User') + { + $userInfo = Get-MgUser -UserId $PrincipalId + if ($null -ne $userInfo) + { + $result = $userInfo.UserPrincipalName + } + } + elseif ($PrincipalType -eq 'ServicePrincipal') + { + $spnInfo = Get-MgServicePrincipal -ServicePrincipalId $PrincipalId + if ($null -ne $spnInfo) + { + $result = $spnInfo.DisplayName + } + } + elseif ($PrincipalType -eq 'Group') + { + $groupInfo = Get-MgGroup -GroupId $PrincipalId + if ($null -ne $groupInfo) + { + $result = $groupInfo.DisplayName + } + } + return $result +} + +function Get-M365DSCPrincipalIdFromName +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalName, + + + [Parameter(Mandatory = $true)] + [System.String] + $PrincipalType + ) + + $result = $null + if ($PrincipalType -eq 'User') + { + $userInfo = Get-MgUser -Filter "UserPrincipalName eq '$PrincipalName'" + if ($null -ne $userInfo) + { + 
$result = $userInfo.Id + } + } + elseif ($PrincipalType -eq 'ServicePrincipal') + { + $spnInfo = Get-MgServicePrincipal -Filter "DisplayName eq '$PrincipalName'" + if ($null -ne $spnInfo) + { + $result = $spnInfo.Id + } + } + elseif ($PrincipalType -eq 'Group') + { + $groupInfo = Get-MgGroup -Filter "DisplayName eq '$PrincipalName'" + if ($null -ne $groupInfo) + { + $result = $groupInfo.Id + } + } + return $result +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/MSFT_AzureBillingAccountsRoleAssignment.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/MSFT_AzureBillingAccountsRoleAssignment.schema.mof new file mode 100644 index 0000000000..f58dbe74f1 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/MSFT_AzureBillingAccountsRoleAssignment.schema.mof 
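Review bot: `Set-TargetResource` in `MSFT_AzureBillingAccountsRoleAssignment.psm1` builds the request from the current state instead of the desired one: the role lookup filters on `$currentInstance.RoleDefinition` and the body uses `$currentInstance.PrincipalTenantId`, so in the UPDATE branch the existing role is submitted again and the declared `$RoleDefinition` never reaches the API. Filtering on `$RoleDefinition` and sending `$PrincipalTenantId` fixes that. In the REMOVE branch, `$AssignmentId[$roleDefinitionId.Length -1]` indexes with a variable that is never assigned in this function; `$AssignmentId = $instance.Id.Split('/')[-1]` states what is meant. That branch and `Get-TargetResource` both select the assignment by `principalId` alone, so a principal holding several roles on the account yields more than one match and the removal is not tied to the declared role; matching on the role definition id as well would close that. `Get-M365DSCPrincipalIdFromName` resolves groups and service principals by `DisplayName`, which is not unique, so I would fail when the lookup returns more than one object rather than pass an ambiguous id into a billing role assignment.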
@@ -0,0 +1,17 @@
+[ClassVersion("1.0.0.0"), FriendlyName("AzureBillingaccountsRoleAssignment")]
+class MSFT_AzureBillingaccountsRoleAssignment : OMI_BaseResource
+{
+ [Key, Description("Name of the principal associated to the role assignment.")] String PrincipalName;
+ [Key, Description("Name of the role assigned to the principal.")] String RoleDefinition;
+ [Write, Description("Principal type. Can be User, Group or ServicePrincipal.")] String PrincipalType;
+ [Write, Description("Name of the billing account.")] String BillingAccount;
+ [Write, Description("The principal tenant id of the user to whom the role was assigned.")] String PrincipalTenantId;
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/readme.md
new file mode 100644
index 0000000000..db4e49895b
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/readme.md
@@ -0,0 +1,6 @@
+
+# AzureBillingaccountsRoleAssignment
+
+## Description
+
+Manages roles on billing accounts.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/settings.json
new file mode 100644
index 0000000000..bd7e79a40f
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsRoleAssignment/settings.json
@@ -0,0 +1,20 @@
+{
+ "resourceName": "AzureBillingaccountsRoleAssignment",
+ "description": "Manages roles on billing accounts.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettings/MSFT_AzureDiagnosticSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettings/MSFT_AzureDiagnosticSettings.psm1
new file mode 100644
index 0000000000..80feadcbc8
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettings/MSFT_AzureDiagnosticSettings.psm1
@@ -0,0 +1,535 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $StorageAccountId, + + [Parameter()] + [System.String] + $ServiceBusRuleId, + + [Parameter()] + [System.String] + $EventHubAuthorizationRuleId, + + [Parameter()] + [System.String] + $EventHubName, + + [Parameter()] + [System.String] + $WorkspaceId, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.name -eq $Name} + } + else + { + $response = Invoke-AzRest -Uri 'https://management.azure.com/providers/microsoft.aadiam/diagnosticsettings?api-version=2017-04-01-preview' ` + -Method Get + $instances = (ConvertFrom-Json $response.Content).value + $instance = $instances | Where-Object -FilterScript {$_.name -eq $Name} + } + if ($null -eq $instance) + { + return $nullResult + } + + $CategoriesValue = @() + foreach ($category in $instance.properties.logs) + { + $CategoriesValue += @{ + category = $category.category + enabled = $category.enabled + } + } + + $results = @{ + Name = $instance.Name + StorageAccountId = $instance.properties.storageAccountId + ServiceBusRuleId = $instance.properties.serviceBusRuleId + EventHubAuthorizationRuleId = $instance.properties.eventHubAuthorizationRuleId + EventHubName = $instance.properties.eventHubName + WorkspaceId = $instance.properties.workspaceId + Categories = $CategoriesValue + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential 
$Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $StorageAccountId, + + [Parameter()] + [System.String] + $ServiceBusRuleId, + + [Parameter()] + [System.String] + $EventHubAuthorizationRuleId, + + [Parameter()] + [System.String] + $EventHubName, + + [Parameter()] + [System.String] + $WorkspaceId, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $instanceParams = @{ + name = $Name + properties = @{ + logs = @() + } + } + + foreach ($category in $Categories) + { + $instanceParams.properties.logs += @{ + category = $category.category + enabled = $category.enabled + } + } + + if (-not [System.String]::IsNullOrEmpty($StorageAccountId)) + { + $instanceParams.properties.Add('storageAccountId', $StorageAccountId) + } + if (-not [System.String]::IsNullOrEmpty($WorkspaceId)) + { + $instanceParams.properties.Add('workspaceId', $WorkspaceId) + } + if (-not [System.String]::IsNullOrEmpty($ServiceBusRuleId)) + { + $instanceParams.properties.Add('eventHubName', $EventHubName) + } + if (-not [System.String]::IsNullOrEmpty($EventHubName)) + { + $instanceParams.properties.Add('workspaceId', $WorkspaceId) + } + if (-not [System.String]::IsNullOrEmpty($EventHubAuthorizationRuleId)) + { + $instanceParams.properties.Add('eventHubAuthorizationRuleId', $EventHubAuthorizationRuleId) + } + $payload = ConvertTo-Json $instanceParams -Depth 10 -Compress + + # CREATE/UPDATE + if ($Ensure -eq 'Present') + { + if ($currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new diagnostic setting {$Name}" + } + else + { + Write-Verbose -Message "Updating diagnostic setting {$Name}" + } + $response = Invoke-AzRest -Uri "https://management.azure.com/providers/microsoft.aadiam/diagnosticsettings/$($Name)?api-version=2017-04-01-preview" ` + -Method PUT ` + -Payload $payload + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing diagnostic 
setting {$Name}" + $response = Invoke-AzRest -Uri "https://management.azure.com/providers/microsoft.aadiam/diagnosticsettings/$($Name)?api-version=2017-04-01-preview" ` + -Method DELETE + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $StorageAccountId, + + [Parameter()] + [System.String] + $ServiceBusRuleId, + + [Parameter()] + [System.String] + $EventHubAuthorizationRuleId, + + [Parameter()] + [System.String] + $EventHubName, + + [Parameter()] + [System.String] + $WorkspaceId, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = 
New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + $response = Invoke-AzRest -Uri 'https://management.azure.com/providers/microsoft.aadiam/diagnosticsettings?api-version=2017-04-01-preview' ` + -Method Get + [array] $Script:exportedInstances = (ConvertFrom-Json $response.Content).value + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Name + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Name = $config.Name + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.Categories) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Categories -CIMInstanceName AzureDiagnosticSettingsCategory + if ($complexTypeStringResult) + { + $Results.Categories = $complexTypeStringResult + } + else + { + $Results.Remove('Categories') | Out-Null + } + } + + 
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.Categories) + { + $isCIMArray = $false + if ($Results.Categories.getType().Fullname -like '*[[\]]') + { + $isCIMArray = $true + } + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Categories' -IsCIMArray:$isCIMArray + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettings/MSFT_AzureDiagnosticSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettings/MSFT_AzureDiagnosticSettings.schema.mof new file mode 100644 index 0000000000..e5682180bd --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettings/MSFT_AzureDiagnosticSettings.schema.mof 
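Review bot: In `Set-TargetResource` two of the destination guards add the wrong property: the `$ServiceBusRuleId` check adds `eventHubName`, and the `$EventHubName` check adds `workspaceId` a second time. As written `serviceBusRuleId` is never sent, `eventHubName` is sent only when a service bus rule is set, and a configuration that supplies both `WorkspaceId` and `EventHubName` hits a duplicate-key error from `Hashtable.Add`, so the log destination that ends up configured can differ from the declared one. The bodies should read `$instanceParams.properties.Add('serviceBusRuleId', $ServiceBusRuleId)` and `$instanceParams.properties.Add('eventHubName', $EventHubName)`. The same two blocks are repeated in `Set-TargetResource` of MSFT_AzureDiagnosticSettingsCustomSecurityAttribute.psm1 further down.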
@@ -0,0 +1,25 @@
+[ClassVersion("1.0.0")]
+class MSFT_AzureDiagnosticSettingsCategory
+{
+ [Write, Description("Name of the category.")] String Category;
+ [Write, Description("Is the log category enabled or not.")] Boolean enabled;
+};
+[ClassVersion("1.0.0.0"), FriendlyName("AzureDiagnosticSettings")]
+class MSFT_AzureDiagnosticSettings : OMI_BaseResource
+{
+ [Key, Description("Diagnostic setting name.")] String Name;
+ [Write, Description("List of log categories."), EmbeddedInstance("MSFT_AzureDiagnosticSettingsCategory")] String Categories[];
+ [Write, Description("Storage account id.")] String StorageAccountId;
+ [Write, Description("Service bus id.")] String ServiceBusRuleId;
+ [Write, Description("Event hub id.")] String EventHubAuthorizationRuleId;
+ [Write, Description("Event hub name.")] String EventHubName;
+ [Write, Description("Workspace id.")] String WorkspaceId;
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettings/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettings/readme.md
new file mode 100644
index 0000000000..ee9ed59bc1
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettings/readme.md
@@ -0,0 +1,10 @@
+# AzureDiagnosticSettings
+
+## Description
+
+Configures Diagnostics settings in Azure.
+
+Users will need to grant permissions to the associated scope by running the following command in Azure Cloud Shell:
+```Powershell
+New-AzRoleAssignment -ObjectId "" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Contributor' -ObjectType 'ServicePrincipal'
+```
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettings/settings.json
new file mode 100644
index 0000000000..a511c3cb94
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettings/settings.json
@@ -0,0 +1,20 @@
+{
+ "resourceName": "AzureDiagnosticSettings",
+ "description": "Configures Diagnostics settings in Azure.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute.psm1
new file mode 100644
index 0000000000..6c98d19639
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute.psm1
@@ -0,0 +1,536 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $StorageAccountId, + + [Parameter()] + [System.String] + $ServiceBusRuleId, + + [Parameter()] + [System.String] + $EventHubAuthorizationRuleId, + + [Parameter()] + [System.String] + $EventHubName, + + [Parameter()] + [System.String] + $WorkspaceId, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.name -eq $Name} + } + else + { + $response = Invoke-AzRest -Uri 'https://management.azure.com/providers/microsoft.AadCustomSecurityAttributesDiagnosticSettings/diagnosticsettings?api-version=2017-04-01-preview' ` + -Method Get + $instances = (ConvertFrom-Json $response.Content).value + $instance = $instances | Where-Object -FilterScript {$_.name -eq $Name} + } + if ($null -eq $instance) + { + return $nullResult + } + + $CategoriesValue = @() + foreach ($category in $instance.properties.logs) + { + $CategoriesValue += @{ + category = $category.category + enabled = $category.enabled + } + } + + $results = @{ + Name = $instance.Name + StorageAccountId = $instance.properties.storageAccountId + ServiceBusRuleId = $instance.properties.serviceBusRuleId + EventHubAuthorizationRuleId = $instance.properties.eventHubAuthorizationRuleId + EventHubName = $instance.properties.eventHubName + WorkspaceId = $instance.properties.workspaceId + Categories = $CategoriesValue + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` 
+ -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $StorageAccountId, + + [Parameter()] + [System.String] + $ServiceBusRuleId, + + [Parameter()] + [System.String] + $EventHubAuthorizationRuleId, + + [Parameter()] + [System.String] + $EventHubName, + + [Parameter()] + [System.String] + $WorkspaceId, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $instanceParams = @{ + name = $Name + properties = @{ + logs = @() + } + } + + foreach ($category in $Categories) + { + $instanceParams.properties.logs += @{ + category = $category.category + enabled = $category.enabled + } + } + + if (-not [System.String]::IsNullOrEmpty($StorageAccountId)) + { + $instanceParams.properties.Add('storageAccountId', $StorageAccountId) + } + if (-not [System.String]::IsNullOrEmpty($WorkspaceId)) + { + $instanceParams.properties.Add('workspaceId', $WorkspaceId) + } + if (-not [System.String]::IsNullOrEmpty($ServiceBusRuleId)) + { + $instanceParams.properties.Add('eventHubName', $EventHubName) + } + if (-not [System.String]::IsNullOrEmpty($EventHubName)) + { + $instanceParams.properties.Add('workspaceId', $WorkspaceId) + } + if (-not [System.String]::IsNullOrEmpty($EventHubAuthorizationRuleId)) + { + $instanceParams.properties.Add('eventHubAuthorizationRuleId', $EventHubAuthorizationRuleId) + } + $payload = ConvertTo-Json $instanceParams -Depth 10 -Compress + + # CREATE/UPDATE + if ($Ensure -eq 'Present') + { + if ($currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new diagnostic setting {$Name}" + } + else + { + Write-Verbose -Message "Updating diagnostic setting {$Name}" + } + $response = Invoke-AzRest -Uri "https://management.azure.com/providers/microsoft.AadCustomSecurityAttributesDiagnosticSettings/diagnosticsettings/$($Name)?api-version=2017-04-01-preview" ` + -Method PUT ` + -Payload $payload + Write-Verbose -Message "RESPONSE: $($response.Content)" + } + # REMOVE + elseif ($Ensure -eq 
'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing diagnostic setting {$Name}" + $response = Invoke-AzRest -Uri "https://management.azure.com/providers/microsoft.AadCustomSecurityAttributesDiagnosticSettings/diagnosticsettings/$($Name)?api-version=2017-04-01-preview" ` + -Method DELETE + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $StorageAccountId, + + [Parameter()] + [System.String] + $ServiceBusRuleId, + + [Parameter()] + [System.String] + $EventHubAuthorizationRuleId, + + [Parameter()] + [System.String] + $EventHubName, + + [Parameter()] + [System.String] + $WorkspaceId, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = 
New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + $response = Invoke-AzRest -Uri 'https://management.azure.com/providers/microsoft.AadCustomSecurityAttributesDiagnosticSettings/diagnosticsettings?api-version=2017-04-01-preview' ` + -Method Get + [array] $Script:exportedInstances = (ConvertFrom-Json $response.Content).value + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Name + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Name = $config.Name + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.Categories) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Categories -CIMInstanceName AzureDiagnosticSettingsCustomSecurityAttributeCategory + if ($complexTypeStringResult) + { + $Results.Categories = $complexTypeStringResult + } + else 
+ { + $Results.Remove('Categories') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.Categories) + { + $isCIMArray = $false + if ($Results.Categories.getType().Fullname -like '*[[\]]') + { + $isCIMArray = $true + } + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Categories' -IsCIMArray:$isCIMArray + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute.schema.mof new file mode 100644 index 0000000000..37cad1decf --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute.schema.mof 
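Review bot: Neither `Invoke-AzRest` call in `Set-TargetResource` checks its result: the PUT response is only written to the verbose stream and the DELETE response is discarded. If the call returns an error status instead of throwing (for example when the service principal lacks the role assignment the readme describes), the resource would report success while the diagnostic setting is unchanged; this is inferred, since the helper's behaviour is not shown in the hunk. Consider a check after each call such as `if ($response.StatusCode -ge 400) { throw "Diagnostic setting {$Name}: $($response.Content)" }`. `Set-TargetResource` in MSFT_AzureDiagnosticSettings.psm1 above has the same shape.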
@@ -0,0 +1,25 @@
+[ClassVersion("1.0.0")]
+class MSFT_AzureDiagnosticSettingsCustomSecurityAttributeCategory
+{
+ [Write, Description("Name of the category.")] String Category;
+ [Write, Description("Is the log category enabled or not.")] Boolean enabled;
+};
+[ClassVersion("1.0.0.0"), FriendlyName("AzureDiagnosticSettingsCustomSecurityAttribute")]
+class MSFT_AzureDiagnosticSettingsCustomSecurityAttribute : OMI_BaseResource
+{
+ [Key, Description("Diagnostic setting name.")] String Name;
+ [Write, Description("List of log categories."), EmbeddedInstance("MSFT_AzureDiagnosticSettingsCustomSecurityAttributeCategory")] String Categories[];
+ [Write, Description("Storage account id.")] String StorageAccountId;
+ [Write, Description("Service bus id.")] String ServiceBusRuleId;
+ [Write, Description("Event hub id.")] String EventHubAuthorizationRuleId;
+ [Write, Description("Event hub name.")] String EventHubName;
+ [Write, Description("Workspace id.")] String WorkspaceId;
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute/readme.md
new file mode 100644
index 0000000000..9d6b7bc584
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute/readme.md
@@ -0,0 +1,10 @@
+# AzureDiagnosticSettingsCustomSecurityAttribute
+
+## Description
+
+Configures Diagnostics settings custom security attributes in Azure.
+
+Users will need to grant permissions to the associated scope by running the following command in Azure Cloud Shell:
+```Powershell
+New-AzRoleAssignment -ObjectId "" -Scope "/providers/microsoft.AadCustomSecurityAttributesDiagnosticSettings" -RoleDefinitionName 'Contributor' -ObjectType 'ServicePrincipal'
+```
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute/settings.json
new file mode 100644
index 0000000000..ac66273d69
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureDiagnosticSettingsCustomSecurityAttribute/settings.json
@@ -0,0 +1,20 @@
+{
+ "resourceName": "AzureDiagnosticSettingsCustomSecurityAttribute",
+ "description": "Configures Diagnostics settings custom security attributes in Azure.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1
index d3076e1a9c..8683cb40b8 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.psm1 @@ -6,15 +6,19 @@ function Get-TargetResource ( [Parameter(Mandatory = $true)] [System.String] - $Name, + $DisplayName, [Parameter()] [System.String] $Id, + [Parameter(Mandatory = $true)] + [System.String] + $InvoiceSectionId, + [Parameter()] - [System.Boolean] - $Enabled, + [System.String] + $Status, [Parameter()] [ValidateSet('Present', 'Absent')] @@ -69,22 +73,28 @@ function Get-TargetResource { if (-not [System.String]::IsNullOrEmpty($Id)) { - $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Id} } elseif ($null -eq $instance -and -not [System.String]::IsNullOrEmpty($Name)) { - $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name} + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.properties.displayName -eq $DisplayName -and ` + $_.properties.invoiceSectionId -eq $InvoiceSectionId} } } else { if (-not [System.String]::IsNullOrEmpty($Id)) { - $instance = Get-AzSubscription -SubscriptionId $Id + $uri = "https://management.azure.com$($InvoiceSectionId)/billingSubscriptions/$($Id)?api-version=2024-04-01" + $response = Invoke-AzRest -Uri $uri -Method Get + $instance = (ConvertFrom-Json $response.Content).value } - elseif ($null -eq $instance -and -not [System.String]::IsNullOrEmpty($Name)) + elseif ($null -eq $instance -and -not [System.String]::IsNullOrEmpty($DisplayName)) { - $instance = Get-AzSubscription -SubscriptionName $Name + $uri = "https://management.azure.com$($InvoiceSectionId)/billingSubscriptions?api-version=2024-04-01" + $response = Invoke-AzRest -Uri $uri -Method Get + $instances = (ConvertFrom-Json $response.Content).value + $instance = $instances | Where-Object -FilterScript {$_.properties.displayName -eq $DisplayName} } } if ($null -eq $instance) 
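Review bot: The export-mode `elseif` in the `@@ -69,22 +73,28 @@` hunk still tests `$Name`, which is no longer a parameter after the rename in the first hunk, so unless a caller scope happens to define `$Name` the `displayName`/`invoiceSectionId` lookup added beneath it is skipped. The guard should match the non-export branch: `elseif ($null -eq $instance -and -not [System.String]::IsNullOrEmpty($DisplayName))`. In the by-Id branch the single-subscription GET is read through `.value`; that endpoint presumably returns the object itself rather than a list, in which case `$instance` stays `$null`, which is worth confirming. `$InvoiceSectionId` is also appended directly after the host name in both URIs, so it should be validated to start with `/providers/Microsoft.Billing/` before the request is built. The body of `Get-TargetResource` starts and ends outside this hunk.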
@@ -93,9 +103,10 @@ function Get-TargetResource } $results = @{ - Name = $instance.Name - Id = $instance.Id - Enabled = $instance.Enabled + DisplayName = $instance.properties.displayName + Id = $instance.name + InvoiceSectionId = $instance.properties.invoiceSectionId + Status = $instance.properties.status Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId @@ -126,15 +137,19 @@ function Set-TargetResource ( [Parameter(Mandatory = $true)] [System.String] - $Name, + $DisplayName, [Parameter()] [System.String] $Id, + [Parameter(Mandatory = $true)] + [System.String] + $InvoiceSectionId, + [Parameter()] - [System.Boolean] - $Enabled, + [System.String] + $Status, [Parameter()] [ValidateSet('Present', 'Absent')] @@ -183,17 +198,30 @@ function Set-TargetResource # CREATE if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { - throw "This resource cannot create new Azure subscriptions." + $uri = "https://management.azure.com/providers/Microsoft.Subscription/aliases/$((New-GUID).ToString())?api-version=2021-10-01" + $params = @{ + properties = @{ + billingScope = $InvoiceSectionId + DisplayName = $DisplayName + Workload = "Production" + } + } + $payload = ConvertTo-Json $params -Depth 10 -Compress + Write-Verbose -Message "Creating new subscription {$DisplayName} with payload:`r`n$payload" + $response = Invoke-AzRest -Uri $uri -Method PUT -Payload $payload + Write-Verbose -Message "Result: $($response.Content)" } # UPDATE elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { - if ($Enabled) + if ($Status -eq 'Active') { + Write-Verbose -Message "Enabling subscription {$Name}" Enable-AzSubscription -Id $currentInstance.Id | Out-Null } elseif (-not $Enabled) { + Write-Verbose -Message "Disabling subscription {$Name}" Disable-AzSubscription -Id $currentInstance.Id | Out-Null } } 
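Review bot: In Set-TargetResource's UPDATE branch the second arm is still `elseif (-not $Enabled)`, but `$Enabled` was removed from the parameter block, so the test is always true and every run whose `$Status` is not exactly 'Active' (including a configuration that omits Status) calls Disable-AzSubscription. Gate it on an explicit request, e.g. `elseif ($PSBoundParameters.ContainsKey('Status') -and $Status -ne 'Active')`, or better on the specific status value that should mean disabled, which this hunk does not show. The two new Write-Verbose lines print `{$Name}`, which is likewise gone; use `{$DisplayName}`. The CREATE path also never inspects `$response.StatusCode`, so a rejected alias PUT is treated as success.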
@@ -212,15 +240,19 @@ function Test-TargetResource ( [Parameter(Mandatory = $true)] [System.String] - $Name, + $DisplayName, [Parameter()] [System.String] $Id, + [Parameter(Mandatory = $true)] + [System.String] + $InvoiceSectionId, + [Parameter()] - [System.Boolean] - $Enabled, + [System.String] + $Status, [Parameter()] [ValidateSet('Present', 'Absent')] @@ -315,8 +347,7 @@ function Export-TargetResource $AccessTokens ) - ##TODO - Replace workload - $ConnectionMode = New-M365DSCConnection -Workload 'Workload' ` + $ConnectionMode = New-M365DSCConnection -Workload 'Azure' ` -InboundParameters $PSBoundParameters #Ensure the proper dependencies are installed in the current environment. 
@@ -334,47 +365,70 @@ function Export-TargetResource try { $Script:ExportMode = $true - [array] $Script:exportedInstances = Get-AzSubscription -ErrorAction Stop - $i = 1 - $dscContent = '' - if ($Script:exportedInstances.Length -eq 0) - { - Write-Host $Global:M365DSCEmojiGreenCheckMark - } - else - { - Write-Host "`r`n" -NoNewline - } - foreach ($config in $Script:exportedInstances) + $uri = 'https://management.azure.com/providers/Microsoft.Billing/billingaccounts/?api-version=2020-05-01' + $response = Invoke-AzRest -Uri $uri -Method Get + $billingAccounts = (ConvertFrom-Json $response.Content).value + + foreach ($billingAccount in $billingAccounts) { - $displayedKey = $config.Name - Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline - $params = @{ - Name = $config.Name - Id = $config.Id - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint - ManagedIdentity = $ManagedIdentity.IsPresent - AccessTokens = $AccessTokens - } + $uri = "https://management.azure.com/providers/Microsoft.Billing/billingaccounts/$($billingAccount.Name)/billingprofiles/?api-version=2020-05-01" + $response = Invoke-AzRest -Uri $uri -Method Get + $billingProfiles = (ConvertFrom-Json $response.Content).value - $Results = Get-TargetResource @Params - $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` - -Results $Results - - $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` - -ConnectionMode $ConnectionMode ` - -ModulePath $PSScriptRoot ` - -Results $Results ` - -Credential $Credential - $dscContent += $currentDSCBlock - Save-M365DSCPartialExport -Content $currentDSCBlock ` - -FileName $Global:PartialExportFileName - $i++ - Write-Host $Global:M365DSCEmojiGreenCheckMark + foreach ($profile in $billingProfiles) + { + $uri = 
"https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($billingAccount.name)/billingProfiles/$($profile.name)/billingSubscriptions?api-version=2024-04-01" + $response = Invoke-AzRest -Uri $uri -Method Get + $subscriptions = (ConvertFrom-Json $response.Content).value + [array] $Script:exportedInstances += $subscriptions + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $subscriptions) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + $displayedKey = $config.properties.displayName + Write-Host " |---[$i/$($subscriptions.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $config.properties.displayName + Id = $config.Name + InvoiceSectionId = $config.properties.invoiceSectionId + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + } } return $dscContent } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof index 3d74c750c9..6087aa5fca 100644 
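Review bot: `$i = 1` and `$dscContent = ''` are initialised inside `foreach ($profile in $billingProfiles)`, so the string returned by Export-TargetResource holds only the blocks from the last billing profile processed, and is `$null` when there are no billing accounts. `$Script:exportedInstances` is only ever appended to with `+=` in this hunk, so a second export in the same session appears to keep stale subscriptions that Get-TargetResource then matches against. Move `$dscContent = ''` and `[array] $Script:exportedInstances = @()` above `foreach ($billingAccount in $billingAccounts)`. The loop variable `$profile` also collides with PowerShell's automatic `$PROFILE` variable, since names are case-insensitive; `$billingProfile` would avoid that. The function's catch block lies outside the hunk.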
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureSubscription/MSFT_AzureSubscription.schema.mof @@ -1,9 +1,10 @@ [ClassVersion("1.0.0.0"), FriendlyName("AzureSubscription")] class MSFT_AzureSubscription : OMI_BaseResource { - [Key, Description("The display name of the subscription.")] String Name; + [Key, Description("The display name of the subscription.")] String DisplayName; [Write, Description("The unique identifier of the subscription.")] String Id; - [Write, Description("Enables or disables the subscription")] Boolean Enabled; + [Write, Description("The unique identifier of the invoice section associated with the subscription.")] String InvoiceSectionId; + [Write, Description("Status of the subscription.")] String Status; [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present"}, Values{"Present"}] string Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/MSFT_AzureVerifiedIdFaceCheck.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/MSFT_AzureVerifiedIdFaceCheck.psm1 new file mode 100644 index 0000000000..4e9907eafa --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/MSFT_AzureVerifiedIdFaceCheck.psm1 
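Review bot: `InvoiceSectionId` is declared `[Write]` here, while the module's Get/Set/Test-TargetResource mark it `Mandatory = $true`, so a configuration that omits it compiles against the schema and then fails when the resource functions are invoked. Declaring it `[Required, Description("The unique identifier of the invoice section associated with the subscription.")] String InvoiceSectionId;` keeps the schema and the parameter blocks in agreement. The new `Status` description could also list the accepted values, since the code only compares against 'Active'.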
@@ -0,0 +1,437 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $VerifiedIdAuthorityId, + + [Parameter()] + [System.Boolean] + $FaceCheckEnabled, + + [Parameter()] + [System.String] + $VerifiedIdAuthorityLocation, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $resourceGroupInstance = Get-AzResourceGroup -Id "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)" -ErrorAction SilentlyContinue + if ($null -eq $resourceGroupInstance) + { + return $nullResult + } + + $uri = "https://management.azure.com/$($resourceGroupInstance.ResourceId)/providers/Microsoft.VerifiedId/authorities/$($VerifiedIdAuthorityId)?api-version=2024-01-26-preview" + $response = Invoke-AzRest -Uri $uri -Method Get + $authorities = ConvertFrom-Json $response.Content + + $EnabledValue = $false + if ($null -eq $authorities.error -and $null -ne $authorities.id) + { + $EnabledValue = $true + } + + $results = @{ + SubscriptionId = $SubscriptionId + ResourceGroupName = $ResourceGroupName + VerifiedIdAuthorityId = $VerifiedIdAuthorityId + VerifiedIdAuthorityLocation = $authorities.location + FaceCheckEnabled = $EnabledValue + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] 
+ [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $VerifiedIdAuthorityId, + + [Parameter()] + [System.Boolean] + $FaceCheckEnabled, + + [Parameter()] + [System.String] + $VerifiedIdAuthorityLocation, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + if ($FaceCheckEnabled) + { + Write-Verbose -Message "Enabling FaceCheck on Verified ID Authority {$($VerifiedIDAuthorityId)}" + $uri = "https://management.azure.com/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/providers/Microsoft.VerifiedId/authorities/$($VerifiedIdAuthorityId)?api-version=2024-01-26-preview" + $payload = '{"location": "' + $VerifiedIdAuthorityLocation + '"}' + $response = Invoke-AzRest -Uri $uri -Method Put -Payload $payload + } + else + { + Write-Verbose -Message "Disabling FaceCheck on Verified ID Authority {$($VerifiedIDAuthorityId)}" + $uri = 
"https://management.azure.com/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/providers/Microsoft.VerifiedId/authorities/$($VerifiedIdAuthorityId)?api-version=2024-01-26-preview" + $payload = '{"location": null}' + $response = Invoke-AzRest -Uri $uri -Method DELETE + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $VerifiedIdAuthorityId, + + [Parameter()] + [System.Boolean] + $FaceCheckEnabled, + + [Parameter()] + [System.String] + $VerifiedIdAuthorityLocation, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'AdminAPI' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $headers = @{ + Authorization = $Global:MSCloudLoginConnectionProfile.AdminAPI.AccessToken + } + $uri = 'https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities' + $response = Invoke-WebRequest -Uri $uri -Method Get -Headers $headers + $authorities = ConvertFrom-Json $response.Content + + $resourceGroups = Get-AzResourceGroup -ErrorAction Stop + $i = 1 + $dscContent = '' + if ($resourceGroups.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + $j = 1 + foreach ($resourceGroup in $resourceGroups) + { + $displayedKey = $resourceGroup.ResourceGroupName + Write-Host " |---[$j/$($resourceGroups.Length)] $displayedKey" -NoNewline + + if ($authorities.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + $i = 1 + foreach ($authority in $authorities.value) + { + $uri = "https://management.azure.com/$($resourceGroup.ResourceId)/providers/Microsoft.VerifiedId/authorities/$($authority.id)?api-version=2024-01-26-preview" + $response = Invoke-AzRest -Uri $uri -Method Get + $entries = ConvertFrom-Json $response.Content + + $Global:M365DSCExportResourceInstancesCount++ + + $displayedKey = $authority.name + Write-Host " |---[$i/$($authorities.value.Length)] $displayedKey" -NoNewline + + $SubscriptionId = $resourceGroup.ResourceId.Split('/') + $SubscriptionId = $SubscriptionId[2] + + $params = @{ + VerifiedIdAuthorityId = $authority.id + SubscriptionId = $SubscriptionId + ResourceGroupName = $resourceGroup.ResourceGroupName + Credential = $Credential + ApplicationId = 
$ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + $j++ + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/MSFT_AzureVerifiedIdFaceCheck.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/MSFT_AzureVerifiedIdFaceCheck.schema.mof new file mode 100644 index 0000000000..aaf9f6f876 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/MSFT_AzureVerifiedIdFaceCheck.schema.mof 
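Review bot: Set-TargetResource sends `Invoke-AzRest -Uri $uri -Method DELETE` against the authority whenever `$FaceCheckEnabled` is false, and an omitted `[System.Boolean]` parameter is false, so a configuration that never mentions FaceCheckEnabled still triggers the delete; `$Ensure` is not consulted either. The enable path builds its JSON by concatenating `$VerifiedIdAuthorityLocation` into a string, so a quote in that value changes the request body; serialising with `ConvertTo-Json` avoids that. Neither call looks at the response, so a rejected PUT or DELETE is reported as a successful Set. The sketch below covers only the branch after the connection is made and drops the unused `$payload = '{"location": null}'` assignment.

```powershell
    # … unchanged: dependency check, telemetry, New-M365DSCConnection …
    $uri = "https://management.azure.com/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/providers/Microsoft.VerifiedId/authorities/$($VerifiedIdAuthorityId)?api-version=2024-01-26-preview"
    $response = $null
    if ($FaceCheckEnabled)
    {
        # … unchanged: Write-Verbose "Enabling FaceCheck …" …
        # Serialize rather than concatenate so the location value cannot alter the body.
        $payload = ConvertTo-Json -InputObject @{ location = $VerifiedIdAuthorityLocation } -Compress
        $response = Invoke-AzRest -Uri $uri -Method Put -Payload $payload
    }
    elseif ($PSBoundParameters.ContainsKey('FaceCheckEnabled'))
    {
        # … unchanged: Write-Verbose "Disabling FaceCheck …" …
        # Delete only when the configuration explicitly sets FaceCheckEnabled to $false.
        $response = Invoke-AzRest -Uri $uri -Method DELETE
    }
    if ($null -ne $response -and $response.StatusCode -ge 400)
    {
        throw "Verified ID authority request failed with status $($response.StatusCode)."
    }
```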
@@ -0,0 +1,17 @@
+[ClassVersion("1.0.0.0"), FriendlyName("AzureVerifiedIdFaceCheck")]
+class MSFT_AzureVerifiedIdFaceCheck : OMI_BaseResource
+{
+ [Key, Description("Id of the Azure subscription.")] String SubscriptionId;
+ [Key, Description("Name of the associated resource group.")] String ResourceGroupName;
+ [Key, Description("Id of the verified ID authority.")] String VerifiedIdAuthorityId;
+ [Write, Description("Represents whether or not FaceCheck is enabled for the authrotiy.")] Boolean FaceCheckEnabled;
+ [Write, Description("Location of the Verified ID Authority.")] String VerifiedIdAuthorityLocation;
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/readme.md
new file mode 100644
index 0000000000..4c2750472f
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/readme.md
@@ -0,0 +1,6 @@
+
+# AzureVerifiedIdFaceCheck
+
+## Description
+
+Configures Azure Verified Id FaceCheck.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/settings.json
new file mode 100644
index 0000000000..84f791e02a
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AzureVerifiedIdFaceCheck/settings.json
@@ -0,0 +1,20 @@
+{
+ "resourceName": "AzureVerifiedIdFaceCheck",
+ "description": "Configures Azure Verified Id FaceCheck.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1
new file mode 100644
index 0000000000..54da575452
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.psm1
@@ -0,0 +1,646 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.UInt32] + $IntervalInHours, + + [Parameter()] + [System.String] + $Target, + + [Parameter()] + [System.Boolean] + $IsActive, + + [Parameter()] + [System.String] + $ScanType, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScannerAgent, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScanAuthenticationParams, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'DefenderForEndpoint' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.id -eq $Id} + } + if ($null -eq $instance) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.scanName -eq $Name} + } + } + else + { + $instances = (Invoke-M365DSCDefenderREST -Uri 'https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions' ` + -Method GET).value + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = $instances | Where-Object -FilterScript {$_.id -eq $Id} + } + if ($null -eq $instance) + { + $instance = $instances | Where-Object -FilterScript {$_.scanName -eq $Name} + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $ScannerAgentValue = $null + if ($null -ne $instance.scannerAgent) + { + $ScannerAgentValue = @{ + id = $instance.scannerAgent.id + machineId = $instance.scannerAgent.machineId + machineName = $instance.scannerAgent.machineName + } + } + + # This property cannot be retrieve, nor changed once set. 
+ $ScanAuthenticationParamsValue = $null + if ($null -ne $instance.scanAuthenticationParams) + { + $ScanAuthenticationParamsValue = @{ + DataType = $ScanAuthenticationParams.DataType + Type = $ScanAuthenticationParams.Type + KeyVaultUrl = $ScanAuthenticationParams.KeyVaultUrl + KeyVaultSecretName = $ScanAuthenticationParams.keyVaultSecretName + Domain = $ScanAuthenticationParams.Domain + Username = $ScanAuthenticationParams.Username + IsGMSAUser = $ScanAuthenticationParams.IsGMSAUser + CommunityString = $ScanAuthenticationParams.CommunityString + AuthProtocol = $ScanAuthenticationParams.AuthProtocol + AuthPassword = $ScanAuthenticationParams.AuthPassword + PrivProtocol = $ScanAuthenticationParams.PrivProtocol + PrivPassword = $ScanAuthenticationParams.PrivPassword + } + } + else + { + $ScanAuthenticationParamsValue = @{ + "@odata.context" = "#microsoft.windowsDefenderATP.api.SnmpAuthParams" + Type = "NoAuthNoPriv" + } + } + + $results = @{ + Name = $instance.scanName + Id = $instance.id + IntervalInHours = $instance.intervalInHours + Target = $instance.Target + IsActive = $instance.isActive + ScanType = $instance.scanType + ScannerAgent = $ScannerAgentValue + ScanAuthenticationParams = $ScanAuthenticationParamsValue + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.UInt32] + $IntervalInHours, + + 
[Parameter()] + [System.String] + $Target, + + [Parameter()] + [System.Boolean] + $IsActive, + + [Parameter()] + [System.String] + $ScanType, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScannerAgent, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScanAuthenticationParams, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $instanceParams = @{ + scanType = $ScanType + scanName = $Name + isActive = $IsActive + target = $Target + intervalInHours = $IntervalInHours + scannerAgent = @{ + machineName = $ScannerAgent.machineName + id = $ScannerAgent.id + } + targetType = 'Ip' + scanAuthenticationParams = @{ + "@odata.type" = $ScanAuthenticationParams.DataType + type = $ScanAuthenticationParams.Type + } + } + + if ($null -ne $ScanAuthenticationParams.KeyVaultUrl) + { + $instanceParams.scanAuthenticationParams.Add("keyVaultUrl", $ScanAuthenticationParams.KeyVaultUrl) + } + if ($null -ne $ScanAuthenticationParams.KeyVaultSecretName) + { + $instanceParams.scanAuthenticationParams.Add("keyVaultSecretName", 
$ScanAuthenticationParams.KeyVaultSecretName) + } + if ($null -ne $ScanAuthenticationParams.Domain) + { + $instanceParams.scanAuthenticationParams.Add("domain", $ScanAuthenticationParams.Domain) + } + if ($null -ne $ScanAuthenticationParams.Username) + { + $instanceParams.scanAuthenticationParams.Add("username", $ScanAuthenticationParams.Username) + } + if ($null -ne $ScanAuthenticationParams.IsGMSAUser) + { + $instanceParams.scanAuthenticationParams.Add("isGMSAUser", $ScanAuthenticationParams.IsGMSAUser) + } + if ($null -ne $ScanAuthenticationParams.CommunityString) + { + $instanceParams.scanAuthenticationParams.Add("communityString", $ScanAuthenticationParams.CommunityString) + } + if ($null -ne $ScanAuthenticationParams.AuthProtocol) + { + $instanceParams.scanAuthenticationParams.Add("authProtocol", $ScanAuthenticationParams.AuthProtocol) + } + if ($null -ne $ScanAuthenticationParams.AuthPassword) + { + $instanceParams.scanAuthenticationParams.Add("authPassword", $ScanAuthenticationParams.AuthPassword) + } + if ($null -ne $ScanAuthenticationParams.PrivProtocol) + { + $instanceParams.scanAuthenticationParams.Add("privProtocol", $ScanAuthenticationParams.PrivProtocol) + } + if ($null -ne $ScanAuthenticationParams.PrivPassword) + { + $instanceParams.scanAuthenticationParams.Add("privPassword", $ScanAuthenticationParams.PrivPassword) + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new device authenticated scan definition {$Name} with payload:`r`n$(ConvertTo-Json $instanceParams -Depth 10)" + $response = Invoke-M365DSCDefenderREST -Uri 'https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions' ` + -Method POST ` + -Body $instanceParams + Write-Verbose -Message "Response:`r`n$($response.Content)" + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating device authenticated scan definition {$Name} 
with payload:`r`n$(ConvertTo-Json $instanceParams -Depth 10)" + $response = Invoke-M365DSCDefenderREST -Uri "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/$($currentInstance.Id)" ` + -Method PATCH ` + -Body $instanceParams + Write-Verbose -Message "Response:`r`n$($response.Content)" + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + $instanceParams = @{ + ScanDefinitionIds = @($currentInstance.Id) + } + Write-Verbose -Message "Deleting device authenticated scan definition {$Name} with payload:`r`n$(ConvertTo-Json $instanceParams -Depth 10)" + $response = Invoke-M365DSCDefenderREST -Uri "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/BatchDelete" ` + -Method POST ` + -Body $instanceParams + Write-Verbose -Message "Response:`r`n$($response.Content)" + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.UInt32] + $IntervalInHours, + + [Parameter()] + [System.String] + $Target, + + [Parameter()] + [System.Boolean] + $IsActive, + + [Parameter()] + [System.String] + $ScanType, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScannerAgent, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ScanAuthenticationParams, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = $true + + # Once set, these cannot be retrieved nor changed. + $ValuesToCheck.Remove("ScanAuthenticationParams") | Out-Null + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $targetValue = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($targetValue) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + 
[Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'DefenderForEndpoint' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = (Invoke-M365DSCDefenderREST -Uri 'https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions' ` + -Method GET).value + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.scanName + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Name = $config.scanName + id = $config.id + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.ScannerAgent) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.ScannerAgent -CIMInstanceName DefenderDeviceAuthenticatedScanDefinitionScanAgent + if 
($complexTypeStringResult) + { + $Results.ScannerAgent = $complexTypeStringResult + } + else + { + $Results.Remove('ScannerAgent') | Out-Null + } + } + + if ($Results.ScanAuthenticationParams) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.ScanAuthenticationParams -CIMInstanceName DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams + if ($complexTypeStringResult) + { + $Results.ScanAuthenticationParams = $complexTypeStringResult + } + else + { + $Results.Remove('ScanAuthenticationParams') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.ScanAuthenticationParams) + { + $isCIMArray = $false + if ($Results.ScanAuthenticationParams.getType().Fullname -like '*[[\]]') + { + $isCIMArray = $true + } + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ScanAuthenticationParams' -IsCIMArray:$isCIMArray + } + + if ($Results.ScannerAgent) + { + $isCIMArray = $false + if ($Results.ScannerAgent.getType().Fullname -like '*[[\]]') + { + $isCIMArray = $true + } + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ScannerAgent' -IsCIMArray:$isCIMArray + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.schema.mof
new file mode 100644
index 0000000000..5fdc4f8d1c
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/MSFT_DefenderDeviceAuthenticatedScanDefinition.schema.mof
@@ -0,0 +1,45 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams
+{
+ [Write, Description("Odata type associated with the request.")] String DataType;
+ [Write, Description("Type of scan.")] String Type;
+ [Write, Description("An optional property that specifies from which KeyVault the scanner should retrieve credentials. If KeyVault is specified there's no need to specify username, password.")] String KeyVaultUrl;
+ [Write, Description("An optional property that specifies KeyVault secret name from which the scanner should retrieve credentials. If KeyVault is specified there's no need to specify username, password.")] String KeyVaultSecretName;
+ [Write, Description("Domain name when using WindowsAuthParams.")] String Domain;
+ [Write, Description("Username when using WindowsAuthParams or the username when choosing SnmpAuthParams with any type other than CommunityString.")] String Username;
+ [Write, Description("Must be set to true when choosing WindowsAuthParams.")] Boolean IsGMSAUser;
+ [Write, Description("Community string to use when choosing SnmpAuthParams with CommunityString.")] String CommunityString;
+ [Write, Description("Auth protocol to use with SnmpAuthParams and AuthNoPriv or AuthPriv. Possible values are MD5, SHA1.")] String AuthProtocol;
+ [Write, Description("Auth password to use with SnmpAuthParams and AuthNoPriv or AuthPriv.")] String AuthPassword;
+ [Write, Description("Priv protocol to use with SnmpAuthParams and AuthPriv. Possible values are DES, 3DES, AES.")] String PrivProtocol;
+ [Write, Description("Priv password to use with SnmpAuthParams and AuthPriv.")] String PrivPassword;
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent
+{
+ [Write, Description("Unique identified for the scan agent.")] String id;
+ [Write, Description("Id of the machine associated with the agent.")] String machineId;
+ [Write, Description("Name of the machine associated with the agent.")] String machineName;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("DefenderDeviceAuthenticatedScanDefinition")]
+class MSFT_DefenderDeviceAuthenticatedScanDefinition : OMI_BaseResource
+{
+ [Key, Description("Name of the scan definition.")] String Name;
+ [Write, Description("Unique identified for the scan definition.")] String Id;
+ [Write, Description("Interval in hours to run the scan.")] UInt32 IntervalInHours;
+ [Write, Description("Target of the scan definition.")] String Target;
+ [Write, Description("Determines if the scan definition is active or not.")] Boolean IsActive;
+ [Write, Description("Type of scan.")] String ScanType;
+ [Write, Description("Information about the associated scan agent."), EmbeddedInstance("MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent")] String ScannerAgent;
+ [Write, Description("Authentication parameters."), EmbeddedInstance("MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams")] String ScanAuthenticationParams;
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/readme.md
new file mode 100644
index 0000000000..0846f96567
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/readme.md
@@ -0,0 +1,6 @@
+
+# DefenderDeviceAuthenticatedScanDefinition
+
+## Description
+
+Configures device authenticated scan definitions in Defender.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/settings.json
new file mode 100644
index 0000000000..ea3b134fe1
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_DefenderDeviceAuthenticatedScanDefinition/settings.json
@@ -0,0 +1,20 @@
+{
+ "resourceName": "DefenderDeviceAuthenticatedScanDefinition",
+ "description": "Configures device authenticated scan definitions in Defender.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.psm1
new file mode 100644
index 0000000000..80cee1cb8b
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.psm1
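Review bot: In `MSFT_DefenderDeviceAuthenticatedScanDefinition.schema.mof`, the class `MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams` declares `AuthPassword`, `PrivPassword` and `CommunityString` as plain `String`. These scan credentials would therefore sit as clear text in the authored configuration and the compiled MOF. The same hunk already uses `EmbeddedInstance("MSFT_Credential")` for `Credential`; the secret fields could follow it, e.g. `[Write, Description("Auth password to use with SnmpAuthParams and AuthNoPriv or AuthPriv."), EmbeddedInstance("MSFT_Credential")] String AuthPassword;`, with the module unwrapping the value only when it builds the request body. The companion module's Set-TargetResource (its start is outside this view) also writes the whole payload to the verbose stream with `ConvertTo-Json $instanceParams -Depth 10` after adding `authPassword`, `privPassword` and `communityString`, so those keys should be masked before logging. Where the scanner supports it, the `KeyVaultUrl` / `KeyVaultSecretName` pair keeps the secret out of the configuration entirely and is worth recommending in the descriptions.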
@@ -0,0 +1,1055 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + + [Parameter()] + [System.String] + [ValidateSet("Disable", "HandsfreeOnly", "Allow")] + $AllowBluetooth, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $AllowCamera, + + [Parameter()] + [System.Boolean] + $AllowConsumerEmail, + + [Parameter()] + [System.Boolean] + $AllowDesktopSync, + + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, + + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, + + [Parameter()] + [System.Boolean] + $AllowInternetSharing, + + [Parameter()] + [System.Boolean] + $AllowIrDA, + + [Parameter()] + [System.Boolean] + $AllowMobileOTAUpdate, + + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, + + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, + + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, + + [Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, + + [Parameter()] + [System.String] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, + + [Parameter()] + [System.Boolean] + $AllowStorageCard, + + [Parameter()] + [System.Boolean] + $AllowTextMessaging, + + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, + + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, + + [Parameter()] + [System.Boolean] + $AllowWiFi, + + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, + + [Parameter()] + [System.String[]] + $ApprovedApplicationList, + + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, + + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, + + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, + + [Parameter()] + [System.String] + $DevicePasswordExpiration, + + [Parameter()] 
+ [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.String] + $DevicePolicyRefreshInterval, + + [Parameter()] + [System.Boolean] + $IrmEnabled, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, + + [Parameter()] + [System.String] + $MaxAttachmentSize, + + [Parameter()] + [System.String] + [ValidateSet("All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.String] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.String] + [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxEmailAgeFilter, + + [Parameter()] + [System.String] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.String] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.String] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Int32] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.String] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.String] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.String[]] + $UnapprovedInROMApplicationList, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + 
[System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters | Out-Null + + Confirm-M365DSCDependencies + + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Identity -eq $Identity} + } + else + { + $instance = Get-ActiveSyncMailboxPolicy -Identity $Identity -ErrorAction Stop + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Ensure = 'Present' + Name = [System.String]$instance.Name + AllowApplePushNotifications = [System.Boolean]$instance.AllowApplePushNotifications + AllowBluetooth = [System.String]$instance.AllowBluetooth + AllowBrowser = [System.Boolean]$instance.AllowBrowser + AllowCamera = [System.Boolean]$instance.AllowCamera + AllowConsumerEmail = [System.Boolean]$instance.AllowConsumerEmail + AllowDesktopSync = [System.Boolean]$instance.AllowDesktopSync + AllowExternalDeviceManagement = [System.Boolean]$instance.AllowExternalDeviceManagement + AllowHTMLEmail = [System.Boolean]$instance.AllowHTMLEmail + AllowInternetSharing = [System.Boolean]$instance.AllowInternetSharing + AllowIrDA = [System.Boolean]$instance.AllowIrDA + AllowMobileOTAUpdate = [System.Boolean]$instance.AllowMobileOTAUpdate + 
AllowNonProvisionableDevices = [System.Boolean]$instance.AllowNonProvisionableDevices + AllowPOPIMAPEmail = [System.Boolean]$instance.AllowPOPIMAPEmail + AllowRemoteDesktop = [System.Boolean]$instance.AllowRemoteDesktop + AllowSimpleDevicePassword = [System.Boolean]$instance.AllowSimpleDevicePassword + AllowSMIMEEncryptionAlgorithmNegotiation = [System.String]$instance.AllowSMIMEEncryptionAlgorithmNegotiation + AllowSMIMESoftCerts = [System.Boolean]$instance.AllowSMIMESoftCerts + AllowStorageCard = [System.Boolean]$instance.AllowStorageCard + AllowTextMessaging = [System.Boolean]$instance.AllowTextMessaging + AllowUnsignedApplications = [System.Boolean]$instance.AllowUnsignedApplications + AllowUnsignedInstallationPackages = [System.Boolean]$instance.AllowUnsignedInstallationPackages + AllowWiFi = [System.Boolean]$instance.AllowWiFi + AlphanumericDevicePasswordRequired = [System.Boolean]$instance.AlphanumericDevicePasswordRequired + ApprovedApplicationList = [System.String[]]$instance.ApprovedApplicationList + AttachmentsEnabled = [System.Boolean]$instance.AttachmentsEnabled + DeviceEncryptionEnabled = [System.Boolean]$instance.DeviceEncryptionEnabled + DevicePasswordEnabled = [System.Boolean]$instance.DevicePasswordEnabled + DevicePasswordExpiration = [System.String]$instance.DevicePasswordExpiration + DevicePasswordHistory = [System.Int32]$instance.DevicePasswordHistory + DevicePolicyRefreshInterval = [System.String]$instance.DevicePolicyRefreshInterval + IrmEnabled = [System.Boolean]$instance.IrmEnabled + IsDefault = [System.Boolean]$instance.IsDefault + IsDefaultPolicy = [System.Boolean]$instance.IsDefaultPolicy + MaxAttachmentSize = [System.String]$instance.MaxAttachmentSize + MaxCalendarAgeFilter = [System.String]$instance.MaxCalendarAgeFilter + MaxDevicePasswordFailedAttempts = [System.String]$instance.MaxDevicePasswordFailedAttempts + MaxEmailAgeFilter = [System.String]$instance.MaxEmailAgeFilter + MaxEmailBodyTruncationSize = 
[System.String]$instance.MaxEmailBodyTruncationSize + MaxEmailHTMLBodyTruncationSize = [System.String]$instance.MaxEmailHTMLBodyTruncationSize + MaxInactivityTimeDeviceLock = [System.String]$instance.MaxInactivityTimeDeviceLock + MinDevicePasswordComplexCharacters = [System.Int32]$instance.MinDevicePasswordComplexCharacters + MinDevicePasswordLength = [System.Int32]$instance.MinDevicePasswordLength + PasswordRecoveryEnabled = [System.Boolean]$instance.PasswordRecoveryEnabled + RequireDeviceEncryption = [System.Boolean]$instance.RequireDeviceEncryption + RequireEncryptedSMIMEMessages = [System.Boolean]$instance.RequireEncryptedSMIMEMessages + RequireEncryptionSMIMEAlgorithm = [System.String]$instance.RequireEncryptionSMIMEAlgorithm + RequireManualSyncWhenRoaming = [System.Boolean]$instance.RequireManualSyncWhenRoaming + RequireSignedSMIMEAlgorithm = [System.String]$instance.RequireSignedSMIMEAlgorithm + RequireSignedSMIMEMessages = [System.Boolean]$instance.RequireSignedSMIMEMessages + RequireStorageCardEncryption = [System.Boolean]$instance.RequireStorageCardEncryption + UnapprovedInROMApplicationList = [System.String[]]$instance.UnapprovedInROMApplicationList + UNCAccessEnabled = [System.Boolean]$instance.UNCAccessEnabled + WSSAccessEnabled = [System.Boolean]$instance.WSSAccessEnabled + Identity = [System.String]$Identity + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Boolean] + 
$AllowApplePushNotifications, + + [Parameter()] + [System.String] + [ValidateSet("Disable", "HandsfreeOnly", "Allow")] + $AllowBluetooth, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $AllowCamera, + + [Parameter()] + [System.Boolean] + $AllowConsumerEmail, + + [Parameter()] + [System.Boolean] + $AllowDesktopSync, + + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, + + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, + + [Parameter()] + [System.Boolean] + $AllowInternetSharing, + + [Parameter()] + [System.Boolean] + $AllowIrDA, + + [Parameter()] + [System.Boolean] + $AllowMobileOTAUpdate, + + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, + + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, + + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, + + [Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, + + [Parameter()] + [System.String] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, + + [Parameter()] + [System.Boolean] + $AllowStorageCard, + + [Parameter()] + [System.Boolean] + $AllowTextMessaging, + + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, + + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, + + [Parameter()] + [System.Boolean] + $AllowWiFi, + + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, + + [Parameter()] + [System.String[]] + $ApprovedApplicationList, + + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, + + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, + + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, + + [Parameter()] + [System.String] + $DevicePasswordExpiration, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.String] + $DevicePolicyRefreshInterval, + + [Parameter()] + [System.Boolean] + $IrmEnabled, + + [Parameter()] + [System.Boolean] + 
$IsDefault, + + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, + + [Parameter()] + [System.String] + $MaxAttachmentSize, + + [Parameter()] + [System.String] + [ValidateSet("All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.String] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.String] + [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxEmailAgeFilter, + + [Parameter()] + [System.String] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.String] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.String] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Int32] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.String] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.String] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.String[]] + $UnapprovedInROMApplicationList, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + 
[Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + $setParameters.Remove("Identity") + New-ActiveSyncMailboxPolicy @SetParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Set-ActiveSyncMailboxPolicy @SetParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Remove-ActiveSyncMailboxPolicy -Identity $Identity + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + + [Parameter()] + [System.String] + [ValidateSet("Disable", "HandsfreeOnly", "Allow")] + $AllowBluetooth, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $AllowCamera, + + [Parameter()] + [System.Boolean] + $AllowConsumerEmail, + + [Parameter()] + [System.Boolean] + $AllowDesktopSync, + + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, + + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, + + [Parameter()] + [System.Boolean] + $AllowInternetSharing, + + [Parameter()] + [System.Boolean] + $AllowIrDA, + + [Parameter()] + [System.Boolean] + 
$AllowMobileOTAUpdate, + + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, + + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, + + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, + + [Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, + + [Parameter()] + [System.String] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, + + [Parameter()] + [System.Boolean] + $AllowStorageCard, + + [Parameter()] + [System.Boolean] + $AllowTextMessaging, + + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, + + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, + + [Parameter()] + [System.Boolean] + $AllowWiFi, + + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, + + [Parameter()] + [System.String[]] + $ApprovedApplicationList, + + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, + + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, + + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, + + [Parameter()] + [System.String] + $DevicePasswordExpiration, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.String] + $DevicePolicyRefreshInterval, + + [Parameter()] + [System.Boolean] + $IrmEnabled, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, + + [Parameter()] + [System.String] + $MaxAttachmentSize, + + [Parameter()] + [System.String] + [ValidateSet("All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.String] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.String] + [ValidateSet("All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths")] + $MaxEmailAgeFilter, + + [Parameter()] + [System.String] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.String] + $MaxEmailHTMLBodyTruncationSize, + + 
[Parameter()] + [System.String] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Int32] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.String] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.String] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.String[]] + $UnapprovedInROMApplicationList, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters + + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { 
+ $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-ActiveSyncMailboxPolicy -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + $displayedKey = $config.Name + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Identity = $config.Name + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.schema.mof new file mode 100644 index 0000000000..32242a76b3 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/MSFT_EXOActiveSyncMailboxPolicy.schema.mof 
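Review bot: The REMOVE branch of Set-TargetResource in `MSFT_EXOActiveSyncMailboxPolicy.psm1` calls `Remove-ActiveSyncMailboxPolicy -Identity $Identity` without suppressing the confirmation prompt. Exchange `Remove-*` cmdlets normally pause for confirmation, so in an unattended DSC run this is likely to block or fail and leave the policy in place; `Remove-ActiveSyncMailboxPolicy -Identity $Identity -Confirm:$false` avoids that. Separately, the `catch` in Get-TargetResource returns `$nullResult` with `Ensure = 'Absent'` for any failure, so a permission or connection error looks the same as a missing policy. For a configuration with `Ensure = 'Absent'`, Test-TargetResource may then report the device-security policy as compliant when it was never read; a comment on that `catch` such as `# Any lookup failure is reported as Absent; check the M365DSC log before trusting an Absent result` would at least document it. The CREATE branch drops `Identity` and relies on the optional `Name`, so a guard that falls back to `$Identity` when `Name` is not bound would make creation deterministic.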
@@ -0,0 +1,66 @@ +[ClassVersion("1.0.0.0"), FriendlyName("EXOActiveSyncMailboxPolicy")] +class MSFT_EXOActiveSyncMailboxPolicy : OMI_BaseResource +{ + [Write, Description("Specifies the name of the policy.")] String Name; + [Write, Description("Specifies whether push notifications are allowed for Apple mobile devices.")] Boolean AllowApplePushNotifications; + [Write, Description("Specifies whether the Bluetooth capabilities of the mobile phone are allowed."), ValueMap{"Disable", "HandsfreeOnly", "Allow"}, Values{"Disable", "HandsfreeOnly", "Allow"}] String AllowBluetooth; + [Write, Description("Specifies whether Microsoft Pocket Internet Explorer is allowed on the mobile phone.")] Boolean AllowBrowser; + [Write, Description("Specifies whether the mobile phone's camera is allowed.")] Boolean AllowCamera; + [Write, Description("Specifies whether the mobile phone user can configure a personal email account on the device.")] Boolean AllowConsumerEmail; + [Write, Description("Specifies whether the mobile phone can synchronize with a desktop computer through a cable.")] Boolean AllowDesktopSync; + [Write, Description("Specifies whether an external device management program is allowed to manage the device.")] Boolean AllowExternalDeviceManagement; + [Write, Description("Specifies whether HTML email is enabled on the device.")] Boolean AllowHTMLEmail; + [Write, Description("Specifies whether the mobile phone can be used as a modem to connect a computer to the Internet.")] Boolean AllowInternetSharing; + [Write, Description("Specifies whether infrared connections are allowed to the mobile phone.")] Boolean AllowIrDA; + [Write, Description("Specifies whether certain updates are seen by devices that implemented support for this restricting functionality.")] Boolean AllowMobileOTAUpdate; + [Write, Description("Enables all devices to synchronize with the computer running Exchange, regardless of whether the device can enforce all the specific settings established in the Mobile 
Device mailbox policy.")] Boolean AllowNonProvisionableDevices; + [Write, Description("Specifies whether the user can configure a POP3 or IMAP4 email account on the device.")] Boolean AllowPOPIMAPEmail; + [Write, Description("Specifies whether the mobile phone can initiate a remote desktop connection.")] Boolean AllowRemoteDesktop; + [Write, Description("Specifies whether a simple device password is allowed.")] Boolean AllowSimpleDevicePassword; + [Write, Description("Specifies whether the messaging application on the device can negotiate the encryption algorithm in case a recipient's certificate doesn't support the specified encryption algorithm.")] String AllowSMIMEEncryptionAlgorithmNegotiation; + [Write, Description("Specifies whether S/MIME software certificates are allowed.")] Boolean AllowSMIMESoftCerts; + [Write, Description("Specifies whether the device can access information stored on a storage card.")] Boolean AllowStorageCard; + [Write, Description("Specifies whether text messaging is allowed from the device.")] Boolean AllowTextMessaging; + [Write, Description("Specifies whether unsigned applications can be installed on the device.")] Boolean AllowUnsignedApplications; + [Write, Description("Specifies whether unsigned installation packages can be run on the device.")] Boolean AllowUnsignedInstallationPackages; + [Write, Description("Specifies whether wireless Internet access is allowed on the device.")] Boolean AllowWiFi; + [Write, Description("Specifies whether the device password must be alphanumeric.")] Boolean AlphanumericDevicePasswordRequired; + [Write, Description("Specifies a list of approved applications for the device.")] String ApprovedApplicationList[]; + [Write, Description("Specifies whether the user can download attachments.")] Boolean AttachmentsEnabled; + [Write, Description("Enables device encryption on the mobile phone.")] Boolean DeviceEncryptionEnabled; + [Write, Description("Specifies that the user set a password for the 
device.")] Boolean DevicePasswordEnabled; + [Write, Description("Specifies the length of time, in days, that a password can be used.")] String DevicePasswordExpiration; + [Write, Description("Specifies the number of previously used passwords to store.")] Sint32 DevicePasswordHistory; + [Write, Description("Specifies how often the policy is sent from the server to the mobile phone")] String DevicePolicyRefreshInterval; + [Write, Description("Specifies whether Information Rights Management (IRM) is enabled for the mailbox policy.")] Boolean IrmEnabled; + [Write, Description("Specifies whether this policy is the default Mobile Device mailbox policy.")] Boolean IsDefault; + [Write, Description("Specifies whether this policy is the default Mobile Device mailbox policy.")] Boolean IsDefaultPolicy; + [Write, Description("Specifies the maximum size of attachments that can be downloaded to the mobile phone.")] String MaxAttachmentSize; + [Write, Description("Specifies the maximum range of calendar days that can be synchronized to the device."), ValueMap{"All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}, Values{"All", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}] String MaxCalendarAgeFilter; + [Write, Description("Specifies the number of attempts a user can make to enter the correct password for the device.")] String MaxDevicePasswordFailedAttempts; + [Write, Description("Specifies the maximum number of days of email items to synchronize to the device."), ValueMap{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}, Values{"All", "OneDay", "ThreeDays", "OneWeek", "TwoWeeks", "OneMonth", "ThreeMonths", "SixMonths"}] String MaxEmailAgeFilter; + [Write, Description("Specifies the maximum size at which email messages are truncated when synchronized to the device.")] String MaxEmailBodyTruncationSize; + [Write, Description("Specifies the maximum size at which HTML-formatted email messages are synchronized to the device.")] 
String MaxEmailHTMLBodyTruncationSize; + [Write, Description("Specifies the length of time that the device can be inactive before the password is required to reactivate the device.")] String MaxInactivityTimeDeviceLock; + [Write, Description("Specifies the minimum number of complex characters required in a device password.")] Sint32 MinDevicePasswordComplexCharacters; + [Write, Description("Specifies the minimum number of characters in the device password.")] Sint32 MinDevicePasswordLength; + [Write, Description("Specifies whether you can store the recovery password for the device on an Exchange server.")] Boolean PasswordRecoveryEnabled; + [Write, Description("Specifies whether encryption is required on the device.")] Boolean RequireDeviceEncryption; + [Write, Description("Specifies whether you must encrypt S/MIME messages.")] Boolean RequireEncryptedSMIMEMessages; + [Write, Description("Specifies what required algorithm must be used when encrypting a message.")] String RequireEncryptionSMIMEAlgorithm; + [Write, Description("Specifies whether the device must synchronize manually while roaming.")] Boolean RequireManualSyncWhenRoaming; + [Write, Description("Specifies what required algorithm must be used when signing a message.")] String RequireSignedSMIMEAlgorithm; + [Write, Description("Specifies whether the device must send signed S/MIME messages.")] Boolean RequireSignedSMIMEMessages; + [Write, Description("Specifies whether encryption of a storage card is required.")] Boolean RequireStorageCardEncryption; + [Write, Description("Specifies a list of applications that can't be run in ROM.")] String UnapprovedInROMApplicationList[]; + [Write, Description("Specifies whether access to Microsoft Windows file shares is enabled.")] Boolean UNCAccessEnabled; + [Write, Description("Specifies whether access to Microsoft Windows SharePoint Services is enabled.")] Boolean WSSAccessEnabled; + [Key, Description("Specifies the Mobile Device mailbox policy.")] String Identity; + 
[Write, Description("Specifies if this AddressList should exist."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/readme.md new file mode 100644 index 0000000000..9486035c99 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/readme.md @@ -0,0 +1,5 @@ +# EXOActiveSyncMailboxPolicy + +## Description + +This resource manages Mobile Device mailbox policy for mailboxes accessed by mobile devices. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/settings.json new file mode 100644 index 0000000000..e9afb65af6 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOActiveSyncMailboxPolicy/settings.json 
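Review bot: The `Ensure` description in this new schema reads "Specifies if this AddressList should exist.", which looks carried over from another resource; it should name the policy, e.g. `Description("Specifies if this Mobile Device mailbox policy should exist.")`. `IsDefault` and `IsDefaultPolicy` carry the identical description, so a reader cannot tell which one to set; a sentence on how they differ would help. `AllowSMIMEEncryptionAlgorithmNegotiation` is described as a whether-flag but is typed `String` with no `ValueMap`, so the accepted values are undocumented.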
@@ -0,0 +1,31 @@
+{
+ "resourceName": "EXOActiveSyncMailboxPolicy",
+ "description": "",
+ "roles": {
+ "read": [
+ "Global Reader"
+ ],
+ "update": [
+ "Exchange Administrator"
+ ]
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ },
+ "exchange": {
+ "requiredroles": [
+ "Organization Client Access",
+ "View-Only Configuration"
+ ],
+ "requiredrolegroups": "Organization Management"
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOArcConfig/MSFT_EXOArcConfig.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOArcConfig/MSFT_EXOArcConfig.psm1
index 3da9fdc728..a79d3e4da8 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOArcConfig/MSFT_EXOArcConfig.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOArcConfig/MSFT_EXOArcConfig.psm1
@@ -256,15 +256,17 @@ function Test-TargetResource Write-Verbose -Message 'Testing configuration of Arc Config settings' $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" - Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" - - $ValuesToCheck = $PSBoundParameters - + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck # Need to remove Identity as Get-ArcConfig doesn't return Identity $ValuesToCheck.Remove('Identity') | Out-Null + $PSBoundParameters.ArcTrustedSealers = $PSBoundParameters.ArcTrustedSealers -Join ',' + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.psm1 new file mode 100644 index 0000000000..0d2fc291bf --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.psm1 
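Review bot: The relocated `Target Values` verbose line still serialises `$PSBoundParameters`, although `$ValuesToCheck` a few lines earlier is now a clone with the authentication parameters removed. If this function takes `Credential`/`AccessTokens` like the other resources in this diff (the param block is outside the hunk) and `Convert-M365DscHashtableToString` does not redact them, they end up in verbose logs; logging the stripped copy avoids that: `Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"`. Separately, `$PSBoundParameters.ArcTrustedSealers = $PSBoundParameters.ArcTrustedSealers -Join ','` runs even when the parameter was not bound, which adds an empty-string key to the desired values; wrapping it in `if ($PSBoundParameters.ContainsKey('ArcTrustedSealers'))` keeps the comparison to what the caller supplied. Test-TargetResource starts and ends outside this hunk.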
@@ -0,0 +1,326 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.Boolean] + $AuditBypassEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Identity -eq $Identity} + } + else + { + $instance = Get-MailboxAuditBypassAssociation -Identity $Identity -ErrorAction Stop + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Identity = [System.String]$Identity + AuditBypassEnabled = [System.Boolean]$instance.AuditBypassEnabled + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` 
+ -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.Boolean] + $AuditBypassEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + Set-MailboxAuditBypassAssociation @SetParameters +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.Boolean] + $AuditBypassEnabled, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters + + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { 
+ $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MailboxAuditBypassAssociation -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + $displayedKey = $config.Identity + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Identity = $config.Identity + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.schema.mof new file mode 100644 index 0000000000..318977aa0b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/MSFT_EXOMailboxAuditBypassAssociation.schema.mof 
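Review bot: In Get-TargetResource, `$nullResult = $PSBoundParameters` is returned both when no instance is found and from the `catch` block, so a failed `Get-MailboxAuditBypassAssociation` call hands the caller's own desired `AuditBypassEnabled` back as the current value. Test-TargetResource then compares the desired values with themselves and presumably reports the account as compliant, which hides drift on a setting that controls whether mailbox audit logging is bypassed for an account. Returning a copy without the setting, `$nullResult = ([Hashtable]$PSBoundParameters).Clone()` followed by `$nullResult.Remove('AuditBypassEnabled') | Out-Null`, or rethrowing from the `catch` after logging, should make the failure visible instead. Test-TargetResource also passes every bound key, authentication parameters included, as `-ValuesToCheck` and prints them in the `Target Values` line; `$ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck` placed before both would narrow that.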
@@ -0,0 +1,12 @@
+[ClassVersion("1.0.0.0"), FriendlyName("EXOMailboxAuditBypassAssociation")]
+class MSFT_EXOMailboxAuditBypassAssociation : OMI_BaseResource
+{
+ [Key, Description("The Identity parameter specifies the user account or computer account where you want to view the value of the AuditBypassEnabled property.")] String Identity;
+ [Write, Description("The AuditBypassEnabled parameter specifies whether audit bypass is enabled for the user or computer.")] Boolean AuditBypassEnabled;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/readme.md
new file mode 100644
index 0000000000..092c6a9914
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/readme.md
@@ -0,0 +1,5 @@
+# EXOMailboxAuditBypassAssociation
+
+## Description
+
+Use the Set-MailboxAuditBypassAssociation cmdlet to configure mailbox audit logging bypass for user or computer accounts such as service accounts for applications that access mailboxes frequently.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json new file mode 100644 index 0000000000..476fa8a84d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxAuditBypassAssociation/settings.json @@ -0,0 +1,36 @@ +{ + "resourceName": "EXOMailboxAuditBypassAssociation", + "description": "", + "roles": { + "read": [ + "Global Reader" + ], + "update": [ + "Exchange Administrator" + ] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + }, + "exchange": { + "requiredroles": [ + "Compliance Admin", + "View-Only Configuration", + "Journaling" + ], + "requiredrolegroups": [ + "Organization Management", + "Compliance Management", + "Records Management" + ] + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxSettings/MSFT_EXOMailboxSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxSettings/MSFT_EXOMailboxSettings.psm1 index 2c42f8f150..f5b5a24b5d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxSettings/MSFT_EXOMailboxSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxSettings/MSFT_EXOMailboxSettings.psm1 @@ -16,6 +16,22 @@ function Get-TargetResource [System.String] $Locale, + [Parameter()] + [System.String] + $RetentionPolicy, + + [Parameter()] + [System.String] + $AddressBookPolicy, + + [Parameter()] + [System.String] + $RoleAssignmentPolicy, + + [Parameter()] + [System.String] + $SharingPolicy, + [Parameter()] [ValidateSet('Present')] [System.String] @@ -87,6 +103,7 @@ function Get-TargetResource try { $mailboxSettings = Get-MailboxRegionalConfiguration -Identity $DisplayName -ErrorAction Stop + $mailboxInfo = Get-Mailbox -Identity $DisplayName -ErrorAction Stop } catch { 
@@ -103,6 +120,11 @@ function Get-TargetResource DisplayName = $DisplayName TimeZone = $mailboxSettings.TimeZone Locale = $mailboxSettings.Language.Name + RetentionPolicy = $mailboxInfo.RetentionPolicy + AddressBookPolicy = $mailboxInfo.AddressBookPolicy + RoleAssignmentPolicy = $mailboxInfo.RoleAssignmentPolicy + SharingPolicy = $mailboxInfo.SharingPolicy + Ensure = "Present" Credential = $Credential ApplicationId = $ApplicationId CertificateThumbprint = $CertificateThumbprint @@ -134,6 +156,22 @@ function Set-TargetResource [System.String] $Locale, + [Parameter()] + [System.String] + $RetentionPolicy, + + [Parameter()] + [System.String] + $AddressBookPolicy, + + [Parameter()] + [System.String] + $RoleAssignmentPolicy, + + [Parameter()] + [System.String] + $SharingPolicy, + [Parameter()] [ValidateSet('Present')] [System.String] @@ -191,6 +229,36 @@ function Set-TargetResource Set-MailboxRegionalConfiguration -Identity $DisplayName ` -Language $Locale ` -TimeZone $TimeZone + + $needToUpdate = $false + $updateParams = @{ + Identity = $DisplayName + } + if (-not [System.String]::IsNullOrEmpty($AddressBookPolicy)) + { + $needToUpdate = $true + $updateParams.Add('AddressBookPolicy', $AddressBookPolicy) + } + if (-not [System.String]::IsNullOrEmpty($RoleAssignmentPolicy)) + { + $needToUpdate = $true + $updateParams.Add('RoleAssignmentPolicy', $RoleAssignmentPolicy) + } + if (-not [System.String]::IsNullOrEmpty($RetentionPolicy)) + { + $needToUpdate = $true + $updateParams.Add('RetentionPolicy', $RetentionPolicy) + } + if (-not [System.String]::IsNullOrEmpty($SharingPolicy)) + { + $needToUpdate = $true + $updateParams.Add('SharingPolicy', $SharingPolicy) + } + if ($needToUpdate) + { + Write-Verbose -Message "Updating Mailbox specific properties with:`r`n$(Convert-M365DscHashtableToString -Hashtable $updateParams)" + Set-Mailbox @updateParams + } } function Test-TargetResource 
@@ -211,6 +279,22 @@ function Test-TargetResource [System.String] $Locale, + [Parameter()] + [System.String] + $RetentionPolicy, + + [Parameter()] + [System.String] + $AddressBookPolicy, + + [Parameter()] + [System.String] + $RoleAssignmentPolicy, + + [Parameter()] + [System.String] + $SharingPolicy, + [Parameter()] [ValidateSet('Present')] [System.String] @@ -264,19 +348,20 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck @('DisplayName', ` - 'TimeZone', ` - 'Locale') + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys - Write-Verbose -Message "Test-TargetResource returned $TestResult" + Write-Verbose -Message "Test-TargetResource returned $testResult" - return $TestResult + return $testResult } function Export-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxSettings/MSFT_EXOMailboxSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxSettings/MSFT_EXOMailboxSettings.schema.mof index e8fdf17315..6916f3509a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxSettings/MSFT_EXOMailboxSettings.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMailboxSettings/MSFT_EXOMailboxSettings.schema.mof 
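Review bot: The last hunk adds `$CurrentValues = Get-TargetResource @PSBoundParameters` directly below an unchanged context line that is the same statement, so Test-TargetResource now calls Get-TargetResource twice per run, and each call repeats the remote queries, including the `Get-Mailbox` lookup added earlier in this diff; the added copy should be dropped. `-ValuesToCheck $ValuesToCheck.Keys` replaces the explicit `DisplayName`/`TimeZone`/`Locale` list with every bound key, which includes whatever authentication parameters were passed; stripping them first with `$ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck`, as the EXOArcConfig change does, keeps credentials out of the comparison. The `Target Values` verbose line still prints `$PSBoundParameters` rather than the filtered copy. The function body starts outside the hunk.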
@@ -2,6 +2,10 @@ class MSFT_EXOMailboxSettings : OMI_BaseResource { [Key, Description("The display name of the Shared Mailbox")] string DisplayName; + [Write, Description("Associated retention policy.")] string RetentionPolicy; + [Write, Description("Associated address book policy.")] string AddressBookPolicy; + [Write, Description("Associated role assignment policy.")] string RoleAssignmentPolicy; + [Write, Description("Associated sharing policy.")] string SharingPolicy; [Write, Description("The name of the Time Zone to assign to the mailbox")] string TimeZone; [Write, Description("The code of the Locale to assign to the mailbox")] string Locale; [Write, Description("Present ensures the Mailbox Settings are applied"), ValueMap{"Present"}, Values{"Present"}] string Ensure; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXORetentionPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXORetentionPolicy/settings.json index f9832ee223..d805a5b797 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXORetentionPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXORetentionPolicy/settings.json @@ -1,5 +1,5 @@ { - "resourceName": "EXOMailboxCalendarConfiguration", + "resourceName": "EXORetentionPolicy", "description": "", "roles": { "read": [ diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/MSFT_EXOServicePrincipal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/MSFT_EXOServicePrincipal.psm1 new file mode 100644 index 0000000000..da092793e8 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/MSFT_EXOServicePrincipal.psm1 
@@ -0,0 +1,400 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $AppName, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Identity, + + [Parameter()] + [System.String] + $AppId, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters | Out-Null + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + Confirm-M365DSCDependencies + + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $servicePrincipal = Get-MgServicePrincipal -Filter "DisplayName eq '$($AppName)'" + + if ($null -eq $servicePrincipal) + { + return $nullResult + } + + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.AppId -eq $servicePrincipal.AppId} + } + else + { + $instance = Get-ServicePrincipal -Identity $servicePrincipal.Id -ErrorAction Stop + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Identity = $servicePrincipal.Id + AppName = $servicePrincipal.AppDisplayName + DisplayName = 
$instance.DisplayName + AppId = $instance.AppId + ObjectId = $instance.ObjectId + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $AppName, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Identity, + + [Parameter()] + [System.String] + $AppId, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $servicePrincipal = Get-MgServicePrincipal -Filter "DisplayName eq '$($AppName)'" + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + New-ServicePrincipal -AppId $servicePrincipal.AppId -ObjectId $servicePrincipal.Id + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + $setParameters.Remove("AppId") + $setParameters.Remove("ObjectId") + Set-ServicePrincipal -DisplayName $DisplayName -Identity $servicePrincipal.Id + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Remove-ServicePrincipal -Identity $servicePrincipal.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $AppName, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Identity, + + [Parameter()] + [System.String] + $AppId, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName 
$CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-ServicePrincipal -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + $servicePrincipal = Get-MgServicePrincipal -ServicePrincipalId $config.Identity + + $displayedKey = $servicePrincipal.AppDisplayName + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + AppName = $servicePrincipal.AppDisplayName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} 
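Review bot: `Get-MgServicePrincipal -Filter "DisplayName eq '$($AppName)'"` in Get-TargetResource and Set-TargetResource puts the configured name into an OData filter unescaped, and nothing checks that only one principal matched. A name containing `'` breaks the query, and a name shared by several principals makes `$servicePrincipal.Id` a collection that is then handed to `Set-ServicePrincipal` or `Remove-ServicePrincipal`. Double the quote before building the filter, `$filterName = $AppName.Replace("'", "''")`, and stop on ambiguity with `if (([array]$servicePrincipal).Count -gt 1) { throw "More than one service principal is named {$AppName}" }`. Set-TargetResource also reads `$servicePrincipal.AppId` and `.Id` without a `$null` check, and the `$setParameters` it builds is never passed to a cmdlet. No `Export-ModuleMember -Function *-TargetResource` line is visible at the end of this file, unlike the other new module in this commit.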
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/MSFT_EXOServicePrincipal.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/MSFT_EXOServicePrincipal.schema.mof
new file mode 100644
index 0000000000..c8d3020df9
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/MSFT_EXOServicePrincipal.schema.mof
@@ -0,0 +1,16 @@
+[ClassVersion("1.0.0.0"), FriendlyName("EXOServicePrincipal")]
+class MSFT_EXOServicePrincipal : OMI_BaseResource
+{
+ [Key, Description("The AppName parameter specifies the corresponding friendly name of the unique AppId GUID value for the service principal.")] string AppName;
+ [Write, Description("The DisplayName parameter specifies the friendly name of the service principal.")] string DisplayName;
+ [Write, Description("The Identity parameter specifies the service principal that you want to view.")] string Identity;
+ [Write, Description("The AppId parameter specifies the unique AppId GUID value for the service principal.")] string AppId;
+ [Write, Description("Present ensures the group exists, absent ensures it is removed"), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Exchange Global Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
+
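Review bot: The class declares no `ObjectId` property, although Get-TargetResource in the module added alongside it returns an `ObjectId` key and the readme lists ObjectId as a parameter. A returned key the schema does not declare is likely to be rejected when the engine maps the hashtable back onto the class. Either add `[Write, Description("The ObjectId parameter specifies the unique ObjectId GUID value for the service principal.")] string ObjectId;` or drop the key from the returned hashtable. The `Ensure` description still reads "Present ensures the group exists", which looks copied from another resource; "the service principal" would match this one.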
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/readme.md new file mode 100644 index 0000000000..46d431783d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/readme.md @@ -0,0 +1,27 @@ +# EXOServicePrincipal + +## Description + +Use the ServicePrincipal cmdlets to create, change service principals in your cloud-based organization. + +## Parameters + +- Identity: The Identity parameter specifies the service principal that you want to modify. You can use any value that uniquely identifies the service principal. For example: Name, Distinguished name (DN), GUID, AppId, ObjectId +- AppName: The AppName parameter specifies the corresponding friendly name of the unique AppId GUID value for the service principal. +- DisplayName: The DisplayName parameter specifies the friendly name of the service principal. If the name contains spaces, enclose the name in quotation marks ("). +- AppId: The AppId parameter specifies the unique AppId GUID value for the service principal. +- ObjectId: The ObjectId parameter specifies the unique ObjectId GUID value for the service principal. + +## Examples + +- Set-ServicePrincipal -Identity dc873ad4-0397-4d74-b5c0-897cd3a94731 -DisplayName "Another App Name" +- New-ServicePrincipal -AppId 71487acd-ec93-476d-bd0e-6c8b31831053 -ObjectId 6233fba6-0198-4277-892f-9275bf728bcc + +## Parameters present in New and not in Set + +- AppId +- ObjectId + +## Parameters present in Set and not in New + +- Identity diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/settings.json new file mode 100644 index 0000000000..4886d3193d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOServicePrincipal/settings.json 
@@ -0,0 +1,24 @@
+{
+ "resourceName": "EXOServicePrincipal",
+ "description": "Use this resource to to view information about service principals, create service principals, to remove service principals, to change service principals in your cloud-based organization.",
+ "roles": {
+ "read": [
+ "Exchange Admin"
+ ],
+ "update": [
+ "Exchange Admin"
+ ]
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListItems/MSFT_EXOTenantAllowBlockListItems.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListItems/MSFT_EXOTenantAllowBlockListItems.psm1
index 08fd6b85e3..01778e9c2b 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListItems/MSFT_EXOTenantAllowBlockListItems.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListItems/MSFT_EXOTenantAllowBlockListItems.psm1
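Review bot: Both `graph` permission blocks are empty (`"read": []`, `"update": []`), yet the resource module added in this commit opens a MicrosoftGraph connection and calls `Get-MgServicePrincipal` in Get-, Set- and Export-TargetResource. If this file feeds the project's permission documentation or consent tooling, an operator who follows it grants no Graph permission and the lookup fails. List the read permission that lookup needs under `delegated` and `application`, in the form other settings files in this commit use, e.g. `{ "name": "Application.Read.All" }`. Put the same entry under `update` and nothing broader, since the visible writes all go through Exchange cmdlets.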
@@ -378,18 +378,21 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() - $ValuesToCheck.Remove('Entries') | Out-Null - if ($null -ne $ValuesToCheck.ExpirationDate -and $ValuesToCheck.ExpirationDate.Kind -eq 'Local') - { - $ValuesToCheck.ExpirationDate = $ValuesToCheck.ExpirationDate.ToUniversalTime().ToString() - } - if ($CurrentValues.Ensure -eq 'Absent') + if ($CurrentValues.Ensure -ne $Ensure) { Write-Verbose -Message "Test-TargetResource returned $false" return $false } + if ($null -ne $ValuesToCheck.ExpirationDate -and $ValuesToCheck.ExpirationDate.Kind -eq 'Local') + { + $ValuesToCheck.ExpirationDate = $ValuesToCheck.ExpirationDate.ToUniversalTime().ToString() + } + + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Entries') | Out-Null + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListSpoofItems/MSFT_EXOTenantAllowBlockListSpoofItems.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListSpoofItems/MSFT_EXOTenantAllowBlockListSpoofItems.psm1 new file mode 100644 index 0000000000..80ff2e2ead --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListSpoofItems/MSFT_EXOTenantAllowBlockListSpoofItems.psm1 
@@ -0,0 +1,433 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $SpoofedUser, + + [Parameter()] + [System.String] + $Identity, + + [Parameter()] + [System.String] + $SendingInfrastructure, + + [Parameter()] + [System.String] + $SpoofType, + + [Parameter()] + [System.String] + $Action, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + if (-not [System.String]::IsNullOrEmpty($Identity)) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Identity -eq $Identity} + } + if ($null -eq $instance) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.SpoofedUser -eq $SpoofedUser} + } + } + else + { + if (-not [System.String]::IsNullOrEmpty($Identity)) + { + $instance = Get-TenantAllowBlockListSpoofItems -Identity $Identity + } + if ($null -eq $instance) + { + $instance = Get-TenantAllowBlockListSpoofItems | Where-Object -FilterScript {$_.SpoofedUser -eq $SpoofedUser} + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + SpoofedUser = $instance.SpoofedUser + Identity = $instance.Identity + SendingInfrastructure = $instance.SendingInfrastructure + SpoofType = $instance.SpoofType + Action = $instance.Action + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + 
[System.String] + $SpoofedUser, + + [Parameter()] + [System.String] + $Identity, + + [Parameter()] + [System.String] + $SendingInfrastructure, + + [Parameter()] + [System.String] + $SpoofType, + + [Parameter()] + [System.String] + $Action, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating blocked spoofed item {$SpoofedUser}" + $instanceParams = @{ + Action = $Action + SpoofedUser = $SpoofedUser + SendingInfrastructure = $SendingInfrastructure + SpoofType = $SpoofType + Identity = 'Default' + } + New-TenantAllowBlockListSpoofItems @instanceParams + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating blocked spoofed item {$SpoofedUser}" + $instanceParams = @{ + Action = $Action + Ids = @($currentInstance.Identity) + Identity = 'Default' + } + Set-TenantAllowBlockListSpoofItems @instanceParams + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + 
Write-Verbose -Message "Removing blocked spoofed item {$SpoofedUser}" + Remove-TenantAllowBlockListSpoofItems -Identity $currentInstance.Identity + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $SpoofedUser, + + [Parameter()] + [System.String] + $Identity, + + [Parameter()] + [System.String] + $SendingInfrastructure, + + [Parameter()] + [System.String] + $SpoofType, + + [Parameter()] + [System.String] + $Action, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-TenantAllowBlockListSpoofItems -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.SpoofedUser + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + SpoofedUser = $config.SpoofedUser + Identity = $config.Identity + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` 
+ -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListSpoofItems/MSFT_EXOTenantAllowBlockListSpoofItems.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListSpoofItems/MSFT_EXOTenantAllowBlockListSpoofItems.schema.mof new file mode 100644 index 0000000000..fae0e2caf2 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListSpoofItems/MSFT_EXOTenantAllowBlockListSpoofItems.schema.mof 
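Review bot: The REMOVE branch of Set-TargetResource calls `Remove-TenantAllowBlockListSpoofItems -Identity $currentInstance.Identity`, which passes the entry id where the policy identity belongs. The UPDATE branch just above addresses the same entry with `Identity = 'Default'` and `Ids = @($currentInstance.Identity)`. As far as I know the Remove cmdlet takes the same pair, so this should read `Remove-TenantAllowBlockListSpoofItems -Identity 'Default' -Ids @($currentInstance.Identity)`; otherwise a spoofed-sender entry declared `Absent` can stay in place. `Get-TenantAllowBlockListSpoofItems -Identity $Identity` in Get-TargetResource deserves the same check. The UPDATE branch sends only `Action` while Test-TargetResource compares every bound key, so a difference in `SendingInfrastructure` or `SpoofType` would be reported as drift on each run and never corrected.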
@@ -0,0 +1,17 @@
+[ClassVersion("1.0.0.0"), FriendlyName("EXOTenantAllowBlockListSpoofItems")]
+class MSFT_EXOTenantAllowBlockListSpoofItems : OMI_BaseResource
+{
+ [Key, Description("The SpoofedUser parameter specifies the email address or domain for the spoofed sender entry.")] String SpoofedUser;
+ [Write, Description("The Action parameter specifies whether is an allowed or blocked spoofed sender entry.")] String Action;
+ [Write, Description("Unique identified for the blocked item.")] String Identity;
+ [Write, Description("The SendingInfrastructure parameter specifies the source of the messages sent by the spoofed sender that's defined in the SpoofedUser parameter..")] String SendingInfrastructure;
+ [Write, Description("The SpoofType parameter specifies whether this is an internal or external spoofed sender entry.")] String SpoofType;
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListSpoofItems/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListSpoofItems/readme.md
new file mode 100644
index 0000000000..e8fbc86276
--- /dev/null
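Review bot: `Action` and `SpoofType` are declared as free-form strings, so a misspelt value in a configuration is caught only when the Exchange cmdlet rejects it at apply time. Their descriptions already say each has two states (allowed or blocked, internal or external). Constrain them the way `Ensure` is, e.g. `ValueMap{"Allow","Block"}, Values{"Allow","Block"}` on `Action` and `ValueMap{"External","Internal"}, Values{"External","Internal"}` on `SpoofType`, with matching `[ValidateSet()]` attributes on the module parameters. A wrong value is then refused when the configuration is compiled, before anything reaches a tenant's spoof allow list.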
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListSpoofItems/readme.md @@ -0,0 +1,6 @@ + +# EXOTenantAllowBlockListSpoofItems + +## Description + +Configures blocked spoofed items in Exchange Online. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListSpoofItems/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListSpoofItems/settings.json new file mode 100644 index 0000000000..bd90bf0349 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOTenantAllowBlockListSpoofItems/settings.json @@ -0,0 +1,24 @@ +{ + "resourceName": "EXOTenantAllowBlockListSpoofItems", + "description": "Configures blocked spoofed items in Exchange Online.", + "roles": { + "read": [ + "Exchange Admin" + ], + "update": [ + "Exchange Admin" + ] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 index df09bf216b..114f77c7cf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 
@@ -551,7 +551,7 @@ function Set-TargetResource #Update-MgBetaDeviceManagementIntent does not support updating the property settings #Update-MgBetaDeviceManagementIntentSetting only support updating a single setting at a time #Using Rest to reduce the number of calls - $Uri = "https://graph.microsoft.com/beta/deviceManagement/intents/$($currentPolicy.Identity)/updateSettings" + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/intents/$($currentPolicy.Identity)/updateSettings" $body = @{'settings' = $settings } Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> $null diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json index 0250bfc33a..e3c1d8a2ee 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json index 7f3c9f6cc3..8e0c3442a4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/settings.json 
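Review bot: The new `$Uri` is built by plain concatenation, so it is valid only while `$Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl` is populated and ends in `/`. An unset profile leaves the bare string `beta/deviceManagement/intents/...`, and a value without the trailing slash produces a malformed host. The host of an authenticated POST now comes from a global variable, so normalise and check it before use, e.g. `$graphBase = ([string]$Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl).TrimEnd('/') + '/'` followed by `if ($graphBase -eq '/') { throw 'Microsoft Graph resource URL is not set' }`. Set-TargetResource begins and ends outside the hunk.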
@@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 index c342d5cf38..f5694dd4bc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 @@ -92,7 +92,7 @@ function Get-TargetResource { $policy = Get-MgBetaDeviceManagementConfigurationPolicy -Filter "Name eq '$DisplayName'" -ErrorAction SilentlyContinue - if(([array]$devicePolicy).count -gt 1) + if(([array]$devicePolicy).Count -gt 1) { throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" } @@ -109,7 +109,7 @@ function Get-TargetResource #Retrieve policy specific settings - $Identity = $policy.id + $Identity = $policy.Id [array]$settings = $policy.settings $returnHashtable = @{} 
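Review bot: The duplicate-name guard in the `-92,7` hunk tests `([array]$devicePolicy).Count`, but the lookup on the line above stores its result in `$policy`. Unless `$devicePolicy` is assigned outside the hunk, the guard never fires, a display name shared by two policies is accepted silently, and `$policy.Id` in the next hunk would then come from an array. The commit only changes the casing of `.Count` on that line; the check should read `if (([array]$policy).Count -gt 1)`. The filter `"Name eq '$DisplayName'"` also embeds the name unescaped, so a `'` in the display name breaks the query; `$DisplayName.Replace("'", "''")` avoids that. Get-TargetResource starts and ends outside both hunks.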
@@ -295,12 +295,12 @@ function Set-TargetResource $settings = Get-M365DSCIntuneDeviceConfigurationSettings -Properties ([System.Collections.Hashtable]$PSBoundParameters) $createParameters = @{} - $createParameters.add('name', $DisplayName) - $createParameters.add('description', $Description) - $createParameters.add('settings', @($settings)) - $createParameters.add('platforms', $platforms) - $createParameters.add('technologies', $technologies) - $createParameters.add('templateReference', @{ + $createParameters.Add('name', $DisplayName) + $createParameters.Add('description', $Description) + $createParameters.Add('settings', @($settings)) + $createParameters.Add('platforms', $platforms) + $createParameters.Add('technologies', $technologies) + $createParameters.Add('templateReference', @{ templateId = $templateReferenceId }) $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters @@ -323,11 +323,11 @@ function Set-TargetResource $settings = Get-M365DSCIntuneDeviceConfigurationSettings -Properties ([System.Collections.Hashtable]$PSBoundParameters) - Update-DeviceManagementConfigurationPolicy ` - -DeviceManagementConfigurationPolicyId $currentPolicy.Identity ` - -DisplayName $DisplayName ` + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentPolicy.Identity ` + -Name $DisplayName ` -Description $Description ` - -TemplateReference $templateReferenceId ` + -TemplateReferenceId $templateReferenceId ` -Platforms $platforms ` -Technologies $technologies ` -Settings $settings 
@@ -419,69 +419,45 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Account Protection Local User Group Membership Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters - if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) - { - Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" - throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." - } - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" - Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" - - $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() - $ValuesToCheck.Remove('Identity') | Out-Null + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() - $testResult = $true if ($CurrentValues.Ensure -ne $Ensure) { - $testResult = $false + Write-Verbose -Message "Test-TargetResource returned $false" + return $false } + $testResult = $true - #region LocalUserGroupCollection - if ($testResult) - { - if ((-not $CurrentValues.LocalUserGroupCollection) -xor (-not $ValuesToCheck.LocalUserGroupCollection)) - { - Write-Verbose -Message 'Configuration drift: one the LocalUserGroupCollection is null' - return $false - } + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" - if ($CurrentValues.LocalUserGroupCollection) + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') { - if ($CurrentValues.LocalUserGroupCollection.count -ne $ValuesToCheck.LocalUserGroupCollection.count) 
+ if ($source.UserSelectionType -eq 'add_replace') { - Write-Verbose -Message "Configuration drift: Number of LocalUserGroupCollection has changed - current {$($CurrentValues.LocalUserGroupCollection.count)} target {$($ValuesToCheck.LocalUserGroupCollection.count)}" - return $false + Write-Warning -Message "The UserSelectionType 'add_replace' is not supported anymore. It will be converted to 'add_restrict'" + $source.UserSelectionType = 'add_restrict' } - for ($i = 0; $i -lt $CurrentValues.LocalUserGroupCollection.count; $i++) - { - $source = $ValuesToCheck.LocalUserGroupCollection[$i] - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $CurrentValues.LocalUserGroupCollection[$i] + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) - if (-not $testResult) - { - $testResult = $false - break - } + if (-not $testResult) + { + break } + + $ValuesToCheck.Remove($key) | Out-Null } - if (-not $testResult) - { - return $false - } - $ValuesToCheck.Remove('LocalUserGroupCollection') | Out-Null } - #endregion - #region Assignments - if ($testResult) - { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments - $target = $CurrentValues.Assignments - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target - $ValuesToCheck.Remove('Assignments') | Out-Null - } - #endregion + $ValuesToCheck.Remove('Identity') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck if ($testResult) { 
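Review bot: With the `Test-M365DSCAuthenticationParameter` guard removed at the top of this hunk, Test-TargetResource can no longer tell a failed Get-TargetResource from a policy that does not exist. If Get-TargetResource returns `Ensure = 'Absent'` from its catch block (outside this hunk; the Get-TargetResource of the new MSFT_IntuneAntivirusPolicyLinux resource in this commit does so), a transient Graph error makes an `Ensure = 'Absent'` configuration test as compliant and sends a `Present` one on to Set-TargetResource. I would keep the check before the `Ensure` comparison, `if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) { throw ... }`, with the original message. Separately, `$source.UserSelectionType = 'add_restrict'` assigns through what appears to be a CimInstance array (the removed code indexed `LocalUserGroupCollection[$i]`). Member enumeration does not apply to assignment, so the conversion should loop with `foreach ($item in $source)` and set `$item.UserSelectionType`.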
@@ -714,6 +690,11 @@ function Get-M365DSCIntuneDeviceConfigurationSettings } foreach ($groupConfiguration in $Properties.LocalUserGroupCollection) { + if ($groupConfiguration.UserSelectionType -eq 'add_replace') + { + Write-Warning -Message "The UserSelectionType 'add_replace' is not supported anymore. It will be converted to 'add_restrict'" + $groupConfiguration.UserSelectionType = 'add_restrict' + } $groupDefaultValue = @{ children = @( @{ @@ -783,57 +764,4 @@ function Get-M365DSCIntuneDeviceConfigurationSettings return $defaultValue } -function Update-DeviceManagementConfigurationPolicy -{ - [CmdletBinding()] - param ( - [Parameter(Mandatory = 'true')] - [System.String] - $DeviceManagementConfigurationPolicyId, - - [Parameter(Mandatory = 'true')] - [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.String] - $TemplateReferenceId, - - [Parameter()] - [System.String] - $Platforms, - - [Parameter()] - [System.String] - $Technologies, - - [Parameter()] - [System.Array] - $Settings - ) - - $templateReference = @{ - 'templateId' = $TemplateReferenceId - } - - $Uri = "https://graph.microsoft.com/beta/deviceManagement/ConfigurationPolicies/$DeviceManagementConfigurationPolicyId" - $policy = @{ - 'name' = $DisplayName - 'description' = $Description - 'platforms' = $Platforms - 'technologies' = $Technologies - 'settings' = $Settings - 'templateReference' = $templateReference - } - - Invoke-MgGraphRequest -Method PUT ` - -Uri $Uri ` - -ContentType 'application/json' ` - -Body ($policy | ConvertTo-Json -Depth 20) 4> $null -} - Export-ModuleMember -Function *-TargetResource 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.schema.mof index f41b644e83..0dcc2f322c 100644 Binary files a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.schema.mof and b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.schema.mof differ diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json index d6aeda8c71..1c2a8b1d80 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 index 510bddb1d7..a7d21f2100 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 @@ -451,7 +451,8 @@ function Set-TargetResource #Update-MgBetaDeviceManagementIntent does not support updating the property settings #Update-MgBetaDeviceManagementIntentSetting only support updating a single setting at a time #Using Rest to reduce the number of calls - $Uri = "https://graph.microsoft.com/beta/deviceManagement/intents/$($currentPolicy.Identity)/updateSettings" + + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/intents/$($currentPolicy.Identity)/updateSettings" $body = @{'settings' = $settings } Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> $null diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json index 1d0cdf0573..7fb501a21b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/settings.json index a20915a6b7..7e45256fd1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/settings.json 
@@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/MSFT_IntuneAntivirusPolicyLinux.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/MSFT_IntuneAntivirusPolicyLinux.psm1 new file mode 100644 index 0000000000..46e096cf71 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/MSFT_IntuneAntivirusPolicyLinux.psm1 
@@ -0,0 +1,1013 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $enabled, + + [Parameter()] + [ValidateSet('none', 'safe', 'all')] + [System.String] + $automaticSampleSubmissionConsent, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $diagnosticLevel, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $automaticDefinitionUpdateEnabled, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $enableRealTimeProtection, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $passiveMode, + + [Parameter()] + [ValidateRange(5000, 15000)] + [System.Int32] + $scanHistoryMaximumItems, + + [Parameter()] + [ValidateRange(1, 180)] + [System.Int32] + $scanResultsRetentionDays, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $exclusionsMergePolicy, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $exclusions, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $threatTypeSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $threatTypeSettingsMergePolicy, + + [Parameter()] + [System.String[]] + $allowedThreats, + + [Parameter()] + [System.String[]] + $disallowedThreatActions, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $scanArchives, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $scanAfterDefinitionUpdate, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $enableFileHashComputation, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $behaviorMonitoring, + + 
[Parameter()] + [ValidateSet('normal', 'moderate', 'high', 'plus', 'tolerance')] + [System.String] + $cloudBlockLevel, + + [Parameter()] + [ValidateRange(1, 64)] + [System.Int32] + $maximumOnDemandScanThreads, + + [Parameter()] + [ValidateSet('0', '1', '2')] + [System.String] + $networkprotection_enforcementLevel, + + [Parameter()] + [System.String[]] + $unmonitoredFilesystems, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $nonExecMountPolicy, + + [Parameter()] + [ValidateSet('0', '1', '2')] + [System.String] + $antivirusengine_enforcementLevel, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Antivirus Policy Linux with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Antivirus Policy Linux with Name {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune Antivirus Policy Linux with Id {$Id} and Name {$DisplayName} was found" + + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Id ` + -ExpandProperty 'settingDefinitions' ` + -All ` + -ErrorAction Stop + $policyTemplateId = $getValue.TemplateReference.TemplateId + [array]$settingDefinitions = Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate ` + -DeviceManagementConfigurationPolicyTemplateId $policyTemplateId ` + -ExpandProperty 'settingDefinitions' ` + -All ` + -ErrorAction Stop | Select-Object -ExpandProperty SettingDefinitions + + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings -AllSettingDefinitions $settingDefinitions + + #region resource generator code + $complexExclusions = @() + foreach ($currentExclusions in $policySettings.exclusions) + { + $myExclusions = @{} + $myExclusions.Add('Exclusions_item_type', $currentExclusions.exclusions_item_type) + $myExclusions.Add('Exclusions_item_extension', $currentExclusions.exclusions_item_extension) + $myExclusions.Add('Exclusions_item_name', $currentExclusions.exclusions_item_name) + $myExclusions.Add('Exclusions_item_path', $currentExclusions.exclusions_item_path) + $myExclusions.Add('Exclusions_item_isDirectory', $currentExclusions.exclusions_item_isDirectory) + if ($myExclusions.values.Where({$null -ne $_}).Count -gt 0) + { + $complexExclusions += $myExclusions + } + } + $policySettings.Remove('exclusions') | Out-Null + + $complexThreatTypeSettings = @() + foreach ($currentThreatTypeSettings in $policySettings.threatTypeSettings) + { + $myThreatTypeSettings = @{} + $myThreatTypeSettings.Add('ThreatTypeSettings_item_key', $currentThreatTypeSettings.threatTypeSettings_item_key) + 
$myThreatTypeSettings.Add('ThreatTypeSettings_item_value', $currentThreatTypeSettings.threatTypeSettings_item_value) + if ($myThreatTypeSettings.values.Where({$null -ne $_}).Count -gt 0) + { + $complexThreatTypeSettings += $myThreatTypeSettings + } + } + $policySettings.Remove('threatTypeSettings') | Out-Null + #endregion + + $results = @{ + #region resource generator code + Description = $getValue.Description + DisplayName = $getValue.Name + RoleScopeTagIds = $getValue.RoleScopeTagIds + Id = $getValue.Id + exclusions = $complexExclusions + threatTypeSettings = $complexThreatTypeSettings + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + $results += $policySettings + + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $enabled, + + [Parameter()] + [ValidateSet('none', 'safe', 'all')] + [System.String] + 
$automaticSampleSubmissionConsent, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $diagnosticLevel, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $automaticDefinitionUpdateEnabled, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $enableRealTimeProtection, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $passiveMode, + + [Parameter()] + [ValidateRange(5000, 15000)] + [System.Int32] + $scanHistoryMaximumItems, + + [Parameter()] + [ValidateRange(1, 180)] + [System.Int32] + $scanResultsRetentionDays, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $exclusionsMergePolicy, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $exclusions, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $threatTypeSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $threatTypeSettingsMergePolicy, + + [Parameter()] + [System.String[]] + $allowedThreats, + + [Parameter()] + [System.String[]] + $disallowedThreatActions, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $scanArchives, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $scanAfterDefinitionUpdate, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $enableFileHashComputation, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $behaviorMonitoring, + + [Parameter()] + [ValidateSet('normal', 'moderate', 'high', 'plus', 'tolerance')] + [System.String] + $cloudBlockLevel, + + [Parameter()] + [ValidateRange(1, 64)] + [System.Int32] + $maximumOnDemandScanThreads, + + [Parameter()] + [ValidateSet('0', '1', '2')] + [System.String] + $networkprotection_enforcementLevel, + + [Parameter()] + [System.String[]] + $unmonitoredFilesystems, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $nonExecMountPolicy, + + [Parameter()] + [ValidateSet('0', '1', '2')] + [System.String] + 
$antivirusengine_enforcementLevel, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $templateReferenceId = '4cfd164c-5e8a-4ea9-b15d-9aa71e4ffff4_1' + $platforms = 'linux' + $technologies = 'microsoftSense' + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Antivirus Policy Linux with Name {$DisplayName}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + $createParameters = @{ + Name = $DisplayName + Description = $Description + TemplateReference = @{ templateId = $templateReferenceId } + Platforms = $platforms + Technologies = $technologies + Settings = $settings + } + + #region 
resource generator code + $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters + + if ($policy.Id) + { + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune Antivirus Policy Linux with Id {$($currentInstance.Id)}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Name $DisplayName ` + -Description $Description ` + -TemplateReferenceId $templateReferenceId ` + -Platforms $platforms ` + -Technologies $technologies ` + -Settings $settings + + #region resource generator code + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune Antivirus Policy Linux with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + 
[Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $enabled, + + [Parameter()] + [ValidateSet('none', 'safe', 'all')] + [System.String] + $automaticSampleSubmissionConsent, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $diagnosticLevel, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $automaticDefinitionUpdateEnabled, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $enableRealTimeProtection, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $passiveMode, + + [Parameter()] + [ValidateRange(5000, 15000)] + [System.Int32] + $scanHistoryMaximumItems, + + [Parameter()] + [ValidateRange(1, 180)] + [System.Int32] + $scanResultsRetentionDays, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $exclusionsMergePolicy, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $exclusions, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $threatTypeSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $threatTypeSettingsMergePolicy, + + [Parameter()] + [System.String[]] + $allowedThreats, + + [Parameter()] + [System.String[]] + $disallowedThreatActions, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $scanArchives, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $scanAfterDefinitionUpdate, + + [Parameter()] + [ValidateSet('false', 'true')] + [System.String] + $enableFileHashComputation, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $behaviorMonitoring, + + [Parameter()] + [ValidateSet('normal', 'moderate', 'high', 'plus', 'tolerance')] + [System.String] + $cloudBlockLevel, + + [Parameter()] + [ValidateRange(1, 64)] + [System.Int32] + $maximumOnDemandScanThreads, + + 
[Parameter()] + [ValidateSet('0', '1', '2')] + [System.String] + $networkprotection_enforcementLevel, + + [Parameter()] + [System.String[]] + $unmonitoredFilesystems, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $nonExecMountPolicy, + + [Parameter()] + [ValidateSet('0', '1', '2')] + [System.String] + $antivirusengine_enforcementLevel, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Antivirus Policy Linux with Id {$Id} and Name {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } + } + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues 
$CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + $policyTemplateID = "4cfd164c-5e8a-4ea9-b15d-9aa71e4ffff4_1" + [array]$getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter $Filter ` + -All ` + -ErrorAction Stop | Where-Object ` + -FilterScript { + $_.TemplateReference.TemplateId -eq $policyTemplateID + } + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.Name + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.exclusions) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.exclusions ` + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogExclusions' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.exclusions = 
$complexTypeStringResult + } + else + { + $Results.Remove('exclusions') | Out-Null + } + } + if ($null -ne $Results.threatTypeSettings) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.threatTypeSettings ` + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.threatTypeSettings = $complexTypeStringResult + } + else + { + $Results.Remove('threatTypeSettings') | Out-Null + } + } + + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + $Results.Remove('Assignments') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.exclusions) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "exclusions" -IsCIMArray:$True + } + if ($Results.threatTypeSettings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "threatTypeSettings" -IsCIMArray:$True + } + + if ($Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId 
` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/MSFT_IntuneAntivirusPolicyLinux.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/MSFT_IntuneAntivirusPolicyLinux.schema.mof new file mode 100644 index 0000000000..949abac55d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/MSFT_IntuneAntivirusPolicyLinux.schema.mof 
@@ -0,0 +1,69 @@ +[ClassVersion("1.0.0.0")] +class MSFT_DeviceManagementConfigurationPolicyAssignments +{ + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType; + [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions +{ + [Write, Description("Type - Depends on exclusions (0: Path, 1: File extension, 2: Process name)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String exclusions_item_type; + [Write, Description("File extension - Depends on exclusions_item_type=1")] String exclusions_item_extension; + [Write, Description("File name - exclusions_item_type=2")] String exclusions_item_name; + [Write, Description("Path - exclusions_item_type=0")] String exclusions_item_path; + [Write, 
Description("Is directory (false: Disabled, true: Enabled) - Depends on exclusions_item_type=0"), ValueMap{"false", "true"}, Values{"false", "true"}] String exclusions_item_isDirectory; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogthreatTypeSettings +{ + [Write, Description("Threat type - Depends on threatTypeSettings (0: potentially_unwanted_application, 1: archive_bomb)"), ValueMap{"0", "1"}, Values{"0", "1"}] String threatTypeSettings_item_key; + [Write, Description("Action to take - Depends on threatTypeSettings (0: audit, 1: block, 2: off)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String threatTypeSettings_item_value; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("IntuneAntivirusPolicyLinux")] +class MSFT_IntuneAntivirusPolicyLinux : OMI_BaseResource +{ + [Write, Description("Policy description")] String Description; + [Key, Description("Policy name")] String DisplayName; + [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[]; + [Write, Description("The unique identifier for an entity. 
Read-only.")] String Id; + [Write, Description("Enable cloud delivered protection (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String enabled; + [Write, Description("Enable automatic sample submissions (none: None, safe: Safe, all: All)"), ValueMap{"none", "safe", "all"}, Values{"none", "safe", "all"}] String automaticSampleSubmissionConsent; + [Write, Description("Diagnostic data collection level (0: optional, 1: required)"), ValueMap{"0", "1"}, Values{"0", "1"}] String diagnosticLevel; + [Write, Description("Automatic security intelligence updates (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String automaticDefinitionUpdateEnabled; + [Write, Description("Enable real-time protection (deprecated) (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String enableRealTimeProtection; + [Write, Description("Enable passive mode (deprecated) (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String passiveMode; + [Write, Description("Scan history size")] SInt32 scanHistoryMaximumItems; + [Write, Description("Scan results retention")] SInt32 scanResultsRetentionDays; + [Write, Description("Exclusions merge (0: merge, 1: admin_only)"), ValueMap{"0", "1"}, Values{"0", "1"}] String exclusionsMergePolicy; + [Write, Description("Scan exclusions"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions")] String exclusions[]; + [Write, Description("Threat type settings"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogthreatTypeSettings")] String threatTypeSettings[]; + [Write, Description("Threat type settings merge (0: merge, 1: admin_only)"), ValueMap{"0", "1"}, Values{"0", "1"}] String threatTypeSettingsMergePolicy; + [Write, Description("Allowed threats")] String allowedThreats[]; + [Write, Description("Disallowed threat actions")] String disallowedThreatActions[]; + [Write, 
Description("Enable scanning of archives (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String scanArchives; + [Write, Description("Enable scanning after definition update (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String scanAfterDefinitionUpdate; + [Write, Description("Enable file hash computation (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String enableFileHashComputation; + [Write, Description("Enable behavior monitoring (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String behaviorMonitoring; + [Write, Description("Configure cloud block level (normal: Normal, moderate: Moderate, high: High, plus: High_Plus, tolerance: Zero_Tolerance)"), ValueMap{"normal", "moderate", "high", "plus", "tolerance"}, Values{"normal", "moderate", "high", "plus", "tolerance"}] String cloudBlockLevel; + [Write, Description("maximum on demand scan threads")] SInt32 maximumOnDemandScanThreads; + [Write, Description("Enforcement Level (0: disabled, 1: audit, 2: block)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String networkprotection_enforcementLevel; + [Write, Description("Unmonitored Filesystems")] String unmonitoredFilesystems[]; + [Write, Description("non execute mount mute (0: unmute, 1: mute)"), ValueMap{"0", "1"}, Values{"0", "1"}] String nonExecMountPolicy; + [Write, Description("Enforcement Level (0: Realtime, 1: OnDemand, 2: Passive)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String antivirusengine_enforcementLevel; + [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), 
EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/readme.md new file mode 100644 index 0000000000..d8060ea61a --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/readme.md @@ -0,0 +1,6 @@ + +# IntuneAntivirusPolicyLinux + +## Description + +Intune Antivirus Policy Linux diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/settings.json new file mode 100644 index 0000000000..996c1ddb08 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/settings.json 
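Review bot: The embedded class is declared as `MSFT_MicrosoftGraphIntuneSettingsCatalogthreatTypeSettings` (lower-case `t`), both here and in the `EmbeddedInstance` of `threatTypeSettings[]`, while Export-TargetResource in the accompanying .psm1 passes `-CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings'`. CIM class names are normally compared case-insensitively, so this probably still resolves, but the schema and the exported configuration should use one spelling; I would rename the class to `MSFT_MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings`. The description of `exclusions_item_name` also says "File name" although it applies to `exclusions_item_type=2`, which the type description calls "Process name". Since these fields define antivirus scan exclusions, the wording should state exactly what is excluded.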
@@ -0,0 +1,45 @@ +{ + "resourceName": "IntuneAntivirusPolicyLinux", + "description": "This resource configures an Intune Antivirus Policy Linux.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + }, + { + "name": "Group.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + }, + { + "name": "Group.Read.All" + } + ] + }, + "application": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + }, + { + "name": "Group.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + }, + { + "name": "Group.Read.All" + } + ] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json index 307c2f8403..0489d61a43 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json index fe0c097e79..6f8ca8d487 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json 
@@ -5,11 +5,17 @@ "graph": { "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr.psm1 new file mode 100644 index 0000000000..2140de5510 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr.psm1 
@@ -0,0 +1,855 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('0', '1', '2', '3')] + [System.String] + $AllowWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('0', '1', '2', '3')] + [System.String] + $ClipboardSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SaveFilesToHost, + + [Parameter()] + [ValidateSet('install')] + [System.String] + $InstallWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('1', '2', '3')] + [System.String] + $ClipboardFileType, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowPersistence, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowVirtualGPU, + + [Parameter()] + [ValidateSet('0', '1', '2', '4', '8')] + [System.Int32[]] + $PrintingSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowCameraMicrophoneRedirection, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AuditApplicationGuard, + + [Parameter()] + [System.String[]] + $CertificateThumbprints, + + [Parameter()] + [System.String[]] + $EnterpriseIPRange, + + [Parameter()] + [System.String[]] + $EnterpriseCloudResources, + + [Parameter()] + [System.String[]] + $EnterpriseNetworkDomainNames, + + [Parameter()] + [System.String[]] + $EnterpriseProxyServers, + + [Parameter()] + [System.String[]] + $EnterpriseInternalProxyServers, + + [Parameter()] + [System.String[]] + $NeutralResources, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseProxyServersAreAuthoritative, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseIPRangesAreAuthoritative, + + 
[Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune App And Browser Isolation Policy for Windows10 Config Mgr with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune App And Browser Isolation Policy for Windows10 Config Mgr with Name {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune App And Browser Isolation Policy for Windows10 Config Mgr with Id {$Id} and Name {$DisplayName} was found" + + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Id ` + -ExpandProperty 'settingDefinitions' ` + -ErrorAction Stop + + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings + + $results = @{ + #region resource generator code + Description = $getValue.Description + DisplayName = $getValue.Name + RoleScopeTagIds = $getValue.RoleScopeTagIds + Id = $getValue.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + $results += $policySettings + + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + 
[ValidateSet('0', '1', '2', '3')] + [System.String] + $AllowWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('0', '1', '2', '3')] + [System.String] + $ClipboardSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SaveFilesToHost, + + [Parameter()] + [ValidateSet('install')] + [System.String] + $InstallWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('1', '2', '3')] + [System.String] + $ClipboardFileType, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowPersistence, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowVirtualGPU, + + [Parameter()] + [ValidateSet('0', '1', '2', '4', '8')] + [System.Int32[]] + $PrintingSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowCameraMicrophoneRedirection, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AuditApplicationGuard, + + [Parameter()] + [System.String[]] + $CertificateThumbprints, + + [Parameter()] + [System.String[]] + $EnterpriseIPRange, + + [Parameter()] + [System.String[]] + $EnterpriseCloudResources, + + [Parameter()] + [System.String[]] + $EnterpriseNetworkDomainNames, + + [Parameter()] + [System.String[]] + $EnterpriseProxyServers, + + [Parameter()] + [System.String[]] + $EnterpriseInternalProxyServers, + + [Parameter()] + [System.String[]] + $NeutralResources, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseProxyServersAreAuthoritative, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseIPRangesAreAuthoritative, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + 
[System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $templateReferenceId = 'e373ebb7-c1c5-4ffb-9ce0-698f1834fd9d_1' + $platforms = 'windows10' + $technologies = 'configManager' + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune App And Browser Isolation Policy for Windows10 Config Mgr with Name {$DisplayName}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + $createParameters = @{ + Name = $DisplayName + Description = $Description + TemplateReference = @{ templateId = $templateReferenceId } + Platforms = $platforms + Technologies = $technologies + Settings = $settings + } + + #region resource generator code + $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters + + if ($policy.Id) + { + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 
'deviceManagement/configurationPolicies' + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune App And Browser Isolation Policy for Windows10 Config Mgr with Id {$($currentInstance.Id)}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Name $DisplayName ` + -Description $Description ` + -TemplateReferenceId $templateReferenceId ` + -Platforms $platforms ` + -Technologies $technologies ` + -Settings $settings + + #region resource generator code + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune App And Browser Isolation Policy for Windows10 Config Mgr with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('0', '1', '2', '3')] + [System.String] + $AllowWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('0', '1', 
'2', '3')] + [System.String] + $ClipboardSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SaveFilesToHost, + + [Parameter()] + [ValidateSet('install')] + [System.String] + $InstallWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('1', '2', '3')] + [System.String] + $ClipboardFileType, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowPersistence, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowVirtualGPU, + + [Parameter()] + [ValidateSet('0', '1', '2', '4', '8')] + [System.Int32[]] + $PrintingSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowCameraMicrophoneRedirection, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AuditApplicationGuard, + + [Parameter()] + [System.String[]] + $CertificateThumbprints, + + [Parameter()] + [System.String[]] + $EnterpriseIPRange, + + [Parameter()] + [System.String[]] + $EnterpriseCloudResources, + + [Parameter()] + [System.String[]] + $EnterpriseNetworkDomainNames, + + [Parameter()] + [System.String[]] + $EnterpriseProxyServers, + + [Parameter()] + [System.String[]] + $EnterpriseInternalProxyServers, + + [Parameter()] + [System.String[]] + $NeutralResources, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseProxyServersAreAuthoritative, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseIPRangesAreAuthoritative, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + 
[Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune App And Browser Isolation Policy for Windows10 Config Mgr with Id {$Id} and Name {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } + } + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable 
$CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + $policyTemplateID = "e373ebb7-c1c5-4ffb-9ce0-698f1834fd9d_1" + [array]$getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter $Filter ` + -All ` + -ErrorAction Stop | Where-Object ` + -FilterScript { + $_.TemplateReference.TemplateId -eq $policyTemplateID + } + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.Name + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + 
$Results.Remove('Assignments') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr.schema.mof new file mode 100644 index 0000000000..73395d0a08 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr.schema.mof 
@@ -0,0 +1,48 @@ +[ClassVersion("1.0.0.0")] +class MSFT_DeviceManagementConfigurationPolicyAssignments +{ + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType; + [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; +}; + + +[ClassVersion("1.0.0.0"), FriendlyName("IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr")] +class MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr : OMI_BaseResource +{ + [Write, Description("Policy description")] String Description; + [Key, Description("Policy name")] String DisplayName; + [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[]; + [Write, Description("The unique identifier for an entity. 
Read-only.")] String Id; + [Write, Description("Turn on Microsoft Defender Application Guard (0: Disable Microsoft Defender Application Guard, 1: Enable Microsoft Defender Application Guard for Microsoft Edge ONLY, 2: Enable Microsoft Defender Application Guard for isolated Windows environments ONLY, 3: Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String AllowWindowsDefenderApplicationGuard; + [Write, Description("Clipboard behavior settings (0: Completely turns Off the clipboard functionality for the Application Guard., 1: Turns On clipboard operation from an isolated session to the host., 2: Turns On clipboard operation from the host to an isolated session., 3: Turns On clipboard operation in both the directions.)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String ClipboardSettings; + [Write, Description("Allow files to download and save to the host operating system (0: The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to allow users to download files from Edge in the container to the host file system.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SaveFilesToHost; + [Write, Description("Install Windows defender application guard (install: Install). 
Required if AllowWindowsDefenderApplicationGuard is not set to 0."), ValueMap{"install"}, Values{"install"}] String InstallWindowsDefenderApplicationGuard; + [Write, Description("Clipboard content options (1: Allow text copying., 2: Allow image copying., 3: Allow text and image copying.)"), ValueMap{"1", "2", "3"}, Values{"1", "2", "3"}] String ClipboardFileType; + [Write, Description("Allow data persistence (0: Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off., 1: Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowPersistence; + [Write, Description("Allow hardware-accelerated rendering (0: Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowVirtualGPU; + [Write, Description("Print Settings (0: Disables all print functionality., 1: Enables only XPS printing., 2: Enables only PDF printing., 4: Enables only local printing., 8: Enables only network printing.)"), ValueMap{"0", "1", "2", "4", "8"}, Values{"0", "1", "2", "4", "8"}] SInt32 PrintingSettings[]; + [Write, Description("Allow camera and microphone access (0: Microsoft Defender Application Guard cannot access the device's camera and microphone. 
When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to allow Microsoft Defender Application Guard to access the device's camera and microphone.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowCameraMicrophoneRedirection; + [Write, Description("Audit Application Guard (0: Audit event logs aren't collected for Application Guard., 1: Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AuditApplicationGuard; + [Write, Description("Certificate Thumbprints")] String CertificateThumbprints[]; + [Write, Description("Enterprise IP Range")] String EnterpriseIPRange[]; + [Write, Description("Enterprise Cloud Resources")] String EnterpriseCloudResources[]; + [Write, Description("Enterprise Network Domain Names")] String EnterpriseNetworkDomainNames[]; + [Write, Description("Enterprise Proxy Servers")] String EnterpriseProxyServers[]; + [Write, Description("Enterprise Internal Proxy Servers")] String EnterpriseInternalProxyServers[]; + [Write, Description("Neutral Resources")] String NeutralResources[]; + [Write, Description("Enterprise Proxy Servers Are Authoritative (1: Enable, 0: Disable)"), ValueMap{"1", "0"}, Values{"1", "0"}] String EnterpriseProxyServersAreAuthoritative; + [Write, Description("Enterprise IP Ranges Are Authoritative (1: Enable, 0: Disable)"), ValueMap{"1", "0"}, Values{"1", "0"}] String EnterpriseIPRangesAreAuthoritative; + [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id 
of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/readme.md new file mode 100644 index 0000000000..2e023e4763 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/readme.md @@ -0,0 +1,6 @@ + +# IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr + +## Description + +Intune App And Browser Isolation Policy for Windows10 Config Mgr diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/settings.json new file mode 100644 index 0000000000..2bed23cd76 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/settings.json 
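Review bot: `AccessTokens`, the last property of MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr, is declared as a plain `String AccessTokens[]`, while `Credential` and `ApplicationSecret` are `EmbeddedInstance("MSFT_Credential")`. A token passed through this property is therefore written to the compiled MOF in clear text, whereas the credential properties can be encrypted by DSC. If the type has to stay a string to match the module's other resources (presumably it does), the description should say so, e.g. `Description("Access token used for authentication. Stored in clear text in the compiled MOF; protect the MOF accordingly.")`. The `ApplicationSecret` description also says "tenant" where the secret belongs to the application.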
@@ -0,0 +1,33 @@ +{ + "resourceName": "IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr", + "description": "This resource configures an Intune App And Browser Isolation Policy for Windows10 Config Mgr.", + "permissions": { + "graph": { + "application": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + }, + "delegated": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppCategory/MSFT_IntuneAppCategory.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppCategory/MSFT_IntuneAppCategory.psm1 index bb74801759..479083759f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppCategory/MSFT_IntuneAppCategory.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppCategory/MSFT_IntuneAppCategory.psm1 
@@ -78,25 +78,25 @@ function Get-TargetResource if ($null -eq $instance) { - $instance = Get-MgBetaDeviceAppManagementMobileAppCategory -MobileAppCategoryId $Id -ErrorAction Stop - - if ($null -eq $instance) - { - Write-Verbose -Message "Could not find MobileAppCategory by Id {$Id}." - - if (-Not [string]::IsNullOrEmpty($DisplayName)) - { - $instance = Get-MgBetaDeviceAppManagementMobileAppConfiguration ` - -Filter "DisplayName eq '$DisplayName'" ` - -ErrorAction SilentlyContinue - } - } - - if ($null -eq $instance) - { - Write-Verbose -Message "Could not find MobileAppCategory by DisplayName {$DisplayName}." - return $nullResult - } + $instance = Get-MgBetaDeviceAppManagementMobileAppCategory -MobileAppCategoryId $Id -ErrorAction SilentlyContinue + + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find MobileAppCategory by Id {$Id}." + + if (-Not [string]::IsNullOrEmpty($DisplayName)) + { + $instance = Get-MgBetaDeviceAppManagementMobileAppCategory ` + -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find MobileAppCategory by DisplayName {$DisplayName}." + return $nullResult + } } $results = @{ 
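Review bot: The fallback lookup builds its OData filter by interpolation, `-Filter "DisplayName eq '$DisplayName'"`, so a display name containing a single quote yields a filter that is malformed or matches something other than intended. Double the quote before interpolating: `-Filter "DisplayName eq '$($DisplayName -replace "'", "''")'"`. The same pattern is added in the MSFT_IntuneAppProtectionPolicyiOS hunks (`'$DisplayName'`, `'$assignment'`, `'$exclusion'`). Separately, the Id lookup now runs with `-ErrorAction SilentlyContinue`, which makes a permission or throttling failure indistinguishable from "not found"; a comment stating that this is intended would help. Get-TargetResource begins and ends outside this hunk.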
@@ -192,22 +192,27 @@ function Set-TargetResource $currentInstance = Get-TargetResource @PSBoundParameters $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters - $setParameters.remove('Id') | Out-Null - $setParameters.remove('Ensure') | Out-Null + $setParameters.Remove('Id') | Out-Null # CREATE if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { + Write-Verbose -Message "Creating an Intune App Category with DisplayName {$DisplayName}" + New-MgBetaDeviceAppManagementMobileAppCategory @SetParameters } # UPDATE elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { + Write-Verbose -Message "Updating the Intune App Category with DisplayName {$DisplayName}" + Update-MgBetaDeviceAppManagementMobileAppCategory -MobileAppCategoryId $currentInstance.Id @SetParameters } # REMOVE elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { + Write-Verbose -Message "Removing the Intune App Category with DisplayName {$DisplayName}" + Remove-MgBetaDeviceAppManagementMobileAppCategory -MobileAppCategoryId $currentInstance.Id -Confirm:$false } } 
@@ -279,13 +284,26 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" - $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } Write-Verbose -Message "Test-TargetResource returned $testResult" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/settings.json index 9e60b9ada3..57be974d43 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } 
@@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json index e5bfa4dcaf..b6d0af3e02 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json index 10e50f1081..315a58a821 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 index 3148f18042..c6bd7d5a2c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 @@ -272,23 +272,30 @@ function Get-TargetResource try { - $policy = Get-MgBetaDeviceAppManagementiOSManagedAppProtection -IosManagedAppProtectionId $Identity -ErrorAction SilentlyContinue + if (-not [System.String]::IsNullOrEmpty($Identity)) + { + [Array]$policy = Get-MgBetaDeviceAppManagementiOSManagedAppProtection -IosManagedAppProtectionId $Identity -ErrorAction SilentlyContinue + } + if ($policy.Length -eq 0) + { + Write-Verbose -Message "No iOS App Protection Policy {$Identity} was found by Identity. Trying to retrieve by DisplayName" + [Array]$policy = Get-MgBetaDeviceAppManagementiOSManagedAppProtection -Filter "DisplayName eq '$DisplayName'" -ErrorAction SilentlyContinue + } - if ($null -eq $policy) + if ($policy.Length -gt 1) { - Write-Verbose -Message "No iOS App Protection Policy {$Identity} was found" - $policy = Get-MgBetaDeviceAppManagementiOSManagedAppProtection -Filter "displayName eq '$DisplayName'" -ErrorAction SilentlyContinue + throw "Multiple policies with display name {$DisplayName} were found. Please ensure only one instance exists." } if ($null -eq $policy) { - Write-Verbose -Message "No iOS App Protection Policy {$DisplayName} was found." + Write-Verbose -Message "No iOS App Protection Policy {$DisplayName} was found by Display Name. Instance doesn't exist." return $nullResult } Write-Verbose -Message "Found iOS App Protection Policy {$DisplayName}" - $policyApps = Get-MgBetaDeviceAppManagementiOSManagedAppProtectionApp -IosManagedAppProtectionId $policy.id + $policyApps = Get-MgBetaDeviceAppManagementiOSManagedAppProtectionApp -IosManagedAppProtectionId $policy.Id $appsArray = @() foreach ($app in $policyApps) 
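Review bot: The not-found test after the duplicate check still reads `if ($null -eq $policy)`, although both lookups now cast to `[Array]` and the two earlier tests use `$policy.Length`. If the cast leaves an empty array rather than `$null`, that comparison is false and execution continues to "Found iOS App Protection Policy" and `$policy.Id` with nothing in hand. Writing `if ($policy.Length -eq 0)` there keeps the three checks consistent. `$policy` is also never assigned when `$Identity` is empty, so `$policy = @()` ahead of the first `if` would make that path explicit. The function body starts and ends outside the hunk.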
@@ -296,19 +303,26 @@ function Get-TargetResource $appsArray += $app.mobileAppIdentifier.additionalProperties.bundleId } - $policyAssignments = Get-IntuneAppProtectionPolicyiOSAssignment -IosManagedAppProtectionId $policy.id + $policyAssignments = Get-IntuneAppProtectionPolicyiOSAssignment -IosManagedAppProtectionId $policy.Id $assignmentsArray = @() $exclusionArray = @() + $ObjectGuid = [System.Guid]::empty foreach ($policyAssignment in $policyAssignments) { + $assignmentValue = $policyAssignment.target.groupId + if ([System.Guid]::TryParse($policyAssignment.target.groupId, [System.Management.Automation.PSReference]$ObjectGuid)) + { + $groupInfo = Get-MgGroup -GroupId $policyAssignment.target.groupId + $assignmentValue = $groupInfo.DisplayName + } if ($policyAssignment.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget') { - $assignmentsArray += $policyAssignment.target.groupId + $assignmentsArray += $assignmentValue } if ($policyAssignment.target.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget') { - $exclusionArray += $policyAssignment.target.groupId + $exclusionArray += $assignmentValue } } @@ -419,7 +433,14 @@ function Get-TargetResource -TenantId $TenantId ` -Credential $Credential - return $nullResult + if ($_.Exception.Message -eq "Multiple policies with display name {$DisplayName} were found. Please ensure only one instance exists.") + { + throw $_ + } + else + { + return $nullResult + } } } @@ -753,6 +774,7 @@ function Set-TargetResource Update-IntuneAppProtectionPolicyiOSApp -IosManagedAppProtectionId $policy.id -Apps $myApps + Write-Verbose -Message "Updating policy assignments" Update-IntuneAppProtectionPolicyiOSAssignment -IosManagedAppProtectionId $policy.id -Assignments $myAssignments } elseif ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present') 
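Review bot: `Get-MgGroup -GroupId $policyAssignment.target.groupId` runs for every assignment with no handling for a group that was deleted or cannot be read. Depending on the error preference, the failure either lands in the function's catch block, which returns `$nullResult` for the whole policy, or leaves `$groupInfo` empty so `$assignmentValue` becomes `$null`. Keeping the id as the fallback avoids both: `$groupInfo = Get-MgGroup -GroupId $policyAssignment.target.groupId -ErrorAction SilentlyContinue` followed by `if ($null -ne $groupInfo) { $assignmentValue = $groupInfo.DisplayName }`. The enclosing foreach sits inside Get-TargetResource, whose start is outside the hunk.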
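Review bot: The catch block decides whether to rethrow by comparing `$_.Exception.Message` with a second, re-interpolated copy of the message thrown earlier in the function. Any later edit to one of the two strings silently turns the duplicate-policy error back into `return $nullResult`, which callers read as "policy absent". Define the text once before the `try`, e.g. `$duplicateMessage = "Multiple policies with display name {$DisplayName} were found. Please ensure only one instance exists."`, then use `throw $duplicateMessage` and `if ($_.Exception.Message -eq $duplicateMessage)`. Inside the catch, a bare `throw` rethrows the original error record. The try block begins outside this hunk.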
@@ -796,6 +818,7 @@ function Set-TargetResource Update-IntuneAppProtectionPolicyiOSApp -IosManagedAppProtectionId $Identity -Apps $myApps + Write-Verbose -Message "Updating policy assignments: $myassignments" Update-IntuneAppProtectionPolicyiOSAssignment -IosManagedAppProtectionId $Identity -Assignments $myAssignments } @@ -1267,21 +1290,34 @@ function Get-IntuneAppProtectionPolicyiOSAssignmentToHashtable $Parameters ) + $ObjectGuid = [System.Guid]::empty $assignments = @() foreach ($assignment in $Parameters.Assignments) { + $assignmentValue = $assignment + if (-not [System.Guid]::TryParse($assignment,[System.Management.Automation.PSReference]$ObjectGuid)) + { + $groupInfo = Get-MgGroup -Filter "DisplayName eq '$assignment'" + $assignmentValue = $groupInfo.Id + } $assignments += @{ 'target' = @{ - groupId = $assignment + groupId = $assignmentValue '@odata.type' = '#microsoft.graph.groupAssignmentTarget' } } } foreach ($exclusion in $Parameters.Exclusions) { + $assignmentValue = $exclusion + if (-not [System.Guid]::TryParse($exclusion,[System.Management.Automation.PSReference]$ObjectGuid)) + { + $groupInfo = Get-MgGroup -Filter "DisplayName eq '$exclusion'" + $assignmentValue = $groupInfo.Id + } $assignments += @{ 'target' = @{ - groupId = $assignment + groupId = $assignmentValue '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' } } @@ -1302,7 +1338,7 @@ function Get-IntuneAppProtectionPolicyiOSAssignment try { - $Url = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections('$IosManagedAppProtectionId')/assignments" + $Url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceAppManagement/iosManagedAppProtections('$IosManagedAppProtectionId')/assignments" $response = Invoke-MgGraphRequest -Method Get ` -Uri $Url return $response.value 
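Review bot: Both loops in Get-IntuneAppProtectionPolicyiOSAssignmentToHashtable take `$groupInfo.Id` from `Get-MgGroup -Filter "DisplayName eq '...'"` without checking how many groups came back. Group display names are not unique, so a name shared by two groups yields an array of ids and a name that matches nothing yields `$null`; either value is then sent as `groupId` for an app protection policy assignment or exclusion. The lookup should fail closed unless the name resolves to exactly one group. The fence shows the guard for the assignment loop; the exclusion loop needs the same change with `$exclusion`. The function starts outside the hunk.

```powershell
# ... unchanged: foreach ($assignment in $Parameters.Assignments), $assignmentValue = $assignment ...
if (-not [System.Guid]::TryParse($assignment,[System.Management.Automation.PSReference]$ObjectGuid))
{
    # Escape single quotes so the name cannot break out of the OData string literal.
    [Array]$groupInfo = Get-MgGroup -Filter "DisplayName eq '$($assignment -replace "'", "''")'"
    if ($groupInfo.Length -ne 1)
    {
        throw "Expected exactly one group with display name {$assignment}, found $($groupInfo.Length)."
    }
    $assignmentValue = $groupInfo[0].Id
}
# ... unchanged: $assignments += @{ 'target' = @{ groupId = $assignmentValue ... } } ...
```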
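Review bot: The request URL in Get-IntuneAppProtectionPolicyiOSAssignment is now built as `$Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceAppManagement/..."`. That is well-formed only if `ResourceUrl` always ends in `/` and the connection profile is populated before this helper runs, and neither is visible here. A short comment such as `# ResourceUrl is expected to end with '/' (set by New-M365DSCConnection)` would record the assumption, once it is confirmed. The same concatenation is added in Update-IntuneAppProtectionPolicyiOSAssignment and Update-IntuneAppProtectionPolicyiOSApp. The function body continues outside the hunk.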
@@ -1333,12 +1369,13 @@ function Update-IntuneAppProtectionPolicyiOSAssignment ) try { - $Url = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections('$IosManagedAppProtectionId')/assign" - # Write-Verbose -Message "Group Assignment for iOS App Protection policy with JSON payload: `r`n$JSONContent" + $Url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceAppManagement/iosManagedAppProtections('$IosManagedAppProtectionId')/assign" + $body = ($Assignments | ConvertTo-Json -Depth 20 -Compress) + Write-Verbose -Message "Group Assignment for iOS App Protection policy with JSON payload {$Url}: `r`n$body" Invoke-MgGraphRequest -Method POST ` -Uri $Url ` - -Body ($Assignments | ConvertTo-Json -Depth 20) ` - -Headers @{'Content-Type' = 'application/json' } | Out-Null + -Body $body ` + -Headers @{'Content-Type' = 'application/json' } } catch { @@ -1366,7 +1403,7 @@ function Update-IntuneAppProtectionPolicyiOSApp try { - $Url = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections('$IosManagedAppProtectionId')/targetApps" + $Url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceAppManagement/iosManagedAppProtections('$IosManagedAppProtectionId')/targetApps" # Write-Verbose -Message "Group Assignment for iOS App Protection policy with JSON payload: `r`n$JSONContent" Invoke-MgGraphRequest -Method POST ` -Uri $Url ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json index 270c79777d..ec5cecf736 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } 
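Review bot: The `| Out-Null` after `Invoke-MgGraphRequest` was dropped, so whatever the POST returns now becomes output of Update-IntuneAppProtectionPolicyiOSAssignment and of any caller that does not capture it. Restoring `-Headers @{'Content-Type' = 'application/json' } | Out-Null` keeps the helper silent as before. The new verbose message also labels the URL as the payload (`with JSON payload {$Url}`); wording that names the URL as the target and the body as the payload would read correctly. The try block's catch lies outside the hunk.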
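Review bot: `Group.Read.All` is added only to the `update` lists, here and in the second hunk of this settings.json, but the Get-TargetResource change in MSFT_IntuneAppProtectionPolicyiOS.psm1 calls `Get-MgGroup` on the read path as well, so the `read` lists need the same entry. Those lists lie outside both hunks, so please confirm they already carry it. Without it, an export or test run under read-only consent would fail at the group lookup, or fall into the catch block and report the policy as absent.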
@@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/MSFT_IntuneAppleMDMPushNotificationCertificate.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/MSFT_IntuneAppleMDMPushNotificationCertificate.psm1 new file mode 100644 index 0000000000..7e2c725bab --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/MSFT_IntuneAppleMDMPushNotificationCertificate.psm1 
@@ -0,0 +1,478 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region Intune params + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $AppleIdentifier, + + [Parameter()] + [System.String] + $Certificate, + + [Parameter()] + [System.Boolean] + $DataSharingConsetGranted, + + #endregion Intune params + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + try + { + $instance = $null + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + + if ($null -eq $instance) + { + # There is only one Apple push notification certificate per tenant so no need to filter by Id + $instance = Get-MgBetaDeviceManagementApplePushNotificationCertificate -ErrorAction Stop + + if ($null -eq $instance) + { + Write-Verbose -Message "Apple push notification certificate." + return $nullResult + } + } + + $results = @{ + Id = $instance.Id + AppleIdentifier = $instance.AppleIdentifier + + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + if (-not [String]::IsNullOrEmpty($instance.Certificate)) { + $results.Add('Certificate', $instance.Certificate) + } + else { + $results.Add('Certificate', "") + } + + # Get the value of Data sharing consent between Intune and Apple. The id is hardcoded to "appleMDMPushCertificate". 
+ $consentInstance = Get-MgBetaDeviceManagementDataSharingConsent -DataSharingConsentId "appleMDMPushCertificate" + $results.Add('DataSharingConsetGranted', $consentInstance.Granted) + + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region Intune params + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $AppleIdentifier, + + [Parameter()] + [System.String] + $Certificate, + + [Parameter()] + [System.Boolean] + $DataSharingConsetGranted, + + #endregion Intune params + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $SetParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + $SetParameters.Remove('Id') | Out-Null + $SetParameters.Remove('DataSharingConsetGranted') | Out-Null + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Apple Push Notification Certificate with Apple ID: '$AppleIdentifier'." + + # Post data sharing consent as granted between Intune and Apple. NOTE: It's a one-way operation. Once agreed, it can't be revoked. + # so first check if it is $false, then make a post call to agree to the consent, this set the DataSharingConsetGranted to $true. + $consentInstance = Get-MgBetaDeviceManagementDataSharingConsent -DataSharingConsentId "appleMDMPushCertificate" + If($consentInstance.Granted -eq $False) { + Invoke-MgGraphRequest -Method POST -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/dataSharingConsents/appleMDMPushCertificate/consentToDataSharing" -Headers @{ "Content-Type" = "application/json" } + } + else { + Write-Host "Data sharing conset is already granted, so it can't be revoked." + } + + # There is only PATCH request hence using Update cmdlet to post the certificate + Update-MgBetaDeviceManagementApplePushNotificationCertificate @SetParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune Apple Push Notification Certificate with Apple ID: '$AppleIdentifier'." 
+ Update-MgBetaDeviceManagementApplePushNotificationCertificate @SetParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune Apple Push Notification Certificate with Apple ID: '$AppleIdentifier' by patching with empty certificate." + + # There is only PATCH request hence using Update cmdlet to remove the certificate by passing empty certificate as param. + $params = @{ + appleIdentifier = "" + certificate = "" + } + Update-MgBetaDeviceManagementApplePushNotificationCertificate -BodyParameter $params + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region Intune params + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $AppleIdentifier, + + [Parameter()] + [System.String] + $Certificate, + + [Parameter()] + [System.Boolean] + $DataSharingConsetGranted, + + #endregion Intune params + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the 
current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaDeviceManagementApplePushNotificationCertificate -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + foreach ($config in $Script:exportedInstances) + { + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + + $Params = @{ + Id = $config.Id + AppleIdentifier = $config.AppleIdentifier + Certificate = $config.Certificate + + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + # Get the value of Data sharing consent between Intune and Apple. The id is hardcoded to "appleMDMPushCertificate". 
+ $consentInstance = Get-MgBetaDeviceManagementDataSharingConsent -DataSharingConsentId "appleMDMPushCertificate" + $Params.Add('DataSharingConsetGranted', $consentInstance.Granted) + + $Results = Get-TargetResource @Params + + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/MSFT_IntuneAppleMDMPushNotificationCertificate.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/MSFT_IntuneAppleMDMPushNotificationCertificate.schema.mof new file mode 100644 index 0000000000..34227230e9 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/MSFT_IntuneAppleMDMPushNotificationCertificate.schema.mof 
@@ -0,0 +1,17 @@ +[ClassVersion("1.0.0.0"), FriendlyName("IntuneAppleMDMPushNotificationCertificate")] +class MSFT_IntuneAppleMDMPushNotificationCertificate : OMI_BaseResource +{ + [Key, Description("The name of the Apple Identifier.")] String AppleIdentifier; + [Write, Description("The Apple Push notification certificate.")] String Certificate; + [Write, Description("The unique identifier for an entity. Read-only.")] String Id; + [Write, Description("The boolean indicating DataSharing Conset agreement granted or not between Intune and Apple.")] Boolean DataSharingConsetGranted; + + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present", "Absent"}, Values{"Present", "Absent"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/readme.md new file mode 100644 index 0000000000..37a95a0750 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/readme.md 
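Review bot: `DataSharingConsetGranted` is declared `[Write]`, but Set-TargetResource in the accompanying .psm1 removes it from `$SetParameters` and decides whether to post the consent from the live Graph value alone, so the value written in a configuration is never honoured while Test-TargetResource still compares it. Because the module's own comment calls the consent one-way, a configuration that sets it to `$false` on a tenant where it is already granted would report drift on every run with nothing Set can do about it, and creating the certificate grants the consent even when the configuration never asked for it. I would either gate the POST on the parameter being `$true` or state the behaviour in the schema, e.g. `Description("Whether the Intune/Apple data sharing consent is granted. It is granted when the certificate is created and cannot be revoked.")`. The misspelling `Conset` becomes part of the public property name here, and `Id` is described as read-only while carrying the `Write` qualifier.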
@@ -0,0 +1,6 @@ + +# IntuneAppleMDMPushNotificationCertificate + +## Description + +Configures a resource for Apple MDM Push notification certificate used for device enrollment. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/settings.json new file mode 100644 index 0000000000..dfefc450b3 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppleMDMPushNotificationCertificate/settings.json @@ -0,0 +1,44 @@ +{ + "resourceName": "IntuneAppleMDMPushCertificate", + "description": "Configures a resource for Apple MDM Push notification certificate used for device enrollment.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "DeviceManagementManagedDevices.Read.All" + }, + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementManagedDevices.ReadWrite.All" + }, + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "DeviceManagementManagedDevices.Read.All" + }, + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementManagedDevices.ReadWrite.All" + }, + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json index 0bd2d39195..de96e82e6e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
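Review bot: `"resourceName": "IntuneAppleMDMPushCertificate"` in the new MSFT_IntuneAppleMDMPushNotificationCertificate/settings.json does not match the resource it sits in (`IntuneAppleMDMPushNotificationCertificate`, the FriendlyName in the schema), so anything that looks permissions up by resource name may miss this entry; it should read `"resourceName": "IntuneAppleMDMPushNotificationCertificate"`. The permission lists also look copied from a device-configuration resource: the module calls the Apple push notification certificate and data sharing consent endpoints, which as far as I know are covered by `DeviceManagementServiceConfig.Read.All` / `DeviceManagementServiceConfig.ReadWrite.All` rather than the ManagedDevices and Configuration scopes listed here. Please check the scopes against the Graph reference for those endpoints, so the manifest neither omits a required scope nor asks administrators to consent to ones the resource does not use.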
@@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/settings.json index 5f0f5f1c8b..6057c5b021 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.psm1 index af4ecd222e..a3208e9ae9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.psm1 @@ -23,7 +23,7 @@ function Get-TargetResource { $Issuer, [Parameter()] - [ValidateSet('none', 'email', 'companyPortal')] + [ValidateSet('none', 'email', 'companyPortal', 'companyPortal,email')] [System.String] $NotificationType = 'none', 
@@ -96,17 +96,18 @@ function Get-TargetResource { if ($null -eq $instance) { - $instance = Get-MgBetaDeviceManagementDerivedCredential -DeviceManagementDerivedCredentialSettingsId $Id -ErrorAction Stop + $instance = Get-MgBetaDeviceManagementDerivedCredential -DeviceManagementDerivedCredentialSettingsId $Id -ErrorAction SilentlyContinue - if ($null -eq $instance) - { - Write-Verbose -Message "Could not find Derived Credential by Id {$Id}." + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find Derived Credential by Id {$Id}." + + if (-Not [string]::IsNullOrEmpty($DisplayName)) + { + $instance = Get-MgBetaDeviceManagementDerivedCredential ` + -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue - if (-Not [string]::IsNullOrEmpty($DisplayName)) - { - $instance = Get-MgBetaDeviceManagementDerivedCredential ` - -Filter "DisplayName eq '$DisplayName'" ` - -ErrorAction SilentlyContinue if ($null -eq $instance) { Write-Verbose -Message "Could not find Derived Credential by DisplayName {$DisplayName}." @@ -178,7 +179,7 @@ function Set-TargetResource { #endregion resource params [Parameter()] - [ValidateSet('none', 'email', 'companyPortal')] + [ValidateSet('none', 'email', 'companyPortal', 'companyPortal,email')] [System.String] $NotificationType = 'none', 
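Review bot: Switching the Id lookup to `-ErrorAction SilentlyContinue` makes every Graph failure (expired token, missing permission, throttling) look the same as "not found", so Get-TargetResource can report `Ensure = 'Absent'` for a credential that exists. Set-TargetResource would then take the CREATE branch, and its own comment says the API always creates a new Derived Credential instance, so a transient error could end in a duplicate. I would keep `-ErrorAction Stop`, skip the call when `$Id` is empty, and treat only the not-found response as a miss in a narrow `catch`. The re-indented `-Filter "DisplayName eq '$DisplayName'"` also interpolates the name unescaped, so a name containing a single quote breaks the filter; `-Filter "DisplayName eq '$($DisplayName.Replace("'", "''"))'"` avoids that. Get-TargetResource starts and ends outside this hunk.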
@@ -231,18 +232,21 @@ function Set-TargetResource { $currentInstance = Get-TargetResource @PSBoundParameters $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters - $setParameters.remove('Id') | Out-Null - $setParameters.remove('Ensure') | Out-Null + $setParameters.Remove('Id') | Out-Null # CREATE if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { + Write-Verbose -Message "Creating an Intune Derived Credential with DisplayName {$DisplayName}" + New-MgBetaDeviceManagementDerivedCredential @SetParameters } # UPDATE is not supported API, it always creates a new Derived Credential instance # REMOVE elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { + Write-Verbose -Message "Removing the Intune Derived Credential with DisplayName {$DisplayName}" + Remove-MgBetaDeviceManagementDerivedCredential -DeviceManagementDerivedCredentialSettingsId $currentInstance.Id -Confirm:$false } } @@ -272,7 +276,7 @@ function Test-TargetResource { $Issuer, [Parameter()] - [ValidateSet('none', 'email', 'companyPortal')] + [ValidateSet('none', 'email', 'companyPortal', 'companyPortal,email')] [System.String] $NotificationType = 'none', 
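Review bot: When the credential already exists and `Ensure` is `'Present'`, neither branch in Set-TargetResource runs, so a configuration whose `Issuer` or `NotificationType` differs from the tenant is left unchanged without any message while Test-TargetResource keeps reporting drift. The comment explains that the API has no update, but an operator reading the log gets no hint of that. An explicit branch with something like `Write-Warning -Message "Derived Credential {$DisplayName} already exists and cannot be updated; remove and recreate it to change its settings."` would make the unremediated drift visible. Set-TargetResource starts outside this hunk.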
@@ -330,13 +334,26 @@ function Test-TargetResource { $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" - $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } Write-Verbose -Message "Test-TargetResource returned $testResult" @@ -368,7 +385,7 @@ function Export-TargetResource { $Issuer, [Parameter()] - [ValidateSet('none', 'email', 'companyPortal')] + [ValidateSet('none', 'email', 'companyPortal', 'companyPortal,email')] [System.String] $NotificationType = 'none', diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.schema.mof index e893173409..b04d7ad2b8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.schema.mof 
@@ -12,8 +12,8 @@ class MSFT_IntuneDerivedCredential : OMI_BaseResource String Issuer; [Write, Description("Supported values for the notification type to use."), - ValueMap{"none", "email", "companyPortal"}, - Values{"none", "email", "companyPortal"}] + ValueMap{"none", "email", "companyPortal", "companyPortal,email"}, + Values{"none", "email", "companyPortal", "companyPortal,email"}] String NotificationType; [Write, Description("Supported values for the notification type to use."), diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json index 6ce0bedcec..568542e5bc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json index d32693cec5..83fe077865 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json index ab503e6e12..2a02222c6a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json index bd59e189c5..d426ac83cb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json index 876c98b3c1..f99b98df4a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
@@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json index 4f70de0036..d08714575d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 index b32c40c477..3348ec3938 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 
@@ -992,7 +992,7 @@ function Update-DeviceConfigurationGroupPolicyDefinitionValue ) try { - $Uri = "https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations/$DeviceConfigurationPolicyId/updateDefinitionValues" + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/groupPolicyConfigurations/$DeviceConfigurationPolicyId/updateDefinitionValues" $body = @{} $DefinitionValueToRemoveIds = @() diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json index 4636671998..88bde5e09c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json index 59369d197b..1309114462 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
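Review bot: Building `$Uri` by concatenation assumes `$Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl` is populated and ends in a slash; if the profile is empty the request is built from the relative string `beta/deviceManagement/...` and fails with a much less helpful error. A guard before the assignment, or normalising with `.TrimEnd('/') + '/beta/...'`, would make that dependency explicit. The same concatenation appears in this commit in MSFT_IntuneAppleMDMPushNotificationCertificate's Set-TargetResource directly after `-Uri` without parentheses; in argument mode PowerShell passes the base URL, `+` and the path as three separate arguments, so that call needs the expression wrapped in `( )`. Update-DeviceConfigurationGroupPolicyDefinitionValue continues outside this hunk.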
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json index 1ec45e354d..a9710165fc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json index ad18510898..7bee7e4a38 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json index 2ebe5a545e..7f3828149e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json @@ -28,6 +28,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json index 7f59aea637..a9514693a2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json index eb9da4aa9e..3acddb9169 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/settings.json @@ -13,6 +13,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -28,6 +31,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
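Review bot: In MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/settings.json only one `update` list gains `Group.Read.All` (a single hunk at line 28), whereas the sibling settings.json files in this commit receive the same addition in two hunks each. The rest of the file is not visible here, so the other list may already carry the scope; if it does not, one of the two authentication modes would be left without it. Worth confirming that the delegated and application `update` lists, and the matching `read` lists, end up symmetric.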
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/settings.json index 0ff407f836..9e4b185543 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/settings.json index 876ce379ca..98abdb2c2b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
@@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/settings.json index d5d83f0b7f..d30f15580a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/settings.json index 7853f50eb7..7bc21f184f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/settings.json 
@@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/settings.json index 66190b15e9..4b9ef1bb53 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/settings.json index f08c5923b0..5b45219916 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/settings.json 
@@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/settings.json index c592a86cab..a89fd6923c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/settings.json index 2923dc7038..2e66e44c69 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/settings.json 
@@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, @@ -13,6 +16,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" }, @@ -23,6 +29,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, @@ -31,6 +40,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" }, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/settings.json index 8851545142..b01c36ed5d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/settings.json index d3a3c44787..d101037f68 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/settings.json index ea7bf4e312..e6117602b1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/settings.json index 1c86cfd292..bc1a6d1b7f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/settings.json index 9113736e64..99867d0c33 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/settings.json index 13e3014ede..25310db748 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/settings.json 
@@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/settings.json index 81fb935ab5..2ecb0e308d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 index 15a87358b5..6986c95636 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 @@ -1011,8 +1011,7 @@ function Get-DeviceConfigurationPolicyRootCertificate [System.String] $DeviceConfigurationPolicyId ) - - $Uri = " https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('$DeviceConfigurationPolicyId')/microsoft.graph.windows81SCEPCertificateProfile/rootCertificate" + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/deviceConfigurations('$DeviceConfigurationPolicyId')/microsoft.graph.windows81SCEPCertificateProfile/rootCertificate" $result = Invoke-MgGraphRequest -Method Get -Uri $Uri -ErrorAction Stop return $result @@ -1031,8 +1030,8 @@ function Update-DeviceConfigurationPolicyRootCertificateId [System.String] $RootCertificateId ) - - $Uri = " https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('$DeviceConfigurationPolicyId')/microsoft.graph.windows81SCEPCertificateProfile/rootCertificate/`$ref" + + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/deviceConfigurations('$DeviceConfigurationPolicyId')/microsoft.graph.windows81SCEPCertificateProfile/rootCertificate/`$ref" $ref = @{ '@odata.id' = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('$RootCertificateId')" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/settings.json index d7181b6d6d..85b689c6d5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/settings.json 
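Review bot: In `Update-DeviceConfigurationPolicyRootCertificateId` the `'@odata.id'` value inside `$ref` is still hard-coded to `https://graph.microsoft.com/beta/...`, while the `$Uri` two lines above it now follows `$Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl`. In a national or sovereign cloud the request would then go to that cloud's Graph endpoint but carry a reference naming the commercial one, which is the mismatch this change appears to be removing. Build the reference from the same base: `'@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/deviceConfigurations('$RootCertificateId')"`. The rest of the function body is outside the hunk, so confirm that nothing later rewrites `$ref`.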
@@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/settings.json index 854402cc59..8812b2ccd2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/settings.json index 5b10130496..db1d9e82e6 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/settings.json index e65c087644..052b0d3143 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/settings.json index d9683c421c..68a260efb4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/settings.json index bc61bbaa65..e5bc5b667d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10.psm1 index 89b0ea08e3..5fece7e58c 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10.psm1 @@ -1188,8 +1188,7 @@ function Get-DeviceConfigurationPolicyCertificate [System.String] $CertificateName ) - - $Uri = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('$DeviceConfigurationPolicyId')/microsoft.graph.windowsWiredNetworkConfiguration/$CertificateName" + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/deviceConfigurations('$DeviceConfigurationPolicyId')/microsoft.graph.windowsWiredNetworkConfiguration/$CertificateName" try { $result = Invoke-MgGraphRequest -Method Get -Uri $Uri 4>$null @@ -1228,9 +1227,8 @@ function Update-DeviceConfigurationPolicyCertificateId [System.String] $CertificateName ) - - $Uri = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('$DeviceConfigurationPolicyId')/microsoft.graph.windowsWiredNetworkConfiguration/$CertificateName/`$ref" - + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/deviceConfigurations('$DeviceConfigurationPolicyId')/microsoft.graph.windowsWiredNetworkConfiguration/$CertificateName/`$ref" + if ($CertificateName -eq 'rootCertificatesForServerValidation') { $method = 'POST' 
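Review bot: The new `$Uri` lines in `Get-DeviceConfigurationPolicyCertificate` and `Update-DeviceConfigurationPolicyCertificateId` are plain string concatenation, so they only produce an absolute URL when `$Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl` is populated and ends in `/`. If the profile is empty, the string passed to `Invoke-MgGraphRequest` is just `beta/deviceManagement/...`, and the resulting failure shows up far from its cause. A guard before the first use would make that explicit, for example `if ([string]::IsNullOrEmpty($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl)) { throw 'Microsoft Graph connection profile is not initialised' }`, or a small shared helper could return the base with a normalised trailing slash. The same pattern is used in `Remove-DeviceConfigurationPolicyCertificateId`, in the two `Set-TargetResource` hunks and `Update-DeviceEnrollmentConfigurationPriority` of MSFT_IntuneDeviceEnrollmentStatusPageWindows10, and in the SCEP certificate module earlier in the diff; all of these functions extend beyond their hunks.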
@@ -1271,7 +1269,7 @@ function Remove-DeviceConfigurationPolicyCertificateId foreach ($certificateId in $CertificateIds) { - $Uri = " https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('$DeviceConfigurationPolicyId')/microsoft.graph.windowsWiredNetworkConfiguration/$CertificateName/$certificateId/`$ref" + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/deviceConfigurations('$DeviceConfigurationPolicyId')/microsoft.graph.windowsWiredNetworkConfiguration/$CertificateName/$certificateId/`$ref" Invoke-MgGraphRequest -Method DELETE -Uri $Uri -Body ($ref | ConvertTo-Json) -ErrorAction Stop 4>$null } } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/settings.json index e2fa434298..905ce1cdc7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json index 750c8444e2..942c440c54 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/settings.json index 14d53ad6c0..ce6301407a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 index 321938df51..ad135e73cd 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 @@ -410,7 +410,7 @@ function Set-TargetResource $intuneAssignments += ConvertTo-IntunePolicyAssignment -Assignments $Assignments } $body = @{'enrollmentConfigurationAssignments' = $intuneAssignments} | ConvertTo-Json -Depth 100 - $Uri = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$($policy.Id)/assign" + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/deviceEnrollmentConfigurations/$($policy.Id)/assign" Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $body -ErrorAction Stop Update-DeviceEnrollmentConfigurationPriority ` @@ -448,7 +448,7 @@ function Set-TargetResource $intuneAssignments += ConvertTo-IntunePolicyAssignment -Assignments $Assignments } $body = @{'enrollmentConfigurationAssignments' = $intuneAssignments} | ConvertTo-Json -Depth 100 - $Uri = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$($currentInstance.Id)/assign" + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/deviceEnrollmentConfigurations/$($currentInstance.Id)/assign" Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $body -ErrorAction Stop if ($PSBoundParameters.ContainsKey('Priority') -and $Priority -ne $currentInstance.Priority) 
@@ -826,7 +826,7 @@ function Update-DeviceEnrollmentConfigurationPriority ) try { - $Uri = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$DeviceEnrollmentConfigurationId/setpriority" + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/deviceEnrollmentConfigurations/$DeviceEnrollmentConfigurationId/setpriority" $body = @{'priority' = $Priority } | ConvertTo-Json -Depth 100 #write-verbose -Message $body Invoke-MgGraphRequest ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/settings.json index 0c1c8f9933..9ad80f0947 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/settings.json @@ -5,6 +5,9 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, @@ -16,6 +19,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" }, @@ -29,6 +35,9 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, @@ -40,6 +49,9 @@ } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" }, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 index cf73c2b59a..8fc3e91fd8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 @@ -225,6 +225,7 @@ function Test-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + $ValuesToCheck = $PSBoundParameters Write-Verbose -Message "Testing configuration of Intune Device Management Compliance Settings" $CurrentValues = Get-TargetResource @PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/settings.json index 876c98b3c1..e0191e2511 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/settings.json @@ -1,5 +1,5 @@ { - "resourceName": "IntuneDeviceCompliancePolicyWindows10", + "resourceName": "IntuneDeviceManagementComplianceSettings", "description": "This resource configures the settings of Windows 10 compliance policies in your cloud-based organization.", "permissions": { "graph": { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay.psm1 new file mode 100644 index 0000000000..9e42732f80 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay.psm1 
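Review bot: The added line `$ValuesToCheck = $PSBoundParameters` in `Test-TargetResource` of MSFT_IntuneDeviceManagementComplianceSettings assigns a reference, not a copy, so both names point at the same dictionary. If the part of the function outside this hunk removes keys from `$ValuesToCheck` before comparing (not visible here), those keys also disappear from `$PSBoundParameters` for any later use. Taking a copy avoids the aliasing: `$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()`.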
@@ -0,0 +1,516 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region Intune resource parameters + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $BindStatus, + + # [Parameter()] + # [System.String] + # $OwnerUserPrincipalName, + + # [Parameter()] + # [System.String] + # $OwnerOrganizationName, + + # [Parameter()] + # [System.String] + # $EnrollmentTarget, + + # [Parameter()] + # [System.Boolean] + # $DeviceOwnerManagementEnabled, + + # [Parameter()] + # [System.Boolean] + # $AndroidDeviceOwnerFullyManagedEnrollmentEnabled, + + #endregion + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $allSettings = Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting + $specificSetting = $allSettings | Where-Object { $_.id -eq $Id } + + if (-not $specificSetting) { + Write-Verbose "No Android Managed Store Account Enterprise Setting found with Id $Id." + return $nullResult + } + + $result = @{ + Id = $specificSetting.id + BindStatus = $specificSetting.bindStatus + # OwnerUserPrincipalName = $specificSetting.ownerUserPrincipalName + # OwnerOrganizationName = $specificSetting.ownerOrganizationName + # EnrollmentTarget = $specificSetting.enrollmentTarget + # DeviceOwnerManagementEnabled = $specificSetting.deviceOwnerManagementEnabled + # AndroidDeviceOwnerFullyManagedEnrollmentEnabled = $specificSetting.androidDeviceOwnerFullyManagedEnrollmentEnabled + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + return $result + + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region Intune resource parameters + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $BindStatus, + + # [Parameter()] + # [System.String] + 
# $OwnerUserPrincipalName, + + # [Parameter()] + # [System.String] + # $OwnerOrganizationName, + + # [Parameter()] + # [System.String] + # $EnrollmentTarget, + + # [Parameter()] + # [System.Boolean] + # $DeviceOwnerManagementEnabled, + + # [Parameter()] + # [System.Boolean] + # $AndroidDeviceOwnerFullyManagedEnrollmentEnabled, + + #endregion + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Device Management Android Google Play Enrollment with id {$Id}" + # Check data sharing consent status + $dataSharingConsent = Get-MgBetaDeviceManagementDataSharingConsent -DataSharingConsentId 'androidManagedStore' + if ($dataSharingConsent.granted -eq $false) + { + Write-Verbose -Message "Consent not granted, requesting consent..." 
+ $consentResult = Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/dataSharingConsents/androidManagedStore/consentToDataSharing" -Method 'POST' -Body @{ + DataSharingConsentId = "androidManagedStore" + } -ContentType "application/json" + } + + # Request enrollment signup URL if necessary + # TO DO: Once Android team has added adjusted code, uncomment the following code block + # if ($BindStatus -eq 'notBound') { + # Write-Verbose -Message "Requesting signup URL for enrollment..." + # $params = @{ + # hostName = "intune.microsoft.com" + # } + + # $signupUrl = Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings/requestSignupUrl" -Method 'POST' -Body @{ + # hostName = "intune.microsoft.com" + # } -ContentType "application/json" + + # return $nullResult + # } + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Host "Remove the Intune Device Management Android Google Play Enrollment with Id {$($currentInstance.Id)}" + $unbindResult = Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings/unbind" -Method 'POST' -Body @{} -ContentType "application/json" + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region Intune resource parameters + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $BindStatus, + + # [Parameter()] + # [System.String] + # $OwnerUserPrincipalName, + + # [Parameter()] + # [System.String] + # $OwnerOrganizationName, + + # [Parameter()] + # [System.String] + # $EnrollmentTarget, + + # [Parameter()] + # [System.Boolean] + # $DeviceOwnerManagementEnabled, + + # [Parameter()] + # [System.Boolean] + # $AndroidDeviceOwnerFullyManagedEnrollmentEnabled, + 
+ #endregion + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Device Management Android Google Play Enrollment with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: 
$(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $TestResult" + + return $TestResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:getInstances = Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting ` + -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:getInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + foreach ($config in $Script:getInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:getInstances.Count)] $displayedKey" -NoNewline + + $params = @{ + Id = $config.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source 
$($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay.schema.mof new file mode 100644 index 0000000000..9e2721e9ed --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay.schema.mof 
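Review bot: In `Set-TargetResource`, both `Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/..."` calls (the `consentToDataSharing` request and the `unbind` request) pass the URL in command-argument mode, where PowerShell does not evaluate `+`. `-Uri` receives only the resource URL, while `+` and the path string become separate positional arguments, so neither call reaches the intended endpoint. Wrap the expression in parentheses, e.g. `-Uri ($Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings/unbind')`, or assign it to a `$uri` variable first. Separately, the verbose message in `Test-TargetResource` interpolates `$DisplayName`, which is not a parameter of this resource and will always render empty.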
@@ -0,0 +1,19 @@
+[ClassVersion("1.0.0.0"), FriendlyName("IntuneDeviceManagementEnrollmentAndroidGooglePlay")]
+class MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay : OMI_BaseResource
+{
+ [Key, Description("Primary key identifier of the Android Managed Store Account Enterprise Setting.")] String Id;
+ [Write, Description("Binding status of the Android Managed Store Account Enterprise Setting (e.g., 'bound', 'notBound').")] String BindStatus;
+ [Write, Description("The user principal name of the owner of the Android Managed Store Account.")] String OwnerUserPrincipalName;
+ [Write, Description("The organization name of the owner of the Android Managed Store Account.")] String OwnerOrganizationName;
+ [Write, Description("Specifies the enrollment target for the account enterprise setting (e.g., 'defaultEnrollmentRestrictions', 'targetedAsEnrollmentRestrictions').")] String EnrollmentTarget;
+ [Write, Description("Specifies whether device owner management is enabled.")] Boolean DeviceOwnerManagementEnabled;
+ [Write, Description("Specifies whether fully managed enrollment is enabled for Android devices.")] Boolean AndroidDeviceOwnerFullyManagedEnrollmentEnabled;
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] String Ensure;
+ [Write, Description("Credentials of the workload's Admin."), EmbeddedInstance("MSFT_Credential")] String Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Credential for the application secret used in authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Indicates whether a Managed Identity is used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access tokens used for authentication in scenarios requiring multiple tokens.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/readme.md
new file mode 100644
index 0000000000..d01aadb29b
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/readme.md
@@ -0,0 +1,7 @@
+
+# IntuneDeviceManagementEnrollmentAndroidGooglePlay
+
+## Description
+
+This resource configures Android Enterprise enrollment settings for device management within Microsoft Intune.
+Note: Currently the bind API to enroll is waiting for the product team to make changes so the API can be called outside of an Intune portal. Until those changes are made, we can only unbind (disconnect/unenroll). For that reason we have commented out certain parameters that cannot be set. This will be uncommented once those changes are made.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/settings.json
new file mode 100644
index 0000000000..789eb4dbb4
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay/settings.json
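Review bot: The schema declares `OwnerUserPrincipalName`, `OwnerOrganizationName`, `EnrollmentTarget`, `DeviceOwnerManagementEnabled` and `AndroidDeviceOwnerFullyManagedEnrollmentEnabled` as `[Write]` properties, but the matching parameters are commented out in the `Get-`, `Set-` and `Test-TargetResource` functions of the .psm1 added by this commit. A configuration that sets any of them would presumably fail parameter binding when those functions are invoked, because the schema and the module no longer agree. Drop the five properties from the MOF until the bind API is usable, and restore them together with the parameters. The readme in this commit already explains the limitation, so the schema is the only file advertising settings that cannot be applied.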
@@ -0,0 +1,32 @@
+{
+ "resourceName": "IntuneDeviceManagementEnrollmentAndroidGooglePlay",
+ "description": "This resource configures Intune Android enrollment settings.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.psm1
new file mode 100644
index 0000000000..b895ea034d
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.psm1
@@ -0,0 +1,628 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $AccountId, + + [Parameter()] + [System.Boolean] + $ConfigureWifi, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Int32] + $EnrolledDeviceCount, + + [Parameter()] + [System.String] + [ValidateSet( 'corporateOwnedDedicatedDevice', 'corporateOwnedFullyManaged', 'corporateOwnedWorkProfile', 'corporateOwnedAOSPUserlessDevice', 'corporateOwnedAOSPUserAssociatedDevice')] + $EnrollmentMode, + + [Parameter()] + [ValidateSet( 'default', 'corporateOwnedDedicatedDeviceWithAzureADSharedMode', 'deviceStaging')] + $EnrollmentTokenType, + + [Parameter()] + [System.Int32] + $EnrollmentTokenUsageCount, + + [Parameter()] + [System.Boolean] + $IsTeamsDeviceProfile, + + [Parameter()] + [System.String] + $QrCodeContent, + + [Parameter()] + [System.String] + $QrCodeImage, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $TokenValue, + + [Parameter()] + [System.String] + $TokenCreationDateTime, + + [Parameter()] + [System.String] + $TokenExpirationDateTime, + + [Parameter()] + [System.Boolean] + $WifiHidden, + + [Parameter()] + [System.Management.Automation.PSCredential] + $WifiPassword, + + [Parameter()] + [System.String] + [ValidateSet( 'none', 'wpa', 'wep' )] + $WifiSecurityType, + + [Parameter()] + [System.String] + $WifiSsid, + + [Parameter()] + [System.String] + [ValidateSet('Present', 'Absent')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + 
[System.String[]] + $AccessTokens + ) + + Write-Verbose -Message "Checking for the Intune Android Device Owner Enrollment Profile {$DisplayName}" + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Trying to retrieve profile by Id" + $androidDeviceOwnerEnrollmentProfile = Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile ` + -AndroidDeviceOwnerEnrollmentProfileId $Id + } + if ($null -eq $androidDeviceOwnerEnrollmentProfile) + { + Write-Verbose -Message "Trying to retrieve profile by DisplayName" + $androidDeviceOwnerEnrollmentProfile = Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile ` + -Filter "displayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + + if ($null -eq $androidDeviceOwnerEnrollmentProfile) + { + Write-Verbose -Message "No AndroidDeviceOwnerEnrollmentProfiles with {$Id} was found." 
+ return $nullResult + } + + $results = @{ + Id = $androidDeviceOwnerEnrollmentProfile.Id + DisplayName = $androidDeviceOwnerEnrollmentProfile.DisplayName + AccountId = $androidDeviceOwnerEnrollmentProfile.AccountId + ConfigureWifi = $androidDeviceOwnerEnrollmentProfile.ConfigureWifi + Description = $androidDeviceOwnerEnrollmentProfile.Description + EnrolledDeviceCount = $androidDeviceOwnerEnrollmentProfile.EnrolledDeviceCount + EnrollmentMode = $androidDeviceOwnerEnrollmentProfile.EnrollmentMode.ToString() + EnrollmentTokenType = $androidDeviceOwnerEnrollmentProfile.EnrollmentTokenType.ToString() + EnrollmentTokenUsageCount = $androidDeviceOwnerEnrollmentProfile.EnrollmentTokenUsageCount + IsTeamsDeviceProfile = $androidDeviceOwnerEnrollmentProfile.IsTeamsDeviceProfile + QrCodeContent = $androidDeviceOwnerEnrollmentProfile.QrCodeContent + QrCodeImage = $androidDeviceOwnerEnrollmentProfile.QrCodeImage + RoleScopeTagIds = $androidDeviceOwnerEnrollmentProfile.RoleScopeTagIds + TokenCreationDateTime = $androidDeviceOwnerEnrollmentProfile.TokenCreationDateTime.ToString() + TokenExpirationDateTime = $androidDeviceOwnerEnrollmentProfile.TokenExpirationDateTime.ToString() + TokenValue = $androidDeviceOwnerEnrollmentProfile.TokenValue + WifiHidden = $androidDeviceOwnerEnrollmentProfile.WifiHidden + WifiPassword = $androidDeviceOwnerEnrollmentProfile.WifiPassword + WifiSecurityType = $androidDeviceOwnerEnrollmentProfile.WifiSecurityType.ToString() + WifiSsid = $androidDeviceOwnerEnrollmentProfile.WifiSsid + + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + 
-Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $AccountId, + + [Parameter()] + [System.Boolean] + $ConfigureWifi, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Int32] + $EnrolledDeviceCount, + + [Parameter()] + [System.String] + [ValidateSet( 'corporateOwnedDedicatedDevice', 'corporateOwnedFullyManaged', 'corporateOwnedWorkProfile', 'corporateOwnedAOSPUserlessDevice', 'corporateOwnedAOSPUserAssociatedDevice')] + $EnrollmentMode, + + [Parameter()] + [ValidateSet( 'default', 'corporateOwnedDedicatedDeviceWithAzureADSharedMode', 'deviceStaging')] + $EnrollmentTokenType, + + [Parameter()] + [System.Int32] + $EnrollmentTokenUsageCount, + + [Parameter()] + [System.Boolean] + $IsTeamsDeviceProfile, + + [Parameter()] + [System.String] + $QrCodeContent, + + [Parameter()] + [System.String] + $QrCodeImage, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $TokenValue, + + [Parameter()] + [System.String] + $TokenCreationDateTime, + + [Parameter()] + [System.String] + $TokenExpirationDateTime, + + [Parameter()] + [System.Boolean] + $WifiHidden, + + [Parameter()] + [System.Management.Automation.PSCredential] + $WifiPassword, + + [Parameter()] + [System.String] + [ValidateSet( 'none', 'wpa', 'wep' )] + $WifiSecurityType, + + [Parameter()] + [System.String] + $WifiSsid, + + [Parameter()] + [System.String] + [ValidateSet('Present', 'Absent')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + 
[System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Create AndroidDeviceOwnerEnrollmentProfile: $DisplayName with Enrollment Mode: $EnrollmentMode" + + $setParameters.remove('Id') | Out-Null + $setParameters.remove('Ensure') | Out-Null + $setParameters.Remove('Verbose') | Out-Null + $response = New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile @setParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating AndroidDeviceOwnerEnrollmentProfile: $DisplayName" + Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -AndroidDeviceOwnerEnrollmentProfileId $currentInstance.Id -Confirm:$false + $response = New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile @setParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing AndroidDeviceOwnerEnrollmentProfile: $DisplayName" + Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -AndroidDeviceOwnerEnrollmentProfileId $currentInstance.Id -Confirm:$false + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] 
+ $DisplayName, + + [Parameter()] + [System.String] + $AccountId, + + [Parameter()] + [System.Boolean] + $ConfigureWifi, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Int32] + $EnrolledDeviceCount, + + [Parameter()] + [System.String] + [ValidateSet( 'corporateOwnedDedicatedDevice', 'corporateOwnedFullyManaged', 'corporateOwnedWorkProfile', 'corporateOwnedAOSPUserlessDevice', 'corporateOwnedAOSPUserAssociatedDevice')] + $EnrollmentMode, + + [Parameter()] + [ValidateSet( 'default', 'corporateOwnedDedicatedDeviceWithAzureADSharedMode', 'deviceStaging')] + $EnrollmentTokenType, + + [Parameter()] + [System.Int32] + $EnrollmentTokenUsageCount, + + [Parameter()] + [System.Boolean] + $IsTeamsDeviceProfile, + + [Parameter()] + [System.String] + $QrCodeContent, + + [Parameter()] + [System.String] + $QrCodeImage, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $TokenValue, + + [Parameter()] + [System.String] + $TokenCreationDateTime, + + [Parameter()] + [System.String] + $TokenExpirationDateTime, + + [Parameter()] + [System.Boolean] + $WifiHidden, + + [Parameter()] + [System.Management.Automation.PSCredential] + $WifiPassword, + + [Parameter()] + [System.String] + [ValidateSet( 'none', 'wpa', 'wep' )] + $WifiSecurityType, + + [Parameter()] + [System.String] + $WifiSsid, + + [Parameter()] + [System.String] + [ValidateSet('Present', 'Absent')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of AndroidDeviceOwnerEnrollmentProfile: {$DisplayName}" + + $ValuesToCheck = $PSBoundParameters + $ValuesToCheck.Remove('WifiPassword') | Out-Null + $CurrentValues = Get-TargetResource @PSBoundParameters + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $TestResult = Test-M365DSCParameterState ` + -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $TestResult" + + return $TestResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + $displayedKey = $config.DisplayName + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + 
-Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof new file mode 100644 index 0000000000..22fe3fc6f1 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof 
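Review bot: The UPDATE branch of `Set-TargetResource` deletes the existing profile with `Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile` and only then calls `New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile @setParameters`, yet the `Id`, `Ensure` and `Verbose` keys are removed from `$setParameters` only in the CREATE branch. If the `New-` call rejects the splat, the profile and its enrollment token are already gone, and devices provisioned with that token can no longer enrol. Stripping those keys before the `if` and patching the profile in place removes the destructive window; the fence sketches this, assuming the SDK's `Update-` cmdlet for this entity accepts the same properties. Separately, `Get-TargetResource` returns `TokenValue`, `QrCodeContent` and `WifiPassword`, and `Test-TargetResource` writes the whole `$CurrentValues` table to the verbose stream, so those keys should be excluded from the logged string.

```powershell
# … unchanged: telemetry, Get-TargetResource call, Remove-M365DSCAuthenticationParameter …

# Strip keys the Graph cmdlets do not accept before any branch uses the splat.
$setParameters.Remove('Id') | Out-Null
$setParameters.Remove('Ensure') | Out-Null
$setParameters.Remove('Verbose') | Out-Null

# … unchanged: CREATE branch (minus its three Remove calls) …
elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
{
    Write-Verbose -Message "Updating AndroidDeviceOwnerEnrollmentProfile: $DisplayName"
    # Patch in place so a failed update never leaves the tenant without the profile.
    Update-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile `
        -AndroidDeviceOwnerEnrollmentProfileId $currentInstance.Id `
        @setParameters | Out-Null
}
# … unchanged: REMOVE branch …
```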
@@ -0,0 +1,39 @@ +[ClassVersion("1.0.0.0")] +class MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfileQRImage +{ + [Write, Description("Indicates the content mime type.")] String type; + [Write, Description("The byte array that contains the actual content.")] String value; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile")] +class MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile : OMI_BaseResource +{ + [Key, Description("Display name for the enrollment profile.")] String DisplayName; + [Write, Description("Unique GUID for the enrollment profile. Read-Only.")] String Id; + + [Write, Description("Intune AccountId GUID the enrollment profile belongs to.")] String AccountId; + [Write, Description("Description for the enrollment profile.")] String Description; + [Write, Description("The enrollment mode of devices that use this enrollment profile."), ValueMap{"corporateOwnedDedicatedDevice", "corporateOwnedFullyManaged", "corporateOwnedWorkProfile", "corporateOwnedAOSPUserlessDevice", "corporateOwnedAOSPUserAssociatedDevice"}] String EnrollmentMode; + [Write, Description("The enrollment token type for an enrollment profile."), ValueMap{"default", "corporateOwnedDedicatedDeviceWithAzureADSharedMode", "deviceStaging"}] String EnrollmentTokenType; + [Write, Description("Value of the most recently created token for this enrollment profile.")] String TokenValue; + [Write, Description("Date time the most recently created token was created.")] String TokenCreationDateTime; + [Write, Description("Date time the most recently created token will expire.")] String TokenExpirationDateTime; + [Write, Description("Total number of Android devices that have enrolled using this enrollment profile.")] UInt32 EnrolledDeviceCount; + [Write, Description("Total number of AOSP devices that have enrolled using the current token. 
Valid values 0 to 20000")] UInt32 EnrollmentTokenUsageCount; + [Write, Description("String used to generate a QR code for the token.")] String QrCodeContent; + [Write, Description("String used to generate a QR code for the token.")] String QrCodeImage; + [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[]; + [Write, Description("Boolean that indicates that the Wi-Fi network should be configured during device provisioning. When set to TRUE, device provisioning will use Wi-Fi related properties to automatically connect to Wi-Fi networks. When set to FALSE or undefined, other Wi-Fi related properties will be ignored. Default value is TRUE. Returned by default.")] Boolean ConfigureWifi; + [Write, Description("String that contains the wi-fi login ssid")] String WifiSsid; + [Write, Description("String that contains the wi-fi login password. The parameter is a PSCredential object."), EmbeddedInstance("MSFT_Credential")] String WifiPassword; + [Write, Description("String that contains the wi-fi security type."), ValueMap{"none", "wpa", "wep"}] String WifiSecurityType; + [Write, Description("Boolean that indicates if hidden wifi networks are enabled")] Boolean WifiHidden; + [Write, Description("Boolean indicating if this profile is an Android AOSP for Teams device profile.")] Boolean IsTeamsDeviceProfile; + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present", "Absent"}, Values{"Present", "Absent"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for 
authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/readme.md
new file mode 100644
index 0000000000..14e5fe1b0d
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/readme.md
@@ -0,0 +1,5 @@
+# IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile
+
+## Description
+
+Enrollment Profile used to enroll Android Enterprise devices using Google's Cloud Management.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/settings.json
new file mode 100644
index 0000000000..8507274e9b
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/settings.json
@@ -0,0 +1,32 @@
+{
+ "resourceName": "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile",
+ "description": "Enrollment Profile used to enroll Android Enterprise devices using Google's Cloud Management.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
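Review bot: In the new MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof, `TokenValue` and `QrCodeContent` are declared as ordinary `[Write]` `String` properties although both relate to the enrollment token, so any configuration or export that carries them would hold a usable token in clear text; whether Get-TargetResource returns them is not visible in this hunk. `WifiPassword` in the same class already uses `EmbeddedInstance("MSFT_Credential")`, and the token fields deserve comparable handling, or at least omission from exported output. Separately, `QrCodeImage` repeats the `QrCodeContent` description and is typed as a plain `String`, while the `MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfileQRImage` class defined at the top of the file is never referenced; if the image is meant to be structured, an `EmbeddedInstance` pointing at that class looks like the intent.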
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/settings.json index 1b08179b72..d2f13930e3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/settings.json @@ -5,11 +5,17 @@ "graph": { "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, @@ -20,11 +26,17 @@ }, "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" }, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 index d6e82dc24b..ab574f169e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 @@ -377,7 +377,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementIntent -DeviceManagementIntentId $currentInstance.Id -BodyParameter $UpdateParameters #region resource generator code - $Uri = "https://graph.microsoft.com/beta/deviceManagement/intents/$($currentInstance.Id)/updateSettings" + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/intents/$($currentInstance.Id)/updateSettings" $body = @{'settings' = $settings } Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> $null 
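Review bot: `Group.Read.All` is added to the `read` and `update` lists for both application and delegated access in MSFT_IntuneDeviceRemediation/settings.json, and the same addition repeats in the settings.json hunks for IntuneDiskEncryptionMacOS, IntuneDiskEncryptionWindows10, the three IntuneEndpointDetectionAndResponsePolicy resources, IntuneExploitProtectionPolicyWindows10SettingCatalog, IntuneFirewallPolicyWindows10, IntuneMobileAppsMacOSLobApp and IntuneMobileAppsWindowsOfficeSuiteApp. As an application permission this lets the service principal read every group in the tenant, including membership, which widens what a leaked certificate or secret exposes. The code that needs it is not part of these hunks; if it only resolves assignment target groups, it is worth checking whether a narrower scope such as `GroupMember.Read.All` is enough before documenting the broader one as required.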
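Review bot: In MSFT_IntuneDiskEncryptionMacOS.psm1 the new `$Uri` is built by plain concatenation, so it is only valid if `$Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl` is non-empty and ends with a slash at this point; neither is established in the hunk. Since the authenticated request goes to whatever host that global holds, normalising the join is cheap insurance: `$Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl.TrimEnd('/') + "/beta/deviceManagement/intents/$($currentInstance.Id)/updateSettings"`. Set-TargetResource starts and ends outside the hunk, so any earlier validation of the connection profile is not visible here.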
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/settings.json index cacdc9cd53..404582571b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionWindows10/settings.json index 861f452495..c0b019f8fb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionWindows10/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyLinux/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyLinux/settings.json index 84a108a641..33f7eaeed0 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyLinux/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyLinux/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyMacOS/settings.json index e948d6df87..73dac608fe 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyMacOS/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 index a7a6ad3a6e..987f41812b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 @@ -126,18 +126,11 @@ function Get-TargetResource $policySettings = @{} $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings - if ($policySettings.ClientConfigurationPackageType -eq 'onboarding_fromconnector') - { - $policySettings.Add('ConfigurationType', 'AutoFromConnector') - } - else - { - $policySettings.Add('ConfigurationType', $policySettings.ClientConfigurationPackageType) - } + $policySettings.Add('ConfigurationType', $policySettings.ClientConfigurationPackageType) $policySettings.Remove('ClientConfigurationPackageType') $policySettings.Remove('onboarding') $policySettings.Remove('offboarding') - $policySettings.Remove('onboarding_fromconnector') + $policySettings.Remove('autofromconnector') # Removing TelemetryReportingFrequency because it's deprecated and doesn't need to be evaluated and enforced $policySettings.Remove('telemetryreportingfrequency') 
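Review bot: Get-TargetResource now removes the `autofromconnector` key but no longer removes `onboarding_fromconnector`, while the Set-TargetResource hunk of the same commit still adds a setting under the name `onboarding_fromconnector`. If Export-IntuneSettingCatalogPolicySettings returns that key (its output is not visible here), the value would stay in `$policySettings` and reach the returned result and any export built from it. Removing a missing key from a hashtable is harmless, so keeping `$policySettings.Remove('onboarding_fromconnector')` next to the new `$policySettings.Remove('autofromconnector')` would cover both names. The function body continues outside the hunk.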
@@ -273,8 +266,8 @@ function Set-TargetResource { 'AutoFromConnector' { - $BoundParameters.Add('ClientConfigurationPackageType', 'onboarding_fromconnector') - $BoundParameters.Add('onboarding_fromconnector', $ConfigurationBlob) + $BoundParameters.Add('ClientConfigurationPackageType', 'autofromconnector') + $BoundParameters.Add('onboarding_fromconnector', 'autoConnectPlaceholder') $BoundParameters.Remove('ConfigurationBlob') | Out-Null } 'Onboard' @@ -291,9 +284,9 @@ function Set-TargetResource } } - if ([System.String]::IsNullOrEmpty($ConfigurationBlob)) + if ($ConfigurationType -ne 'AutoFromConnector' -and [System.String]::IsNullOrEmpty($ConfigurationBlob)) { - throw "ConfigurationBlob is required for configurationType '$($DSCParams.ConfigurationType)'" + throw "ConfigurationBlob is required for configurationType '$($ConfigurationType)'" } $BoundParameters.Remove('ConfigurationType') | Out-Null diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/settings.json index 204badf15c..252f77a1aa 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
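Review bot: The literal `'autoConnectPlaceholder'` assigned to `onboarding_fromconnector` in the `'AutoFromConnector'` branch of Set-TargetResource has no explanation, and a caller-supplied `$ConfigurationBlob` is now discarded in that mode without any message. A comment such as `# Connector-based onboarding: the caller's blob is not used, a fixed placeholder is sent instead` (wording to be confirmed by the author) would tell the next maintainer the value is intentional and not a leftover. A `Write-Verbose` when `$ConfigurationBlob` is non-empty in this branch would also make the silent drop visible to operators. Set-TargetResource starts and ends outside these hunks.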
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/settings.json index babe2f5775..a859ae39a8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneFirewallPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneFirewallPolicyWindows10/settings.json index 74e36b3081..293b222bff 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneFirewallPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneFirewallPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } ], "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } @@ -17,11 +23,17 @@ }, "application": { "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } ], "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.schema.mof index ce7f2b865f..ec3e29882d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.schema.mof 
@@ -57,12 +57,12 @@ class MSFT_IntuneMobileAppsMacOSLobApp : OMI_BaseResource [Write, Description("The owner of the app. Inherited from mobileApp.")] String Owner; [Write, Description("The privacy statement Url. Inherited from mobileApp.")] String PrivacyInformationUrl; [Write, Description("The publisher of the app. Inherited from mobileApp.")] String Publisher; - [Write, Description("The publishing state for the app. The app cannot be assigned unless the app is published. Inherited from mobileApp."), ValueMap{"notPublished", "processing","published"}, Values{"notPublished", "processing", "published"}] String PublishingState; [Write, Description("The bundleId of the app.")] String BundleId; [Write, Description("The build number of the app.")] String BuildNumber; [Write, Description("The version number of the app.")] String VersionNumber; [Write, Description("List of Scope Tag IDs for mobile app.")] String RoleScopeTagIds[]; [Write, Description("Whether to ignore the version of the app or not.")] Boolean IgnoreVersionDetection; + [Write, Description("Install the app as managed. Requires macOS 11.0.")] Boolean InstallAsManaged; [Write, Description("The icon for this app."), EmbeddedInstance("MSFT_DeviceManagementMimeContent")] String LargeIcon; [Write, Description("The minimum supported operating system to install the app."), EmbeddedInstance("MSFT_DeviceManagementMinimumOperatingSystem")] String MinimumSupportedOperatingSystem; [Write, Description("The list of categories for this app."), EmbeddedInstance("MSFT_DeviceManagementMobileAppCategory")] String Categories[]; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/settings.json index 3e70ad560b..38c9bf4cd7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/settings.json 
@@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json index a9bd04b5fa..16e9c3c07d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 new file mode 100644 index 0000000000..2eac6e4eca --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 
@@ -0,0 +1,693 @@ +# https://learn.microsoft.com/en-us/graph/api/resources/intune-onboarding-mobilethreatdefenseconnector?view=graph-rest-1.0 +# https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.devicemanagement.administration/new-mgdevicemanagementmobilethreatdefenseconnector?view=graph-powershell-1.0 + +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region Intune parameters + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosPersonalApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AndroidDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $AndroidEnabled, + + [Parameter()] + [System.Boolean] + $AndroidMobileApplicationManagementEnabled, + + [Parameter()] + [System.Boolean] + $IosDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $IosEnabled, + + [Parameter()] + [System.Boolean] + $IosMobileApplicationManagementEnabled, + + [Parameter()] + [System.DateTime] + $LastHeartbeatDateTime, + + [Parameter()] + [System.Boolean] + $MicrosoftDefenderForEndpointAttachEnabled, + + [Parameter()] + [System.String] + $PartnerState, + + [Parameter()] + [System.Int32] + $PartnerUnresponsivenessThresholdInDays, + + [Parameter()] + [System.Boolean] + $PartnerUnsupportedOSVersionBlocked, + + [Parameter()] + [System.Boolean] + $WindowsDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $WindowsEnabled, + + #endregion Intune parameters + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + 
[Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + else + { + $instance = Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MobileThreatDefenseConnectorId $Id -ErrorAction Stop + } + + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find MobileThreatDefenseConnector by Id: {$Id}." + if (-Not [string]::IsNullOrEmpty($DisplayName)) + { + # There is no API which searches MobileThreatDefenseConnector by its DisplayName so the below code is commented out. + # $instance = Get-MgBetaDeviceManagementMobileThreatDefenseConnector ` + # -Filter "DisplayName eq '$DisplayName'" ` + + # The DisplayName property is not supported by the any API of this resource, hence hard-coded in below function for convenience. 
+ $connectorId = (Get-MobileThreatDefenseConnectorIdOrDisplayName -DisplayName $DisplayName).Id + $instance = Get-MgBetaDeviceManagementMobileThreatDefenseConnector ` + -MobileThreatDefenseConnectorId $connectorId + -ErrorAction SilentlyContinue + } + + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find MobileThreatDefenseConnector by DisplayName: {$DisplayName}." + return $nullResult + } + } + + if([string]::IsNullOrEmpty($DisplayName)) + { + $DisplayName = (Get-MobileThreatDefenseConnectorIdOrDisplayName -Id $instance.Id).DisplayName + } + + $results = @{ + Id = $instance.Id + DisplayName = $DisplayName + ResponseHeadersVariable = $instance.ResponseHeadersVariable + AllowPartnerToCollectIosApplicationMetadata = $instance.AllowPartnerToCollectIosApplicationMetadata + AllowPartnerToCollectIosPersonalApplicationMetadata = $instance.AllowPartnerToCollectIosPersonalApplicationMetadata + AndroidDeviceBlockedOnMissingPartnerData = $instance.AndroidDeviceBlockedOnMissingPartnerData + AndroidEnabled = $instance.AndroidEnabled + AndroidMobileApplicationManagementEnabled = $instance.AndroidMobileApplicationManagementEnabled + IosDeviceBlockedOnMissingPartnerData = $instance.IosDeviceBlockedOnMissingPartnerData + IosEnabled = $instance.IosEnabled + IosMobileApplicationManagementEnabled = $instance.IosMobileApplicationManagementEnabled + LastHeartbeatDateTime = $instance.LastHeartbeatDateTime + MicrosoftDefenderForEndpointAttachEnabled = $instance.MicrosoftDefenderForEndpointAttachEnabled + PartnerState = $instance.PartnerState.ToString() + PartnerUnresponsivenessThresholdInDays = $instance.PartnerUnresponsivenessThresholdInDays + PartnerUnsupportedOSVersionBlocked = $instance.PartnerUnsupportedOSVersionBlocked + WindowsDeviceBlockedOnMissingPartnerData = $instance.WindowsDeviceBlockedOnMissingPartnerData + WindowsEnabled = $instance.WindowsEnabled + + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + 
CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region Intune parameters + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosPersonalApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AndroidDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $AndroidEnabled, + + [Parameter()] + [System.Boolean] + $AndroidMobileApplicationManagementEnabled, + + [Parameter()] + [System.Boolean] + $IosDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $IosEnabled, + + [Parameter()] + [System.Boolean] + $IosMobileApplicationManagementEnabled, + + [Parameter()] + [System.DateTime] + $LastHeartbeatDateTime, + + [Parameter()] + [System.Boolean] + $MicrosoftDefenderForEndpointAttachEnabled, + + [Parameter()] + [System.String] + $PartnerState, + + [Parameter()] + [System.Int32] + $PartnerUnresponsivenessThresholdInDays, + + [Parameter()] + [System.Boolean] + $PartnerUnsupportedOSVersionBlocked, + + [Parameter()] + [System.Boolean] + $WindowsDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $WindowsEnabled, + + #endregion Intune parameters + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] 
+ [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $SetParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # Remove the DisplayName parameter as the Graph API does not support it + $SetParameters.Remove('DisplayName') | Out-Null + $SetParameters.Remove('Id') | Out-Null + $SetParameters.Remove('LastHeartbeatDateTime') | Out-Null + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + New-MgBetaDeviceManagementMobileThreatDefenseConnector @SetParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Update-MgBetaDeviceManagementMobileThreatDefenseConnector -MobileThreatDefenseConnectorId $currentInstance.Id @SetParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Remove-MgBetaDeviceManagementMobileThreatDefenseConnector -MobileThreatDefenseConnectorId $currentInstance.Id -Confirm:$false + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region Intune parameters + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + 
$DisplayName, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosPersonalApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AndroidDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $AndroidEnabled, + + [Parameter()] + [System.Boolean] + $AndroidMobileApplicationManagementEnabled, + + [Parameter()] + [System.Boolean] + $IosDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $IosEnabled, + + [Parameter()] + [System.Boolean] + $IosMobileApplicationManagementEnabled, + + [Parameter()] + [System.DateTime] + $LastHeartbeatDateTime, + + [Parameter()] + [System.Boolean] + $MicrosoftDefenderForEndpointAttachEnabled, + + [Parameter()] + [System.String] + [ValidateSet('unavailable', 'available', 'enabled', 'unresponsive', 'notSetUp', 'error')] + $PartnerState, + + [Parameter()] + [System.Int32] + $PartnerUnresponsivenessThresholdInDays, + + [Parameter()] + [System.Boolean] + $PartnerUnsupportedOSVersionBlocked, + + [Parameter()] + [System.Boolean] + $WindowsDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $WindowsEnabled, + + #endregion Intune parameters + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaDeviceManagementMobileThreatDefenseConnector -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + foreach ($config in $Script:exportedInstances) + { + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + AllowPartnerToCollectIosApplicationMetadata = $config.AllowPartnerToCollectIosApplicationMetadata + AllowPartnerToCollectIosPersonalApplicationMetadata = $config.AllowPartnerToCollectIosPersonalApplicationMetadata + AndroidDeviceBlockedOnMissingPartnerData = $config.AndroidDeviceBlockedOnMissingPartnerData + AndroidEnabled = $config.AndroidEnabled + AndroidMobileApplicationManagementEnabled = $config.AndroidMobileApplicationManagementEnabled + IosDeviceBlockedOnMissingPartnerData = $config.IosDeviceBlockedOnMissingPartnerData + IosEnabled = $config.IosEnabled + IosMobileApplicationManagementEnabled = $config.IosMobileApplicationManagementEnabled + LastHeartbeatDateTime = $config.LastHeartbeatDateTime + MicrosoftDefenderForEndpointAttachEnabled = $config.MicrosoftDefenderForEndpointAttachEnabled + PartnerState = $config.PartnerState.ToString() + PartnerUnresponsivenessThresholdInDays = $config.PartnerUnresponsivenessThresholdInDays + PartnerUnsupportedOSVersionBlocked = $config.PartnerUnsupportedOSVersionBlocked + WindowsDeviceBlockedOnMissingPartnerData = 
$config.WindowsDeviceBlockedOnMissingPartnerData + WindowsEnabled = $config.WindowsEnabled + + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +#region Helper functions + +function Get-MobileThreatDefenseConnectorIdOrDisplayName { + param ( + [Parameter(Mandatory = $false)] + [string]$Id, + + [Parameter(Mandatory = $false)] + [string]$DisplayName + ) + + # Hashtable mapping IDs to Display Names + $IdToDisplayNameMap = @{ + "fc780465-2017-40d4-a0c5-307022471b92" = "Microsoft Defender for Endpoint" + "860d3ab4-8fd1-45f5-89cd-ecf51e4f92e5" = "BETTER Mobile Security" + "d3ddeae8-441f-4681-b80f-aef644f7195a" = "Check Point Harmony Mobile" + "8d0ed095-8191-4bd3-8a41-953b22d51ff7" = "Pradeo" + "1f58d6d2-02cc-4c80-b008-1bfe7396a10a" = "Jamf Trust" + "4873197-ffec-4dfc-9816-db65f34c7cb9" = "Trellix Mobile Security" + "a447eca6-a986-4d3f-9838-5862bf50776c" = "CylancePROTECT Mobile" + "4928f0f6-2660-4f69-b4c5-5170ec921f7b" = "Trend Micro" + 
"bb13fe25-ce1f-45aa-b278-cabbc6b9072e" = "SentinelOne" + "e6f777f8-e4c2-4a5b-be01-50b5c124bc7f" = "Windows Security Center" + "29ee2d98-e795-475f-a0f8-0802dc3384a9" = "CrowdStrike Falcon for Mobile" + "870b252b-0ef0-4707-8847-50fc571472b3" = "Sophos" + "2c7790de-8b02-4814-85cf-e0c59380dee8" = "Lookout for Work" + "28fd67fd-b179-4629-a8b0-dad420b697c7" = "Symantec Endpoint Protection" + "08a8455c-48dd-45ff-ad82-7211355354f3" = "Zimperium" + } + + # If Id is provided, look up the DisplayName + if($null -ne $Id) + { + $displayName = $IdToDisplayNameMap[$Id] + } + + # If DisplayName is provided, look up the Id + # Create a reverse lookup hashtable for DisplayName to Id + $DisplayNameToIdMap = @{} + foreach ($key in $IdToDisplayNameMap.Keys) { + $DisplayNameToIdMap[$IdToDisplayNameMap[$key]] = $key + } + if (-not [string]::IsNullOrEmpty($DisplayName)) { + $Id = $DisplayNameToIdMap[$DisplayName] + if (-not $Id) { + Write-Host "Internal func: DisplayName '$DisplayName' not found." + return + } + } + + # Create the results tuple + return @{ + Id = $Id + DisplayName = $displayName + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof new file mode 100644 index 0000000000..0930cf9803 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof 
@@ -0,0 +1,31 @@
+[ClassVersion("1.0.0.0"), FriendlyName("IntuneMobileThreatDefenseConnector")]
+class MSFT_IntuneMobileThreatDefenseConnector : OMI_BaseResource
+{
+ [Key, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Write, Description("The DisplayName of the Mobile Threat Defense Connector partner. NOTE: Hard coded for convenience, not returned by the Graph API.")] String DisplayName;
+
+ [Write, Description("When TRUE, indicates the Mobile Threat Defense partner may collect metadata about installed applications from Intune for IOS devices. When FALSE, indicates the Mobile Threat Defense partner may not collect metadata about installed applications from Intune for IOS devices. Default value is FALSE.")] Boolean AllowPartnerToCollectIosApplicationMetadata;
+ [Write, Description("When TRUE, indicates the Mobile Threat Defense partner may collect metadata about personally installed applications from Intune for IOS devices. When FALSE, indicates the Mobile Threat Defense partner may not collect metadata about personally installed applications from Intune for IOS devices. Default value is FALSE.")] Boolean AllowPartnerToCollectIosPersonalApplicationMetadata;
+ [Write, Description("For Android, set whether Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant.")] Boolean AndroidDeviceBlockedOnMissingPartnerData;
+ [Write, Description("For Android, set whether data from the Mobile Threat Defense partner should be used during compliance evaluations.")] Boolean AndroidEnabled;
+ [Write, Description("When TRUE, indicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for Android devices. When FALSE, indicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for Android devices. 
Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE.")] Boolean AndroidMobileApplicationManagementEnabled;
+ [Write, Description("For IOS, set whether Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant.")] Boolean IosDeviceBlockedOnMissingPartnerData;
+ [Write, Description("For IOS, get or set whether data from the Mobile Threat Defense partner should be used during compliance evaluations.")] Boolean IosEnabled;
+ [Write, Description("When TRUE, indicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for IOS devices. When FALSE, indicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for IOS devices. Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE.")] Boolean IosMobileApplicationManagementEnabled;
+ [Write, Description("DateTime of last Heartbeat received from the Mobile Threat Defense partner.")] DateTime LastHeartbeatDateTime;
+ [Write, Description("When TRUE, indicates that configuration profile management via Microsoft Defender for Endpoint is enabled. When FALSE, inidicates that configuration profile management via Microsoft Defender for Endpoint is disabled. 
Default value is FALSE.")] Boolean MicrosoftDefenderForEndpointAttachEnabled;
+ [Write, Description("Partner state of this tenant.")] String PartnerState;
+ [Write, Description("Get or Set days the per tenant tolerance to unresponsiveness for this partner integration.")] Uint32 PartnerUnresponsivenessThresholdInDays;
+ [Write, Description("Get or set whether to block devices on the enabled platforms that do not meet the minimum version requirements of the Mobile Threat Defense partner.")] Boolean PartnerUnsupportedOSVersionBlocked;
+ [Write, Description("When TRUE, indicates that Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant for Windows. When FALSE, indicates that Intune may make a device compliant without receiving data from the Mobile Threat Defense partner for Windows. Default value is FALSE.")] Boolean WindowsDeviceBlockedOnMissingPartnerData;
+ [Write, Description("When TRUE, indicates that data from the Mobile Threat Defense partner can be used during compliance evaluations for Windows. When FALSE, it indicates that data from the Mobile Threat Defense partner should not be used during compliance evaluations for Windows. 
Default value is FALSE.")] Boolean WindowsEnabled;
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present", "Absent"}, Values{"Present", "Absent"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/readme.md
new file mode 100644
index 0000000000..19046bad50
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/readme.md
@@ -0,0 +1,6 @@
+
+# IntuneMobileThreatDefenseConnector
+
+## Description
+
+This resource configures a connection to Mobile Threat Defense partner.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/settings.json
new file mode 100644
index 0000000000..448e3e179c
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/settings.json
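Review bot: `LastHeartbeatDateTime` is declared `[Write]` in the schema.mof hunk, yet it is a timestamp reported by the service, and Set-TargetResource in the companion .psm1 removes it from the parameters before calling Graph. Test-TargetResource, by contrast, passes every bound key to `Test-M365DSCParameterState`, so a configuration that carries this value (an export would, if Get-TargetResource returns it, which is not visible here) would presumably report drift after each partner heartbeat and hide real changes to the compliance-gating flags. I would declare it `[Read, Description("DateTime of last Heartbeat received from the Mobile Threat Defense partner.")] DateTime LastHeartbeatDateTime;` and drop it from the Set/Test parameter lists. Separately, `PartnerState` has no `ValueMap`/`Values` although the module's `ValidateSet` accepts six values, and `PartnerUnresponsivenessThresholdInDays` is `Uint32` here but `System.Int32` in the module.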
@@ -0,0 +1,32 @@ +{ + "resourceName": "IntuneMobileThreatDefenseConnector", + "description": "This resource configures a connection to Mobile Threat Defense partner.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "DeviceManagementServiceConfig.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementServiceConfig.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "DeviceManagementServiceConfig.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementServiceConfig.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 index 08b0458b82..dfcc8d735b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 @@ -344,15 +344,14 @@ function Set-TargetResource $UpdateParameters.Add("PolicySetId", $currentInstance.Id) Update-MgbetaDeviceAppManagementPolicySet @UpdateParameters - + + $Url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceAppManagement/policySets/$($currentInstance.Id)/update" if ($null -ne ($itemamendments = Get-ItemsAmendmentsObject -currentObjectItems $currentInstance.Items -targetObjectItems $items)) { - $url = ('https://graph.microsoft.com/beta/deviceAppManagement/policySets/' + $currentInstance.Id + '/update' ) Invoke-MgGraphRequest -Method POST -Uri $url -Body $itemamendments } $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments - $url = ('https://graph.microsoft.com/beta/deviceAppManagement/policySets/' + $currentInstance.Id + '/update' ) Invoke-MgGraphRequest -Method POST -Uri $url -Body $assignmentsHash #endregion } 
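Review bot: The new `$Url` in the MSFT_IntunePolicySets.psm1 hunk is built by plain concatenation, so it is only a well-formed URI when `$Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl` is populated and ends in `/`. If the profile value were empty or lacked the trailing slash, both `Invoke-MgGraphRequest -Method POST` calls would be sent to a malformed or relative address with nothing in this block catching it. Normalising the base makes the assumption explicit: `$Url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl.TrimEnd('/') + "/beta/deviceAppManagement/policySets/$($currentInstance.Id)/update"`. A one-line comment such as `# Base URL comes from the connection profile so sovereign clouds resolve to their own Graph endpoint` would also record why the hard-coded host was removed. Set-TargetResource starts and ends outside this hunk, so any earlier validation of the profile is not visible here.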
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/settings.json index d554d6a3d1..4439bab90a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/settings.json @@ -5,22 +5,38 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ - + { + "name": "Group.Read.All" + }, + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } ] }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ - + { + "name": "Group.Read.All" + }, + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } ] } } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/settings.json index d0b58f2960..3e0874d1bf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneRoleAssignment/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementRBAC.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementRBAC.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementRBAC.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementRBAC.ReadWrite.All" } 
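Review bot: `Group.Read.All` is added to all four lists (delegated and application, read and update) in MSFT_IntunePolicySets/settings.json, and again in both hunks of MSFT_IntuneRoleAssignment/settings.json. It is a tenant-wide scope that covers group content as well as membership. The code that needs it is not in these hunks; if the resources only resolve group ids and display names for assignments, the narrower `{ "name": "GroupMember.Read.All" }` may be enough and is worth checking before the broader scope is documented as required. Existing app registrations will need admin re-consent for whichever scope is chosen, which deserves a line in the changelog entry.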
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/MSFT_IntuneSecurityBaselineDefenderForEndpoint.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/MSFT_IntuneSecurityBaselineDefenderForEndpoint.psm1 new file mode 100644 index 0000000000..4640ae3064 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/MSFT_IntuneSecurityBaselineDefenderForEndpoint.psm1 
@@ -0,0 +1,1061 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DeviceSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UserSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Security Baseline Defender For Endpoint with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Security Baseline Defender For Endpoint with Name {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune Security Baseline Defender For Endpoint with Id {$Id} and Name {$DisplayName} was found" + + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Id ` + -ExpandProperty 'settingDefinitions' ` + -All ` + -ErrorAction Stop + + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings -ContainsDeviceAndUserSettings + + #region resource generator code + $complexDeviceSettings = @{} + + # Add device settings with conditional checks + if ($null -ne $policySettings.DeviceSettings.deviceInstall_Classes_Deny) { + $complexDeviceSettings.Add('DeviceInstall_Classes_Deny', $policySettings.DeviceSettings.deviceInstall_Classes_Deny) + } + if ($null -ne $policySettings.DeviceSettings.deviceInstall_Classes_Deny_List) { + $complexDeviceSettings.Add('DeviceInstall_Classes_Deny_List', $policySettings.DeviceSettings.deviceInstall_Classes_Deny_List) + } + if ($null -ne $policySettings.DeviceSettings.deviceInstall_Classes_Deny_Retroactive) { + $complexDeviceSettings.Add('DeviceInstall_Classes_Deny_Retroactive', $policySettings.DeviceSettings.deviceInstall_Classes_Deny_Retroactive) + } + if ($null -ne $policySettings.DeviceSettings.encryptionMethodWithXts_Name) { + $complexDeviceSettings.Add('EncryptionMethodWithXts_Name', $policySettings.DeviceSettings.encryptionMethodWithXts_Name) + } + if ($null -ne $policySettings.DeviceSettings.encryptionMethodWithXtsOsDropDown_Name) { + $complexDeviceSettings.Add('EncryptionMethodWithXtsOsDropDown_Name', $policySettings.DeviceSettings.encryptionMethodWithXtsOsDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.encryptionMethodWithXtsFdvDropDown_Name) { + $complexDeviceSettings.Add('EncryptionMethodWithXtsFdvDropDown_Name', 
$policySettings.DeviceSettings.encryptionMethodWithXtsFdvDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.encryptionMethodWithXtsRdvDropDown_Name) { + $complexDeviceSettings.Add('EncryptionMethodWithXtsRdvDropDown_Name', $policySettings.DeviceSettings.encryptionMethodWithXtsRdvDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVRecoveryUsage_Name) { + $complexDeviceSettings.Add('FDVRecoveryUsage_Name', $policySettings.DeviceSettings.fDVRecoveryUsage_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVActiveDirectoryBackup_Name) { + $complexDeviceSettings.Add('FDVActiveDirectoryBackup_Name', $policySettings.DeviceSettings.fDVActiveDirectoryBackup_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVHideRecoveryPage_Name) { + $complexDeviceSettings.Add('FDVHideRecoveryPage_Name', $policySettings.DeviceSettings.fDVHideRecoveryPage_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVRecoveryPasswordUsageDropDown_Name) { + $complexDeviceSettings.Add('FDVRecoveryPasswordUsageDropDown_Name', $policySettings.DeviceSettings.fDVRecoveryPasswordUsageDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVRequireActiveDirectoryBackup_Name) { + $complexDeviceSettings.Add('FDVRequireActiveDirectoryBackup_Name', $policySettings.DeviceSettings.fDVRequireActiveDirectoryBackup_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVAllowDRA_Name) { + $complexDeviceSettings.Add('FDVAllowDRA_Name', $policySettings.DeviceSettings.fDVAllowDRA_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVActiveDirectoryBackupDropDown_Name) { + $complexDeviceSettings.Add('FDVActiveDirectoryBackupDropDown_Name', $policySettings.DeviceSettings.fDVActiveDirectoryBackupDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVRecoveryKeyUsageDropDown_Name) { + $complexDeviceSettings.Add('FDVRecoveryKeyUsageDropDown_Name', $policySettings.DeviceSettings.fDVRecoveryKeyUsageDropDown_Name) + } + if ($null -ne 
$policySettings.DeviceSettings.fDVDenyWriteAccess_Name) { + $complexDeviceSettings.Add('FDVDenyWriteAccess_Name', $policySettings.DeviceSettings.fDVDenyWriteAccess_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVEncryptionType_Name) { + $complexDeviceSettings.Add('FDVEncryptionType_Name', $policySettings.DeviceSettings.fDVEncryptionType_Name) + } + if ($null -ne $policySettings.DeviceSettings.fDVEncryptionTypeDropDown_Name) { + $complexDeviceSettings.Add('FDVEncryptionTypeDropDown_Name', $policySettings.DeviceSettings.fDVEncryptionTypeDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.enablePreBootPinExceptionOnDECapableDevice_Name) { + $complexDeviceSettings.Add('EnablePreBootPinExceptionOnDECapableDevice_Name', $policySettings.DeviceSettings.enablePreBootPinExceptionOnDECapableDevice_Name) + } + if ($null -ne $policySettings.DeviceSettings.enhancedPIN_Name) { + $complexDeviceSettings.Add('EnhancedPIN_Name', $policySettings.DeviceSettings.enhancedPIN_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSRecoveryUsage_Name) { + $complexDeviceSettings.Add('OSRecoveryUsage_Name', $policySettings.DeviceSettings.OSRecoveryUsage_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSRequireActiveDirectoryBackup_Name) { + $complexDeviceSettings.Add('OSRequireActiveDirectoryBackup_Name', $policySettings.DeviceSettings.OSRequireActiveDirectoryBackup_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSActiveDirectoryBackup_Name) { + $complexDeviceSettings.Add('OSActiveDirectoryBackup_Name', $policySettings.DeviceSettings.OSActiveDirectoryBackup_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSRecoveryPasswordUsageDropDown_Name) { + $complexDeviceSettings.Add('OSRecoveryPasswordUsageDropDown_Name', $policySettings.DeviceSettings.OSRecoveryPasswordUsageDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSHideRecoveryPage_Name) { + $complexDeviceSettings.Add('OSHideRecoveryPage_Name', 
$policySettings.DeviceSettings.OSHideRecoveryPage_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSAllowDRA_Name) { + $complexDeviceSettings.Add('OSAllowDRA_Name', $policySettings.DeviceSettings.OSAllowDRA_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSRecoveryKeyUsageDropDown_Name) { + $complexDeviceSettings.Add('OSRecoveryKeyUsageDropDown_Name', $policySettings.DeviceSettings.OSRecoveryKeyUsageDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSActiveDirectoryBackupDropDown_Name) { + $complexDeviceSettings.Add('OSActiveDirectoryBackupDropDown_Name', $policySettings.DeviceSettings.OSActiveDirectoryBackupDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.enablePrebootInputProtectorsOnSlates_Name) { + $complexDeviceSettings.Add('EnablePrebootInputProtectorsOnSlates_Name', $policySettings.DeviceSettings.enablePrebootInputProtectorsOnSlates_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSEncryptionType_Name) { + $complexDeviceSettings.Add('OSEncryptionType_Name', $policySettings.DeviceSettings.OSEncryptionType_Name) + } + if ($null -ne $policySettings.DeviceSettings.OSEncryptionTypeDropDown_Name) { + $complexDeviceSettings.Add('OSEncryptionTypeDropDown_Name', $policySettings.DeviceSettings.OSEncryptionTypeDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.configureAdvancedStartup_Name) { + $complexDeviceSettings.Add('ConfigureAdvancedStartup_Name', $policySettings.DeviceSettings.configureAdvancedStartup_Name) + } + if ($null -ne $policySettings.DeviceSettings.configureTPMStartupKeyUsageDropDown_Name) { + $complexDeviceSettings.Add('ConfigureTPMStartupKeyUsageDropDown_Name', $policySettings.DeviceSettings.configureTPMStartupKeyUsageDropDown_Name) + } + if ($null -ne $policySettings.DeviceSettings.configureTPMPINKeyUsageDropDown_Name) { + $complexDeviceSettings.Add('ConfigureTPMPINKeyUsageDropDown_Name', $policySettings.DeviceSettings.configureTPMPINKeyUsageDropDown_Name) + } + if ($null -ne 
$policySettings.DeviceSettings.configureTPMUsageDropDown_Name) {
+ $complexDeviceSettings.Add('ConfigureTPMUsageDropDown_Name', $policySettings.DeviceSettings.configureTPMUsageDropDown_Name)
+ }
+ if ($null -ne $policySettings.DeviceSettings.configureNonTPMStartupKeyUsage_Name) {
+ $complexDeviceSettings.Add('ConfigureNonTPMStartupKeyUsage_Name', $policySettings.DeviceSettings.configureNonTPMStartupKeyUsage_Name)
+ }
+ if ($null -ne $policySettings.DeviceSettings.configurePINUsageDropDown_Name) {
+ $complexDeviceSettings.Add('ConfigurePINUsageDropDown_Name', $policySettings.DeviceSettings.configurePINUsageDropDown_Name)
+ }
+ if ($null -ne $policySettings.DeviceSettings.RDVConfigureBDE) {
+ $complexDeviceSettings.Add('RDVConfigureBDE', $policySettings.DeviceSettings.RDVConfigureBDE)
+ }
+ if ($null -ne $policySettings.DeviceSettings.RDVAllowBDE_Name) {
+ $complexDeviceSettings.Add('RDVAllowBDE_Name', $policySettings.DeviceSettings.RDVAllowBDE_Name)
+ }
+ if ($null -ne $policySettings.DeviceSettings.RDVEncryptionType_Name) {
+ $complexDeviceSettings.Add('RDVEncryptionType_Name', $policySettings.DeviceSettings.RDVEncryptionType_Name)
+ }
+ if ($null -ne $policySettings.DeviceSettings.RDVEncryptionTypeDropDown_Name) {
+ $complexDeviceSettings.Add('RDVEncryptionTypeDropDown_Name', $policySettings.DeviceSettings.RDVEncryptionTypeDropDown_Name)
+ }
+ if ($null -ne $policySettings.DeviceSettings.RDVDisableBDE_Name) {
+ $complexDeviceSettings.Add('RDVDisableBDE_Name', $policySettings.DeviceSettings.RDVDisableBDE_Name)
+ }
+ if ($null -ne $policySettings.DeviceSettings.RDVDenyWriteAccess_Name) {
+ $complexDeviceSettings.Add('RDVDenyWriteAccess_Name', $policySettings.DeviceSettings.RDVDenyWriteAccess_Name)
+ }
+ if ($null -ne $policySettings.DeviceSettings.RDVCrossOrg) {
+ $complexDeviceSettings.Add('RDVCrossOrg', $policySettings.DeviceSettings.RDVCrossOrg)
+ }
+ if ($null -ne $policySettings.DeviceSettings.EnableSmartScreen) {
+ $complexDeviceSettings.Add('EnableSmartScreen', $policySettings.DeviceSettings.EnableSmartScreen)
+ }
+ if ($null -ne $policySettings.DeviceSettings.EnableSmartScreenDropdown) {
+ $complexDeviceSettings.Add('EnableSmartScreenDropdown', $policySettings.DeviceSettings.EnableSmartScreenDropdown)
+ }
+ if ($null -ne $policySettings.DeviceSettings.DisableSafetyFilterOverrideForAppRepUnknown) {
+ $complexDeviceSettings.Add('DisableSafetyFilterOverrideForAppRepUnknown', $policySettings.DeviceSettings.DisableSafetyFilterOverrideForAppRepUnknown)
+ }
+ if ($null -ne $policySettings.DeviceSettings.Disable_Managing_Safety_Filter_IE9) {
+ $complexDeviceSettings.Add('Disable_Managing_Safety_Filter_IE9', $policySettings.DeviceSettings.Disable_Managing_Safety_Filter_IE9)
+ }
+ if ($null -ne $policySettings.DeviceSettings.IE9SafetyFilterOptions) {
+ $complexDeviceSettings.Add('IE9SafetyFilterOptions', $policySettings.DeviceSettings.IE9SafetyFilterOptions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.AllowWarningForOtherDiskEncryption) {
+ $complexDeviceSettings.Add('AllowWarningForOtherDiskEncryption', $policySettings.DeviceSettings.AllowWarningForOtherDiskEncryption)
+ }
+ if ($null -ne $policySettings.DeviceSettings.AllowStandardUserEncryption) {
+ $complexDeviceSettings.Add('AllowStandardUserEncryption', $policySettings.DeviceSettings.AllowStandardUserEncryption)
+ }
+ if ($null -ne $policySettings.DeviceSettings.ConfigureRecoveryPasswordRotation) {
+ $complexDeviceSettings.Add('ConfigureRecoveryPasswordRotation', $policySettings.DeviceSettings.ConfigureRecoveryPasswordRotation)
+ }
+ if ($null -ne $policySettings.DeviceSettings.RequireDeviceEncryption) {
+ $complexDeviceSettings.Add('RequireDeviceEncryption', $policySettings.DeviceSettings.RequireDeviceEncryption)
+ }
+ if ($null -ne $policySettings.DeviceSettings.AllowArchiveScanning) {
+ $complexDeviceSettings.Add('AllowArchiveScanning', $policySettings.DeviceSettings.AllowArchiveScanning)
+ }
+ if ($null -ne $policySettings.DeviceSettings.AllowBehaviorMonitoring) {
+ $complexDeviceSettings.Add('AllowBehaviorMonitoring', $policySettings.DeviceSettings.AllowBehaviorMonitoring)
+ }
+ if ($null -ne $policySettings.DeviceSettings.AllowCloudProtection) {
+ $complexDeviceSettings.Add('AllowCloudProtection', $policySettings.DeviceSettings.AllowCloudProtection)
+ }
+ if ($null -ne $policySettings.DeviceSettings.AllowEmailScanning) {
+ $complexDeviceSettings.Add('AllowEmailScanning', $policySettings.DeviceSettings.AllowEmailScanning)
+ }
+ if ($null -ne $policySettings.DeviceSettings.AllowFullScanRemovableDriveScanning) {
+ $complexDeviceSettings.Add('AllowFullScanRemovableDriveScanning', $policySettings.DeviceSettings.AllowFullScanRemovableDriveScanning)
+ }
+ if ($null -ne $policySettings.DeviceSettings.AllowOnAccessProtection) {
+ $complexDeviceSettings.Add('AllowOnAccessProtection', $policySettings.DeviceSettings.AllowOnAccessProtection)
+ }
+ if ($null -ne $policySettings.DeviceSettings.AllowRealtimeMonitoring) {
+ $complexDeviceSettings.Add('AllowRealtimeMonitoring', $policySettings.DeviceSettings.AllowRealtimeMonitoring)
+ }
+ if ($null -ne $policySettings.DeviceSettings.AllowScanningNetworkFiles) {
+ $complexDeviceSettings.Add('AllowScanningNetworkFiles', $policySettings.DeviceSettings.AllowScanningNetworkFiles)
+ }
+ if ($null -ne $policySettings.DeviceSettings.AllowIOAVProtection) {
+ $complexDeviceSettings.Add('AllowIOAVProtection', $policySettings.DeviceSettings.AllowIOAVProtection)
+ }
+ if ($null -ne $policySettings.DeviceSettings.AllowScriptScanning) {
+ $complexDeviceSettings.Add('AllowScriptScanning', $policySettings.DeviceSettings.AllowScriptScanning)
+ }
+ if ($null -ne $policySettings.DeviceSettings.AllowUserUIAccess) {
+ $complexDeviceSettings.Add('AllowUserUIAccess', $policySettings.DeviceSettings.AllowUserUIAccess)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockExecutionOfPotentiallyObfuscatedScripts) {
+ $complexDeviceSettings.Add('BlockExecutionOfPotentiallyObfuscatedScripts', $policySettings.DeviceSettings.BlockExecutionOfPotentiallyObfuscatedScripts)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockWin32APICallsFromOfficeMacros) {
+ $complexDeviceSettings.Add('BlockWin32APICallsFromOfficeMacros', $policySettings.DeviceSettings.BlockWin32APICallsFromOfficeMacros)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion) {
+ $complexDeviceSettings.Add('BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion', $policySettings.DeviceSettings.BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockOfficeCommunicationAppFromCreatingChildProcesses) {
+ $complexDeviceSettings.Add('BlockOfficeCommunicationAppFromCreatingChildProcesses', $policySettings.DeviceSettings.BlockOfficeCommunicationAppFromCreatingChildProcesses)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockAllOfficeApplicationsFromCreatingChildProcesses) {
+ $complexDeviceSettings.Add('BlockAllOfficeApplicationsFromCreatingChildProcesses', $policySettings.DeviceSettings.BlockAllOfficeApplicationsFromCreatingChildProcesses)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockAdobeReaderFromCreatingChildProcesses) {
+ $complexDeviceSettings.Add('BlockAdobeReaderFromCreatingChildProcesses', $policySettings.DeviceSettings.BlockAdobeReaderFromCreatingChildProcesses)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem) {
+ $complexDeviceSettings.Add('BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem', $policySettings.DeviceSettings.BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent) {
+ $complexDeviceSettings.Add('BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent', $policySettings.DeviceSettings.BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockWebshellCreationForServers) {
+ $complexDeviceSettings.Add('BlockWebshellCreationForServers', $policySettings.DeviceSettings.BlockWebshellCreationForServers)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockWebshellCreationForServers_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockWebshellCreationForServers_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockWebshellCreationForServers_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockUntrustedUnsignedProcessesThatRunFromUSB) {
+ $complexDeviceSettings.Add('BlockUntrustedUnsignedProcessesThatRunFromUSB', $policySettings.DeviceSettings.BlockUntrustedUnsignedProcessesThatRunFromUSB)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockPersistenceThroughWMIEventSubscription) {
+ $complexDeviceSettings.Add('BlockPersistenceThroughWMIEventSubscription', $policySettings.DeviceSettings.BlockPersistenceThroughWMIEventSubscription)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockUseOfCopiedOrImpersonatedSystemTools) {
+ $complexDeviceSettings.Add('BlockUseOfCopiedOrImpersonatedSystemTools', $policySettings.DeviceSettings.BlockUseOfCopiedOrImpersonatedSystemTools)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockAbuseOfExploitedVulnerableSignedDrivers) {
+ $complexDeviceSettings.Add('BlockAbuseOfExploitedVulnerableSignedDrivers', $policySettings.DeviceSettings.BlockAbuseOfExploitedVulnerableSignedDrivers)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockProcessCreationsFromPSExecAndWMICommands) {
+ $complexDeviceSettings.Add('BlockProcessCreationsFromPSExecAndWMICommands', $policySettings.DeviceSettings.BlockProcessCreationsFromPSExecAndWMICommands)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockOfficeApplicationsFromCreatingExecutableContent) {
+ $complexDeviceSettings.Add('BlockOfficeApplicationsFromCreatingExecutableContent', $policySettings.DeviceSettings.BlockOfficeApplicationsFromCreatingExecutableContent)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses) {
+ $complexDeviceSettings.Add('BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses', $policySettings.DeviceSettings.BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockRebootingMachineInSafeMode) {
+ $complexDeviceSettings.Add('BlockRebootingMachineInSafeMode', $policySettings.DeviceSettings.BlockRebootingMachineInSafeMode)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.UseAdvancedProtectionAgainstRansomware) {
+ $complexDeviceSettings.Add('UseAdvancedProtectionAgainstRansomware', $policySettings.DeviceSettings.UseAdvancedProtectionAgainstRansomware)
+ }
+ if ($null -ne $policySettings.DeviceSettings.UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockExecutableContentFromEmailClientAndWebmail) {
+ $complexDeviceSettings.Add('BlockExecutableContentFromEmailClientAndWebmail', $policySettings.DeviceSettings.BlockExecutableContentFromEmailClientAndWebmail)
+ }
+ if ($null -ne $policySettings.DeviceSettings.BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions) {
+ $complexDeviceSettings.Add('BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions)
+ }
+ if ($null -ne $policySettings.DeviceSettings.CheckForSignaturesBeforeRunningScan) {
+ $complexDeviceSettings.Add('CheckForSignaturesBeforeRunningScan', $policySettings.DeviceSettings.CheckForSignaturesBeforeRunningScan)
+ }
+ if ($null -ne $policySettings.DeviceSettings.CloudBlockLevel) {
+ $complexDeviceSettings.Add('CloudBlockLevel', $policySettings.DeviceSettings.CloudBlockLevel)
+ }
+ if ($null -ne $policySettings.DeviceSettings.CloudExtendedTimeout) {
+ $complexDeviceSettings.Add('CloudExtendedTimeout', $policySettings.DeviceSettings.CloudExtendedTimeout)
+ }
+ if ($null -ne $policySettings.DeviceSettings.DisableLocalAdminMerge) {
+ $complexDeviceSettings.Add('DisableLocalAdminMerge', $policySettings.DeviceSettings.DisableLocalAdminMerge)
+ }
+ if ($null -ne $policySettings.DeviceSettings.EnableNetworkProtection) {
+ $complexDeviceSettings.Add('EnableNetworkProtection', $policySettings.DeviceSettings.EnableNetworkProtection)
+ }
+ if ($null -ne $policySettings.DeviceSettings.HideExclusionsFromLocalAdmins) {
+ $complexDeviceSettings.Add('HideExclusionsFromLocalAdmins', $policySettings.DeviceSettings.HideExclusionsFromLocalAdmins)
+ }
+ if ($null -ne $policySettings.DeviceSettings.HideExclusionsFromLocalUsers) {
+ $complexDeviceSettings.Add('HideExclusionsFromLocalUsers', $policySettings.DeviceSettings.HideExclusionsFromLocalUsers)
+ }
+ if ($null -ne $policySettings.DeviceSettings.OobeEnableRtpAndSigUpdate) {
+ $complexDeviceSettings.Add('OobeEnableRtpAndSigUpdate', $policySettings.DeviceSettings.OobeEnableRtpAndSigUpdate)
+ }
+ if ($null -ne $policySettings.DeviceSettings.PUAProtection) {
+ $complexDeviceSettings.Add('PUAProtection', $policySettings.DeviceSettings.PUAProtection)
+ }
+ if ($null -ne $policySettings.DeviceSettings.RealTimeScanDirection) {
+ $complexDeviceSettings.Add('RealTimeScanDirection', $policySettings.DeviceSettings.RealTimeScanDirection)
+ }
+ if ($null -ne $policySettings.DeviceSettings.ScanParameter) {
+ $complexDeviceSettings.Add('ScanParameter', $policySettings.DeviceSettings.ScanParameter)
+ }
+ if ($null -ne $policySettings.DeviceSettings.ScheduleQuickScanTime) {
+ $complexDeviceSettings.Add('ScheduleQuickScanTime', $policySettings.DeviceSettings.ScheduleQuickScanTime)
+ }
+ if ($null -ne $policySettings.DeviceSettings.ScheduleScanDay) {
+ $complexDeviceSettings.Add('ScheduleScanDay', $policySettings.DeviceSettings.ScheduleScanDay)
+ }
+ if ($null -ne $policySettings.DeviceSettings.ScheduleScanTime) {
+ $complexDeviceSettings.Add('ScheduleScanTime', $policySettings.DeviceSettings.ScheduleScanTime)
+ }
+ if ($null -ne $policySettings.DeviceSettings.SignatureUpdateInterval) {
+ $complexDeviceSettings.Add('SignatureUpdateInterval', $policySettings.DeviceSettings.SignatureUpdateInterval)
+ }
+ if ($null -ne $policySettings.DeviceSettings.SubmitSamplesConsent) {
+ $complexDeviceSettings.Add('SubmitSamplesConsent', $policySettings.DeviceSettings.SubmitSamplesConsent)
+ }
+ if ($null -ne $policySettings.DeviceSettings.LsaCfgFlags) {
+ $complexDeviceSettings.Add('LsaCfgFlags', $policySettings.DeviceSettings.LsaCfgFlags)
+ }
+ if ($null -ne $policySettings.DeviceSettings.DeviceEnumerationPolicy) {
+ $complexDeviceSettings.Add('DeviceEnumerationPolicy', $policySettings.DeviceSettings.DeviceEnumerationPolicy)
+ }
+ if ($null -ne $policySettings.DeviceSettings.SmartScreenEnabled) {
+ $complexDeviceSettings.Add('SmartScreenEnabled', $policySettings.DeviceSettings.SmartScreenEnabled)
+ }
+ if ($null -ne $policySettings.DeviceSettings.SmartScreenPuaEnabled) {
+ $complexDeviceSettings.Add('SmartScreenPuaEnabled', $policySettings.DeviceSettings.SmartScreenPuaEnabled)
+ }
+ if ($null -ne $policySettings.DeviceSettings.SmartScreenDnsRequestsEnabled) {
+ $complexDeviceSettings.Add('SmartScreenDnsRequestsEnabled', $policySettings.DeviceSettings.SmartScreenDnsRequestsEnabled)
+ }
+ if ($null -ne $policySettings.DeviceSettings.NewSmartScreenLibraryEnabled) {
+ $complexDeviceSettings.Add('NewSmartScreenLibraryEnabled', $policySettings.DeviceSettings.NewSmartScreenLibraryEnabled)
+ }
+ if ($null -ne $policySettings.DeviceSettings.SmartScreenForTrustedDownloadsEnabled) {
+ $complexDeviceSettings.Add('SmartScreenForTrustedDownloadsEnabled', $policySettings.DeviceSettings.SmartScreenForTrustedDownloadsEnabled)
+ }
+ if ($null -ne $policySettings.DeviceSettings.PreventSmartScreenPromptOverride) {
+ $complexDeviceSettings.Add('PreventSmartScreenPromptOverride', $policySettings.DeviceSettings.PreventSmartScreenPromptOverride)
+ }
+ if ($null -ne $policySettings.DeviceSettings.PreventSmartScreenPromptOverrideForFiles) {
+ $complexDeviceSettings.Add('PreventSmartScreenPromptOverrideForFiles', $policySettings.DeviceSettings.PreventSmartScreenPromptOverrideForFiles)
+ }
+
+ # Check if $complexDeviceSettings is empty
+ if ($complexDeviceSettings.Values.Where({ $null -ne $_ }).Count -eq 0) {
+ $complexDeviceSettings = $null
+ }
+ $policySettings.Remove('DeviceSettings') | Out-Null
+
+ $complexUserSettings = @{}
+
+ # Add user settings with conditional checks
+ if ($null -ne $policySettings.UserSettings.DisableSafetyFilterOverrideForAppRepUnknown) {
+ $complexUserSettings.Add('DisableSafetyFilterOverrideForAppRepUnknown', $policySettings.UserSettings.DisableSafetyFilterOverrideForAppRepUnknown)
+ }
+
+ # Check if $complexUserSettings is empty
+ if ($complexUserSettings.Values.Where({ $null -ne $_ }).Count -eq 0) {
+ $complexUserSettings = $null
+ }
+ $policySettings.Remove('UserSettings') | Out-Null
+ #endregion
+
+ #endregion
+
+ $results = @{
+ #region resource generator code
+ Description = $getValue.Description
+ DisplayName = $getValue.Name
+ RoleScopeTagIds = $getValue.RoleScopeTagIds
+ Id = $getValue.Id
+ DeviceSettings = $complexDeviceSettings
+ UserSettings = $complexUserSettings
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificateThumbprint = $CertificateThumbprint
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ #endregion
+ }
+ $results += $policySettings
+
+ $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id
+ $assignmentResult = @()
+ if ($assignmentsValues.Count -gt 0)
+ {
+ $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true
+ }
+ $results.Add('Assignments', $assignmentResult)
+
+ return [System.Collections.Hashtable] $results
+ }
+ catch
+ {
+ New-M365DSCLogEntry -Message 'Error retrieving data:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return $nullResult
+ }
+}
+
+function Set-TargetResource
+{
+ [CmdletBinding()]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [System.String]
+ $Description,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.String[]]
+ $RoleScopeTagIds,
+
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $DeviceSettings,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $UserSettings,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
+ #endregion
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $currentInstance = Get-TargetResource @PSBoundParameters
+
+ $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
+
+ $templateReferenceId = '49b8320f-e179-472e-8e2c-2fde00289ca2_1'
+ $platforms = 'windows10'
+ $technologies = 'mdm'
+
+ if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
+ {
+ Write-Verbose -Message "Creating an Intune Security Baseline Defender For Endpoint with Name {$DisplayName}"
+ $BoundParameters.Remove("Assignments") | Out-Null
+
+ $settings = Get-IntuneSettingCatalogPolicySetting `
+ -DSCParams ([System.Collections.Hashtable]$BoundParameters) `
+ -TemplateId $templateReferenceId `
+ -ContainsDeviceAndUserSettings
+
+ $createParameters = @{
+ Name = $DisplayName
+ Description = $Description
+ TemplateReference = @{ templateId = $templateReferenceId }
+ Platforms = $platforms
+ Technologies = $technologies
+ Settings = $settings
+ }
+
+ #region resource generator code
+ $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters
+
+ if ($policy.Id)
+ {
+ $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments
+ Update-DeviceConfigurationPolicyAssignment `
+ -DeviceConfigurationPolicyId $policy.Id `
+ -Targets $assignmentsHash `
+ -Repository 'deviceManagement/configurationPolicies'
+ }
+ #endregion
+ }
+ elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Updating the Intune Security Baseline Defender For Endpoint with Id {$($currentInstance.Id)}"
+ $BoundParameters.Remove("Assignments") | Out-Null
+
+ $settings = Get-IntuneSettingCatalogPolicySetting `
+ -DSCParams ([System.Collections.Hashtable]$BoundParameters) `
+ -TemplateId $templateReferenceId `
+ -ContainsDeviceAndUserSettings
+
+ Update-IntuneDeviceConfigurationPolicy `
+ -DeviceConfigurationPolicyId $currentInstance.Id `
+ -Name $DisplayName `
+ -Description $Description `
+ -TemplateReferenceId $templateReferenceId `
+ -Platforms $platforms `
+ -Technologies $technologies `
+ -Settings $settings
+
+ #region resource generator code
+ $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments
+ Update-DeviceConfigurationPolicyAssignment `
+ -DeviceConfigurationPolicyId $currentInstance.Id `
+ -Targets $assignmentsHash `
+ -Repository 'deviceManagement/configurationPolicies'
+ #endregion
+ }
+ elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Removing the Intune Security Baseline Defender For Endpoint with Id {$($currentInstance.Id)}"
+ #region resource generator code
+ Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id
+ #endregion
+ }
+}
+
+function Test-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Boolean])]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [System.String]
+ $Description,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.String[]]
+ $RoleScopeTagIds,
+
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $DeviceSettings,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $UserSettings,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
+ #endregion
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ Write-Verbose -Message "Testing configuration of the Intune Security Baseline Defender For Endpoint with Id {$Id} and Name {$DisplayName}"
+
+ $CurrentValues = Get-TargetResource @PSBoundParameters
+ [Hashtable]$ValuesToCheck = @{}
+ $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object {
+ if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction'))
+ {
+ if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key])
+ {
+ $ValuesToCheck.Add($_.Key, $null)
+ if (-not $PSBoundParameters.ContainsKey($_.Key))
+ {
+ $PSBoundParameters.Add($_.Key, $null)
+ }
+ }
+ }
+ }
+
+ if ($CurrentValues.Ensure -ne $Ensure)
+ {
+ Write-Verbose -Message "Test-TargetResource returned $false"
+ return $false
+ }
+ $testResult = $true
+
+ #Compare Cim instances
+ foreach ($key in $PSBoundParameters.Keys)
+ {
+ $source = $PSBoundParameters.$key
+ $target = $CurrentValues.$key
+ if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
+ {
+ $testResult = Compare-M365DSCComplexObject `
+ -Source ($source) `
+ -Target ($target)
+
+ if (-not $testResult)
+ {
+ break
+ }
+
+ $ValuesToCheck.Remove($key) | Out-Null
+ }
+ }
+
+ $ValuesToCheck.Remove('Id') | Out-Null
+ $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck
+
+ Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
+ Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"
+
+ if ($testResult)
+ {
+ $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -DesiredValues $PSBoundParameters `
+ -ValuesToCheck $ValuesToCheck.Keys
+ }
+
+ Write-Verbose -Message "Test-TargetResource returned $testResult"
+
+ return $testResult
+}
+
+function Export-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.String])]
+ param
+ (
+ [Parameter()]
+ [System.String]
+ $Filter,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
+ -InboundParameters $PSBoundParameters
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ try
+ {
+ #region resource generator code
+ $policyTemplateID = "49b8320f-e179-472e-8e2c-2fde00289ca2_1"
+ [array]$getValue = Get-MgBetaDeviceManagementConfigurationPolicy `
+ -Filter $Filter `
+ -All `
+ -ErrorAction Stop | Where-Object `
+ -FilterScript {
+ $_.TemplateReference.TemplateId -eq $policyTemplateID
+ }
+ #endregion
+
+ $i = 1
+ $dscContent = ''
+ if ($getValue.Length -eq 0)
+ {
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ else
+ {
+ Write-Host "`r`n" -NoNewline
+ }
+ foreach ($config in $getValue)
+ {
+ $displayedKey = $config.Id
+ if (-not [String]::IsNullOrEmpty($config.displayName))
+ {
+ $displayedKey = $config.displayName
+ }
+ elseif (-not [string]::IsNullOrEmpty($config.name))
+ {
+ $displayedKey = $config.name
+ }
+ Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline
+ $params = @{
+ Id = $config.Id
+ DisplayName = $config.Name
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificateThumbprint = $CertificateThumbprint
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ AccessTokens = $AccessTokens
+ }
+
+ $Results = Get-TargetResource @Params
+ $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
+ -Results $Results
+ if ($null -ne $Results.DeviceSettings)
+ {
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
+ -ComplexObject $Results.DeviceSettings `
+ -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint'
+ if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
+ {
+ $Results.DeviceSettings = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('DeviceSettings') | Out-Null
+ }
+ }
+ if ($null -ne $Results.UserSettings)
+ {
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
+ -ComplexObject $Results.UserSettings `
+ -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint'
+ if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
+ {
+ $Results.UserSettings = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('UserSettings') | Out-Null
+ }
+ }
+
+ if ($Results.Assignments)
+ {
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments
+ if ($complexTypeStringResult)
+ {
+ $Results.Assignments = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('Assignments') | Out-Null
+ }
+ }
+
+ $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
+ -ConnectionMode $ConnectionMode `
+ -ModulePath $PSScriptRoot `
+ -Results $Results `
+ -Credential $Credential
+ if ($Results.DeviceSettings)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "DeviceSettings" -IsCIMArray:$False
+ }
+ if ($Results.UserSettings)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "UserSettings" -IsCIMArray:$False
+ }
+
+ if ($Results.Assignments)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true
+ }
+
+ $dscContent += $currentDSCBlock
+ Save-M365DSCPartialExport -Content $currentDSCBlock `
+ -FileName $Global:PartialExportFileName
+ $i++
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ return $dscContent
+ }
+ catch
+ {
+ Write-Host $Global:M365DSCEmojiRedX
+
+ New-M365DSCLogEntry -Message 'Error during Export:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return ''
+ }
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/MSFT_IntuneSecurityBaselineDefenderForEndpoint.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/MSFT_IntuneSecurityBaselineDefenderForEndpoint.schema.mof
new file mode 100644
index 0000000000..fd92d48936
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/MSFT_IntuneSecurityBaselineDefenderForEndpoint.schema.mof
@@ -0,0 +1,166 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_DeviceManagementConfigurationPolicyAssignments
+{
+ [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType;
+ [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType;
+ [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId;
+ [Write, Description("The group Id that is the target of the assignment.")] String groupId;
+ [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName;
+ [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId;
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint
+{
+ [Write, Description("Prevent installation of devices using drivers that match these device setup classes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_Classes_Deny;
+ [Write, Description("Prevented Classes - Depends on DeviceInstall_Classes_Deny")] String DeviceInstall_Classes_Deny_List[];
+ [Write, Description("Also apply to matching devices that are already installed. - Depends on DeviceInstall_Classes_Deny (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_Classes_Deny_Retroactive;
+ [Write, Description("Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EncryptionMethodWithXts_Name;
+ [Write, Description("Select the encryption method for operating system drives: - Depends on EncryptionMethodWithXts_Name (3: AES-CBC 128-bit, 4: AES-CBC 256-bit, 6: XTS-AES 128-bit (default), 7: XTS-AES 256-bit)"), ValueMap{"3", "4", "6", "7"}, Values{"3", "4", "6", "7"}] String EncryptionMethodWithXtsOsDropDown_Name;
+ [Write, Description("Select the encryption method for fixed data drives: - Depends on EncryptionMethodWithXts_Name (3: AES-CBC 128-bit, 4: AES-CBC 256-bit, 6: XTS-AES 128-bit (default), 7: XTS-AES 256-bit)"), ValueMap{"3", "4", "6", "7"}, Values{"3", "4", "6", "7"}] String EncryptionMethodWithXtsFdvDropDown_Name;
+ [Write, Description("Select the encryption method for removable data drives: - Depends on EncryptionMethodWithXts_Name (3: AES-CBC 128-bit (default), 4: AES-CBC 256-bit, 6: XTS-AES 128-bit, 7: XTS-AES 256-bit)"), ValueMap{"3", "4", "6", "7"}, Values{"3", "4", "6", "7"}] String EncryptionMethodWithXtsRdvDropDown_Name;
+ [Write, Description("Choose how BitLocker-protected fixed drives can be recovered (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String FDVRecoveryUsage_Name;
+ [Write, Description("Save BitLocker recovery information to AD DS for fixed data drives - Depends on FDVRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String FDVActiveDirectoryBackup_Name;
+ [Write, Description("Omit recovery options from the BitLocker setup wizard - Depends on FDVRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String FDVHideRecoveryPage_Name;
+ [Write, Description("Configure user storage of BitLocker recovery information: - Depends on FDVRecoveryUsage_Name (2: Allow 48-digit recovery password, 1: Require 48-digit recovery password, 0: Do not allow 48-digit recovery password)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String FDVRecoveryPasswordUsageDropDown_Name;
+ [Write, Description("Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives - Depends on FDVRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String FDVRequireActiveDirectoryBackup_Name;
+ [Write, Description("Allow data recovery agent - Depends on FDVRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String FDVAllowDRA_Name;
+ [Write, Description("Configure storage of BitLocker recovery information to AD DS: - Depends on FDVRecoveryUsage_Name (1: Backup recovery passwords and key packages, 2: Backup recovery passwords only)"), ValueMap{"1", "2"}, Values{"1", "2"}] String FDVActiveDirectoryBackupDropDown_Name;
+ [Write, Description(" - Depends on FDVRecoveryUsage_Name (2: Allow 256-bit recovery key, 1: Require 256-bit recovery key, 0: Do not allow 256-bit recovery key)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String FDVRecoveryKeyUsageDropDown_Name;
+ [Write, Description("Deny write access to fixed drives not protected by BitLocker (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String FDVDenyWriteAccess_Name;
+ [Write, Description("Enforce drive encryption type on fixed data drives (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String FDVEncryptionType_Name;
+ [Write, Description("Select the encryption type: (Device) - Depends on FDVEncryptionType_Name (0: Allow user to choose (default), 1: Full encryption, 2: Used Space Only encryption)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String FDVEncryptionTypeDropDown_Name;
+ [Write, Description("Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnablePreBootPinExceptionOnDECapableDevice_Name;
+ [Write, Description("Allow enhanced PINs for startup (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnhancedPIN_Name;
+ [Write, Description("Choose how BitLocker-protected operating system drives can be recovered (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String OSRecoveryUsage_Name;
+ [Write, Description("Do not enable BitLocker until recovery information is stored to AD DS for operating system drives - Depends on OSRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String OSRequireActiveDirectoryBackup_Name;
+ [Write, Description("Save BitLocker recovery information to AD DS for operating system drives - Depends on OSRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String OSActiveDirectoryBackup_Name;
+ [Write, Description("Configure user storage of BitLocker recovery information: - Depends on OSRecoveryUsage_Name (2: Allow 48-digit recovery password, 1: Require 48-digit recovery password, 0: Do not allow 48-digit recovery password)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String OSRecoveryPasswordUsageDropDown_Name;
+ [Write, Description("Omit recovery options from the BitLocker setup wizard - Depends on OSRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String OSHideRecoveryPage_Name;
+ [Write, Description("Allow data recovery agent - Depends on OSRecoveryUsage_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String OSAllowDRA_Name;
+ [Write, Description(" - Depends on OSRecoveryUsage_Name (2: Allow 256-bit recovery key, 1: Require 256-bit recovery key, 0: Do not allow 256-bit recovery key)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String OSRecoveryKeyUsageDropDown_Name;
+ [Write, Description("Configure storage of BitLocker recovery information to AD DS: - Depends on OSRecoveryUsage_Name (1: Store recovery passwords and key packages, 2: Store recovery passwords only)"), ValueMap{"1", "2"}, Values{"1", "2"}] String OSActiveDirectoryBackupDropDown_Name;
+ [Write, Description("Enable use of BitLocker authentication requiring preboot keyboard input on slates (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnablePrebootInputProtectorsOnSlates_Name;
+ [Write, Description("Enforce drive encryption type on operating system drives (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String OSEncryptionType_Name;
+ [Write, Description("Select the encryption type: (Device) - Depends on OSEncryptionType_Name (0: Allow user to choose (default), 1: Full encryption, 2: Used Space Only encryption)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String OSEncryptionTypeDropDown_Name;
+ [Write, Description("Require additional authentication at startup (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ConfigureAdvancedStartup_Name;
+ [Write, Description("Configure TPM startup key: - Depends on ConfigureAdvancedStartup_Name (2: Allow startup key with TPM, 1: Require startup key with TPM, 0: Do not allow startup key with TPM)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String ConfigureTPMStartupKeyUsageDropDown_Name;
+ [Write, Description("Configure TPM startup key and PIN: - Depends on ConfigureAdvancedStartup_Name (2: Allow startup key and PIN with TPM, 1: Require startup key and PIN with TPM, 0: Do not allow startup key and PIN with TPM)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String ConfigureTPMPINKeyUsageDropDown_Name;
+ [Write, Description("Configure TPM startup: - Depends on ConfigureAdvancedStartup_Name (2: Allow TPM, 1: Require TPM, 0: Do not allow TPM)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String ConfigureTPMUsageDropDown_Name;
+ [Write, Description("Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) - Depends on ConfigureAdvancedStartup_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ConfigureNonTPMStartupKeyUsage_Name;
+ [Write, Description("Configure TPM startup PIN: - Depends on ConfigureAdvancedStartup_Name (2: Allow startup PIN with TPM, 1: Require startup PIN with TPM, 0: Do not allow startup PIN with TPM)"), ValueMap{"2", "1", "0"}, Values{"2", "1", "0"}] String ConfigurePINUsageDropDown_Name;
+ [Write, Description("Control use of BitLocker on removable drives (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RDVConfigureBDE;
+ [Write, Description("Allow users to apply BitLocker protection on removable data drives (Device) - Depends on RDVConfigureBDE (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RDVAllowBDE_Name;
+ [Write, Description("Enforce drive encryption type on removable data drives (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RDVEncryptionType_Name;
+ [Write, Description("Select the encryption type: (Device) (0: Allow user to choose (default), 1: Full encryption, 2: Used Space Only encryption)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String RDVEncryptionTypeDropDown_Name;
+ [Write, Description("Allow users to suspend and decrypt BitLocker protection on removable data drives (Device) - Depends on RDVConfigureBDE (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RDVDisableBDE_Name;
+ [Write, Description("Deny write access to removable drives not protected by BitLocker (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RDVDenyWriteAccess_Name;
+ [Write, Description("Do not allow write access to devices configured in another organization - Depends on RDVDenyWriteAccess_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RDVCrossOrg;
+ [Write, Description("Configure Windows Defender SmartScreen (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnableSmartScreen;
+ [Write, Description("Pick one of the following settings: (Device) - Depends on EnableSmartScreen (block: Warn and prevent bypass, warn: Warn)"), ValueMap{"block", "warn"}, Values{"block", "warn"}] String EnableSmartScreenDropdown;
+ [Write, Description("Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisableSafetyFilterOverrideForAppRepUnknown;
+ [Write, Description("Prevent managing SmartScreen Filter (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Disable_Managing_Safety_Filter_IE9;
+ [Write, Description("Select SmartScreen Filter mode - Depends on Disable_Managing_Safety_Filter_IE9 (0: Off, 1: On)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IE9SafetyFilterOptions;
+ [Write, Description("Allow Warning For Other Disk Encryption (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowWarningForOtherDiskEncryption;
+ [Write, Description("Allow Standard User Encryption - Depends on AllowWarningForOtherDiskEncryption (0: This is the default, when the policy is not set. If current logged on user is a standard user, 'RequireDeviceEncryption' policy will not try to enable encryption on any drive., 1: 'RequireDeviceEncryption' policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowStandardUserEncryption;
+ [Write, Description("Configure Recovery Password Rotation (0: Refresh off (default), 1: Refresh on for Azure AD-joined devices, 2: Refresh on for both Azure AD-joined and hybrid-joined devices)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String ConfigureRecoveryPasswordRotation;
+ [Write, Description("Require Device Encryption (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RequireDeviceEncryption;
+ [Write, Description("Allow Archive Scanning (0: Not allowed. Turns off scanning on archived files., 1: Allowed. Scans the archive files.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowArchiveScanning;
+ [Write, Description("Allow Behavior Monitoring (0: Not allowed. Turns off behavior monitoring., 1: Allowed. Turns on real-time behavior monitoring.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowBehaviorMonitoring;
+ [Write, Description("Allow Cloud Protection (0: Not allowed. Turns off the Microsoft Active Protection Service., 1: Allowed. Turns on the Microsoft Active Protection Service.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowCloudProtection;
+ [Write, Description("Allow Email Scanning (0: Not allowed. Turns off email scanning., 1: Allowed. Turns on email scanning.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowEmailScanning;
+ [Write, Description("Allow Full Scan Removable Drive Scanning (0: Not allowed. Turns off scanning on removable drives., 1: Allowed. Scans removable drives.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowFullScanRemovableDriveScanning;
+ [Write, Description("Allow On Access Protection (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowOnAccessProtection;
+ [Write, Description("Allow Realtime Monitoring (0: Not allowed. Turns off the real-time monitoring service., 1: Allowed. Turns on and runs the real-time monitoring service.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowRealtimeMonitoring;
+ [Write, Description("Allow Scanning Network Files (0: Not allowed. Turns off scanning of network files., 1: Allowed. Scans network files.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowScanningNetworkFiles;
+ [Write, Description("Allow scanning of all downloaded files and attachments (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowIOAVProtection;
+ [Write, Description("Allow Script Scanning (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowScriptScanning;
+ [Write, Description("Allow User UI Access (0: Not allowed. Prevents users from accessing UI., 1: Allowed. Lets users access UI.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowUserUIAccess;
+ [Write, Description("Block execution of potentially obfuscated scripts - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutionOfPotentiallyObfuscatedScripts;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions[];
+ [Write, Description("Block Win32 API calls from Office macros - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockWin32APICallsFromOfficeMacros;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions[];
+ [Write, Description("Block executable files from running unless they meet a prevalence, age, or trusted list criterion - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions[];
+ [Write, Description("Block Office communication application from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeCommunicationAppFromCreatingChildProcesses;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions[];
+ [Write, Description("Block all Office applications from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAllOfficeApplicationsFromCreatingChildProcesses;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions[];
+ [Write, Description("Block Adobe Reader from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAdobeReaderFromCreatingChildProcesses;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions[];
+ [Write, Description("Block credential stealing from the Windows local security authority subsystem - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions[];
+ [Write, Description("Block JavaScript or VBScript from launching downloaded executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions[];
+ [Write, Description("Block Webshell creation for Servers - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockWebshellCreationForServers;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockWebshellCreationForServers_ASROnlyPerRuleExclusions[];
+ [Write, Description("Block untrusted and unsigned processes that run from USB - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockUntrustedUnsignedProcessesThatRunFromUSB;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions[];
+ [Write, Description("Block persistence through WMI event subscription - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockPersistenceThroughWMIEventSubscription;
+ [Write, Description("[PREVIEW] Block use of copied or impersonated system tools - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockUseOfCopiedOrImpersonatedSystemTools;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions[];
+ [Write, Description("Block abuse of exploited vulnerable signed drivers (Device) - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAbuseOfExploitedVulnerableSignedDrivers;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions[];
+ [Write, Description("Block process creations originating from PSExec and WMI commands - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockProcessCreationsFromPSExecAndWMICommands;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions[];
+ [Write, Description("Block Office applications from creating executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeApplicationsFromCreatingExecutableContent;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions[];
+ [Write, Description("Block Office applications from injecting code into other processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions[];
+ [Write, Description("[PREVIEW] Block rebooting machine in Safe Mode - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockRebootingMachineInSafeMode;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions[];
+ [Write, Description("Use advanced protection against ransomware - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String UseAdvancedProtectionAgainstRansomware;
+ [Write, Description("ASR Only Per Rule Exclusions")] String UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions[];
+ [Write, Description("Block executable content from email client and webmail - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutableContentFromEmailClientAndWebmail;
+ [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions[];
+ [Write, Description("Check For Signatures Before Running Scan (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String CheckForSignaturesBeforeRunningScan;
+ [Write, Description("Cloud Block Level (0: NotConfigured, 2: High, 4: HighPlus, 6: ZeroTolerance)"), ValueMap{"0", "2", "4", "6"}, Values{"0", "2", "4", "6"}] String CloudBlockLevel;
+ [Write, Description("Cloud Extended Timeout")] SInt32 CloudExtendedTimeout;
+ [Write, Description("Disable Local Admin Merge (0: Enable Local Admin Merge, 1: Disable Local Admin Merge)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisableLocalAdminMerge;
+ [Write, Description("Enable Network Protection (0: Disabled, 1: Enabled (block mode), 2: Enabled (audit mode))"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String EnableNetworkProtection;
+ [Write, Description("Hide Exclusions From Local Admins (1: If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell., 0: If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell.)"), ValueMap{"1", "0"}, Values{"1", "0"}] String HideExclusionsFromLocalAdmins;
+ [Write, Description("Hide Exclusions From Local Users (1: If you enable this setting, local users will no longer be able to see the exclusion list in Windows Security App or via PowerShell., 0: If you disable or do not configure this setting, local users will be able to see exclusions in the Windows Security App and via PowerShell.)"), ValueMap{"1", "0"}, Values{"1", "0"}] String HideExclusionsFromLocalUsers;
+ [Write, Description("Oobe Enable Rtp And Sig Update (1: If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE., 0: If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled.)"), ValueMap{"1", "0"}, Values{"1", "0"}] String OobeEnableRtpAndSigUpdate;
+ [Write, Description("PUA Protection (0: PUA Protection off. Windows Defender will not protect against potentially unwanted applications., 1: PUA Protection on. Detected items are blocked. They will show in history along with other threats., 2: Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String PUAProtection;
+ [Write, Description("Real Time Scan Direction (0: Monitor all files (bi-directional)., 1: Monitor incoming files., 2: Monitor outgoing files.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String RealTimeScanDirection;
+ [Write, Description("Scan Parameter (1: Quick scan, 2: Full scan)"), ValueMap{"1", "2"}, Values{"1", "2"}] String ScanParameter;
+ [Write, Description("Schedule Quick Scan Time")] SInt32 ScheduleQuickScanTime;
+ [Write, Description("Schedule Scan Day (0: Every day, 1: Sunday, 2: Monday, 3: Tuesday, 4: Wednesday, 5: Thursday, 6: Friday, 7: Saturday, 8: No scheduled scan)"), ValueMap{"0", "1", "2", "3", "4", "5", "6", "7", "8"}, Values{"0", "1", "2", "3", "4", "5", "6", "7", "8"}] String ScheduleScanDay;
+ [Write, Description("Schedule Scan Time")] SInt32 ScheduleScanTime;
+ [Write, Description("Signature Update Interval")] SInt32 SignatureUpdateInterval;
+ [Write, Description("Submit Samples Consent (0: Always prompt., 1: Send safe samples automatically., 2: Never send., 3: Send all samples automatically.)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String SubmitSamplesConsent;
+ [Write, Description("Credential Guard (0: (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock., 1: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock., 2: (Enabled without lock) Turns on Credential Guard without UEFI lock.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String LsaCfgFlags;
+ [Write, Description("Device Enumeration Policy (0: Block all (Most restrictive), 1: Only after log in/screen unlock, 2: Allow all (Least restrictive))"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String DeviceEnumerationPolicy;
+ [Write, Description("Configure Microsoft Defender SmartScreen (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SmartScreenEnabled;
+ [Write, Description("Configure Microsoft Defender SmartScreen to block potentially unwanted apps (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SmartScreenPuaEnabled;
+ [Write, Description("Enable Microsoft Defender SmartScreen DNS requests (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SmartScreenDnsRequestsEnabled;
+ [Write, Description("Enable new SmartScreen library (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NewSmartScreenLibraryEnabled;
+ [Write, Description("Force Microsoft Defender SmartScreen checks on downloads from trusted sources (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SmartScreenForTrustedDownloadsEnabled;
+ [Write, Description("Prevent bypassing Microsoft Defender SmartScreen prompts for sites (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String PreventSmartScreenPromptOverride;
+ [Write, Description("Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String PreventSmartScreenPromptOverrideForFiles;
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint
+{
+ [Write, Description("Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisableSafetyFilterOverrideForAppRepUnknown;
+};
+[ClassVersion("1.0.0.0"), FriendlyName("IntuneSecurityBaselineDefenderForEndpoint")]
+class MSFT_IntuneSecurityBaselineDefenderForEndpoint : OMI_BaseResource
+{
+ [Write, Description("Policy description")] String Description;
+ [Key, Description("Policy name")] String DisplayName;
+ [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[];
+ [Write, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Write, Description("Scope for Device Setting"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint")] String DeviceSettings;
+ [Write, Description("Scope for Device Setting"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint")] String UserSettings;
+ [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[];
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/readme.md
new file mode 100644
index 0000000000..e80ebe6568
--- /dev/null
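Review bot: `UserSettings` in `MSFT_IntuneSecurityBaselineDefenderForEndpoint` carries the description `"Scope for Device Setting"`, copied from `DeviceSettings` on the line above it; it should read `Description("Scope for User Setting")`. In the same class `Id` is declared `[Write]` while its description says `Read-only.`, and `ApplicationSecret` is described as the secret "of the Azure Active Directory tenant" although it pairs with `ApplicationId`, so `Description("Secret of the Azure Active Directory application used for authentication.")` is presumably what was meant. `FDVRecoveryKeyUsageDropDown_Name` and `OSRecoveryKeyUsageDropDown_Name` have descriptions that start with ` - Depends on ...` and never name the setting they configure. `AccessTokens` is a plain `String` array, unlike `ApplicationSecret`, which uses `EmbeddedInstance("MSFT_Credential")`, so its description should say that a token supplied here is presumably written to the compiled configuration as clear text.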
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/readme.md
@@ -0,0 +1,6 @@
+
+# IntuneSecurityBaselineDefenderForEndpoint
+
+## Description
+
+Intune Security Baseline Defender For Endpoint
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/settings.json
new file mode 100644
index 0000000000..4e92507acb
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/settings.json
@@ -0,0 +1,33 @@
+{
+ "resourceName": "IntuneSecurityBaselineDefenderForEndpoint",
+ "description": "This resource configures an Test Intune Security Baseline Defender For Endpoint.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ }
+ }
+}
+
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.psm1
index 9958ba28ca..f338ec2e99 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.psm1
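Review bot: The new `MSFT_IntuneSecurityBaselineDefenderForEndpoint/settings.json` lists only `DeviceManagementConfiguration.Read.All` and `DeviceManagementConfiguration.ReadWrite.All`, while later hunks of this same diff add `Group.Read.All` to the `read` and `update` lists of the sibling `MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise` and `MSFT_IntuneSecurityBaselineMicrosoftEdge` manifests. This resource's schema also exposes `Assignments` with `groupId` and `groupDisplayName`, so it presumably performs the same group lookup; if so, add `{ "name": "Group.Read.All" }` to all four lists here, otherwise an app registration consented from this manifest would lack a permission the resource uses. The `description` still reads `This resource configures an Test Intune Security Baseline Defender For Endpoint.`, where `an Test` looks like template residue.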
@@ -888,11 +888,11 @@ function Test-TargetResource { $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` - -Target ($target) -Verbose + -Target ($target) if (-not $testResult) { - Write-Verbose "$key is different" -Verbose + Write-Verbose "$key is different" break } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json index 4bda1f09ca..0906af650b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json index 67b62b373e..25e6e71739 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json @@ -5,11 +5,17 @@ "graph": { "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
@@ -17,11 +23,17 @@ }, "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 index 77dbef87f1..17448c34a4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 @@ -241,7 +241,7 @@ function Get-TargetResource try { Write-Verbose -Message "Checking for the Intune Endpoint Protection Attack Surface Protection rules Policy {$DisplayName}" - + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters ` -ErrorAction Stop @@ -1084,7 +1084,7 @@ function Export-TargetResource $Results.Remove('Assignments') | Out-Null } } - + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` @@ -1126,4 +1126,4 @@ function Export-TargetResource } } -Export-ModuleMember -Function *-TargetResource \ No newline at end of file +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/settings.json index b13be8da58..8545fd14cb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 index 1f639783f1..0893638321 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 @@ -111,6 +111,7 @@ function Get-TargetResource { $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` -Filter "Name eq '$Name' and Platforms eq 'windows10' and Technologies eq 'mdm' and TemplateReference/TemplateFamily eq 'none'" ` + -All ` -ErrorAction SilentlyContinue if ($getValue.Count -gt 1) @@ -929,7 +930,7 @@ function Update-IntuneDeviceConfigurationPolicy ) try { - $Uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$DeviceManagementConfigurationPolicyId" + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/configurationPolicies/$DeviceManagementConfigurationPolicyId" $policy = @{ 'name' = $Name 
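Review bot: The new `$Uri` in the `@@ -929` hunk is built by plain string concatenation, so it is only well-formed if `MicrosoftGraph.ResourceUrl` ends in `/`, and the request goes to whatever host that global holds at call time. Nothing in the hunk normalises or checks the value, and a null or slash-less value would produce a malformed or relative URI rather than a clear error. Normalising the join makes the dependency explicit: `$Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl.TrimEnd('/') + "/beta/deviceManagement/configurationPolicies/$DeviceManagementConfigurationPolicyId"`. The body of Update-IntuneDeviceConfigurationPolicy continues outside the hunk, so how `$Uri` is consumed is not visible here.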
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/settings.json index dcbdf86350..c29e518ded 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/settings.json index 29a31d1028..d97cec5ff2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/settings.json index 18c0618cda..73fbade06c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/settings.json index 4267d74c45..3418a6b113 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
@@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/settings.json index 74ae1c2be6..d9b467444e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/settings.json index 9b9968c82c..5584392a17 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
@@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/settings.json index e229470448..f4bc5e9e20 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/settings.json index e2103fd3aa..f83e95e9c8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } 
@@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/settings.json index c7365f3655..2ba6389c60 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/settings.json index 47581b03eb..c742e7a27c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.ReadWrite.All" } 
@@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/settings.json index 4139c67ca6..b6286b0fe9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementServiceConfig.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/settings.json index 6becde2ab8..46a9440921 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/settings.json 
@@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementApps.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/settings.json index ceffeec248..57c4bcc23a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/settings.json index ba73714015..40740285ca 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/settings.json 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10/settings.json index 26b6907b55..836f8affe2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10/settings.json @@ -5,11 +5,17 @@ "graph":{ "delegated":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application":{ "read":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.Read.All" } ], "update":[ + { + "name": "Group.Read.All" + }, { "name":"DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/settings.json index 918161498c..5eeb656602 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/settings.json @@ -5,11 +5,17 @@ "graph": { "delegated": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } @@ -17,11 +23,17 @@ }, "application": { "read": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.Read.All" } ], "update": [ + { + "name": "Group.Read.All" + }, { "name": "DeviceManagementConfiguration.ReadWrite.All" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 index bc0a6c9558..8ada1a8d24 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1 @@ -6,7 +6,7 @@ function Get-TargetResource ( [Parameter(Mandatory = $true)] [System.String] - $ResourceName, + $ResourceTypeName, [Parameter(Mandatory = $true)] [System.String] @@ -54,7 +54,7 @@ function Set-TargetResource ( [Parameter(Mandatory = $true)] [System.String] - $ResourceName, + $ResourceTypeName, [Parameter(Mandatory = $true)] [System.String] @@ -103,7 +103,7 @@ function Test-TargetResource ( [Parameter(Mandatory = $true)] [System.String] - $ResourceName, + $ResourceTypeName, [Parameter(Mandatory = $true)] [System.String] 
@@ -153,7 +153,7 @@ function Test-TargetResource Write-Verbose -Message 'Testing configuration of AzureAD Tenant Details' $Global:PartialExportFileName = "$((New-Guid).ToString()).partial" - $module = Join-Path -Path $PSScriptRoot -ChildPath "..\MSFT_$ResourceName\MSFT_$ResourceName.psm1" -Resolve + $module = Join-Path -Path $PSScriptRoot -ChildPath "..\MSFT_$ResourceTypeName\MSFT_$ResourceTypeName.psm1" -Resolve if ($null -ne $module) { $params = @{ @@ -172,7 +172,7 @@ function Test-TargetResource Write-Verbose -Message "Importing module from Path {$($module)}" Import-Module $module -Force -Function 'Export-TargetResource' | Out-Null - $cmdName = "MSFT_$ResourceName\Export-TargetResource" + $cmdName = "MSFT_$ResourceTypeName\Export-TargetResource" [Array]$instances = &$cmdName @params @@ -220,7 +220,7 @@ function Test-TargetResource $message = [System.Text.StringBuilder]::New() [void]$message.AppendLine("") - [void]$message.AppendLine(" $ResourceName") + [void]$message.AppendLine(" $ResourceTypeName") [void]$message.AppendLine(" $RuleDefinition") if ($instances.Length -eq 0) @@ -252,7 +252,7 @@ function Test-TargetResource [void]$message.AppendLine(" ") foreach ($validInstance in $validInstances) { - [void]$message.AppendLine(" [$ResourceName]$validInstance") + [void]$message.AppendLine(" [$ResourceTypeName]$validInstance") } [void]$message.AppendLine(" ") } @@ -268,7 +268,7 @@ function Test-TargetResource [void]$message.AppendLine(" ") foreach ($validInstance in $validInstances) { - [void]$message.AppendLine(" [$ResourceName]$validInstance") + [void]$message.AppendLine(" [$ResourceTypeName]$validInstance") } [void]$message.AppendLine(" ") } @@ -295,7 +295,7 @@ function Test-TargetResource [void]$message.AppendLine(" ") foreach ($validInstance in $validInstances) { - [void]$message.AppendLine(" [$ResourceName]$validInstance") + [void]$message.AppendLine(" [$ResourceTypeName]$validInstance") } [void]$message.AppendLine(" ") } 
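Review bot: `$ResourceTypeName` goes unvalidated into the `Join-Path ... -Resolve` child path in the `@@ -153` hunk and into the command name invoked with `&$cmdName` in the `@@ -172` hunk, while every parameter block in this commit declares it as a plain mandatory `[System.String]`. A value containing path separators or `..` would therefore decide which module file is imported and run. Since the commit already touches each declaration, the constraint could be added there, e.g. `[ValidatePattern('^[A-Za-z0-9]+$')]` above `$ResourceTypeName`, assuming resource type names are purely alphanumeric. Test-TargetResource starts and ends outside these hunks, so an existing check elsewhere cannot be ruled out.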
@@ -312,7 +312,7 @@ function Test-TargetResource [void]$message.AppendLine(" ") foreach ($invalidInstance in $invalidInstances) { - [void]$message.AppendLine(" [$ResourceName]$invalidInstance") + [void]$message.AppendLine(" [$ResourceTypeName]$invalidInstance") } [void]$message.AppendLine(" ") } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.schema.mof index 81a1efa3dd..19304c8624 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.schema.mof @@ -1,7 +1,7 @@ [ClassVersion("1.0.0.0"), FriendlyName("M365DSCRuleEvaluation")] class MSFT_M365DSCRuleEvaluation : OMI_BaseResource { - [Key, Description("Name of the resource to monitor")] String ResourceName; + [Key, Description("Name of the resource to monitor")] String ResourceTypeName; [Required, Description("Specify the rules to monitor the resource for.")] String RuleDefinition; [Write, Description("Query to check how many instances exist, using PowerShell format")] String AfterRuleCountQuery; [Write, Description("Credentials of the Azure Active Directory Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.psm1 index 08d53e6512..0911739aed 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.psm1 
@@ -192,7 +192,8 @@ function Get-TargetResource OneDriveForGuestsEnabled = $tenant.OneDriveForGuestsEnabled ODBAccessRequests = $tenant.ODBAccessRequests ODBMembersCanShare = $ODBMembersCanShareValue - NotifyOwnersWhenInvitationsAccepted = $tenant.NotifyOwnersWhenInvitationsAccepted + #DEPRECATED + #NotifyOwnersWhenInvitationsAccepted = $tenant.NotifyOwnersWhenInvitationsAccepted NotificationsInOneDriveForBusinessEnabled = $tenant.NotificationsInOneDriveForBusinessEnabled Ensure = 'Present' ApplicationId = $ApplicationId @@ -239,6 +240,7 @@ function Set-TargetResource [System.Boolean] $OneDriveForGuestsEnabled, + # DEPRECATED [Parameter()] [System.Boolean] $NotifyOwnersWhenInvitationsAccepted, @@ -584,7 +586,6 @@ function Test-TargetResource 'OneDriveForGuestsEnabled', ` 'ODBAccessRequests', ` 'ODBMembersCanShare', ` - 'NotifyOwnersWhenInvitationsAccepted', ` 'NotificationsInOneDriveForBusinessEnabled', 'Ensure') diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.schema.mof index 8480f15bbe..2d62f99630 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.schema.mof 
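Review bot: After the `@@ -584` hunk, `NotifyOwnersWhenInvitationsAccepted` is gone from what appears to be the list of properties Test-TargetResource compares, yet the `@@ -239` hunk keeps it as an accepted Set-TargetResource parameter with only a `# DEPRECATED` comment. A configuration that still sets it will be reported as in the desired state with no indication that the value is ignored. Consider warning when it is bound, e.g. `if ($PSBoundParameters.ContainsKey('NotifyOwnersWhenInvitationsAccepted')) { Write-Warning -Message 'NotifyOwnersWhenInvitationsAccepted is deprecated and is ignored.' }`, and deleting the commented-out assignment in the `@@ -192` hunk rather than leaving it in place. The function bodies lie outside the hunks, so an existing warning cannot be ruled out.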
@@ -5,7 +5,7 @@ class MSFT_ODSettings : OMI_BaseResource [Write, Description("The resource quota to apply to the OneDrive sites")] uint32 OneDriveStorageQuota; [Write, Description("Number of days after a user's account is deleted that their OneDrive for Business content will be deleted.")] uint32 OrphanedPersonalSitesRetentionPeriod; [Write, Description("Enable guest acess for OneDrive")] Boolean OneDriveForGuestsEnabled; - [Write, Description("When true and when an external user accepts an invitation to a resource in a user’s OneDrive for Business owner is notified by e-mail")] Boolean NotifyOwnersWhenInvitationsAccepted; + [Write, Description("DEPRECATED")] Boolean NotifyOwnersWhenInvitationsAccepted; [Write, Description("Turn notifications on/off OneDrive")] Boolean NotificationsInOneDriveForBusinessEnabled; [Write, Description("Lets administrators set policy on re-sharing behavior in OneDrive for Business"),ValueMap{"On","Off","Unspecified"},Values{"On","Off","Unspecified"}] String ODBMembersCanShare; [Write, Description("Lets administrators set policy on access requests and requests to share in OneDrive for Business"),ValueMap{"On","Off","Unspecified"},Values{"On","Off","Unspecified"}] String ODBAccessRequests; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppsEnvironment/MSFT_PPPowerAppsEnvironment.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppsEnvironment/MSFT_PPPowerAppsEnvironment.psm1 index aa41be362f..c13ca03929 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppsEnvironment/MSFT_PPPowerAppsEnvironment.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppsEnvironment/MSFT_PPPowerAppsEnvironment.psm1 
@@ -17,6 +17,20 @@ function Get-TargetResource [ValidateSet('Production', 'Trial', 'Sandbox', 'SubscriptionBasedTrial', 'Teams', 'Developer')] $EnvironmentSKU, + [Parameter()] + [Switch] + $ProvisionDatabase, + + [Parameter()] + [System.String] + [ValidateSet("1033","1025","1069","1026","1027","3076","2052","1028","1050","1029","1030","1043","1061","1035","1036","1110","1031","1032","1037","1081","1038","1040","1041","1087","1042","1062","1063","1044","1045","1046","2070","1048","1049","2074","1051","1060","3082","1053","1054","1055","1058","1066","3098","1086","1057")] + $LanguageName, + + [Parameter()] + [System.String] + [ValidateSet("KZT","ZAR","ETB","AED","BHD","DZD","EGP","IQD","JOD","KWD","LBP","LYD","MAD","OMR","QAR","SAR","SYP","TND","YER","CLP","INR","AZN","RUB","BYN","BGN","NGN","BDT","CNY","EUR","BAM","USD","CZK","GBP","DKK","CHF","MVR","BTN","XCD","AUD","BZD","CAD","HKD","IDR","JMD","MYR","NZD","PHP","SGD","TTD","XDR","ARS","BOB","COP","CRC","CUP","DOP","GTQ","HNL","MXN","NIO","PAB","PEN","PYG","UYU","VES","IRR","XOF","CDF","XAF","HTG","ILS","HUF","AMD","ISK","JPY","GEL","KHR","KRW","KGS","LAK","MKD","MNT","BND","MMK","NOK","NPR","PKR","PLN","AFN","BRL","MDL","RON","RWF","SEK","LKR","SOS","ALL","RSD","KES","TJS","THB","ERN","TMT","BWP","TRY","UAH","UZS","VND","MOP","TWD")] + $CurrencyName, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] 
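Review bot: `$ProvisionDatabase` is declared as `[Switch]` here and again in the Set-TargetResource and Test-TargetResource hunks (`@@ -120` and `@@ -215`), whereas MOF-based DSC resources normally declare flags as `[System.Boolean]` so the parameter type matches the schema's `Boolean`. The schema.mof change is not visible from here, so this needs checking against it. If it declares `Boolean ProvisionDatabase`, use `[System.Boolean]` in all three param blocks. The param blocks begin and end outside the hunks.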
@@ -120,6 +134,20 @@ function Set-TargetResource [ValidateSet('Production', 'Trial', 'Sandbox', 'SubscriptionBasedTrial', 'Teams', 'Developer')] $EnvironmentSKU, + [Parameter()] + [Switch] + $ProvisionDatabase, + + [Parameter()] + [System.String] + [ValidateSet("1033","1025","1069","1026","1027","3076","2052","1028","1050","1029","1030","1043","1061","1035","1036","1110","1031","1032","1037","1081","1038","1040","1041","1087","1042","1062","1063","1044","1045","1046","2070","1048","1049","2074","1051","1060","3082","1053","1054","1055","1058","1066","3098","1086","1057")] + $LanguageName, + + [Parameter()] + [System.String] + [ValidateSet("KZT","ZAR","ETB","AED","BHD","DZD","EGP","IQD","JOD","KWD","LBP","LYD","MAD","OMR","QAR","SAR","SYP","TND","YER","CLP","INR","AZN","RUB","BYN","BGN","NGN","BDT","CNY","EUR","BAM","USD","CZK","GBP","DKK","CHF","MVR","BTN","XCD","AUD","BZD","CAD","HKD","IDR","JMD","MYR","NZD","PHP","SGD","TTD","XDR","ARS","BOB","COP","CRC","CUP","DOP","GTQ","HNL","MXN","NIO","PAB","PEN","PYG","UYU","VES","IRR","XOF","CDF","XAF","HTG","ILS","HUF","AMD","ISK","JPY","GEL","KHR","KRW","KGS","LAK","MKD","MNT","BND","MMK","NOK","NPR","PKR","PLN","AFN","BRL","MDL","RON","RWF","SEK","LKR","SOS","ALL","RSD","KES","TJS","THB","ERN","TMT","BWP","TRY","UAH","UZS","VND","MOP","TWD")] + $CurrencyName, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] 
@@ -215,6 +243,20 @@ function Test-TargetResource [ValidateSet('Production', 'Trial', 'Sandbox', 'SubscriptionBasedTrial', 'Teams', 'Developer')] $EnvironmentSKU, + [Parameter()] + [Switch] + $ProvisionDatabase, + + [Parameter()] + [System.String] + [ValidateSet("1033","1025","1069","1026","1027","3076","2052","1028","1050","1029","1030","1043","1061","1035","1036","1110","1031","1032","1037","1081","1038","1040","1041","1087","1042","1062","1063","1044","1045","1046","2070","1048","1049","2074","1051","1060","3082","1053","1054","1055","1058","1066","3098","1086","1057")] + $LanguageName, + + [Parameter()] + [System.String] + [ValidateSet("KZT","ZAR","ETB","AED","BHD","DZD","EGP","IQD","JOD","KWD","LBP","LYD","MAD","OMR","QAR","SAR","SYP","TND","YER","CLP","INR","AZN","RUB","BYN","BGN","NGN","BDT","CNY","EUR","BAM","USD","CZK","GBP","DKK","CHF","MVR","BTN","XCD","AUD","BZD","CAD","HKD","IDR","JMD","MYR","NZD","PHP","SGD","TTD","XDR","ARS","BOB","COP","CRC","CUP","DOP","GTQ","HNL","MXN","NIO","PAB","PEN","PYG","UYU","VES","IRR","XOF","CDF","XAF","HTG","ILS","HUF","AMD","ISK","JPY","GEL","KHR","KRW","KGS","LAK","MKD","MNT","BND","MMK","NOK","NPR","PKR","PLN","AFN","BRL","MDL","RON","RWF","SEK","LKR","SOS","ALL","RSD","KES","TJS","THB","ERN","TMT","BWP","TRY","UAH","UZS","VND","MOP","TWD")] + $CurrencyName, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] @@ -260,6 +302,10 @@ function Test-TargetResource $ValuesToCheck = $PSBoundParameters $ValuesToCheck.Remove('Credential') | Out-Null + $ValuesToCheck.Remove('ProvisionDatabase') | Out-Null + $ValuesToCheck.Remove('LanguageName') | Out-Null + $ValuesToCheck.Remove('CurrencyName') | Out-Null + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` 
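Review bot: In the second hunk, the three added `Remove` calls drop `ProvisionDatabase`, `LanguageName` and `CurrencyName` from the comparison without saying why, so a reader cannot tell whether skipping drift detection for them is intended. Because `$ValuesToCheck = $PSBoundParameters` assigns a reference, the removals also strip those keys from the `$PSBoundParameters` passed as `-DesiredValues`. If the intent is that these are creation-time settings, a comment such as `# Creation-time only: not compared against the existing environment` would record the decision. Test-TargetResource continues outside the hunk.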
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppsEnvironment/MSFT_PPPowerAppsEnvironment.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppsEnvironment/MSFT_PPPowerAppsEnvironment.schema.mof index 05ba221555..25942e0588 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppsEnvironment/MSFT_PPPowerAppsEnvironment.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppsEnvironment/MSFT_PPPowerAppsEnvironment.schema.mof 
@@ -4,6 +4,9 @@ class MSFT_PPPowerAppsEnvironment : OMI_BaseResource [Key, Description("Display name for the PowerApps environment")] String DisplayName; [Required, Description("Location of the PowerApps environment."), ValueMap{"canada","unitedstates","europe","asia","australia","india","japan","unitedkingdom","unitedstatesfirstrelease","southamerica","france","usgov","unitedarabemirates","germany","switzerland","norway","korea","southafrica"}, Values{"canada","unitedstates","europe","asia","australia","india","japan","unitedkingdom","unitedstatesfirstrelease","southamerica","france","usgov","unitedarabemirates","germany","switzerland","norway","korea","southafrica"}] string Location; [Required, Description("Environment type."), ValueMap{"Production","Standard","Trial","Sandbox","SubscriptionBasedTrial", "Teams", "Developer"}, Values{"Production","Standard","Trial","Sandbox","SubscriptionBasedTrial", "Teams", "Developer"}] String EnvironmentSKU; + [Write, Description("The switch to provision a Dataverse database when creating the environment. 
If set, LanguageName and CurrencyName are mandatory to pass as arguments.")] Boolean ProvisionDatabase; + [Write, Description("The default languages for the database, use Get-AdminPowerAppCdsDatabaseLanguages to get the support values."), ValueMap{"1033","1025","1069","1026","1027","3076","2052","1028","1050","1029","1030","1043","1061","1035","1036","1110","1031","1032","1037","1081","1038","1040","1041","1087","1042","1062","1063","1044","1045","1046","2070","1048","1049","2074","1051","1060","3082","1053","1054","1055","1058","1066","3098","1086","1057"}, Values{"1033","1025","1069","1026","1027","3076","2052","1028","1050","1029","1030","1043","1061","1035","1036","1110","1031","1032","1037","1081","1038","1040","1041","1087","1042","1062","1063","1044","1045","1046","2070","1048","1049","2074","1051","1060","3082","1053","1054","1055","1058","1066","3098","1086","1057"}] String LanguageName; + [Write, Description("The default currency for the database, use Get-AdminPowerAppCdsDatabaseCurrencies to get the supported values."), ValueMap{"KZT","ZAR","ETB","AED","BHD","DZD","EGP","IQD","JOD","KWD","LBP","LYD","MAD","OMR","QAR","SAR","SYP","TND","YER","CLP","INR","AZN","RUB","BYN","BGN","NGN","BDT","CNY","EUR","BAM","USD","CZK","GBP","DKK","CHF","MVR","BTN","XCD","AUD","BZD","CAD","HKD","IDR","JMD","MYR","NZD","PHP","SGD","TTD","XDR","ARS","BOB","COP","CRC","CUP","DOP","GTQ","HNL","MXN","NIO","PAB","PEN","PYG","UYU","VES","IRR","XOF","CDF","XAF","HTG","ILS","HUF","AMD","ISK","JPY","GEL","KHR","KRW","KGS","LAK","MKD","MNT","BND","MMK","NOK","NPR","PKR","PLN","AFN","BRL","MDL","RON","RWF","SEK","LKR","SOS","ALL","RSD","KES","TJS","THB","ERN","TMT","BWP","TRY","UAH","UZS","VND","MOP","TWD"}, 
Values{"KZT","ZAR","ETB","AED","BHD","DZD","EGP","IQD","JOD","KWD","LBP","LYD","MAD","OMR","QAR","SAR","SYP","TND","YER","CLP","INR","AZN","RUB","BYN","BGN","NGN","BDT","CNY","EUR","BAM","USD","CZK","GBP","DKK","CHF","MVR","BTN","XCD","AUD","BZD","CAD","HKD","IDR","JMD","MYR","NZD","PHP","SGD","TTD","XDR","ARS","BOB","COP","CRC","CUP","DOP","GTQ","HNL","MXN","NIO","PAB","PEN","PYG","UYU","VES","IRR","XOF","CDF","XAF","HTG","ILS","HUF","AMD","ISK","JPY","GEL","KHR","KRW","KGS","LAK","MKD","MNT","BND","MMK","NOK","NPR","PKR","PLN","AFN","BRL","MDL","RON","RWF","SEK","LKR","SOS","ALL","RSD","KES","TJS","THB","ERN","TMT","BWP","TRY","UAH","UZS","VND","MOP","TWD"}] String CurrencyName; [Write, Description("Only accepted value is 'Present'."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Credentials of the Power Platform Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; @@ -11,3 +14,5 @@ class MSFT_PPPowerAppsEnvironment : OMI_BaseResource [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; }; + + diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPTenantSettings/MSFT_PPTenantSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_PPTenantSettings/MSFT_PPTenantSettings.psm1 index 5c789791f6..dcfb571714 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_PPTenantSettings/MSFT_PPTenantSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPTenantSettings/MSFT_PPTenantSettings.psm1 
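Review bot: The `ProvisionDatabase` description says LanguageName and CurrencyName are mandatory when it is set, but both are declared `[Write]` and none of the visible hunks for this resource checks that they were supplied. The Set-TargetResource body is outside the visible hunks, so this may already be handled there. If it is not, a guard such as `if ($ProvisionDatabase -and (-not $LanguageName -or -not $CurrencyName)) { throw 'LanguageName and CurrencyName are required when ProvisionDatabase is set.' }` would fail early with a clear message. The descriptions also point to `Get-AdminPowerAppCdsDatabaseLanguages` and `Get-AdminPowerAppCdsDatabaseCurrencies` for the supported values, while the `ValueMap`/`Values` lists here and the `ValidateSet` attributes in the .psm1 freeze one snapshot in four places that must be kept in sync. "support values" in the LanguageName description should read "supported values".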
@@ -69,6 +69,142 @@ function Get-TargetResource [System.UInt32] $ShareWithColleaguesUserLimit, + [Parameter()] + [System.Boolean] + $DisableCopilotFeedback, + + [Parameter()] + [System.Boolean] + $DisableMakerMatch, + + [Parameter()] + [System.Boolean] + $DisableUnusedLicenseAssignment, + + [Parameter()] + [System.Boolean] + $DisableCreateFromImage, + + [Parameter()] + [System.Boolean] + $DisableConnectionSharingWithEveryone, + + [Parameter()] + [System.Boolean] + $AllowNewOrgChannelDefault, + + [Parameter()] + [System.Boolean] + $DisableCopilot, + + [Parameter()] + [System.Boolean] + $DisableCopilotWithBing, + + [Parameter()] + [System.Boolean] + $DisableAdminDigest, + + [Parameter()] + [System.Boolean] + $DisablePreferredDataLocationForTeamsEnvironment, + + [Parameter()] + [System.Boolean] + $DisableDeveloperEnvironmentCreationByNonAdminUsers, + + [Parameter()] + [System.Boolean] + $EnvironmentRoutingAllMakers, + + [Parameter()] + [System.Boolean] + $EnableDefaultEnvironmentRouting, + + [Parameter()] + [System.String] + $EnableDesktopFlowDataPolicyManagement, + + [Parameter()] + [System.Boolean] + $EnableCanvasAppInsights, + + [Parameter()] + [System.Boolean] + $DisableCreateFromFigma, + + [Parameter()] + [System.Boolean] + $DisableBillingPolicyCreationByNonAdminUsers, + + [Parameter()] + [System.UInt32] + $StorageCapacityConsumptionWarningThreshold, + + [Parameter()] + [System.Boolean] + $EnableTenantCapacityReportForEnvironmentAdmins, + + [Parameter()] + [System.Boolean] + $EnableTenantLicensingReportForEnvironmentAdmins, + + [Parameter()] + [System.Boolean] + $DisableUseOfUnassignedAIBuilderCredits, + + [Parameter()] + [System.String] + $EnableGenerativeAIFeaturesForSiteUsers, + + [Parameter()] + [System.String] + $EnableExternalAuthenticationProvidersInPowerPages, + + [Parameter()] + [System.Boolean] + $DisableChampionsInvitationReachout, + + [Parameter()] + [System.Boolean] + $DisableSkillsMatchInvitationReachout, + + [Parameter()] + [System.Boolean] + 
$EnableOpenAiBotPublishing, + + [Parameter()] + [System.Boolean] + $DisableAiPrompts, + + [Parameter()] + [System.Boolean] + $DisableCopilotFeedbackMetadata, + + [Parameter()] + [System.Boolean] + $EnableModelDataSharing, + + [Parameter()] + [System.Boolean] + $DisableDataLogging, + + [Parameter()] + [System.String] + $PowerCatalogAudienceSetting, + + [Parameter()] + [System.Boolean] + $EnableDeleteDisabledUserinAllEnvironments, + + [Parameter()] + [System.Boolean] + $DisableHelpSupportCopilot, + + [Parameter()] + [System.Boolean] + $DisableSurveyScreenshots, + [Parameter()] [System.Management.Automation.PSCredential] $Credential, 
@@ -115,21 +251,87 @@ function Get-TargetResource $PPTenantSettings = Get-TenantSettings -ErrorAction Stop return @{ IsSingleInstance = 'Yes' + + # search + DisableDocsSearch = $PPTenantSettings.powerPlatform.search.disableDocsSearch + DisableCommunitySearch = $PPTenantSettings.powerPlatform.search.disableCommunitySearch + DisableBingVideoSearch = $PPTenantSettings.powerPlatform.search.disableBingVideoSearch + + #teamsIntegration + ShareWithColleaguesUserLimit = $PPTenantSettings.powerPlatform.teamsIntegration.shareWithColleaguesUserLimit + + #powerApps + DisableShareWithEveryone = $PPTenantSettings.powerPlatform.powerApps.disableShareWithEveryone + EnableGuestsToMake = $PPTenantSettings.powerPlatform.powerApps.enableGuestsToMake + DisableMakerMatch = $PPTenantSettings.powerPlatform.powerApps.disableMakerMatch + DisableUnusedLicenseAssignment = $PPTenantSettings.powerPlatform.powerApps.disableUnusedLicenseAssignment + DisableCreateFromImage = $PPTenantSettings.powerPlatform.powerApps.disableCreateFromImage + DisableCreateFromFigma = $PPTenantSettings.powerPlatform.powerApps.disableCreateFromFigma + EnableCanvasAppInsights = $PPTenantSettings.powerPlatform.powerApps.enableCanvasAppInsights + DisableConnectionSharingWithEveryone = $PPTenantSettings.powerPlatform.powerApps.disableConnectionSharingWithEveryone + AllowNewOrgChannelDefault = $PPTenantSettings.powerPlatform.powerApps.allowNewOrgChannelDefault + DisableCopilot = $PPTenantSettings.powerPlatform.powerApps.disableCopilot + + #powerAutomate + DisableCopilotWithBing = $PPTenantSettings.powerPlatform.powerAutomate.disableCopilotWithBing + + #environments + DisablePreferredDataLocationForTeamsEnvironment = $PPTenantSettings.powerPlatform.environments.disablePreferredDataLocationForTeamsEnvironment + + #governance + DisableAdminDigest = $PPTenantSettings.powerPlatform.governance.disableAdminDigest + DisableDeveloperEnvironmentCreationByNonAdminUsers = 
$PPTenantSettings.powerPlatform.governance.disableDeveloperEnvironmentCreationByNonAdminUsers + EnableDefaultEnvironmentRouting = $PPTenantSettings.powerPlatform.governance.enableDefaultEnvironmentRouting + EnableDesktopFlowDataPolicyManagement = $PPTenantSettings.powerPlatform.governance.policy.enableDesktopFlowDataPolicyManagement + EnvironmentRoutingAllMakers = $PPTenantSettings.powerPlatform.governance.environmentRoutingAllMakers + + #licensing + DisableBillingPolicyCreationByNonAdminUsers = $PPTenantSettings.powerPlatform.licensing.disableBillingPolicyCreationByNonAdminUsers + EnableTenantCapacityReportForEnvironmentAdmins = $PPTenantSettings.powerPlatform.licensing.enableTenantCapacityReportForEnvironmentAdmins + StorageCapacityConsumptionWarningThreshold = $PPTenantSettings.powerPlatform.licensing.storageCapacityConsumptionWarningThreshold + EnableTenantLicensingReportForEnvironmentAdmins = $PPTenantSettings.powerPlatform.licensing.enableTenantLicensingReportForEnvironmentAdmins + DisableUseOfUnassignedAIBuilderCredits = $PPTenantSettings.powerPlatform.licensing.disableUseOfUnassignedAIBuilderCredits + + #powerPages + EnableGenerativeAIFeaturesForSiteUsers = $PPTenantSettings.powerPlatform.powerPages.enableGenerativeAIFeaturesForSiteUsers + EnableExternalAuthenticationProvidersInPowerPages = $PPTenantSettings.powerPlatform.powerPages.enableExternalAuthenticationProvidersInPowerPages + + #champions + DisableChampionsInvitationReachout = $PPTenantSettings.powerPlatform.champions.disableChampionsInvitationReachout + DisableSkillsMatchInvitationReachout = $PPTenantSettings.powerPlatform.champions.disableSkillsMatchInvitationReachout + + #intelligence + DisableCopilotFeedback = $PPTenantSettings.powerPlatforms.intelligence.disableCopilotFeedback + EnableOpenAiBotPublishing = $PPTenantSettings.powerPlatforms.intelligence.enableOpenAiBotPublishing + DisableCopilotFeedbackMetadata = $PPTenantSettings.powerPlatforms.intelligence.disableCopilotFeedbackMetadata + 
DisableAiPrompts = $PPTenantSettings.powerPlatforms.intelligence.disableAiPrompts + + #modelExperimentation + EnableModelDataSharing = $PPTenantSettings.powerPlatforms.modelExperimentation.enableModelDataSharing + DisableDataLogging = $PPTenantSettings.powerPlatforms.modelExperimentation.disableDataLogging + + #catalogSettings + PowerCatalogAudienceSetting = $PPTenantSettings.powerPlatforms.catalogSettings.powerCatalogAudienceSetting + + #userManagementSettings + EnableDeleteDisabledUserinAllEnvironments = $PPTenantSettings.powerPlatforms.userManagementSettings.enableDeleteDisabledUserinAllEnvironments + + #helpSupportSettings + DisableHelpSupportCopilot = $PPTenantSettings.powerPlatforms.helpSupportSettings.disableHelpSupportCopilot + UseSupportBingSearchByAllUsers = $PPTenantSettings.powerPlatforms.helpSupportSettings.useSupportBingSearchByAllUsers + + #Main WalkMeOptOut = $PPTenantSettings.walkMeOptOut DisableNPSCommentsReachout = $PPTenantSettings.disableNPSCommentsReachout DisableNewsletterSendout = $PPTenantSettings.disableNewsletterSendout DisableEnvironmentCreationByNonAdminUsers = $PPTenantSettings.disableEnvironmentCreationByNonAdminUsers DisablePortalsCreationByNonAdminUsers = $PPTenantSettings.disablePortalsCreationByNonAdminUsers DisableSurveyFeedback = $PPTenantSettings.disableSurveyFeedback + DisableSurveyScreenshots = $PPTenantSettings.disableSurveyScreenshots DisableTrialEnvironmentCreationByNonAdminUsers = $PPTenantSettings.disableTrialEnvironmentCreationByNonAdminUsers DisableCapacityAllocationByEnvironmentAdmins = $PPTenantSettings.disableCapacityAllocationByEnvironmentAdmins DisableSupportTicketsVisibleByAllUsers = $PPTenantSettings.disableSupportTicketsVisibleByAllUsers - DisableDocsSearch = $PPTenantSettings.powerPlatform.search.disableDocsSearch - DisableCommunitySearch = $PPTenantSettings.powerPlatform.search.disableCommunitySearch - DisableBingVideoSearch = $PPTenantSettings.powerPlatform.search.disableBingVideoSearch - 
DisableShareWithEveryone = $PPTenantSettings.powerPlatform.powerApps.disableShareWithEveryone - EnableGuestsToMake = $PPTenantSettings.powerPlatform.powerApps.enableGuestsToMake - ShareWithColleaguesUserLimit = $PPTenantSettings.powerPlatform.teamsIntegration.shareWithColleaguesUserLimit + Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId 
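Review bot: The entries under `#intelligence`, `#modelExperimentation`, `#catalogSettings`, `#userManagementSettings` and `#helpSupportSettings` read from `$PPTenantSettings.powerPlatforms` (plural), while every other entry in this hashtable reads from `$PPTenantSettings.powerPlatform`. If the plural is a typo, these lookups resolve to `$null` without an error outside strict mode, so Get-TargetResource would never report the real state of settings such as `DisableDataLogging` or `EnableModelDataSharing`, and drift on them would be misreported. The lines should use the singular form, e.g. `DisableCopilotFeedback = $PPTenantSettings.powerPlatform.intelligence.disableCopilotFeedback`. `UseSupportBingSearchByAllUsers` is also returned here although no parameter of that name appears in the visible param hunks or in the schema hunk.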
@@ -219,6 +421,142 @@ function Set-TargetResource [System.UInt32] $ShareWithColleaguesUserLimit, + [Parameter()] + [System.Boolean] + $DisableCopilotFeedback, + + [Parameter()] + [System.Boolean] + $DisableMakerMatch, + + [Parameter()] + [System.Boolean] + $DisableUnusedLicenseAssignment, + + [Parameter()] + [System.Boolean] + $DisableCreateFromImage, + + [Parameter()] + [System.Boolean] + $DisableConnectionSharingWithEveryone, + + [Parameter()] + [System.Boolean] + $AllowNewOrgChannelDefault, + + [Parameter()] + [System.Boolean] + $DisableCopilot, + + [Parameter()] + [System.Boolean] + $DisableCopilotWithBing, + + [Parameter()] + [System.Boolean] + $DisableAdminDigest, + + [Parameter()] + [System.Boolean] + $DisablePreferredDataLocationForTeamsEnvironment, + + [Parameter()] + [System.Boolean] + $DisableDeveloperEnvironmentCreationByNonAdminUsers, + + [Parameter()] + [System.Boolean] + $EnvironmentRoutingAllMakers, + + [Parameter()] + [System.Boolean] + $EnableDefaultEnvironmentRouting, + + [Parameter()] + [System.String] + $EnableDesktopFlowDataPolicyManagement, + + [Parameter()] + [System.Boolean] + $EnableCanvasAppInsights, + + [Parameter()] + [System.Boolean] + $DisableCreateFromFigma, + + [Parameter()] + [System.Boolean] + $DisableBillingPolicyCreationByNonAdminUsers, + + [Parameter()] + [System.UInt32] + $StorageCapacityConsumptionWarningThreshold, + + [Parameter()] + [System.Boolean] + $EnableTenantCapacityReportForEnvironmentAdmins, + + [Parameter()] + [System.Boolean] + $EnableTenantLicensingReportForEnvironmentAdmins, + + [Parameter()] + [System.Boolean] + $DisableUseOfUnassignedAIBuilderCredits, + + [Parameter()] + [System.String] + $EnableGenerativeAIFeaturesForSiteUsers, + + [Parameter()] + [System.String] + $EnableExternalAuthenticationProvidersInPowerPages, + + [Parameter()] + [System.Boolean] + $DisableChampionsInvitationReachout, + + [Parameter()] + [System.Boolean] + $DisableSkillsMatchInvitationReachout, + + [Parameter()] + [System.Boolean] + 
$EnableOpenAiBotPublishing, + + [Parameter()] + [System.Boolean] + $DisableAiPrompts, + + [Parameter()] + [System.Boolean] + $DisableCopilotFeedbackMetadata, + + [Parameter()] + [System.Boolean] + $EnableModelDataSharing, + + [Parameter()] + [System.Boolean] + $DisableDataLogging, + + [Parameter()] + [System.String] + $PowerCatalogAudienceSetting, + + [Parameter()] + [System.Boolean] + $EnableDeleteDisabledUserinAllEnvironments, + + [Parameter()] + [System.Boolean] + $DisableHelpSupportCopilot, + + [Parameter()] + [System.Boolean] + $DisableSurveyScreenshots, + [Parameter()] [System.Management.Automation.PSCredential] $Credential, 
@@ -333,6 +671,142 @@ function Test-TargetResource [System.UInt32] $ShareWithColleaguesUserLimit, + [Parameter()] + [System.Boolean] + $DisableCopilotFeedback, + + [Parameter()] + [System.Boolean] + $DisableMakerMatch, + + [Parameter()] + [System.Boolean] + $DisableUnusedLicenseAssignment, + + [Parameter()] + [System.Boolean] + $DisableCreateFromImage, + + [Parameter()] + [System.Boolean] + $DisableConnectionSharingWithEveryone, + + [Parameter()] + [System.Boolean] + $AllowNewOrgChannelDefault, + + [Parameter()] + [System.Boolean] + $DisableCopilot, + + [Parameter()] + [System.Boolean] + $DisableCopilotWithBing, + + [Parameter()] + [System.Boolean] + $DisableAdminDigest, + + [Parameter()] + [System.Boolean] + $DisablePreferredDataLocationForTeamsEnvironment, + + [Parameter()] + [System.Boolean] + $DisableDeveloperEnvironmentCreationByNonAdminUsers, + + [Parameter()] + [System.Boolean] + $EnvironmentRoutingAllMakers, + + [Parameter()] + [System.Boolean] + $EnableDefaultEnvironmentRouting, + + [Parameter()] + [System.String] + $EnableDesktopFlowDataPolicyManagement, + + [Parameter()] + [System.Boolean] + $EnableCanvasAppInsights, + + [Parameter()] + [System.Boolean] + $DisableCreateFromFigma, + + [Parameter()] + [System.Boolean] + $DisableBillingPolicyCreationByNonAdminUsers, + + [Parameter()] + [System.UInt32] + $StorageCapacityConsumptionWarningThreshold, + + [Parameter()] + [System.Boolean] + $EnableTenantCapacityReportForEnvironmentAdmins, + + [Parameter()] + [System.Boolean] + $EnableTenantLicensingReportForEnvironmentAdmins, + + [Parameter()] + [System.Boolean] + $DisableUseOfUnassignedAIBuilderCredits, + + [Parameter()] + [System.String] + $EnableGenerativeAIFeaturesForSiteUsers, + + [Parameter()] + [System.String] + $EnableExternalAuthenticationProvidersInPowerPages, + + [Parameter()] + [System.Boolean] + $DisableChampionsInvitationReachout, + + [Parameter()] + [System.Boolean] + $DisableSkillsMatchInvitationReachout, + + [Parameter()] + [System.Boolean] + 
$EnableOpenAiBotPublishing, + + [Parameter()] + [System.Boolean] + $DisableAiPrompts, + + [Parameter()] + [System.Boolean] + $DisableCopilotFeedbackMetadata, + + [Parameter()] + [System.Boolean] + $EnableModelDataSharing, + + [Parameter()] + [System.Boolean] + $DisableDataLogging, + + [Parameter()] + [System.String] + $PowerCatalogAudienceSetting, + + [Parameter()] + [System.Boolean] + $EnableDeleteDisabledUserinAllEnvironments, + + [Parameter()] + [System.Boolean] + $DisableHelpSupportCopilot, + + [Parameter()] + [System.Boolean] + $DisableSurveyScreenshots, + [Parameter()] [System.Management.Automation.PSCredential] $Credential, @@ -489,7 +963,7 @@ function Export-TargetResource function Get-M365DSCPowerPlatformTenantSettings { [CmdletBinding()] - [OutputType([System.String])] + [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory = $true)] @@ -504,6 +978,7 @@ function Get-M365DSCPowerPlatformTenantSettings disableEnvironmentCreationByNonAdminUsers = $Parameters.DisableEnvironmentCreationByNonAdminUsers disablePortalsCreationByNonAdminUsers = $Parameters.DisablePortalsCreationByNonAdminUsers disableSurveyFeedback = $Parameters.DisableSurveyFeedback + disableSurveyScreenshots = $Parameters.DisableSurveyScreenshots disableTrialEnvironmentCreationByNonAdminUsers = $Parameters.DisableTrialEnvironmentCreationByNonAdminUsers disableCapacityAllocationByEnvironmentAdmins = $Parameters.DisableCapacityAllocationByEnvironmentAdmins disableSupportTicketsVisibleByAllUsers = $Parameters.DisableSupportTicketsVisibleByAllUsers 
@@ -513,13 +988,76 @@ function Get-M365DSCPowerPlatformTenantSettings disableCommunitySearch = $Parameters.DisableCommunitySearch disableBingVideoSearch = $Parameters.DisableBingVideoSearch } + teams = @{ + shareWithColleaguesUserLimit = $Parameters.ShareWithColleaguesUserLimit + } powerApps = @{ - disableShareWithEveryone = $Parameters.DisableShareWithEveryone - enableGuestsToMake = $Parameters.EnableGuestsToMake + disableShareWithEveryone = $Parameters.DisableShareWithEveryone + enableGuestsToMake = $Parameters.EnableGuestsToMake + disableMakerMatch = $Parameters.DisableMakerMatch + disableUnusedLicenseAssignment = $Parameters.DisableUnusedLicenseAssignment + disableCreateFromImage = $Parameters.DisableCreateFromImage + disableCreateFromFigma = $Parameters.DisableCreateFromFigma + enableCanvasAppInsights = $Parameters.EnableCanvasAppInsights + disableConnectionSharingWithEveryone = $Parameters.DisableConnectionSharingWithEveryone + allowNewOrgChannelDefault = $Parameters.AllowNewOrgChannelDefault + disableCopilot = $Parameters.DisableCopilot + } + environments = @{ + disablePreferredDataLocationForTeamsEnvironment = $Parameters.DisablePreferredDataLocationForTeamsEnvironment + } + powerAutomate = @{ + disableCopilotWithBing = $Parameters.DisableCopilotWithBing + } + governance = @{ + disableAdminDigest = $Parameters.DisableAdminDigest + disableDeveloperEnvironmentCreationByNonAdminUsers = $Parameters.DisableDeveloperEnvironmentCreationByNonAdminUsers + enableDefaultEnvironmentRouting = $Parameters.EnableDefaultEnvironmentRouting + policy = @( + @{ + enableDesktopFlowDataPolicyManagement = $Parameters.EnableDesktopFlowDataPolicyManagement + } + ) + environmentRoutingAllMakers = $Parameters.EnvironmentRoutingAllMakers } teamsIntegration = @{ shareWithColleaguesUserLimit = $Parameters.ShareWithColleaguesUserLimit } + licensing = @{ + disableBillingPolicyCreationByNonAdminUsers = $Parameters.DisableBillingPolicyCreationByNonAdminUsers + 
enableTenantCapacityReportForEnvironmentAdmins = $Parameters.EnableTenantCapacityReportForEnvironmentAdmins + storageCapacityConsumptionWarningThreshold = $Parameters.StorageCapacityConsumptionWarningThreshold + enableTenantLicensingReportForEnvironmentAdmins = $Parameters.EnableTenantLicensingReportForEnvironmentAdmins + disableUseOfUnassignedAIBuilderCredits = $Parameters.DisableUseOfUnassignedAIBuilderCredits + } + powerPages = @{ + enableGenerativeAIFeaturesForSiteUsers = $Parameters.EnableGenerativeAIFeaturesForSiteUsers + enableExternalAuthenticationProvidersInPowerPages = $Parameters.EnableExternalAuthenticationProvidersInPowerPages + } + champions = @{ + disableChampionsInvitationReachout = $Parameters.DisableChampionsInvitationReachout + disableSkillsMatchInvitationReachout = $Parameters.DisableSkillsMatchInvitationReachout + } + intelligence = @{ + disableCopilotFeedback = $Parameters.disableCopilotFeedback + enableOpenAiBotPublishing = $Parameters.enableOpenAiBotPublishing + disableCopilotFeedbackMetadata = $Parameters.disableCopilotFeedbackMetadata + disableAiPrompts = $Parameters.disableAiPrompts + } + modelExperimentation = @{ + enableModelDataSharing = $Parameters.enableModelDataSharing + disableDataLogging = $Parameters.disableDataLogging + } + catalogSettings = @{ + powerCatalogAudienceSetting = $Parameters.powerCatalogAudienceSetting + } + userManagementSettings = @{ + enableDeleteDisabledUserinAllEnvironments = $Parameters.enableDeleteDisabledUserinAllEnvironments + } + helpSupportSettings = @{ + disableHelpSupportCopilot = $Parameters.disableHelpSupportCopilot + useSupportBingSearchByAllUsers = $Parameters.useSupportBingSearchByAllUsers + } } } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPTenantSettings/MSFT_PPTenantSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_PPTenantSettings/MSFT_PPTenantSettings.schema.mof index 7cf4dacb43..52ddef519d 100644 
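Review bot: This hunk adds a `teams` section carrying `shareWithColleaguesUserLimit` while keeping the existing `teamsIntegration` section with the same value. Get-TargetResource reads the setting from `teamsIntegration`, so the new `teams` key looks redundant or misplaced. `helpSupportSettings` reads `$Parameters.useSupportBingSearchByAllUsers`, but no such parameter is declared in the visible param hunks, so that value would presumably always be empty. Every key is emitted whether or not the caller supplied it; if `$Parameters` carries only the bound parameters, settings left out of a configuration (for example `disableDataLogging`) enter the payload as `$null`, and it is worth confirming that the consumer treats that as "leave unchanged". The function starts outside the hunk.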
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_PPTenantSettings/MSFT_PPTenantSettings.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPTenantSettings/MSFT_PPTenantSettings.schema.mof 
@@ -2,6 +2,42 @@ class MSFT_PPTenantSettings : OMI_BaseResource { [Key, Description("Should be set to yes"),ValueMap{"Yes"},Values{"Yes"}] string IsSingleInstance; + [Write, Description("TBD")] Boolean DisableCopilotFeedback; + [Write, Description("TBD")] Boolean DisableMakerMatch; + [Write, Description("TBD")] Boolean DisableUnusedLicenseAssignment; + [Write, Description("TBD")] Boolean DisableCreateFromImage; + [Write, Description("TBD")] Boolean DisableConnectionSharingWithEveryone; + [Write, Description("TBD")] Boolean AllowNewOrgChannelDefault; + [Write, Description("TBD")] Boolean DisableCopilot; + [Write, Description("TBD")] Boolean DisableCopilotWithBing; + [Write, Description("TBD")] Boolean DisableAdminDigest; + [Write, Description("TBD")] Boolean DisablePreferredDataLocationForTeamsEnvironment; + [Write, Description("TBD")] Boolean DisableDeveloperEnvironmentCreationByNonAdminUsers; + [Write, Description("TBD")] Boolean EnvironmentRoutingAllMakers; + [Write, Description("TBD")] Boolean EnableDefaultEnvironmentRouting; + [Write, Description("TBD")] String EnableDesktopFlowDataPolicyManagement; + [Write, Description("TBD")] Boolean EnableCanvasAppInsights; + [Write, Description("TBD")] Boolean DisableCreateFromFigma; + + [Write, Description("TBD")] Boolean DisableBillingPolicyCreationByNonAdminUsers; + [Write, Description("TBD")] UInt32 StorageCapacityConsumptionWarningThreshold; + [Write, Description("TBD")] Boolean EnableTenantCapacityReportForEnvironmentAdmins; + [Write, Description("TBD")] Boolean EnableTenantLicensingReportForEnvironmentAdmins; + [Write, Description("TBD")] Boolean DisableUseOfUnassignedAIBuilderCredits; + [Write, Description("TBD")] String EnableGenerativeAIFeaturesForSiteUsers; + [Write, Description("TBD")] String EnableExternalAuthenticationProvidersInPowerPages; + [Write, Description("TBD")] Boolean DisableChampionsInvitationReachout; + [Write, Description("TBD")] Boolean DisableSkillsMatchInvitationReachout; + [Write, 
Description("TBD")] Boolean EnableOpenAiBotPublishing; + [Write, Description("TBD")] Boolean DisableAiPrompts; + [Write, Description("TBD")] Boolean DisableCopilotFeedbackMetadata; + + [Write, Description("TBD")] Boolean EnableModelDataSharing; + [Write, Description("TBD")] Boolean DisableDataLogging; + [Write, Description("TBD")] String PowerCatalogAudienceSetting; + [Write, Description("TBD")] Boolean EnableDeleteDisabledUserinAllEnvironments; + [Write, Description("TBD")] Boolean DisableHelpSupportCopilot; + [Write, Description("TBD")] Boolean DisableSurveyScreenshots; [Write, Description("When set to true this will disable the Walk Me guidance.")] boolean WalkMeOptOut; [Write, Description("When set to true this will disable the NPS Comments Reachout.")] boolean DisableNPSCommentsReachout; [Write, Description("When set to true this will disable the monthly newsletters.")] boolean DisableNewsletterSendout; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SCInsiderRiskPolicy/MSFT_SCInsiderRiskPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SCInsiderRiskPolicy/MSFT_SCInsiderRiskPolicy.psm1 index baac85f2b7..9f887882f9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SCInsiderRiskPolicy/MSFT_SCInsiderRiskPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SCInsiderRiskPolicy/MSFT_SCInsiderRiskPolicy.psm1 @@ -676,6 +676,18 @@ function Get-TargetResource [System.Boolean] $RetainSeverityAfterTriage, + [Parameter()] + [System.String[]] + $MDATPTriageStatus, + + [Parameter()] + [System.UInt32] + $CPUUtilizationLimit, + + [Parameter()] + [System.UInt32] + $GPUUtilizationLimit, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] 
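Review bot: Every property added to `MSFT_PPTenantSettings` ships with `Description("TBD")`, which leaves settings that govern data sharing and sign-in (`EnableModelDataSharing`, `DisableDataLogging`, `EnableExternalAuthenticationProvidersInPowerPages`, `DisableConnectionSharingWithEveryone`) undocumented in the generated resource help. The existing entries below use the pattern `When set to true this will disable ...`; the new ones should follow it once the behaviour of each setting is confirmed. The `String` properties (`EnableDesktopFlowDataPolicyManagement`, `EnableGenerativeAIFeaturesForSiteUsers`, `EnableExternalAuthenticationProvidersInPowerPages`, `PowerCatalogAudienceSetting`) also need their accepted values listed, ideally as a `ValueMap`, since nothing visible constrains them.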
@@ -761,6 +773,8 @@ function Get-TargetResource RecordingTimeframePostEventInSec = $SessionRecordingSettings.RecordingTimeframePostEventInSec BandwidthCapInMb = $SessionRecordingSettings.BandwidthCapInMb OfflineRecordingStorageLimitInMb = $SessionRecordingSettings.OfflineRecordingStorageLimitInMb + GPUUtilizationLimit = $SessionRecordingSettings.GPUUtilizationLimit + CPUUtilizationLimit = $SessionRecordingSettings.CPUUtilizationLimit } $results += $forensicSettingsHash } @@ -800,6 +814,7 @@ function Get-TargetResource RaiseAuditAlert = $RaiseAuditAlertValue FileVolCutoffLimits = $tenantSettings.IntelligentDetections.FileVolCutoffLimits AlertVolume = $tenantSettings.IntelligentDetections.AlertVolume + MDATPTriageStatus = $tenantSettings.IntelligentDetections.MDATPTriageStatus AnomalyDetections = ($tenantSettings.Indicators | Where-Object -FilterScript {$_.Name -eq 'AnomalyDetections'}).Enabled CopyToPersonalCloud = ($tenantSettings.Indicators | Where-Object -FilterScript {$_.Name -eq 'CopyToPersonalCloud'}).Enabled CopyToUSB = ($tenantSettings.Indicators | Where-Object -FilterScript {$_.Name -eq 'CopyToUSB'}).Enabled @@ -1713,6 +1728,18 @@ function Set-TargetResource [System.Boolean] $RetainSeverityAfterTriage, + [Parameter()] + [System.String[]] + $MDATPTriageStatus, + + [Parameter()] + [System.UInt32] + $CPUUtilizationLimit, + + [Parameter()] + [System.UInt32] + $GPUUtilizationLimit, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] 
@@ -1817,7 +1844,7 @@ function Set-TargetResource # Tenant Settings $featureSettingsValue = "{`"Anonymization`":$($Anonymization.ToString().ToLower()), `"DLPUserRiskSync`":$($DLPUserRiskSync.ToString().ToLower()), `"OptInIRMDataExport`":$($OptInIRMDataExport.ToString().ToLower()), `"RaiseAuditAlert`":$($RaiseAuditAlert.ToString().ToLower()), `"EnableTeam`":$($EnableTeam.ToString().ToLower())}" - $intelligentDetectionValue = "{`"FileVolCutoffLimits`":`"$($FileVolCutoffLimits)`", `"AlertVolume`":`"$($AlertVolume)`"}" + $intelligentDetectionValue = "{`"FileVolCutoffLimits`":`"$($FileVolCutoffLimits)`", `"AlertVolume`":`"$($AlertVolume)`", `"MDATPTriageStatus`": `"$($MDATPTriageStatus)`"}" $tenantSettingsValue = "{`"Region`":`"WW`", `"FeatureSettings`":$($featureSettingsValue), " + ` 
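Review bot: `$MDATPTriageStatus` is declared as `[System.String[]]` in the param hunks of this commit, but here it is interpolated into a quoted JSON string, so several values are joined with spaces into one string and an omitted parameter becomes `"MDATPTriageStatus": ""`. None of the interpolated values is JSON-escaped either, so a value containing a double quote or a backslash yields a malformed payload or changes its structure. Building the object and serialising it avoids both, e.g. `$intelligentDetectionValue = [ordered]@{ FileVolCutoffLimits = "$FileVolCutoffLimits"; AlertVolume = "$AlertVolume"; MDATPTriageStatus = $MDATPTriageStatus } | ConvertTo-Json -Compress`, assuming the service accepts an array for that field. Set-TargetResource starts and ends outside the hunk.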
@@ -1859,7 +1886,7 @@ function Set-TargetResource if ($InsiderRiskScenario -eq 'SessionRecordingSetting') { - $sessionRecordingValues = "{`"RecordingMode`":`"EventDriven`", `"RecordingTimeframePreEventInSec`":$($RecordingTimeframePreEventInSec),`"RecordingTimeframePostEventInSec`":$($RecordingTimeframePostEventInSec),`"BandwidthCapInMb`":$($BandwidthCapInMb),`"OfflineRecordingStorageLimitInMb`":$($OfflineRecordingStorageLimitInMb),`"ClipDeletionEnabled`":$($ClipDeletionEnabled.ToString().ToLower()),`"Enabled`":$($SessionRecordingEnabled.ToString().ToLower()),`"FpsNumerator`":0,`"FpsDenominator`":0}" + $sessionRecordingValues = "{`"RecordingMode`":`"EventDriven`", `"RecordingTimeframePreEventInSec`":$($RecordingTimeframePreEventInSec),`"RecordingTimeframePostEventInSec`":$($RecordingTimeframePostEventInSec),`"BandwidthCapInMb`":$($BandwidthCapInMb),`"OfflineRecordingStorageLimitInMb`":$($OfflineRecordingStorageLimitInMb),`"ClipDeletionEnabled`":$($ClipDeletionEnabled.ToString().ToLower()),`"Enabled`":$($SessionRecordingEnabled.ToString().ToLower()),`"FpsNumerator`":0,`"FpsDenominator`":0, `"GPUUtilizationLimit`": $($GPUUtilizationLimit), `"CPUUtilizationLimit`": $($CPUUtilizationLimit)}" Write-Verbose -Message 'Updating Session Recording Settings' Set-InsiderRiskPolicy -Identity $Name -SessionRecordingSettings $sessionRecordingValues | Out-Null } @@ -2558,6 +2585,18 @@ function Test-TargetResource [System.Boolean] $RetainSeverityAfterTriage, + [Parameter()] + [System.String[]] + $MDATPTriageStatus, + + [Parameter()] + [System.UInt32] + $CPUUtilizationLimit, + + [Parameter()] + [System.UInt32] + $GPUUtilizationLimit, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SCInsiderRiskPolicy/MSFT_SCInsiderRiskPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SCInsiderRiskPolicy/MSFT_SCInsiderRiskPolicy.schema.mof index dccbecd928..af9a3b71e8 100644 
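Review bot: The `GPUUtilizationLimit` and `CPUUtilizationLimit` keys added to `$sessionRecordingValues` are written unconditionally, and both parameters are optional `[System.UInt32]` values, so a configuration that omits them sends `0` for each. What `0` means to the service is not visible here, but either way an unspecified setting would overwrite the tenant's current value on a resource that controls forensic session recording. I would append each key only when it was supplied, e.g. guard with `if ($PSBoundParameters.ContainsKey('GPUUtilizationLimit'))` and the same for `CPUUtilizationLimit`, or state the intended default in the parameter documentation. Set-TargetResource's body extends beyond this hunk, so an existing guard elsewhere cannot be ruled out from here.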
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_SCInsiderRiskPolicy/MSFT_SCInsiderRiskPolicy.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SCInsiderRiskPolicy/MSFT_SCInsiderRiskPolicy.schema.mof
@@ -169,6 +169,9 @@ class MSFT_SCInsiderRiskPolicy : OMI_BaseResource
 [Write, Description("Official documentation to come.")] Boolean RetainSeverityAfterTriage;
 [Write, Description("Official documentation to come.")] UInt32 LookbackTimeSpan;
 [Write, Description("Official documentation to come.")] UInt32 ProfileInScopeTimeSpan;
+ [Write, Description("Official documentation to come.")] UInt32 GPUUtilizationLimit;
+ [Write, Description("Official documentation to come.")] UInt32 CPUUtilizationLimit;
+ [Write, Description("Official documentation to come.")] String MDATPTriageStatus;
 [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
 [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
 [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/MSFT_SCPolicyConfig.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/MSFT_SCPolicyConfig.psm1
new file mode 100644
index 0000000000..729655eb21
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/MSFT_SCPolicyConfig.psm1
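Review bot: `MDATPTriageStatus` is declared in this schema hunk as a scalar `String`, while the Set-TargetResource and Test-TargetResource parameter blocks added by the same commit type it as `[System.String[]]`. With schema and module disagreeing, a configuration listing more than one status would probably be rejected or flattened before it reaches the resource; if the array form is the intended one, the line should read `[Write, Description("Official documentation to come.")] String MDATPTriageStatus[];`. The three new properties also keep the placeholder description, so a short statement of the accepted values, and of the unit for the two utilization limits, would help operators set them deliberately.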
@@ -0,0 +1,1758 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [ValidateSet('Yes')] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $AdvancedClassificationEnabled, + + [Parameter()] + [System.Boolean] + $AuditFileActivity, + + [Parameter()] + [System.Boolean] + $BandwidthLimitEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $BusinessJustificationList, + + [Parameter()] + [System.String] + $CloudAppMode, + + [Parameter()] + [System.String[]] + $CloudAppRestrictionList, + + [Parameter()] + [System.UInt32] + $CustomBusinessJustificationNotification, + + [Parameter()] + [System.UInt32] + $DailyBandwidthLimitInMB, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPAppGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPNetworkShareGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPPrinterGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPRemovableMediaGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $EvidenceStoreSettings, + + [Parameter()] + [System.Boolean] + $IncludePredefinedUnallowedBluetoothApps, + + [Parameter()] + [System.Boolean] + $MacDefaultPathExclusionsEnabled, + + [Parameter()] + [System.String[]] + $MacPathExclusion, + + [Parameter()] + [System.Boolean] + $NetworkPathEnforcementEnabled, + + [Parameter()] + [System.String] + $NetworkPathExclusion, + + [Parameter()] + [System.String[]] + $PathExclusion, + + [Parameter()] + [System.Boolean] + $serverDlpEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $SiteGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedCloudSyncApp, + + 
[Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedBluetoothApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedBrowser, + + [Parameter()] + [System.String[]] + $VPNSettings, + + [Parameter()] + [System.Boolean] + $EnableLabelCoauth, + + [Parameter()] + [System.Boolean] + $EnableSpoAipMigration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $QuarantineParameters, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'SecurityComplianceCenter' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + $instance = Get-PolicyConfig -ErrorAction Stop + $EndpointDlpGlobalSettingsValue = ConvertFrom-Json $instance.EndpointDlpGlobalSettings + $DlpPrinterGroupsObject = ConvertFrom-Json $instance.DlpPrinterGroups + $DlpAppGroupsObject = ConvertFrom-Json $instance.DlpAppGroups + $SiteGroupsObject = ConvertFrom-Json $instance.SiteGroups + $DLPRemovableMediaGroupsObject = ConvertFrom-Json $instance.DLPRemovableMediaGroups + $DlpNetworkShareGroupsObject = ConvertFrom-Json $instance.DlpNetworkShareGroups + + # AdvancedClassificationEnabled + $AdvancedClassificationEnabledValue = [Boolean]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'AdvancedClassificationEnabled'}).Value + + # BandwidthLimitEnabled + $BandwidthLimitEnabledValue = [Boolean]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'BandwidthLimitEnabledValue'}).Value + + # DailyBandwidthLimitInMB + $DailyBandwidthLimitInMBValue = [UInt32]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'DailyBandwidthLimitInMB'}).Value + + # PathExclusion + $PathExclusionValue = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'PathExclusion'}).Value + + # MacPathExclusion + $MacPathExclusionValue = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'MacPathExclusion'}).Value + + # MacDefaultPathExclusionsEnabled + $MacDefaultPathExclusionsEnabledValue = [Boolean]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'MacDefaultPathExclusionsEnabled'}).Value + + #EvidenceStoreSettings + $entry = $EndpointDlpGlobalSettingsValue | 
Where-Object {$_.Setting -eq 'EvidenceStoreSettings'} + if ($null -ne $entry) + { + $entry = ConvertFrom-Json $entry.Value + $EvidenceStoreSettingsValue = @{ + FileEvidenceIsEnabled = $entry.FileEvidenceIsEnabled + NumberOfDaysToRetain = [Uint32]$entry.NumberOfDaysToRetain + StorageAccounts = [Array]$entry.StorageAccounts + Store = $entry.Store + } + } + + # NetworkPathEnforcementEnabled + $NetworkPathEnforcementEnabledValue = [Boolean]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'NetworkPathEnforcementEnabled'}).Value + + # NetworkPathExclusion + $NetworkPathExclusionValue = ($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'NetworkPathExclusion'}).Value + + # DlpAppGroups + $DlpAppGroupsValue = @() + foreach ($group in $DlpAppGroupsObject) + { + $entry = @{ + Name = $group.Name + Id = $group.Id + Description = $group.Description + Apps = @() + } + + foreach ($appEntry in $group.Apps) + { + $app = @{ + ExecutableName = $appEntry.ExecutableName + Name = $appEntry.Name + Quarantine = [Boolean]$appEntry.Quarantine + } + $entry.Apps += $app + } + $DlpAppGroupsValue += $entry + } + + # UnallowedApp + $entries = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'UnallowedApp'}) + $UnallowedAppValue = @() + foreach ($entry in $entries) + { + $current = @{ + Value = $entry.Value + Executable = $entry.Executable + } + $UnallowedAppValue += $current + } + + # UnallowedCloudSyncApp + $entries = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'UnallowedCloudSyncApp'}) + $UnallowedCloudSyncAppValue = @() + foreach ($entry in $entries) + { + $current = @{ + Value = $entry.Value + Executable = $entry.Executable + } + $UnallowedCloudSyncAppValue += $current + } + + # IncludePredefinedUnallowedBluetoothApps + $IncludePredefinedUnallowedBluetoothAppsValue = [Boolean]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'IncludePredefinedUnallowedBluetoothApps'}).Value + + # UnallowedBluetoothApp 
+ $entries = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'UnallowedBluetoothApp'}) + $UnallowedBluetoothAppValue = @() + foreach ($entry in $entries) + { + $current = @{ + Value = $entry.Value + Executable = $entry.Executable + } + $UnallowedBluetoothAppValue += $current + } + + # UnallowedBrowser + $entries = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'UnallowedBrowser'}) + $UnallowedBrowserValue = @() + foreach ($entry in $entries) + { + $current = @{ + Value = $entry.Value + Executable = $entry.Executable + } + $UnallowedBrowserValue += $current + } + + # CloudAppMode + $CloudAppModeValue = ($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'CloudAppMode'}).Value + + # CloudAppRestrictionList + $CloudAppRestrictionListValue = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'CloudAppRestrictionList'}).Value + + # SiteGroups + $SiteGroupsValue = @() + foreach ($siteGroup in $SiteGroupsObject) + { + $entry = @{ + Id = $siteGroup.Id + Name = $siteGroup.Name + } + + $addresses = @() + foreach ($address in $siteGroup.Addresses) + { + $addresses += @{ + MatchType = $address.MatchType + Url = $address.Url + AddressLower = $address.AddressLower + AddressUpper = $address.AddressUpper + } + } + $entry.Add('Addresses', $addresses) + $SiteGroupsValue += $entry + } + + # CustomBusinessJustificationNotification + $CustomBusinessJustificationNotificationValue = [Uint32]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'CustomBusinessJustificationNotification'}).Value + + if (-not [System.String]::IsNullOrEmpty($EndpointDlpGlobalSettingsValue.Setting)) + { + $entities = $EndpointDlpGlobalSettingsValue | Where-Object -FilterScript {$_.Setting -eq 'BusinessJustificationList'} + + # BusinessJustificationList + if ($null -ne $entities) + { + $entities = ConvertFrom-Json ($entities.value) + $BusinessJustificationListValue = @() + foreach ($entity in $entities) + { + $current = @{ 
+ Id = $entity.Id + Enable = [Boolean]$entity.Enable + justificationText = $entity.justificationText + } + $BusinessJustificationListValue += $current + } + } + + # serverDlpEnabled + $serverDlpEnabledValue = [Boolean]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'serverDlpEnabled'}).Value + + # AuditFileActivity + $AuditFileActivityValue = [Boolean]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'AuditFileActivity'}).Value + + # VPNSettings + $entity = $EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'VPNSettings'} + if ($null -ne $entity) + { + $entity = ConvertFrom-Json ($entity.value) + $VPNSettingsValue = [Array]$entity.serverAddress + } + } + + # DlpPrinterGroups + $DlpPrinterGroupsValue = @() + foreach ($group in $DlpPrinterGroupsObject.groups) + { + $entry = @{ + groupName = $group.groupName + groupId = $group.groupId + } + + $printers = @() + foreach ($printer in $group.printers) + { + $current = @{ + universalPrinter = [Boolean]$printer.universalPrinter + usbPrinter = [Boolean]$printer.usbPrinter + usbPrinterId = $printer.usbPrinterPID + name = $printer.name + alias = $printer.alias + usbPrinterVID = $printer.usbPrinterVID + ipRange = @{ + fromAddress = $printer.ipRange.from + toAddress = $printer.ipRange.to + } + corporatePrinter = [Boolean]$printer.CorporatePrinter + printToLocal = [Boolean]$printer.printToLocal + printToFile = [Boolean]$printer.printToFile + } + + $printers += $current + } + $entry.Add('printers', $printers) + $DlpPrinterGroupsValue += $entry + } + + # DLPRemovableMediaGroups + $DLPRemovableMediaGroupsValue = @() + foreach ($group in $DLPRemovableMediaGroupsObject.groups) + { + $entry = @{ + groupName = $group.groupName + } + + $medias = @() + foreach ($media in $group.removableMedia) + { + $current = @{ + deviceId = $media.deviceId + removableMediaVID = $media.removableMediaVID + name = $media.name + alias = $media.alias + removableMediaPID = $media.removableMediaPID + instancePathId = 
$media.instancePathId + serialNumberId = $media.serialNumberId + hardwareId = $media.hardwareId + } + $medias += $current + } + $entry.Add('removableMedia', $medias) + + $DLPRemovableMediaGroupsValue += $entry + } + + # DlpNetworkShareGroups + $DlpNetworkShareGroupsValue = @() + foreach ($group in $DlpNetworkShareGroupsObject.groups) + { + $entry = @{ + groupName = $group.groupName + groupId = $group.groupId + networkPaths = [Array]$group.networkPaths + } + $DlpNetworkShareGroupsValue += $entry + } + + $QuarantineParametersValue = @() + if ($null -ne ($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'QuarantineParameters'})) + { + $quarantineInfo = [Array]($EndpointDlpGlobalSettingsValue | Where-Object {$_.Setting -eq 'QuarantineParameters'}).Value + $quarantineInfo = ConvertFrom-Json $quarantineInfo[0] + $QuarantineParametersValue = @{ + EnableQuarantineForCloudSyncApps = $quarantineInfo.EnableQuarantineForCloudSyncApps + QuarantinePath = $quarantineInfo.QuarantinePath + MacQuarantinePath = $quarantineInfo.MacQuarantinePath + ShouldReplaceFile = $quarantineInfo.ShouldReplaceFile + FileReplacementText = $quarantineInfo.FileReplacementText + } + } + + $results = @{ + IsSingleInstance = 'Yes' + AdvancedClassificationEnabled = $AdvancedClassificationEnabledValue + BandwidthLimitEnabled = $BandwidthLimitEnabledValue + DailyBandwidthLimitInMB = $DailyBandwidthLimitInMBValue + PathExclusion = $PathExclusionValue + MacPathExclusion = $MacPathExclusionValue + MacDefaultPathExclusionsEnabled = $MacDefaultPathExclusionsEnabledValue + EvidenceStoreSettings = $EvidenceStoreSettingsValue + NetworkPathEnforcementEnabled = $NetworkPathEnforcementEnabledValue + NetworkPathExclusion = $NetworkPathExclusionValue + DLPAppGroups = $DlpAppGroupsValue + UnallowedApp = $UnallowedAppValue + UnallowedCloudSyncApp = $UnallowedCloudSyncAppValue + IncludePredefinedUnallowedBluetoothApps = $IncludePredefinedUnallowedBluetoothAppsValue + UnallowedBluetoothApp = 
$UnallowedBluetoothAppValue + UnallowedBrowser = $UnallowedBrowserValue + CloudAppMode = $CloudAppModeValue + CloudAppRestrictionList = $CloudAppRestrictionListValue + SiteGroups = $SiteGroupsValue + CustomBusinessJustificationNotification = $CustomBusinessJustificationNotificationValue + BusinessJustificationList = $BusinessJustificationListValue + serverDlpEnabled = $serverDlpEnabledValue + AuditFileActivity = $AuditFileActivityValue + DLPPrinterGroups = $DlpPrinterGroupsValue + DLPRemovableMediaGroups = $DLPRemovableMediaGroupsValue + DLPNetworkShareGroups = $DlpNetworkShareGroupsValue + VPNSettings = $VPNSettingsValue + EnableLabelCoauth = $instance.EnableLabelCoauth + EnableSpoAipMigration = $instance.EnableSpoAipMigration + QuarantineParameters = $QuarantineParametersValue + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [ValidateSet('Yes')] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $AdvancedClassificationEnabled, + + [Parameter()] + [System.Boolean] + $AuditFileActivity, + + [Parameter()] + [System.Boolean] + $BandwidthLimitEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $BusinessJustificationList, + + [Parameter()] + [System.String] + $CloudAppMode, + + [Parameter()] + [System.String[]] + $CloudAppRestrictionList, + + [Parameter()] + [System.UInt32] + $CustomBusinessJustificationNotification, + + [Parameter()] + [System.UInt32] + 
$DailyBandwidthLimitInMB, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPAppGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPNetworkShareGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPPrinterGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPRemovableMediaGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $EvidenceStoreSettings, + + [Parameter()] + [System.Boolean] + $IncludePredefinedUnallowedBluetoothApps, + + [Parameter()] + [System.Boolean] + $MacDefaultPathExclusionsEnabled, + + [Parameter()] + [System.String[]] + $MacPathExclusion, + + [Parameter()] + [System.Boolean] + $NetworkPathEnforcementEnabled, + + [Parameter()] + [System.String] + $NetworkPathExclusion, + + [Parameter()] + [System.String[]] + $PathExclusion, + + [Parameter()] + [System.Boolean] + $serverDlpEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $SiteGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedCloudSyncApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedBluetoothApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedBrowser, + + [Parameter()] + [System.String[]] + $VPNSettings, + + [Parameter()] + [System.Boolean] + $EnableLabelCoauth, + + [Parameter()] + [System.Boolean] + $EnableSpoAipMigration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $QuarantineParameters, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + 
[Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'SecurityComplianceCenter' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $SiteGroupsValue = @() + foreach ($site in $SiteGroups) + { + $entry = @{ + Name = $site.Name + Description = $site.Description + } + + $addressesValue = @() + foreach ($address in $site.Addresses) + { + $addressesValue += @{ + MatchType = $address.MatchType + Url = $address.Url + AddressLower = $address.AddressLower + AddressUpper = $address.AddressUpper + } + } + + $entry.Add('Addresses', (ConvertTo-Json $addressesValue -Compress -Depth 10)) + $SiteGroupsValue += $entry + } + + $EndpointDlpGlobalSettingsValue = @() + if ($null -ne $AdvancedClassificationEnabled) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'AdvancedClassificationEnabled' + Value = "$($AdvancedClassificationEnabled.ToString().ToLower())" + } + } + + if ($null -ne $BandwidthLimitEnabled) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'BandwidthLimitEnabled' + Value = "$($BandwidthLimitEnabled.ToString().ToLower())" + } + } + + if ($null -ne $DailyBandwidthLimitInMB -and $BandwidthLimitEnabled) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'DailyBandwidthLimitInMB' + Value = "$($DailyBandwidthLimitInMB.ToString().ToLower())" + } + } + + if ($null -ne $EvidenceStoreSettings) + { + $entry += @{ + Setting = 'EvidenceStoreSettings' + Value = @{ + FileEvidenceIsEnabled = $EvidenceStoreSettings.FileEvidenceIsEnabled + Store = $EvidenceStoreSettings.Store + NumberOfDaysToRetain = 
$EvidenceStoreSettings.NumberOfDaysToRetain + } + } + + $StorageAccountsValue = @() + foreach ($storageAccount in $EvidenceStoreSettings.StorageAccounts) + { + $StorageAccountsValue += @{ + Name = $storageAccount.Name + BlobUri = $storageAccount.BlobUri + } + } + $entry.Value.Add('StorageAccounts', $StorageAccountsValue) + $entry.Value = ConvertTo-Json $entry.Value -Depth 10 -Compress + + $EndpointDlpGlobalSettingsValue += $entry + } + + if ($null -ne $MacDefaultPathExclusionsEnabled) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'MacDefaultPathExclusionsEnabled' + Value = "$($MacDefaultPathExclusionsEnabled.ToString().ToLower())" + } + } + + foreach ($path in $PathExclusion) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'PathExclusion' + Value = "$($path.ToString())" + } + } + + foreach ($path in $MacPathExclusion) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'MacPathExclusion' + Value = "$($path.ToString())" + } + } + + foreach ($app in $UnallowedApp) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'UnallowedApp' + Value = "$($app.Value.ToString())" + Executable = "$($app.Executable.ToString())" + } + } + + foreach ($app in $UnallowedCloudSyncApp) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'UnallowedCloudSyncApp' + Value = "$($app.Value.ToString())" + Executable = "$($app.Executable.ToString())" + } + } + + if ($null -ne $NetworkPathEnforcementEnabled) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'NetworkPathEnforcementEnabled' + Value = "$($NetworkPathEnforcementEnabled.ToString().ToLower())" + } + } + + if ($null -ne $NetworkPathExclusion) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'NetworkPathExclusion' + Value = "$($NetworkPathExclusion.ToString())" + } + } + + if ($null -ne $QuarantineParameters) + { + $entry = @{ + Setting = 'QuarantineParameters' + Value = @{ + EnableQuarantineForCloudSyncApps = $QuarantineParameters.EnableQuarantineForCloudSyncApps + QuarantinePath = 
$QuarantineParameters.QuarantinePath + MacQuarantinePath = $QuarantineParameters.MacQuarantinePath + ShouldReplaceFile = $QuarantineParameters.ShouldReplaceFile + FileReplacementText = $QuarantineParameters.FileReplacementText + } + } + $entry.Value = (ConvertTo-Json $entry.Value -Depth 10 -Compress) + $EndpointDlpGlobalSettingsValue += $entry + } + + if ($null -ne $IncludePredefinedUnallowedBluetoothApps) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'IncludePredefinedUnallowedBluetoothApps' + Value = "$($IncludePredefinedUnallowedBluetoothApps.ToString())" + } + } + + foreach ($app in $UnallowedBluetoothApp) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'UnallowedBluetoothApp' + Value = "$($app.Value.ToString())" + Executable = "$($app.Executable.ToString())" + } + } + + foreach ($app in $UnallowedBrowser) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'UnallowedBrowser' + Value = "$($app.Value.ToString())" + Executable = "$($app.Executable.ToString())" + } + } + + foreach ($domain in $CloudAppRestrictionList) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'CloudAppRestrictionList' + Value = "$($domain.ToString())" + } + } + + if ($null -ne $CloudAppMode) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'CloudAppMode' + Value = "$($CloudAppMode.ToString())" + } + } + + if ($null -ne $CustomBusinessJustificationNotification) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'CustomBusinessJustificationNotification' + Value = "$($CustomBusinessJustificationNotification.ToString())" + } + } + + if ($null -ne $BusinessJustificationList) + { + $valueEntry = @() + foreach ($justification in $BusinessJustificationList) + { + $valueEntry += @{ + Id = $justification.Id + Enable = $justification.Enable + justificationText = @($justification.justificationText) + } + } + + $entry = @{ + Setting = 'BusinessJustificationList' + Value = (ConvertTo-Json $valueEntry -Depth 10 -Compress) + } + $EndpointDlpGlobalSettingsValue += 
$entry + } + + if ($null -ne $VPNSettings) + { + $entry = @{ + Setting = 'VPNSettings' + Value = @{ + serverAddress = @() + } + } + foreach ($vpnAddress in $VPNSettings) + { + $entry.Value.serverAddress += $vpnAddress + } + $EndpointDlpGlobalSettingsValue += $entry + } + + if ($null -ne $serverDlpEnabled) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'serverDlpEnabled' + Value = "$($serverDlpEnabled.ToString().ToLower())" + } + } + + if ($null -ne $AuditFileActivity) + { + $EndpointDlpGlobalSettingsValue += @{ + Setting = 'AuditFileActivity' + Value = "$($AuditFileActivity.ToString().ToLower())" + } + } + + $DLPAppGroupsValue = @() + foreach ($group in $DLPAppGroups) + { + $entry = @{ + Name = "$($group.Name.ToString())" + Description = "$($group.Description.ToString())" + } + + $appsValues = @() + foreach ($app in $group.Apps) + { + $appsValues += @{ + Name = $app.Name + ExecutableName = $app.ExecutableName + Quarantine = $app.Quarantine + } + } + $entry.Add('Apps', (ConvertTo-Json $appsValues -Depth 10 -Compress)) + $DLPAppGroupsValue += $entry + } + + $DlpPrinterGroupsValue = @{ + groups = @() + } + $groupCount = 0 + foreach ($group in $DLPPrinterGroups) + { + $entry = @{ + groupName = "$($group.groupName.ToString())" + printers = @() + } + + foreach ($printer in $group.printers) + { + $entry.printers += @{ + alias = $printer.alias + name = $printer.name + usbPrinterPID = $printer.usbPrinterId + usbPrinterVID = $printer.usbPrinterVID + universalPrinter = "$($printer.universalPrinter.Tostring().ToLower())" + corporatePrinter = "$($printer.corporatePrinter.Tostring().ToLower())" + printToFile = "$($printer.printToFile.Tostring().ToLower())" + printToLocal = "$($printer.printToLocal.Tostring().ToLower())" + ipRange = @( + @{ + from = $printer.ipRange.fromAddress + to = $printer.ipRange.toAddress + } + ) + } + } + $DlpPrinterGroupsValue.groups += $entry + $groupCount++ + } + if ($groupCount -eq 0) + { + $DlpPrinterGroupsValue = $null + } + + 
$DLPRemovableMediaGroupsValue = @{ + groups = @() + } + $groupCount = 0 + foreach ($group in $DLPRemovableMediaGroups) + { + $entry = @{ + groupName = $group.groupName + removableMedia = @( + ) + } + + foreach ($media in $group.removableMedia) + { + $entry.removableMedia += @{ + alias = $media.alias + name = $media.name + removableMediaPID = $media.removableMediaPID + removableMediaVID = $media.removableMediaVID + serialNumberId = $media.serialNumberId + deviceId = $media.deviceId + instancePathId = $media.instancePathId + hardwareId = $media.hardwareId + } + } + $DLPRemovableMediaGroupsValue.groups += $entry + $groupCount++ + } + if ($groupCount -eq 0) + { + $DLPRemovableMediaGroupsValue = $null + } + + $params = @{ + SiteGroups = $SiteGroupsValue + EnableLabelCoauth = $EnableLabelCoauth + DlpAppGroups = $DLPAppGroupsValue + DlpPrinterGroups = ConvertTo-Json $DlpPrinterGroupsValue -Depth 10 -Compress + DLPRemovableMediaGroups = ConvertTo-Json $DLPRemovableMediaGroupsValue -Depth 10 -Compress + EnableSpoAipMigration = $EnableSpoAipMigration + EndpointDlpGlobalSettings = $EndpointDlpGlobalSettingsValue + } + Write-Verbose -Message "Updating policy config with values:`r`n$(Convert-M365DscHashtableToString -Hashtable $params)" + Set-PolicyConfig @params +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [ValidateSet('Yes')] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $AdvancedClassificationEnabled, + + [Parameter()] + [System.Boolean] + $AuditFileActivity, + + [Parameter()] + [System.Boolean] + $BandwidthLimitEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $BusinessJustificationList, + + [Parameter()] + [System.String] + $CloudAppMode, + + [Parameter()] + [System.String[]] + $CloudAppRestrictionList, + + [Parameter()] + [System.UInt32] + $CustomBusinessJustificationNotification, + + [Parameter()] + [System.UInt32] 
+ $DailyBandwidthLimitInMB, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPAppGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPNetworkShareGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPPrinterGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DLPRemovableMediaGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $EvidenceStoreSettings, + + [Parameter()] + [System.Boolean] + $IncludePredefinedUnallowedBluetoothApps, + + [Parameter()] + [System.Boolean] + $MacDefaultPathExclusionsEnabled, + + [Parameter()] + [System.String[]] + $MacPathExclusion, + + [Parameter()] + [System.Boolean] + $NetworkPathEnforcementEnabled, + + [Parameter()] + [System.String] + $NetworkPathExclusion, + + [Parameter()] + [System.String[]] + $PathExclusion, + + [Parameter()] + [System.Boolean] + $serverDlpEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $SiteGroups, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedCloudSyncApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedBluetoothApp, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $UnallowedBrowser, + + [Parameter()] + [System.String[]] + $VPNSettings, + + [Parameter()] + [System.Boolean] + $EnableLabelCoauth, + + [Parameter()] + [System.Boolean] + $EnableSpoAipMigration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $QuarantineParameters, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + 
[Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + #Compare Cim instances + $testResult = $true + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + 
$ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'SecurityComplianceCenter' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + $Results = Get-TargetResource @Params + + if ($null -ne $Results.BusinessJustificationList) + { + $Results.BusinessJustificationList = ConvertTo-BusinessJustificationListString -ObjectHash $Results.BusinessJustificationList + } + + if ($null -ne $Results.DLPAppGroups) + { + $Results.DLPAppGroups = ConvertTo-DLPAppGroupsString -ObjectHash $Results.DLPAppGroups + } + + if ($null -ne $Results.DLPNetworkShareGroups) + { + $Results.DLPNetworkShareGroups = ConvertTo-DLPNetworkShareGroupsString -ObjectHash $Results.DLPNetworkShareGroups + } + + if ($null -ne $Results.DLPPrinterGroups -and $Results.DLPPrinterGroups.Length -gt 0) + { + $Results.DLPPrinterGroups = ConvertTo-DLPPrinterGroupsString -ObjectHash $Results.DLPPrinterGroups + } + + if ($null -ne $Results.DLPRemovableMediaGroups) + { + $Results.DLPRemovableMediaGroups = ConvertTo-DLPRemovableMediaGroupsString -ObjectHash $Results.DLPRemovableMediaGroups + } + + if ($null -ne 
$Results.EvidenceStoreSettings) + { + $Results.EvidenceStoreSettings = ConvertTo-EvidenceStoreSettingsString -ObjectHash $Results.EvidenceStoreSettings + } + + if ($null -ne $Results.SiteGroups) + { + $Results.SiteGroups = ConvertTo-SiteGroupsString -ObjectHash $Results.SiteGroups + } + + if ($null -ne $Results.UnallowedApp -and -not [System.String]::IsNullOrEmpty($Results.UnallowedApp)) + { + $Results.UnallowedApp = ConvertTo-AppsString -ObjectHash $Results.UnallowedApp + } + + if ($null -ne $Results.UnallowedCloudSyncApp -and -not [System.String]::IsNullOrEmpty($Results.UnallowedCloudSyncApp)) + { + $Results.UnallowedCloudSyncApp = ConvertTo-AppsString -ObjectHash $Results.UnallowedCloudSyncApp + } + + if ($null -ne $Results.UnallowedBluetoothApp -and -not [System.String]::IsNullOrEmpty($Results.UnallowedBluetoothApp)) + { + $Results.UnallowedBluetoothApp = ConvertTo-AppsString -ObjectHash $Results.UnallowedBluetoothApp + } + + if ($null -ne $Results.UnallowedBrowser -and -not [System.String]::IsNullOrEmpty($Results.UnallowedBrowser)) + { + $Results.UnallowedBrowser = ConvertTo-AppsString -ObjectHash $Results.UnallowedBrowser + } + + if ($null -ne $Results.QuarantineParameters -and -not [System.String]::IsNullOrEmpty($Results.QuarantineParameters)) + { + $Results.QuarantineParameters = ConvertTo-QuarantineParametersString -ObjectHash $Results.QuarantineParameters + } + + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($null -ne $Results.QuarantineParameters) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'QuarantineParameters' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.BusinessJustificationList) + { + $currentDSCBlock = 
Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'BusinessJustificationList' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.DLPAppGroups) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'DLPAppGroups' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.DLPNetworkShareGroups) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'DLPNetworkShareGroups' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.DLPPrinterGroups) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'DLPPrinterGroups' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.DLPRemovableMediaGroups) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'DLPRemovableMediaGroups' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.SiteGroups) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'SiteGroups' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.UnallowedApp) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'UnallowedApp' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.UnallowedCloudSyncApp) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'UnallowedCloudSyncApp' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.UnallowedBluetoothApp) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'UnallowedBluetoothApp' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.UnallowedBrowser) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'UnallowedBrowser' ` + -IsCIMArray:$true + } + + if ($null -ne $Results.EvidenceStoreSettings) + { + $currentDSCBlock = 
Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'EvidenceStoreSettings' ` + -IsCIMArray:$false + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + Write-Host $Global:M365DSCEmojiGreenCheckMark + + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function ConvertTo-QuarantineParametersString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + + $content = [System.Text.StringBuilder]::new() + [void]$content.AppendLine(" MSFT_PolicyConfigQuarantineParameters") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" EnableQuarantineForCloudSyncApps = `$$($ObjectHash.EnableQuarantineForCloudSyncApps)") + [void]$content.AppendLine(" QuarantinePath = '$($ObjectHash.QuarantinePath.ToString())'") + [void]$content.AppendLine(" MacQuarantinePath = '$($ObjectHash.MacQuarantinePath)'") + [void]$content.AppendLine(" ShouldReplaceFile = `$$($ObjectHash.ShouldReplaceFile.ToString())") + [void]$content.AppendLine(" FileReplacementText = '$($ObjectHash.FileReplacementText)'") + [void]$content.AppendLine(" }") + return $content.ToString() +} + +function ConvertTo-BusinessJustificationListString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + + $content = [System.Text.StringBuilder]::new() + + [void]$content.Append('@(') + foreach ($instance in $ObjectHash) + { + [void]$content.AppendLine(" MSFT_PolicyConfigBusinessJustificationList") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" Id = '$($instance.Id)'") + [void]$content.AppendLine(" Enable = `$$($instance.Enable)") + 
[void]$content.AppendLine(" justificationText = '$($instance.justificationText)'") + [void]$content.AppendLine(" }") + } + [void]$content.Append(' )') + $result = $content.ToString() + return $result +} + +function ConvertTo-DLPAppGroupsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + $content = [System.Text.StringBuilder]::new() + + [void]$content.Append('@(') + foreach ($instance in $ObjectHash) + { + [void]$content.AppendLine(" MSFT_PolicyConfigDLPAppGroups") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" Name = '$($instance.Name)'") + [void]$content.AppendLine(" Id = '$($instance.Id)'") + [void]$content.AppendLine(" Description = '$($instance.Description)'") + [void]$content.AppendLine(" Apps = @(") + foreach ($app in $instance.Apps) + { + [void]$content.AppendLine(" MSFT_PolicyConfigDLPApp") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" ExecutableName = '$($app.ExecutableName)'") + [void]$content.AppendLine(" Name = '$($app.Name)'") + [void]$content.AppendLine(" Quarantine = `$$($app.Quarantine)") + [void]$content.AppendLine(" }") + } + [void]$content.AppendLine(" )}") + } + [void]$content.Append(' )') + $result = $content.ToString() + return $result +} + +function ConvertTo-DLPNetworkShareGroupsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + $content = [System.Text.StringBuilder]::new() + + [void]$content.Append('@(') + foreach ($instance in $ObjectHash) + { + [void]$content.AppendLine(" MSFT_PolicyConfigDLPNetworkShareGroups") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" groupName = '$($instance.groupName)'") + [void]$content.AppendLine(" groupId = '$($instance.groupId)'") + [void]$content.Append(" networkPaths = @(") + $countPath = 1 + foreach ($path in $instance.networkPaths) + { + [void]$content.Append("'$path'") + if ($countPath -lt 
$instance.networkPaths.Length) + { + [void]$content.Append(',') + } + $countPath++ + } + [void]$content.AppendLine(')') + [void]$content.AppendLine(" }") + } + [void]$content.Append(' )') + $result = $content.ToString() + return $result +} + +function ConvertTo-EvidenceStoreSettingsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Hashtable] + $ObjectHash + ) + $content = [System.Text.StringBuilder]::new() + [void]$content.AppendLine(" MSFT_PolicyConfigEvidenceStoreSettings") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" FileEvidenceIsEnabled = `$$($ObjectHash.FileEvidenceIsEnabled)") + [void]$content.AppendLine(" NumberOfDaysToRetain = $($ObjectHash.NumberOfDaysToRetain)") + [void]$content.AppendLine(" StorageAccounts = @(") + foreach ($storageAccount in $ObjectHash.StorageAccounts) + { + [void]$content.AppendLine(" MSFT_PolicyConfigStorageAccount") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" Name = '$($storageAccount.Name)'") + [void]$content.AppendLine(" BlobUri = '$($storageAccount.BlobUri)'") + [void]$content.AppendLine(" }") + } + [void]$content.AppendLine(" )") + [void]$content.AppendLine(" Store = '$($ObjectHash.Store)'") + [void]$content.AppendLine(" }") + return $content.ToString() +} + +function ConvertTo-DLPPrinterGroupsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + $content = [System.Text.StringBuilder]::new() + + [void]$content.Append('@(') + foreach ($instance in $ObjectHash) + { + [void]$content.AppendLine(" MSFT_PolicyConfigDLPPrinterGroups") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" groupName = '$($instance.groupName)'") + [void]$content.AppendLine(" groupId = '$($instance.groupId)'") + [void]$content.AppendLine(" printers = @(") + foreach ($printer in $instance.printers) + { + [void]$content.AppendLine(" MSFT_PolicyConfigPrinter") + 
[void]$content.AppendLine(" {") + [void]$content.AppendLine(" universalPrinter = `$$($printer.universalPrinter)") + [void]$content.AppendLine(" usbPrinter = `$$($printer.usbPrinter)") + [void]$content.AppendLine(" usbPrinterId = '$($printer.usbPrinterId)'") + [void]$content.AppendLine(" name = '$($printer.name)'") + [void]$content.AppendLine(" alias = '$($printer.alias)'") + [void]$content.AppendLine(" usbPrinterVID = '$($printer.usbPrinterVID)'") + [void]$content.AppendLine(" ipRange = MSFT_PolicyConfigIPRange") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" fromAddress = '$($printer.ipRange.fromAddress)'") + [void]$content.AppendLine(" toAddress = '$($printer.ipRange.toAddress)'") + [void]$content.AppendLine(" }") + [void]$content.AppendLine(" corporatePrinter = `$$($printer.corporatePrinter)") + [void]$content.AppendLine(" printToLocal = `$$($printer.printToLocal)") + [void]$content.AppendLine(" printToFile = `$$($printer.printToFile)") + [void]$content.AppendLine(" }") + } + [void]$content.AppendLine(" )") + [void]$content.AppendLine(" }") + } + [void]$content.Append(')') + $result = $content.ToString() + return $result +} + +function ConvertTo-DLPRemovableMediaGroupsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + $content = [System.Text.StringBuilder]::new() + + [void]$content.Append('@(') + foreach ($instance in $ObjectHash) + { + [void]$content.AppendLine(" MSFT_PolicyConfigDLPRemovableMediaGroups") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" groupName = '$($instance.groupName)'") + [void]$content.AppendLine(" removableMedias = @(") + foreach ($media in $instance.removableMedia) + { + [void]$content.AppendLine(" MSFT_PolicyConfigRemovableMedia") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" deviceId = '$($media.deviceId)'") + [void]$content.AppendLine(" removableMediaVID = '$($media.removableMediaVID)'") + 
[void]$content.AppendLine(" name = '$($media.name)'") + [void]$content.AppendLine(" alias = '$($media.alias)'") + [void]$content.AppendLine(" removableMediaPID = '$($media.removableMediaPID)'") + [void]$content.AppendLine(" instancePathId = '$($media.instancePathId)'") + [void]$content.AppendLine(" serialNumberId = '$($media.serialNumberId)'") + [void]$content.AppendLine(" hardwareId = '$($media.hardwareId)'") + [void]$content.AppendLine(" }") + } + [void]$content.AppendLine(" )") + [void]$content.AppendLine( "}") + } + [void]$content.Append(' )') + $result = $content.ToString() + return $result +} +function ConvertTo-SiteGroupsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + $content = [System.Text.StringBuilder]::new() + + [void]$content.Append('@(') + foreach ($instance in $ObjectHash) + { + [void]$content.AppendLine(" MSFT_PolicyConfigDLPSiteGroups") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" Id = '$($instance.Id)'") + [void]$content.AppendLine(" Name = '$($instance.Name)'") + [void]$content.AppendLine(" Addresses = @(") + foreach ($address in $instance.addresses) + { + [void]$content.AppendLine(" MSFT_PolicyConfigSiteGroupAddress") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" MatchType = '$($address.MatchType)'") + [void]$content.AppendLine(" Url = '$($address.Url)'") + [void]$content.AppendLine(" AddressLower = '$($address.AddressLower)'") + [void]$content.AppendLine(" AddressUpper = '$($address.AddressUpper)'") + [void]$content.AppendLine(" }") + } + [void]$content.AppendLine(" )") + [void]$content.AppendLine(" }") + } + [void]$content.Append(' )') + $result = $content.ToString() + return $result +} + +function ConvertTo-AppsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $ObjectHash + ) + $content = [System.Text.StringBuilder]::new() + + [void]$content.Append('@(') + 
foreach ($instance in $ObjectHash) + { + [void]$content.AppendLine(" MSFT_PolicyConfigApp") + [void]$content.AppendLine(" {") + [void]$content.AppendLine(" Value = '$($instance.Value)'") + [void]$content.AppendLine(" Executable = '$($instance.Executable)'") + [void]$content.AppendLine(" }") + } + [void]$content.Append(')') + $result = $content.ToString() + return $result +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/MSFT_SCPolicyConfig.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/MSFT_SCPolicyConfig.schema.mof new file mode 100644 index 0000000000..adbd968ecd --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/MSFT_SCPolicyConfig.schema.mof 
@@ -0,0 +1,173 @@
+[ClassVersion("1.0.0")]
+class MSFT_PolicyConfigApp
+{
+ [Write, Description("Name of the application.")] String Value;
+ [Write, Description("Name of the executable file.")] String Executable;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_PolicyConfigStorageAccount
+{
+ [Write, Description("TBD")] String Name;
+ [Write, Description("TBD")] String BlobUri;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_PolicyConfigSiteGroupAddress
+{
+ [Write, Description("TBD")] String MatchType;
+ [Write, Description("TBD")] String Url;
+ [Write, Description("TBD")] String AddressLower;
+ [Write, Description("TBD")] String AddressUpper;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_PolicyConfigDLPSiteGroups
+{
+ [Write, Description("TBD")] String Id;
+ [Write, Description("TBD")] String Name;
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigSiteGroupAddress")] String addresses[];
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_PolicyConfigRemovableMedia
+{
+ [Write, Description("TBD")] String deviceId;
+ [Write, Description("TBD")] String removableMediaVID;
+ [Write, Description("TBD")] String name;
+ [Write, Description("TBD")] String alias;
+ [Write, Description("TBD")] String removableMediaPID;
+ [Write, Description("TBD")] String instancePathId;
+ [Write, Description("TBD")] String serialNumberId;
+ [Write, Description("TBD")] String hardwareId;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_PolicyConfigDLPRemovableMediaGroups
+{
+ [Write, Description("TBD")] String groupName;
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigRemovableMedia")] String removableMedia[];
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_PolicyConfigIPRange
+{
+ [Write, Description("TBD")] String fromAddress;
+ [Write, Description("TBD")] String toAddress;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_PolicyConfigPrinter
+{
+ [Write, Description("TBD")] Boolean universalPrinter;
+ [Write, Description("TBD")] Boolean usbPrinter;
+ [Write, Description("TBD")] String usbPrinterId;
+ [Write, Description("TBD")] String name;
+ [Write, Description("TBD")] String alias;
+ [Write, Description("TBD")] String usbPrinterVID;
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigIPRange")] String ipRange;
+ [Write, Description("TBD")] Boolean corporatePrinter;
+ [Write, Description("TBD")] Boolean printToLocal;
+ [Write, Description("TBD")] Boolean printToFile;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_PolicyConfigDLPNetworkShareGroups
+{
+ [Write, Description("TBD")] String groupName;
+ [Write, Description("TBD")] String groupId;
+ [Write, Description("TBD")] String networkPaths[];
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_PolicyConfigDLPApp
+{
+ [Write, Description("TBD")] String ExecutableName;
+ [Write, Description("TBD")] String Name;
+ [Write, Description("TBD")] Boolean Quarantine;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_PolicyConfigDLPAppGroups
+{
+ [Write, Description("TBD")] String Id;
+ [Write, Description("TBD")] String Name;
+ [Write, Description("TBD")] String Description;
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigDLPApp")] String Apps[];
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_PolicyConfigEvidenceStoreSettings
+{
+ [Write, Description("TBD")] Boolean FileEvidenceIsEnabled;
+ [Write, Description("TBD")] UInt32 NumberOfDaysToRetain;
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigStorageAccount")] String StorageAccounts[];
+ [Write, Description("TBD")] String Store;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_PolicyConfigBusinessJustificationList
+{
+ [Write, Description("TBD")] String Id;
+ [Write, Description("TBD")] String justificationText;
+ [Write, Description("TBD")] Boolean Enable;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_PolicyConfigDLPPrinterGroups
+{
+ [Write, Description("TBD")] String groupName;
+ [Write, Description("TBD")] String groupId;
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigPrinter")] String printers[];
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_PolicyConfigQuarantineParameters
+{
+ [Write, Description("TBD")] Boolean EnableQuarantineForCloudSyncApps;
+ [Write, Description("TBD")] String QuarantinePath;
+ [Write, Description("TBD")] String MacQuarantinePath;
+ [Write, Description("TBD")] Boolean ShouldReplaceFile;
+ [Write, Description("TBD")] String FileReplacementText;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("SCPolicyConfig")]
+class MSFT_SCPolicyConfig : OMI_BaseResource
+{
+ [Key, Description("Accepted value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance;
+ [Write, Description("TBD")] Boolean AdvancedClassificationEnabled;
+ [Write, Description("TBD")] Boolean AuditFileActivity;
+ [Write, Description("TBD")] Boolean BandwidthLimitEnabled;
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigBusinessJustificationList")] String BusinessJustificationList[];
+ [Write, Description("TBD")] String CloudAppMode;
+ [Write, Description("TBD")] String CloudAppRestrictionList[];
+ [Write, Description("TBD")] UInt32 CustomBusinessJustificationNotification;
+ [Write, Description("TBD")] UInt32 DailyBandwidthLimitInMB;
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigDLPAppGroups")] String DLPAppGroups[];
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigDLPNetworkShareGroups")] String DLPNetworkShareGroups[];
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigDLPPrinterGroups")] String DLPPrinterGroups[];
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigDLPRemovableMediaGroups")] String DLPRemovableMediaGroups[];
+ [Write, Description("TBD")] Boolean IncludePredefinedUnallowedBluetoothApps;
+ [Write, Description("TBD")] Boolean MacDefaultPathExclusionsEnabled;
+ [Write, Description("TBD")] String MacPathExclusion[];
+ [Write, Description("TBD")] Boolean NetworkPathEnforcementEnabled;
+ [Write, Description("TBD")] String NetworkPathExclusion;
+ [Write, Description("TBD")] String PathExclusion[];
+ [Write, Description("TBD")] Boolean serverDlpEnabled;
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigEvidenceStoreSettings")] String EvidenceStoreSettings;
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigDLPSiteGroups")] String SiteGroups[];
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigApp")] String UnallowedApp[];
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigApp")] String UnallowedCloudSyncApp[];
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigApp")] String UnallowedBluetoothApp[];
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigApp")] String UnallowedBrowser[];
+ [Write, Description("TBD"), EmbeddedInstance("MSFT_PolicyConfigQuarantineParameters")] String QuarantineParameters;
+ [Write, Description("TBD")] String VPNSettings[];
+ [Write, Description("TBD")] Boolean EnableLabelCoauth;
+ [Write, Description("TBD")] Boolean EnableSpoAipMigration;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/readme.md
new file mode 100644
index 0000000000..c227e8e317
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/readme.md
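Review bot: `MSFT_PolicyConfigDLPRemovableMediaGroups` declares its embedded array as `removableMedia[]`, but `ConvertTo-DLPRemovableMediaGroupsString` in the .psm1 added by this same commit emits `removableMedias = @(`, so an exported configuration would name a property this schema does not define; the exporter string should read `removableMedia = @(`. `QuarantineParameters` is declared here as a single embedded instance, yet Export-TargetResource converts it with `-IsCIMArray:$true` while the other single instance, `EvidenceStoreSettings`, is converted with `$false`; that looks inconsistent and should be confirmed. Nearly every property carries `Description("TBD")`; for a resource that governs DLP settings such as quarantine paths, unallowed apps and path exclusions, each description should say what the setting controls, since an operator reading the generated documentation has nothing else to go on.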
@@ -0,0 +1,6 @@ + +# SCPolicyConfig + +## Description + +Configures the Data Loss Prevention settings in Purview. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/settings.json new file mode 100644 index 0000000000..2796b2f6ef --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SCPolicyConfig/settings.json @@ -0,0 +1,24 @@ +{ + "resourceName": "SCPolicyConfig", + "description": "Configures the Data Loss Prevention settings in Purview.", + "roles": { + "read": [ + "Global Reader" + ], + "update": [ + "Compliance Administrator" + ] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SCSensitivityLabel/MSFT_SCSensitivityLabel.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SCSensitivityLabel/MSFT_SCSensitivityLabel.psm1 index badac1d9d5..0d5a97675e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SCSensitivityLabel/MSFT_SCSensitivityLabel.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SCSensitivityLabel/MSFT_SCSensitivityLabel.psm1 @@ -1133,14 +1133,14 @@ function Set-TargetResource try { Write-Verbose -Message "Creating Label {$Name}" - New-Label @CreationParams -ErrorAction Stop + $newLabel = New-Label @CreationParams -ErrorAction Stop ## Can't set priority until label created - if ($PSBoundParameters.ContainsKey('Priority')) + if ($PSBoundParameters.ContainsKey('Priority') -and $Priority -lt $newLabel.Priority) { Start-Sleep 5 Write-Verbose -Message "Updating the priority for newly created label {$Name}" - Set-label -Identity $Name -priority $Priority -ErrorAction Stop + Set-Label -Identity $Name -priority $Priority -ErrorAction Stop } } catch 
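Review bot: The new guard `$Priority -lt $newLabel.Priority` skips the priority update without any message, so when the requested priority does not pass the comparison, or `New-Label` returns no object, the label keeps the priority it was created with and the verbose log gives no reason. An `else` branch with `Write-Verbose -Message "Skipping priority update for label {$Name}: requested $Priority, created with $($newLabel.Priority)"` would make the skip visible to whoever investigates the resulting drift. The fixed `Start-Sleep 5` before `Set-Label` is presumably a wait for the new label to become available; a one-line comment saying so would help. The try block of Set-TargetResource starts and ends outside the hunk.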
@@ -1705,7 +1705,7 @@ function Convert-StringToAdvancedSettings $settingString = $setting.Replace('[', '').Replace(']', '') $settingKey = $settingString.Split(',')[0] - if ($settingKey -notin @('displayname', 'contenttype', 'tooltip')) + if ($settingKey -notin @('displayname', 'contenttype', 'tooltip', 'parentid')) { $startPos = $settingString.IndexOf(',', 0) + 1 $valueString = $settingString.Substring($startPos, $settingString.Length - $startPos).Trim() diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.psm1 index e0bccf5548..2d206db2ee 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.psm1 @@ -221,7 +221,9 @@ function Get-TargetResource FolderAnonymousLinkType = $SPOSharingSettings.FolderAnonymousLinkType NotifyOwnersWhenItemsReshared = $SPOSharingSettings.NotifyOwnersWhenItemsReshared DefaultLinkPermission = $DefaultLinkPermission - RequireAcceptingAccountMatchInvitedAccount = $SPOSharingSettings.RequireAcceptingAccountMatchInvitedAccount + + #DEPRECATED + #RequireAcceptingAccountMatchInvitedAccount = $SPOSharingSettings.RequireAcceptingAccountMatchInvitedAccount Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId @@ -439,6 +441,9 @@ function Set-TargetResource $CurrentParameters.Remove('ApplicationSecret') | Out-Null $CurrentParameters.Remove('AccessTokens') | Out-Null + # DEPRECATED + $CurrentParameters.Remove('RequireAcceptingAccountMatchInvitedAccount') | Out-Null + [bool]$SetMySharingCapability = $false if ($null -ne $CurrentParameters['MySiteSharingCapability']) { 
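Review bot: `RequireAcceptingAccountMatchInvitedAccount` is now dropped silently: the Set-TargetResource hunk removes it from `$CurrentParameters` and the Test-TargetResource hunk (`@@ -717,6 +711,7 @@`) removes it from `$ValuesToCheck`, so a configuration that still sets it to `$true` is reported as compliant although the resource no longer applies or checks it. The schema description this commit replaces presents the setting as a control over which account may accept an external sharing invitation, so an operator relying on it should be told it is ignored. Next to the `# DEPRECATED` removal in Set-TargetResource, add `if ($PSBoundParameters.ContainsKey('RequireAcceptingAccountMatchInvitedAccount')) { Write-Warning -Message 'RequireAcceptingAccountMatchInvitedAccount is deprecated and is ignored by this resource.' }`. In the Get-TargetResource hunk the commented-out hashtable entry could be deleted rather than kept, and the schema's new `Description("DEPRECATED")` would be more useful if it also said the value is ignored. All three functions continue outside their hunks.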
@@ -446,13 +451,6 @@ function Set-TargetResource } $CurrentParameters.Remove('MySiteSharingCapability') | Out-Null - if ($null -eq $SharingAllowedDomainList -and $null -eq $SharingBlockedDomainList -and - ($null -ne $RequireAcceptingAccountMatchInvitedAccount -and $RequireAcceptingAccountMatchInvitedAccount -eq $false)) - { - Write-Warning -Message 'If SharingAllowedDomainList / SharingBlockedDomainList are set to null RequireAcceptingAccountMatchInvitedAccount must be set to True ' - $CurrentParameters.Remove('RequireAcceptingAccountMatchInvitedAccount') | Out-Null - } - if ($null -eq $SignInAccelerationDomain) { $CurrentParameters.Remove('SignInAccelerationDomain') | Out-Null @@ -498,10 +496,6 @@ function Set-TargetResource Write-Warning -Message 'SharingDomainRestrictionMode is set to BlockList. For that SharingAllowedDomainList cannot be configured' $CurrentParameters.Remove('SharingAllowedDomainList') | Out-Null } - foreach ($value in $CurrentParameters.GetEnumerator()) - { - Write-Verbose -Message "Configuring Tenant with: $value" - } if ($null -ne $CurrentParameters['SharingAllowedDomainList']) { @@ -717,6 +711,7 @@ function Test-TargetResource $ValuesToCheck.Remove('CertificateThumbprint') | Out-Null $ValuesToCheck.Remove('ManagedIdentity') | Out-Null $ValuesToCheck.Remove('AccessTokens') | Out-Null + $ValuesToCheck.Remove('RequireAcceptingAccountMatchInvitedAccount') | Out-Null if ($DefaultLinkPermission -eq 'None') { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.schema.mof index add4742012..b11b46de02 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.schema.mof 
@@ -22,7 +22,7 @@ class MSFT_SPOSharingSettings : OMI_BaseResource
 [Write, Description("Configures anonymous link types for folders"),ValueMap{"View","Edit"},Values{"View","Edit"}] string FolderAnonymousLinkType;
 [Write, Description("When this parameter is set to $true and another user re-shares a document from a user’s OneDrive for Business, the OneDrive for Business owner is notified by e-mail.")] boolean NotifyOwnersWhenItemsReshared;
 [Write, Description("Specifies the link permission on the tenant level. Valid values to set are View and Edit. A value of None will be set to Edit as its the default value."),ValueMap{"None","View","Edit"},Values{"None","View","Edit"}] string DefaultLinkPermission;
- [Write, Description("Ensures that an external user can only accept an external sharing invitation with an account matching the invited email address.Administrators who desire increased control over external collaborators should consider enabling this feature. False (default) - When a document is shared with an external user, bob@contoso.com, it can be accepted by any user with access to the invitation link in the original e-mail.True - User must accept this invitation with bob@contoso.com.")] boolean RequireAcceptingAccountMatchInvitedAccount;
+ [Write, Description("DEPRECATED")] boolean RequireAcceptingAccountMatchInvitedAccount;
 [Write, Description("Only accepted value is 'Present'."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
 [Write, Description("Credentials of the account to authenticate with."), EmbeddedInstance("MSFT_Credential")] string Credential;
 [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1
index 21414fb375..b52a11dd1a 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 @@ -106,6 +106,26 @@ function Get-TargetResource [System.String] $TenantDefaultTimezone, + [Parameter()] + [System.Boolean] + $ExemptNativeUsersFromTenantLevelRestricedAccessControl, + + [Parameter()] + [System.String[]] + $AllowSelectSGsInODBListInTenant, + + [Parameter()] + [System.String[]] + $DenySelectSGsInODBListInTenant, + + [Parameter()] + [System.String[]] + $DenySelectSecurityGroupsInSPSitesList, + + [Parameter()] + [System.String[]] + $AllowSelectSecurityGroupsInSPSitesList, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] 
@@ -184,41 +204,56 @@ function Get-TargetResource $MaxCompat = $CompatibilityRange[1] } + # Additional Properties via REST + $parametersToRetrieve = @('ExemptNativeUsersFromTenantLevelRestricedAccessControl', + 'AllowSelectSGsInODBListInTenant', + 'DenySelectSGsInODBListInTenant', + 'DenySelectSecurityGroupsInSPSitesList', + 'AllowSelectSecurityGroupsInSPSitesList') + + $response = Invoke-PnPSPRestMethod -Method Get ` + -Url "$($Global:MSCloudLoginConnectionProfile.PnP.AdminUrl)/_api/SPO.Tenant?`$select=$($parametersToRetrieve -join ',')" + + return @{ - IsSingleInstance = 'Yes' - MinCompatibilityLevel = $MinCompat - MaxCompatibilityLevel = $MaxCompat - SearchResolveExactEmailOrUPN = $SPOTenantSettings.SearchResolveExactEmailOrUPN - OfficeClientADALDisabled = $SPOTenantSettings.OfficeClientADALDisabled - LegacyAuthProtocolsEnabled = $SPOTenantSettings.LegacyAuthProtocolsEnabled - SignInAccelerationDomain = $SPOTenantSettings.SignInAccelerationDomain - UsePersistentCookiesForExplorerView = $SPOTenantSettings.UsePersistentCookiesForExplorerView - #UserVoiceForFeedbackEnabled = $SPOTenantSettings.UserVoiceForFeedbackEnabled - PublicCdnEnabled = $SPOTenantSettings.PublicCdnEnabled - PublicCdnAllowedFileTypes = $SPOTenantSettings.PublicCdnAllowedFileTypes - UseFindPeopleInPeoplePicker = $SPOTenantSettings.UseFindPeopleInPeoplePicker - NotificationsInSharePointEnabled = $SPOTenantSettings.NotificationsInSharePointEnabled - OwnerAnonymousNotification = $SPOTenantSettings.OwnerAnonymousNotification - ApplyAppEnforcedRestrictionsToAdHocRecipients = $SPOTenantSettings.ApplyAppEnforcedRestrictionsToAdHocRecipients - FilePickerExternalImageSearchEnabled = $SPOTenantSettings.FilePickerExternalImageSearchEnabled - HideDefaultThemes = $SPOTenantSettings.HideDefaultThemes - HideSyncButtonOnTeamSite = $SPOTenantSettings.HideSyncButtonOnTeamSite - MarkNewFilesSensitiveByDefault = $SPOTenantSettings.MarkNewFilesSensitiveByDefault - DisabledWebPartIds = 
[String[]]$SPOTenantSettings.DisabledWebPartIds - SocialBarOnSitePagesDisabled = $SPOTenantSettings.SocialBarOnSitePagesDisabled - CommentsOnSitePagesDisabled = $SPOTenantSettings.CommentsOnSitePagesDisabled - EnableAIPIntegration = $SPOTenantSettings.EnableAIPIntegration - TenantDefaultTimezone = $SPOTenantGraphSettings.TenantDefaultTimeZone - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - ApplicationSecret = $ApplicationSecret - CertificatePassword = $CertificatePassword - CertificatePath = $CertificatePath - CertificateThumbprint = $CertificateThumbprint - Managedidentity = $ManagedIdentity.IsPresent - Ensure = 'Present' - AccessTokens = $AccessTokens + IsSingleInstance = 'Yes' + ExemptNativeUsersFromTenantLevelRestricedAccessControl = $response.ExemptNativeUsersFromTenantLevelRestricedAccessControl + AllowSelectSGsInODBListInTenant = $response.AllowSelectSGsInODBListInTenant + DenySelectSGsInODBListInTenant = $response.DenySelectSGsInODBListInTenant + DenySelectSecurityGroupsInSPSitesList = $response.DenySelectSecurityGroupsInSPSitesList + AllowSelectSecurityGroupsInSPSitesList = $response.AllowSelectSecurityGroupsInSPSitesList + MinCompatibilityLevel = $MinCompat + MaxCompatibilityLevel = $MaxCompat + SearchResolveExactEmailOrUPN = $SPOTenantSettings.SearchResolveExactEmailOrUPN + OfficeClientADALDisabled = $SPOTenantSettings.OfficeClientADALDisabled + LegacyAuthProtocolsEnabled = $SPOTenantSettings.LegacyAuthProtocolsEnabled + SignInAccelerationDomain = $SPOTenantSettings.SignInAccelerationDomain + UsePersistentCookiesForExplorerView = $SPOTenantSettings.UsePersistentCookiesForExplorerView + PublicCdnEnabled = $SPOTenantSettings.PublicCdnEnabled + PublicCdnAllowedFileTypes = $SPOTenantSettings.PublicCdnAllowedFileTypes + UseFindPeopleInPeoplePicker = $SPOTenantSettings.UseFindPeopleInPeoplePicker + NotificationsInSharePointEnabled = $SPOTenantSettings.NotificationsInSharePointEnabled + OwnerAnonymousNotification = 
$SPOTenantSettings.OwnerAnonymousNotification + ApplyAppEnforcedRestrictionsToAdHocRecipients = $SPOTenantSettings.ApplyAppEnforcedRestrictionsToAdHocRecipients + FilePickerExternalImageSearchEnabled = $SPOTenantSettings.FilePickerExternalImageSearchEnabled + HideDefaultThemes = $SPOTenantSettings.HideDefaultThemes + HideSyncButtonOnTeamSite = $SPOTenantSettings.HideSyncButtonOnTeamSite + MarkNewFilesSensitiveByDefault = $SPOTenantSettings.MarkNewFilesSensitiveByDefault + DisabledWebPartIds = [String[]]$SPOTenantSettings.DisabledWebPartIds + SocialBarOnSitePagesDisabled = $SPOTenantSettings.SocialBarOnSitePagesDisabled + CommentsOnSitePagesDisabled = $SPOTenantSettings.CommentsOnSitePagesDisabled + EnableAIPIntegration = $SPOTenantSettings.EnableAIPIntegration + TenantDefaultTimezone = $SPOTenantGraphSettings.TenantDefaultTimeZone + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificatePassword = $CertificatePassword + CertificatePath = $CertificatePath + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + Ensure = 'Present' + AccessTokens = $AccessTokens } } catch @@ -341,6 +376,26 @@ function Set-TargetResource [System.String] $TenantDefaultTimezone, + [Parameter()] + [System.Boolean] + $ExemptNativeUsersFromTenantLevelRestricedAccessControl, + + [Parameter()] + [System.String[]] + $AllowSelectSGsInODBListInTenant, + + [Parameter()] + [System.String[]] + $DenySelectSGsInODBListInTenant, + + [Parameter()] + [System.String[]] + $DenySelectSecurityGroupsInSPSitesList, + + [Parameter()] + [System.String[]] + $AllowSelectSecurityGroupsInSPSitesList, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] 
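Review bot: The new `Invoke-PnPSPRestMethod -Method Get` call in the Get-TargetResource hunk at -184 has no error handling of its own, and the `catch` closing the hunk suggests it runs inside the function's existing `try`, which opens outside the hunk. Set-TargetResource in this same commit tolerates an "experimental feature ... not supported" error for these five properties, so on such a tenant the Get would presumably fall into that `catch` and report none of the tenant settings. I would guard the REST call separately so `$response` stays `$null` and the remaining values are still returned, for example `try { $response = Invoke-PnPSPRestMethod ... } catch { Write-Verbose -Message $_.Exception.Message }`. A short comment above the call stating that these properties are not exposed by the tenant-settings cmdlet would also explain why REST is used.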
@@ -416,6 +471,11 @@ function Set-TargetResource $CurrentParameters.Remove('ManagedIdentity') | Out-Null $CurrentParameters.Remove('ApplicationSecret') | Out-Null $CurrentParameters.Remove('AccessTokens') | Out-Null + $CurrentParameters.Remove('ExemptNativeUsersFromTenantLevelRestricedAccessControl') | Out-Null + $CurrentParameters.Remove('AllowSelectSGsInODBListInTenant') | Out-Null + $CurrentParameters.Remove('DenySelectSGsInODBListInTenant') | Out-Null + $CurrentParameters.Remove('DenySelectSecurityGroupsInSPSitesList') | Out-Null + $CurrentParameters.Remove('AllowSelectSecurityGroupsInSPSitesList') | Out-Null $CurrentParameters.Remove('TenantDefaultTimezone') | Out-Null # this one is updated separately using Graph if ($CurrentParameters.Keys.Contains('UserVoiceForFeedbackEnabled')) 
@@ -435,6 +495,62 @@ function Set-TargetResource { $tenantGraph = Update-MgAdminSharepointSetting -TenantDefaultTimezone $TenantDefaultTimezone -ErrorAction Stop } + + # Updating via REST + try + { + $paramsToUpdate = @{} + $needToUpdate = $false + + if ($null -ne $ExemptNativeUsersFromTenantLevelRestricedAccessControl) + { + $needToUpdate = $true + $paramsToUpdate.Add("ExemptNativeUsersFromTenantLevelRestricedAccessControl", $ExemptNativeUsersFromTenantLevelRestricedAccessControl) + } + + if ($null -ne $AllowSelectSGsInODBListInTenant) + { + $needToUpdate = $true + $paramsToUpdate.Add("AllowSelectSGsInODBListInTenant", $AllowSelectSGsInODBListInTenant) + } + + if ($null -ne $DenySelectSGsInODBListInTenant) + { + $needToUpdate = $true + $paramsToUpdate.Add("DenySelectSGsInODBListInTenant", $DenySelectSGsInODBListInTenant) + } + + if ($null -ne $DenySelectSecurityGroupsInSPSitesList) + { + $needToUpdate = $true + $paramsToUpdate.Add("DenySelectSecurityGroupsInSPSitesList", $DenySelectSecurityGroupsInSPSitesList) + } + + if ($null -ne $AllowSelectSecurityGroupsInSPSitesList) + { + $needToUpdate = $true + $paramsToUpdate.Add("AllowSelectSecurityGroupsInSPSitesList", $AllowSelectSecurityGroupsInSPSitesList) + } + + if ($needToUpdate) + { + Write-Verbose -Message "Updating properties via REST PATCH call." + Invoke-PnPSPRestMethod -Method PATCH ` + -Url "$($Global:MSCloudLoginConnectionProfile.PnP.AdminUrl)/_api/SPO.Tenant" ` + -Content $paramsToUpdate + } + } + catch + { + if ($_.Exception.Message.Contains("The requested operation is part of an experimental feature that is not supported in the current environment.")) + { + Write-Verbose -Message "Updating via REST: The associated feature is not available in the given tenant." + } + else + { + throw $_ + } + } } function Test-TargetResource 
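Review bot: `$ExemptNativeUsersFromTenantLevelRestricedAccessControl` is declared `[System.Boolean]`, so the test `$null -ne $ExemptNativeUsersFromTenantLevelRestricedAccessControl` is true even when the configuration never sets it. The PATCH is then sent on every Set with the value `$false`, overwriting whatever the tenant had for this access-restriction exemption. Test for presence instead: `if ($PSBoundParameters.ContainsKey('ExemptNativeUsersFromTenantLevelRestricedAccessControl'))`. The `catch` branch that swallows the "experimental feature" error logs only through `Write-Verbose`, so requested allow/deny security-group lists can fail to apply without the operator noticing; `Write-Warning` would be the safer level there. Set-TargetResource starts outside this hunk.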
@@ -541,6 +657,26 @@ function Test-TargetResource [System.String] $TenantDefaultTimezone, + [Parameter()] + [System.Boolean] + $ExemptNativeUsersFromTenantLevelRestricedAccessControl, + + [Parameter()] + [System.String[]] + $AllowSelectSGsInODBListInTenant, + + [Parameter()] + [System.String[]] + $DenySelectSGsInODBListInTenant, + + [Parameter()] + [System.String[]] + $DenySelectSecurityGroupsInSPSitesList, + + [Parameter()] + [System.String[]] + $AllowSelectSecurityGroupsInSPSitesList, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof index 45d9efdd69..9f9fca89d5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof 
@@ -24,6 +24,11 @@ class MSFT_SPOTenantSettings : OMI_BaseResource
 [Write, Description("Disables or enables the Social Bar. It will give users the ability to like a page, see the number of views, likes, and comments on a page, and see the people who have liked a page.")] boolean SocialBarOnSitePagesDisabled;
 [Write, Description("Set to false to enable a comment section on all site pages, users who have access to the pages can leave comments. Set to true to disable this feature.")] boolean CommentsOnSitePagesDisabled;
 [Write, Description("Boolean indicating if Azure Information Protection (AIP) should be enabled on the tenant.")] boolean EnableAIPIntegration;
+ [Write, Description("Determines whether or not we need to include external participants in shared channels for SharePoint access restriction.")] Boolean ExemptNativeUsersFromTenantLevelRestricedAccessControl;
+ [Write, Description("List of security groups to include in OneDrive access restrictions")] String AllowSelectSGsInODBListInTenant[];
+ [Write, Description("List of security groups to exclude in OneDrive access restrictions")] String DenySelectSGsInODBListInTenant[];
+ [Write, Description("List of security groups to exclude in SharePoint access restrictions")] String DenySelectSecurityGroupsInSPSitesList[];
+ [Write, Description("List of security groups to include in SharePoint access restrictions.")] String AllowSelectSecurityGroupsInSPSitesList[];
 [Write, Description("The default timezone of a tenant for newly created sites.")] String TenantDefaultTimezone;
 [Write, Description("Only accepted value is 'Present'."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
 [Write, Description("Credentials of the account to authenticate with."), EmbeddedInstance("MSFT_Credential")] string Credential;
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.psm1
new file mode 100644
index 0000000000..77911ab204
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.psm1
@@ -0,0 +1,1389 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $ProductFilter, + + [Parameter()] + [System.Boolean] + $Enabled, + + [Parameter()] + [System.String] + $Severity, + + [Parameter()] + [System.String[]] + $Tactics, + + [Parameter()] + [System.String[]] + $Techniques, + + [Parameter()] + [System.String[]] + $SubTechniques, + + [Parameter()] + [System.String] + $Query, + + [Parameter()] + [System.String] + $QueryFrequency, + + [Parameter()] + [System.String] + $QueryPeriod, + + [Parameter()] + [System.String] + $TriggerOperator, + + [Parameter()] + [System.UInt32] + $TriggerThreshold, + + [Parameter()] + [System.String] + $SuppressionDuration, + + [Parameter()] + [System.String] + $SuppressionEnabled, + + [Parameter()] + [System.String] + $AlertRuleTemplateName, + + [Parameter()] + [System.String[]] + $DisplayNamesExcludeFilter, + + [Parameter()] + [System.String[]] + $DisplayNamesFilter, + + [Parameter()] + [System.String[]] + $SeveritiesFilter, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EventGroupingSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomDetails, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $EntityMappings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AlertDetailsOverride, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $IncidentConfiguration, + + [Parameter()] + [System.String] + $Kind, + + [Parameter()] + 
[ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ([System.String]::IsNullOrEmpty($TenantId) -and -not $null -eq $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = Get-M365DSCSentinelAlertRule -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Id $Id + } + if ($null -eq $instance) + { + $instances = Get-M365DSCSentinelAlertRule -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId + $instance = $instances | Where-Object -FilterScript {$_.properties.displayName -eq $DisplayName} + } + if ($null -eq $instance) + { + return $nullResult + } + + # EventGroupingSettings + $EventGroupingValueSettingsValue = $null + if ($null -ne $instance.properties.eventGroupingSettings) + { + $EventGroupingValueSettingsValue = @{ + aggregationKind = 
$instance.properties.eventGroupingSettings.aggregationKind + } + } + + # CustomDetails + $CustomDetailsValue = @() + if ($null -ne $instance.properties.customDetails) + { + $detailAsHash = @{} + $instance.properties.customDetails.psobject.properties | foreach { $detailAsHash[$_.Name] = $_.Value } + foreach ($key in $detailAsHash.Keys) + { + $CustomDetailsValue += @{ + DetailKey = $key + DetailValue = $detailAsHash.$key + } + } + } + + #EntityMappings + $EntityMappingsValue = @() + if ($null -ne $instance.properties.entityMappings) + { + foreach ($mapping in $instance.properties.entityMappings) + { + $entity = @{ + entityType = $mapping.entityType + fieldMappings = @() + } + + foreach ($fieldMapping in $mapping.fieldMappings) + { + $entity.fieldMappings += @{ + identifier = $fieldMapping.identifier + columnName = $fieldMapping.columnName + } + } + + $EntityMappingsValue += $entity + } + } + + #AlertDetailsOverride + if ($null -ne $instance.properties.alertDetailsOverride) + { + $info = $instance.properties.alertDetailsOverride + $AlertDetailsOverrideValue = @{ + alertDisplayNameFormat = $info.alertDisplayNameFormat + alertDescriptionFormat = $info.alertDescriptionFormat + alertDynamicProperties = @() + } + + foreach ($propertyEntry in $info.alertDynamicProperties) + { + $AlertDetailsOverrideValue.alertDynamicProperties += @{ + alertProperty = $propertyEntry.alertProperty + alertPropertyValue = $propertyEntry.value + } + } + } + + #IncidentConfiguration + if ($null -ne $instance.properties.incidentConfiguration) + { + $info = $instance.properties.incidentConfiguration + $IncidentConfigurationValue = @{ + createIncident = [Boolean]::Parse($info.createIncident.ToString()) + groupingConfiguration = @{ + enabled = $info.groupingConfiguration.enabled + reopenClosedIncident = $info.groupingConfiguration.reopenClosedIncident + lookbackDuration = $info.groupingConfiguration.lookbackDuration + matchingMethod = $info.groupingConfiguration.matchingMethod + groupByEntities = 
$info.groupingConfiguration.groupByEntities + groupByAlertDetails = $info.groupingConfiguration.groupByAlertDetails + groupByCustomDetails = $info.groupingConfiguration.groupByCustomDetails + } + } + } + + $results = @{ + ProductFilter = $instance.properties.ProductFilter + Enabled = $instance.properties.Enabled + Severity = $instance.properties.Severity + Tactics = $instance.properties.Tactics + Techniques = $instance.properties.Techniques + SubTechniques = $instance.properties.SubTechniques + Query = $instance.properties.Query + QueryFrequency = $instance.properties.QueryFrequency + QueryPeriod = $instance.properties.QueryPeriod + TriggerOperator = $instance.properties.TriggerOperator + TriggerThreshold = $instance.properties.TriggerThreshold + SuppressionDuration = $instance.properties.SuppressionDuration + SuppressionEnabled = $instance.properties.SuppressionEnabled + AlertRuleTemplateName = $instance.properties.AlertRuleTemplateName + DisplayNamesExcludeFilter = $instance.properties.DisplayNamesExcludeFilter + DisplayNamesFilter = $instance.properties.DisplayNamesFilter + SeveritiesFilter = $instance.properties.SeveritiesFilter + DisplayName = $instance.properties.displayName + EventGroupingSettings = $EventGroupingValueSettingsValue + CustomDetails = $CustomDetailsValue + EntityMappings = $EntityMappingsValue + AlertDetailsOverride = $AlertDetailsOverrideValue + IncidentConfiguration = $IncidentConfigurationValue + SubscriptionId = $SubscriptionId + ResourceGroupName = $ResourceGroupName + WorkspaceName = $WorkspaceName + Id = $instance.name + Kind = $instance.kind + Description = $instance.properties.description + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry 
-Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $ProductFilter, + + [Parameter()] + [System.Boolean] + $Enabled, + + [Parameter()] + [System.String] + $Severity, + + [Parameter()] + [System.String[]] + $Tactics, + + [Parameter()] + [System.String[]] + $Techniques, + + [Parameter()] + [System.String[]] + $SubTechniques, + + [Parameter()] + [System.String] + $Query, + + [Parameter()] + [System.String] + $QueryFrequency, + + [Parameter()] + [System.String] + $QueryPeriod, + + [Parameter()] + [System.String] + $TriggerOperator, + + [Parameter()] + [System.UInt32] + $TriggerThreshold, + + [Parameter()] + [System.String] + $SuppressionDuration, + + [Parameter()] + [System.String] + $SuppressionEnabled, + + [Parameter()] + [System.String] + $AlertRuleTemplateName, + + [Parameter()] + [System.String[]] + $DisplayNamesExcludeFilter, + + [Parameter()] + [System.String[]] + $DisplayNamesFilter, + + [Parameter()] + [System.String[]] + $SeveritiesFilter, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EventGroupingSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomDetails, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $EntityMappings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AlertDetailsOverride, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance] + $IncidentConfiguration, + + [Parameter()] + [System.String] + $Kind, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + if ([System.String]::IsNullOrEmpty($TenantId) -and -not $null -eq $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + + $instance = @{} + if ($Kind -eq 'Fusion') + { + $instance = @{ + kind = $Kind + properties = @{ + alertRuleTemplateName = $AlertRuleTemplateName + enabled = $Enabled + } + } + } + elseif ($Kind -eq 'MicrosoftSecurityIncidentCreation') + { + $instance = @{ + kind = $Kind + properties = @{ + displayName = $DisplayName + description = $Description + productFilter = $ProductFilter + displayNamesExcludeFilter = $DisplayNamesExcludeFilter + displayNamesFilter = $DisplayNamesFilter + enabled = $Enabled + severitiesFilter = $AlertSeverity + } + } + } + elseif ($Kind -eq 'Scheduled') + { + $instance = @{ + kind = $Kind + properties = @{ + displayName = $DisplayName + enabled = $Enabled + description = $Description + query = $Query + queryFrequency = $QueryFrequency + queryPeriod = 
$QueryPeriod + severity = $Severity + suppressionDuration = $SuppressionDuration + suppressionEnabled = $SuppressionEnabled + triggerOperator = $TriggerOperator + triggerThreshold = $TriggerThreshold + eventGroupingSettings = @{ + aggregationKind = $EventGroupingSettings.aggregationKind + } + customDetails = @{} + alertDetailsOverride = @{ + alertDisplayNameFormat = $AlertDetailsOverride.alertDisplayNameFormat + alertDescriptionFormat = $AlertDetailsOverride.alertDescriptionFormat + alertDynamicProperties = @() + } + entityMappings = @() + incidentConfiguration = @{ + createIncident = $IncidentConfiguration.createIncident + groupingConfiguration = @{ + enabled = $IncidentConfiguration.groupingConfiguration.enabled + reopenClosedIncident = $IncidentConfiguration.groupingConfiguration.reopenClosedIncident + lookbackDuration = $IncidentConfiguration.groupingConfiguration.lookbackDuration + matchingMethod = $IncidentConfiguration.groupingConfiguration.matchingMethod + groupByEntities = $IncidentConfiguration.groupingConfiguration.groupByEntities + groupByAlertDetails = $IncidentConfiguration.groupingConfiguration.groupByAlertDetails + groupByCustomDetails = $IncidentConfiguration.groupingConfiguration.groupByCustomDetails + } + } + productFilter = $ProductFilter + displayNamesExcludeFilter = $DisplayNamesExcludeFilter + displayNamesFilter = $DisplayNamesFilter + severitiesFilter = $AlertSeverity + } + } + + foreach ($entity in $EntityMappings) + { + $entry = @{ + entityType = $entity.entityType + fieldMappings = @() + } + + foreach ($field in $entity.fieldMappings) + { + $entry.fieldMappings += @{ + identifier = $field.identifier + columnName = $field.columnName + } + } + + $instance.properties.entityMappings += $entry + } + + foreach ($detail in $CustomDetails) + { + $instance.properties.customDetails.Add($detail.DetailKey, $detail.DetailValue) + } + + foreach ($dynamicProp in $AlertDetailsOverride.alertDynamicProperties) + { + 
$instance.properties.alertDetailsOverride.alertDynamicProperties += @{ + alertProperty = $dynamicProp.alertProperty + value = $dynamicProp.alertPropertyValue + } + } + } + elseif ($Kind -eq 'NRT') + { + $instance = @{ + kind = $Kind + properties = @{ + displayName = $DisplayName + enabled = $Enabled + description = $Description + query = $Query + severity = $Severity + suppressionDuration = $SuppressionDuration + suppressionEnabled = $SuppressionEnabled + eventGroupingSettings = @{ + aggregationKind = $EventGroupingSettings.aggregationKind + } + alertDetailsOverride = @{ + alertDisplayNameFormat = $AlertDetailsOverride.alertDisplayNameFormat + alertDescriptionFormat = $AlertDetailsOverride.alertDescriptionFormat + alertDynamicProperties = @() + } + entityMappings = @() + customDetails = @{} + incidentConfiguration = @{ + createIncident = $IncidentConfiguration.createIncident + groupingConfiguration = @{ + enabled = $IncidentConfiguration.groupingConfiguration.enabled + reopenClosedIncident = $IncidentConfiguration.groupingConfiguration.reopenClosedIncident + lookbackDuration = $IncidentConfiguration.groupingConfiguration.lookbackDuration + matchingMethod = $IncidentConfiguration.groupingConfiguration.matchingMethod + groupByEntities = $IncidentConfiguration.groupingConfiguration.groupByEntities + groupByAlertDetails = $IncidentConfiguration.groupingConfiguration.groupByAlertDetails + groupByCustomDetails = $IncidentConfiguration.groupingConfiguration.groupByCustomDetails + } + } + techniques = $Techniques + subTechniques = $SubTechniques + tactics = $Tactics + } + } + + if ($null -eq $EntityMappings -or $EntityMappings.Length -eq 0) + { + $instance.properties.Remove('entityMappings') | Out-Null + } + else + { + foreach ($entity in $EntityMappings) + { + $entry = @{ + entityType = $entity.entityType + fieldMappings = @() + } + + foreach ($field in $entity.fieldMappings) + { + $entry.fieldMappings += @{ + identifier = $field.identifier + columnName = 
$field.columnName + } + } + + $instance.properties.entityMappings += $entry + } + } + + foreach ($detail in $CustomDetails) + { + $instance.properties.customDetails.Add($detail.DetailKey, $detail.DetailValue) + } + + foreach ($dynamicProp in $AlertDetailsOverride.alertDynamicProperties) + { + $instance.properties.alertDetailsOverride.alertDynamicProperties += @{ + alertProperty = $dynamicProp.alertProperty + value = $dynamicProp.alertPropertyValue + } + } + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new Alert Rule {$DisplayName}" + New-M365DSCSentinelAlertRule -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Body $instance + } + # UPDATE + elseif($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating Alert Rule {$DisplayName}" + New-M365DSCSentinelAlertRule -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Body $instance ` + -Id $currentInstance.Id + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing Alert Rule {$DisplayName}" + Remove-M365DSCSentinelAlertRule -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Id $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + 
$Description, + + [Parameter()] + [System.String] + $ProductFilter, + + [Parameter()] + [System.Boolean] + $Enabled, + + [Parameter()] + [System.String] + $Severity, + + [Parameter()] + [System.String[]] + $Tactics, + + [Parameter()] + [System.String[]] + $Techniques, + + [Parameter()] + [System.String[]] + $SubTechniques, + + [Parameter()] + [System.String] + $Query, + + [Parameter()] + [System.String] + $QueryFrequency, + + [Parameter()] + [System.String] + $QueryPeriod, + + [Parameter()] + [System.String] + $TriggerOperator, + + [Parameter()] + [System.UInt32] + $TriggerThreshold, + + [Parameter()] + [System.String] + $SuppressionDuration, + + [Parameter()] + [System.String] + $SuppressionEnabled, + + [Parameter()] + [System.String] + $AlertRuleTemplateName, + + [Parameter()] + [System.String[]] + $DisplayNamesExcludeFilter, + + [Parameter()] + [System.String[]] + $DisplayNamesFilter, + + [Parameter()] + [System.String[]] + $SeveritiesFilter, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EventGroupingSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $CustomDetails, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $EntityMappings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AlertDetailsOverride, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $IncidentConfiguration, + + [Parameter()] + [System.String] + $Kind, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection 
-Workload 'Azure' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + $workspaces = Get-AzResource -ResourceType 'Microsoft.OperationalInsights/workspaces' + $Script:exportedInstances = @() + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + if ([System.String]::IsNullOrEmpty($TenantId) -and $null -ne $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + foreach ($workspace in $workspaces) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + Write-Host " |---[$i/$($workspaces.Length)] $($workspace.Name)" -NoNewline + $subscriptionId = $workspace.ResourceId.Split('/')[2] + $resourceGroupName = $workspace.ResourceGroupName + $workspaceName = $workspace.Name + + $rules = Get-M365DSCSentinelAlertRule -SubscriptionId $subscriptionId ` + -ResourceGroupName $resourceGroupName ` + -WorkspaceName $workspaceName ` + -TenantId $TenantId + + $j = 1 + if ($currentWatchLists.Length -eq 0 ) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + foreach ($rule in $rules) + { + $displayedKey = $rule.properties.DisplayName + Write-Host " |---[$j/$($rules.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $rule.properties.displayName + Id = $rule.name + SubscriptionId = $subscriptionId + ResourceGroupName = $resourceGroupName + WorkspaceName = 
$workspaceName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ( $null -ne $Results.EventGroupingSettings) + { + $complexMapping = @( + @{ + Name = 'EventGroupingSettings' + CimInstanceName = 'SentinelAlertRuleEventGroupingSettings' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.EventGroupingSettings ` + -CIMInstanceName 'SentinelAlertRuleEventGroupingSettings' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.EventGroupingSettings = $complexTypeStringResult + } + else + { + $Results.Remove('EventGroupingSettings') | Out-Null + } + } + + if ($null -ne $Results.CustomDetails) + { + $complexMapping = @( + @{ + Name = 'CustomDetails' + CimInstanceName = 'SentinelAlertRuleCustomDetails' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.CustomDetails ` + -CIMInstanceName 'SentinelAlertRuleCustomDetails' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.CustomDetails = $complexTypeStringResult + } + else + { + $Results.Remove('CustomDetails') | Out-Null + } + } + + if ( $null -ne $Results.EntityMappings) + { + $complexMapping = @( + @{ + Name = 'EntityMappings' + CimInstanceName = 'SentinelAlertRuleEntityMapping' + IsRequired = $False + }, + @{ + Name = 'fieldMappings' + CimInstanceName = 'SentinelAlertRuleEntityMappingFieldMapping' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.EntityMappings 
` + -CIMInstanceName 'SentinelAlertRuleEntityMapping' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.EntityMappings = $complexTypeStringResult + } + else + { + $Results.Remove('EntityMappings') | Out-Null + } + } + + if ($null -ne $Results.AlertDetailsOverride) + { + $complexMapping = @( + @{ + Name = 'AlertDetailsOverride' + CimInstanceName = 'SentinelAlertRuleAlertDetailsOverride' + IsRequired = $False + }, + @{ + Name = 'alertDynamicProperties' + CimInstanceName = 'SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.AlertDetailsOverride ` + -CIMInstanceName 'SentinelAlertRuleAlertDetailsOverride' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.AlertDetailsOverride = $complexTypeStringResult + } + else + { + $Results.Remove('AlertDetailsOverride') | Out-Null + } + } + + if ($null -ne $Results.IncidentConfiguration) + { + $complexMapping = @( + @{ + Name = 'IncidentConfiguration' + CimInstanceName = 'SentinelAlertRuleIncidentConfiguration' + IsRequired = $False + }, + @{ + Name = 'groupingConfiguration' + CimInstanceName = 'SentinelAlertRuleIncidentConfigurationGroupingConfiguration' + IsRequired = $False + } + @{ + Name = 'groupByAlertDetails' + CimInstanceName = 'SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.IncidentConfiguration ` + -CIMInstanceName 'SentinelAlertRuleIncidentConfiguration' ` + -ComplexTypeMapping $complexMapping + + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.IncidentConfiguration = $complexTypeStringResult + } + else + { + $Results.Remove('IncidentConfiguration') | Out-Null + } + } + + 
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.EventGroupingSettings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'EventGroupingSettings' -IsCIMArray:$False + } + if ($Results.CustomDetails) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'CustomDetails' -IsCIMArray:$False + } + if ($Results.EntityMappings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'EntityMappings' -IsCIMArray:$True + } + if ($Results.AlertDetailsOverride) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'AlertDetailsOverride' -IsCIMArray:$True + } + if ($Results.IncidentConfiguration) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'IncidentConfiguration' -IsCIMArray:$True + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $j++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-M365DSCSentinelAlertRule +{ + [CmdletBinding()] + [OutputType([Array])] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $Id + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + 
$uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertrules/$($Id)?api-version=2023-12-01-preview" + $response = Invoke-AzRest -Uri $uri -Method 'GET' + $result = ConvertFrom-Json $response.Content + return $result + } + else + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertrules?api-version=2023-12-01-preview" + $response = Invoke-AzRest -Uri $uri -Method 'GET' + $result = ConvertFrom-Json $response.Content + return $result.value + } + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function New-M365DSCSentinelAlertRule +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter()] + [System.Collections.Hashtable] + $Body, + + [Parameter()] + [System.String] + $Id + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + if ($null -eq $Id) + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertrules/$((New-GUID).ToString())?api-version=2024-04-01-preview" + } + else + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertrules/$($Id)?api-version=2024-04-01-preview" + } + $payload = ConvertTo-Json $Body -Depth 10 -Compress + 
Write-Verbose -Message "Creating new rule against URL:`r`n$($uri)`r`nWith payload:`r`n$payload" + $response = Invoke-AzRest -Uri $uri -Method 'PUT' -Payload $payload + Write-Verbose -Message $response.Content + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function Remove-M365DSCSentinelAlertRule +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $Id + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/alertRules/$($Id)?api-version=2024-04-01-preview" + $response = Invoke-AzRest -Uri $uri -Method 'DELETE' + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof new file mode 100644 index 0000000000..e7fa79a05e --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/MSFT_SentinelAlertRule.schema.mof 
@@ -0,0 +1,111 @@
+[ClassVersion("1.0.0")]
+class MSFT_SentinelAlertRuleEventGroupingSettings
+{
+ [Write, Description("The event grouping aggregation kinds")] String aggregationKind;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_SentinelAlertRuleCustomDetails
+{
+ [Write, Description("Key of the custom detail.")] String DetailKey;
+ [Write, Description("Associated value with the custom detail.")] String DetailValue;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_SentinelAlertRuleEntityMapping
+{
+ [Write, Description("Type of entity.")] String entityType;
+ [Write, Description("List of field mappings."), EmbeddedInstance("MSFT_SentinelAlertRuleEntityMappingFieldMapping")] String fieldMappings[];
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_SentinelAlertRuleEntityMappingFieldMapping
+{
+ [Write, Description("Name of the column")] String columnName;
+ [Write, Description("Identifier of the associated field.")] String identifier;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_SentinelAlertRuleAlertDetailsOverride
+{
+ [Write, Description("The format containing columns name(s) to override the alert description")] String alertDescriptionFormat;
+ [Write, Description("The format containing columns name(s) to override the alert name")] String alertDisplayNameFormat;
+ [Write, Description("The column name to take the alert severity from")] String alertSeverityColumnName;
+ [Write, Description("The column name to take the alert tactics from")] String alertTacticsColumnName;
+ [Write, Description("List of additional dynamic properties to override"), EmbeddedInstance("MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty")] String alertDynamicProperties[];
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty
+{
+ [Write, Description("Dynamic property key.")] String alertProperty;
+ [Write, Description("Dynamic property value.")] String alertPropertyValue;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_SentinelAlertRuleIncidentConfiguration
+{
+ [Write, Description("Create incidents from alerts triggered by this analytics rule")] Boolean createIncident;
+ [Write, Description("Set how the alerts that are triggered by this analytics rule, are grouped into incidents"), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration")] String groupingConfiguration;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration
+{
+ [Write, Description("Grouping enabled")] Boolean enabled;
+ [Write, Description("A list of alert details to group by (when matchingMethod is Selected)"), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail")] String groupByAlertDetails[];
+ [Write, Description("A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.")] String groupByCustomDetails[];
+ [Write, Description("A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.")] String groupByEntities[];
+ [Write, Description("Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)")] String lookbackDuration;
+ [Write, Description("Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.")] String matchingMethod;
+ [Write, Description("Re-open closed matching incidents")] Boolean reopenClosedIncident;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail
+{
+ [Write, Description("Display name of the alert detail.")] String DisplayName;
+ [Write, Description("Severity level associated with the alert detail.")] String Severity;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("SentinelAlertRule")]
+class MSFT_SentinelAlertRule : OMI_BaseResource
+{
+ [Key, Description("The display name of the indicator")] String DisplayName;
+ [Write, Description("The name of the resource group. The name is case insensitive.")] String SubscriptionId;
+ [Write, Description("The name of the resource group. The name is case insensitive.")] String ResourceGroupName;
+ [Write, Description("The name of the workspace.")] String WorkspaceName;
+ [Write, Description("The unique id of the indicator.")] String Id;
+ [Write, Description("The name of the workspace.")] String Description;
+ [Write, Description("The alerts' productName on which the cases will be generated")] String ProductFilter;
+ [Write, Description("Determines whether this alert rule is enabled or disabled.")] Boolean Enabled;
+ [Write, Description("The severity for alerts created by this alert rule.")] String Severity;
+ [Write, Description("The tactics of the alert rule")] String Tactics[];
+ [Write, Description("The techniques of the alert rule")] String Techniques[];
+ [Write, Description("The sub-techniques of the alert rule")] String SubTechniques[];
+ [Write, Description("The query that creates alerts for this rule.")] String Query;
+ [Write, Description("The frequency (in ISO 8601 duration format) for this alert rule to run.")] String QueryFrequency;
+ [Write, Description("The period (in ISO 8601 duration format) that this alert rule looks at.")] String QueryPeriod;
+ [Write, Description("The operation against the threshold that triggers alert rule.")] String TriggerOperator;
+ [Write, Description("The threshold triggers this alert rule.")] UInt32 TriggerThreshold;
+ [Write, Description("The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.")] String SuppressionDuration;
+ [Write, Description("Determines whether the suppression for this alert rule is enabled or disabled.")] String SuppressionEnabled;
+ [Write, Description("The Name of the alert rule template used to create this rule.")] String AlertRuleTemplateName;
+ [Write, Description("The alerts' displayNames on which the cases will not be generated.")] String DisplayNamesExcludeFilter[];
+ [Write, Description("The alerts' displayNames on which the cases will be generated.")] String DisplayNamesFilter[];
+ [Write, Description("The alerts' severities on which the cases will be generated")] String SeveritiesFilter[];
+ [Write, Description("The event grouping settings."), EmbeddedInstance("MSFT_SentinelAlertRuleEventGroupingSettings")] String EventGroupingSettings;
+ [Write, Description("Dictionary of string key-value pairs of columns to be attached to the alert"), EmbeddedInstance("MSFT_SentinelAlertRuleCustomDetails")] String CustomDetails[];
+ [Write, Description("Array of the entity mappings of the alert rule"), EmbeddedInstance("MSFT_SentinelAlertRuleEntityMapping")] String EntityMappings[];
+ [Write, Description("The alert details override settings"), EmbeddedInstance("MSFT_SentinelAlertRuleAlertDetailsOverride")] String AlertDetailsOverride;
+ [Write, Description("The settings of the incidents that created from alerts triggered by this analytics rule"), EmbeddedInstance("MSFT_SentinelAlertRuleIncidentConfiguration")] String IncidentConfiguration;
+ [Write, Description("The kind of the alert rule")] String Kind;
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/readme.md
new file mode 100644
index 0000000000..2bdf6ede04
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/readme.md
@@ -0,0 +1,6 @@
+
+# SentinelAlertRule
+
+## Description
+
+Configures alert rules in Azure Sentinel.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/settings.json
new file mode 100644
index 0000000000..d01973dfcf
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelAlertRule/settings.json
@@ -0,0 +1,20 @@
+{
+ "resourceName": "SentinelAlertRule",
+ "description": "Configures alert rules in Azure Sentinel.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
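Review bot: In MSFT_SentinelAlertRule.schema.mof, `SuppressionEnabled` is declared `String` although its description calls it an enabled/disabled switch and the neighbouring `Enabled` is `Boolean`. The psm1 copies the value unchanged into `suppressionEnabled` in the request body, so the rule would presumably be sent with a string where the service expects a boolean. I would declare it `Boolean SuppressionEnabled;` and change the matching `[System.String] $SuppressionEnabled` parameters to `[System.Boolean]`. Several descriptions in the same class are copy-pasted and misdescribe a detection rule: `SubscriptionId` reads "The name of the resource group", `Description` reads "The name of the workspace.", and `DisplayName` and `Id` refer to "the indicator". They should name the subscription id, the rule description, and the alert rule.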
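Review bot: The permission manifest in settings.json lists no roles and carries only an empty `graph` section, while the resource connects with `-Workload 'Azure'` and sends PUT and DELETE requests to the Azure management endpoint for alert rules. Neither the manifest nor readme.md tells an operator which role the service principal or managed identity needs on the workspace, and in practice that gap tends to be filled with a broader assignment than necessary. If the settings schema has no slot for Azure RBAC roles, I would add a sentence to readme.md naming the least-privileged role that can read, write and delete analytics rules, scoped to the workspace or its resource group.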
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.psm1
new file mode 100644
index 0000000000..5f7e93dfba
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.psm1
@@ -0,0 +1,853 @@
+function Get-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $DisplayName,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $SubscriptionId,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $ResourceGroupName,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $WorkspaceName,
+
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [System.String]
+ $Description,
+
+ [Parameter()]
+ [System.String]
+ $PatternType,
+
+ [Parameter()]
+ [System.String]
+ $Pattern,
+
+ [Parameter()]
+ [System.Boolean]
+ $Revoked,
+
+ [Parameter()]
+ [System.String]
+ $ValidFrom,
+
+ [Parameter()]
+ [System.String]
+ $ValidUntil,
+
+ [Parameter()]
+ [System.String]
+ $Source,
+
+ [Parameter()]
+ [System.String[]]
+ $Labels,
+
+ [Parameter()]
+ [System.String[]]
+ $ThreatIntelligenceTags,
+
+ [Parameter()]
+ [System.String[]]
+ $ThreatTypes,
+
+ [Parameter()]
+ [System.String[]]
+ $KillChainPhases,
+
+ [Parameter()]
+ [System.UInt32]
+ $Confidence,
+
+ [Parameter()]
+ [ValidateSet('Present', 'Absent')]
+ [System.String]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ New-M365DSCConnection -Workload 'Azure' `
+ -InboundParameters $PSBoundParameters | Out-Null
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + if ([System.String]::IsNullOrEmpty($TenantId) -and -not $null -eq $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + try + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Retrieving indicator by id {$Id}" + $instance = Get-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Id $Id + } + if ($null -eq $instance) + { + Write-Verbose -Message "Retrieving indicator by DisplayName {$DisplayName}" + $instances = Get-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId + $instance = $instances | Where-Object -FilterScript {$_.properties.displayName -eq $DisplayName} + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + DisplayName = $instance.properties.displayName + SubscriptionId = $SubscriptionId + ResourceGroupName = $ResourceGroupName + WorkspaceName = $WorkspaceName + Id = $instance.name + Description = $instance.properties.description + PatternType = $instance.properties.patternType + Pattern = $instance.properties.pattern + Revoked = $instance.properties.revoked + ValidFrom = $instance.properties.validFrom + ValidUntil = $instance.properties.validUntil + Labels = $instance.properties.labels + ThreatIntelligenceTags = $instance.properties.threatIntelligenceTags + ThreatTypes = $instance.properties.threatTypes + 
KillChainPhases = $instance.properties.KillChainPhases.phaseName + Confidence = $instance.properties.confidence + Source = $instance.properties.source + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $PatternType, + + [Parameter()] + [System.String] + $Pattern, + + [Parameter()] + [System.Boolean] + $Revoked, + + [Parameter()] + [System.String] + $ValidFrom, + + [Parameter()] + [System.String] + $ValidUntil, + + [Parameter()] + [System.String] + $Source, + + [Parameter()] + [System.String[]] + $Labels, + + [Parameter()] + [System.String[]] + $ThreatIntelligenceTags, + + [Parameter()] + [System.String[]] + $ThreatTypes, + + [Parameter()] + [System.String[]] + $KillChainPhases, + + [Parameter()] + [System.UInt32] + $Confidence, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + 
[System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $instanceParameters = @{ + kind = 'indicator' + properties = @{ + confidence = $Confidence + description = $Description + displayName = $DisplayName + labels = $Labels + pattern = $Pattern + patternType = $patternType + revoked = $revoked + source = $Source + threatIntelligenceTags = $ThreatIntelligenceTags + threatTypes = $ThreatTypes + validFrom = $ValidFrom + validUntil = $ValidUntil + } + } + + if ($null -ne $KillChainPhases) + { + $values = @() + foreach ($phase in $KillChainPhases) + { + $values += @{ + killChainName = 'lockheed-martin-cyber-kill-chain' + phaseName = $phase.phaseName + } + } + $instanceParameters.properties.Add('KillChainPhases', $values) + } + + + if ([System.String]::IsNullOrEmpty($TenantId) -and -not $null -eq $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating a new indicator {$DisplayName}" + New-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Body $instanceParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating indicator {$DisplayName}" + 
Set-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Body $instanceParameters ` + -Id $currentInstance.Id + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing indicator {$DisplayName}" + Remove-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $SubscriptionId ` + -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -TenantId $TenantId ` + -Id $currentInstance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter(Mandatory = $true)] + [System.String] + $SubscriptionId, + + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $PatternType, + + [Parameter()] + [System.String] + $Pattern, + + [Parameter()] + [System.Boolean] + $Revoked, + + [Parameter()] + [System.String] + $ValidFrom, + + [Parameter()] + [System.String] + $ValidUntil, + + [Parameter()] + [System.String] + $Source, + + [Parameter()] + [System.String[]] + $Labels, + + [Parameter()] + [System.String[]] + $ThreatIntelligenceTags, + + [Parameter()] + [System.String[]] + $ThreatTypes, + + [Parameter()] + [System.String[]] + $KillChainPhases, + + [Parameter()] + [System.UInt32] + $Confidence, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + 
$CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + $workspaces = Get-AzResource -ResourceType 'Microsoft.OperationalInsights/workspaces' + $Script:exportedInstances = @() + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + if ([System.String]::IsNullOrEmpty($TenantId) -and $null -ne $Credential) + { + $TenantId = $Credential.UserName.Split('@')[1] + } + foreach ($workspace in $workspaces) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + Write-Host " |---[$i/$($workspaces.Length)] $($workspace.Name)" -NoNewline + $subscriptionId = $workspace.ResourceId.Split('/')[2] + $resourceGroupName = $workspace.ResourceGroupName + $workspaceName = $workspace.Name + + $indicators = Get-M365DSCSentinelThreatIntelligenceIndicator -SubscriptionId $subscriptionId ` + -ResourceGroupName $resourceGroupName ` + -WorkspaceName $workspaceName ` + -TenantId $TenantId + + $j = 1 + if ($currentWatchLists.Length -eq 0 ) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + foreach ($indicator in $indicators) + { + $displayedKey = $indicator.properties.DisplayName + Write-Host " |---[$j/$($indicators.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $indicator.properties.displayName + Id = $indicator.name + SubscriptionId = $subscriptionId + ResourceGroupName = $resourceGroupName + WorkspaceName = $workspaceName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = 
$TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $j++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-M365DSCSentinelThreatIntelligenceIndicator +{ + [CmdletBinding()] + [OutputType([Array])] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $Id + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/$($Id)?api-version=2024-03-01" + $response = Invoke-AzRest -Uri $uri -Method 'GET' + $result = ConvertFrom-Json $response.Content + return $result + } + else + { + $uri += 
"providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2024-03-01" + $response = Invoke-AzRest -Uri $uri -Method 'GET' + $result = ConvertFrom-Json $response.Content + return $result.value + } + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function New-M365DSCSentinelThreatIntelligenceIndicator +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter()] + [System.Collections.Hashtable] + $Body + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator?api-version=2024-03-01" + $payload = ConvertTo-Json $Body -Depth 10 -Compress + $response = Invoke-AzRest -Uri $uri -Method 'POST' -Payload $payload + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function Set-M365DSCSentinelThreatIntelligenceIndicator +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + 
[System.Collections.Hashtable] + $Body + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/$($Id)?api-version=2024-03-01" + $payload = ConvertTo-Json $Body -Depth 10 -Compress + $response = Invoke-AzRest -Uri $uri -Method 'PUT' -Payload $payload + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +function Remove-M365DSCSentinelThreatIntelligenceIndicator +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.String] + $ResourceGroupName, + + [Parameter()] + [System.String] + $WorkspaceName, + + [Parameter(Mandatory = $true)] + [System.String] + $TenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $Id + ) + + try + { + $hostUrl = Get-M365DSCAPIEndpoint -TenantId $TenantId + $uri = $hostUrl.AzureManagement + "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/" + + $uri += "providers/Microsoft.OperationalInsights/workspaces/$($WorkspaceName)/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/$($Id)?api-version=2024-03-01" + $response = Invoke-AzRest -Uri $uri -Method 'DELETE' + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId + throw $_ + } +} + +Export-ModuleMember -Function *-TargetResource 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.schema.mof
new file mode 100644
index 0000000000..8dd7b86807
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/MSFT_SentinelThreatIntelligenceIndicator.schema.mof
@@ -0,0 +1,29 @@
+[ClassVersion("1.0.0.0"), FriendlyName("SentinelThreatIntelligenceIndicator")]
+class MSFT_SentinelThreatIntelligenceIndicator : OMI_BaseResource
+{
+ [Key, Description("The display name of the indicator")] String DisplayName;
+ [Write, Description("The name of the resource group. The name is case insensitive.")] String SubscriptionId;
+ [Write, Description("The name of the resource group. The name is case insensitive.")] String ResourceGroupName;
+ [Write, Description("The name of the workspace.")] String WorkspaceName;
+ [Write, Description("The unique id of the indicator.")] String Id;
+ [Write, Description("The name of the workspace.")] String Description;
+ [Write, Description("Pattern type of a threat intelligence entity")] String PatternType;
+ [Write, Description("Pattern of a threat intelligence entity")] String Pattern;
+ [Write, Description("Is threat intelligence entity revoked")] String Revoked;
+ [Write, Description("Valid from")] String ValidFrom;
+ [Write, Description("Valid until")] String ValidUntil;
+ [Write, Description("Source type.")] String Source;
+ [Write, Description("Labels of threat intelligence entity")] String Labels[];
+ [Write, Description("List of tags")] String ThreatIntelligenceTags[];
+ [Write, Description("Threat types")] String ThreatTypes[];
+ [Write, Description("Kill chain phases")] String KillChainPhases[];
+ [Write, Description("Confidence of threat intelligence entity")] UInt32 Confidence;
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/readme.md
new file mode 100644
index 0000000000..1d4a233d39
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/readme.md
@@ -0,0 +1,6 @@
+
+# SentinelThreatIntelligenceIndicator
+
+## Description
+
+Configures threat intelligence indicators in Azure Sentinel.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/settings.json
new file mode 100644
index 0000000000..87040bf176
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelThreatIntelligenceIndicator/settings.json
@@ -0,0 +1,20 @@
+{
+ "resourceName": "SentinelThreatIntelligenceIndicator",
+ "description": "Configures threat intelligence indicators in Azure Sentinel.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsComplianceRecordingPolicy/MSFT_TeamsComplianceRecordingPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsComplianceRecordingPolicy/MSFT_TeamsComplianceRecordingPolicy.psm1
index 2a49baa46b..e223dc30cf 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsComplianceRecordingPolicy/MSFT_TeamsComplianceRecordingPolicy.psm1
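Review bot: `Revoked` is declared as `String` in this schema, while `Set-TargetResource` and `Test-TargetResource` in the accompanying .psm1 declare `[System.Boolean] $Revoked`; the MOF line should read `Boolean Revoked;` so the compiled configuration and the parameter binding agree. Two descriptions are copy-pasted: `SubscriptionId` carries the resource-group text and `Description` carries the workspace text, so I would change them to `Description("The id of the Azure subscription.")` and `Description("The description of the indicator.")`. `SubscriptionId`, `ResourceGroupName` and `WorkspaceName` are `Mandatory = $true` in the module but only `Write` here, so `Required` looks like the intended qualifier.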
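Review bot: `roles` and every `permissions.graph` list in settings.json are empty, so the file documents no least-privilege requirement for a resource whose module issues GET, POST, PUT and DELETE requests against the workspace's `Microsoft.SecurityInsights/threatIntelligence` endpoints. Those calls go through the Azure management endpoint rather than Graph, so the access needed is presumably an Azure RBAC role on the workspace; naming that role would let operators scope the service principal instead of over-granting it. I can't tell from this hunk whether the settings.json format has a slot for Azure roles, so the readme's `## Description` section may be the right place for it.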
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsComplianceRecordingPolicy/MSFT_TeamsComplianceRecordingPolicy.psm1 @@ -83,9 +83,9 @@ function Get-TargetResource return $nullResult } + $ComplexComplianceRecordingApplications = @() if ($instance.ComplianceRecordingApplications.Count -gt 0) { - $ComplexComplianceRecordingApplications = @() foreach ($CurrentComplianceRecordingApplications in $instance.ComplianceRecordingApplications) { $MyComplianceRecordingApplications = @{} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1 index 4aa4d6a7c2..ebfd75aaa1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1 @@ -75,8 +75,12 @@ function Get-TargetResource try { Write-Verbose -Message "Getting Group with Id {$GroupId}" - $Group = Find-CsGroup -SearchQuery $GroupId -ExactMatchOnly $true -ErrorAction SilentlyContinue - + if ($GroupId -match '\b[A-Fa-f0-9]{8}(?:-[A-Fa-f0-9]{4}){3}-[A-Fa-f0-9]{12}\b' -and $GroupId -ne '00000000-0000-0000-0000-000000000000'){ + $Group = Find-CsGroup -SearchQuery $GroupId -ExactMatchOnly $true -ErrorAction SilentlyContinue + } + else { + $Group = $null + } if ($null -eq $Group) { Write-Verbose -Message "Could not find Group with Id {$GroupId}, searching with DisplayName {$GroupDisplayName}" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.psm1 index de8dc6c018..3f2224c6af 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.psm1 
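Review bot: The GUID check added in front of `Find-CsGroup` in MSFT_TeamsGroupPolicyAssignment.psm1 is unanchored: `-match` with `\b…\b` accepts any `$GroupId` that merely contains a GUID, and the whole string is still passed to `-SearchQuery`. Anchoring the pattern makes the guard mean "is a GUID": `if ($GroupId -match '^[A-Fa-f0-9]{8}(?:-[A-Fa-f0-9]{4}){3}-[A-Fa-f0-9]{12}$' -and $GroupId -ne '00000000-0000-0000-0000-000000000000')`. A one-line comment on why the all-zero GUID is excluded would also help, since the reason is not visible in the hunk. The `try` block and the display-name fallback continue outside the hunk.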
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.psm1 @@ -46,6 +46,7 @@ function Get-TargetResource $AllowCloudRecording, [Parameter()] + [ValidateSet('Enabled', 'Disabled')] [System.String] $AllowDocumentCollaboration, @@ -54,10 +55,14 @@ function Get-TargetResource $AllowedStreamingMediaInput, [Parameter()] - [ValidateSet('Enabled', 'Disabled')] + [ValidateSet('Enabled', 'Disabled', 'ForceEnabled')] [System.String] $AllowEngagementReport = 'Disabled', + [Parameter()] + [System.Boolean] + $AllowExternalNonTrustedMeetingChat, + [Parameter()] [System.Boolean] $AllowExternalParticipantGiveRequestControl, @@ -108,15 +113,15 @@ function Get-TargetResource [Parameter()] [System.Boolean] - $AllowPrivateMeetNow, + $AllowPowerPointSharing, [Parameter()] [System.Boolean] - $AllowPowerPointSharing, + $AllowPrivateMeetingScheduling, [Parameter()] [System.Boolean] - $AllowPrivateMeetingScheduling, + $AllowPrivateMeetNow, [Parameter()] [System.Boolean] 
@@ -151,33 +156,78 @@ function Get-TargetResource [System.Boolean] $AllowWhiteboard, + [Parameter()] + [ValidateSet('Disabled', 'Enabled', 'DisabledUserOverride')] + [System.String] + $AttendeeIdentityMasking, + [Parameter()] [System.String] [ValidateSet('EveryoneInCompany', 'Everyone', 'EveryoneInSameAndFederatedCompany', 'OrganizerOnly', 'InvitedUsers', 'EveryoneInCompanyExcludingGuests')] $AutoAdmittedUsers, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $AutomaticallyStartCopilot, + + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $AutoRecording, + [Parameter()] [System.String] $BlockedAnonymousJoinClientTypes, [Parameter()] + [ValidateSet('Allow', 'Block')] [System.String] $ChannelRecordingDownload, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $ConnectToMeetingControls, + + [Parameter()] + [ValidateSet('EnabledForAnyone', 'EnabledForTrustedOrgs', 'Disabled')] + [System.String] + $ContentSharingInExternalMeetings, + + [Parameter()] + [ValidateSet('Enabled', 'EnabledWithTranscript')] + [System.String] + $Copilot, + + [Parameter()] + [System.Boolean] + $CopyRestriction, + [Parameter()] [ValidateSet('OrganizerOnlyUserOverride', 'EveryoneInCompanyUserOverride', 'EveryoneUserOverride')] [System.String] $DesignatedPresenterRoleMode = 'EveryoneUserOverride', + [Parameter()] + [System.Boolean] + $DetectSensitiveContentDuringScreenSharing, + [Parameter()] [ValidateSet('Disabled', 'Enabled')] [System.String] $EnrollUserOverride = 'Disabled', [Parameter()] + [ValidateSet('Disabled', 'Enabled')] [System.String] $ExplicitRecordingConsent, + [Parameter()] + [ValidateSet('EnabledForAnyone', 'EnabledForTrustedOrgs', 'Disabled')] + [System.String] + $ExternalMeetingJoin, + [Parameter()] [System.String] $ForceStreamingAttendeeMode, 
@@ -228,12 +278,18 @@ function Get-TargetResource [ValidateRange(-1, 99999)] $NewMeetingRecordingExpirationDays, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $ParticipantNameChange, + [Parameter()] [System.String] [ValidateSet('TeamsAndSfb', 'Teams')] $PreferredMeetingProviderForIslandsMode, [Parameter()] + [ValidateSet('Disabled', 'Enabled')] [System.String] $QnAEngagementMode, @@ -243,6 +299,7 @@ function Get-TargetResource $RoomAttributeUserOverride = 'Off', [Parameter()] + [ValidateSet('Off', 'On')] [System.String] $RoomPeopleNameUserOverride, @@ -253,7 +310,7 @@ function Get-TargetResource [Parameter()] [System.String] - [ValidateSet('Disabled', 'EnabledUserOverride')] + [ValidateSet('Disabled', 'DisabledUserOverride', 'EnabledUserOverride', 'Enabled')] $SpeakerAttributionMode, [Parameter()] @@ -271,6 +328,11 @@ function Get-TargetResource [ValidateSet('NoFilters', 'BlurOnly', 'BlurAndDefaultBackgrounds', 'AllFilters')] $VideoFiltersMode, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $VoiceIsolation, + [Parameter()] [ValidateSet('Everyone', 'EveryoneInCompany')] [System.String] @@ -350,6 +412,7 @@ function Get-TargetResource AllowDocumentCollaboration = $policy.AllowDocumentCollaboration AllowedStreamingMediaInput = $policy.AllowedStreamingMediaInput AllowEngagementReport = $policy.AllowEngagementReport + AllowExternalNonTrustedMeetingChat = $policy.AllowExternalNonTrustedMeetingChat AllowExternalParticipantGiveRequestControl = $policy.AllowExternalParticipantGiveRequestControl AllowIPAudio = $policy.AllowIPAudio AllowIPVideo = $policy.AllowIPVideo 
@@ -373,13 +436,21 @@ function Get-TargetResource AllowWatermarkForCameraVideo = $policy.AllowWatermarkForCameraVideo AllowWatermarkForScreenSharing = $policy.AllowWatermarkForScreenSharing AllowWhiteboard = $policy.AllowWhiteboard + AttendeeIdentityMasking = $policy.AttendeeIdentityMasking AutoAdmittedUsers = $policy.AutoAdmittedUsers + AutomaticallyStartCopilot = $policy.AutomaticallyStartCopilot + AutoRecording = $policy.AutoRecording BlockedAnonymousJoinClientTypes = $policy.BlockedAnonymousJoinClientTypes ChannelRecordingDownload = $policy.ChannelRecordingDownload + ConnectToMeetingControls = $policy.ConnectToMeetingControls + ContentSharingInExternalMeetings = $policy.ContentSharingInExternalMeetings + Copilot = $policy.Copilot + CopyRestriction = $policy.CopyRestriction DesignatedPresenterRoleMode = $policy.DesignatedPresenterRoleMode + DetectSensitiveContentDuringScreenSharing = $policy.DetectSensitiveContentDuringScreenSharing EnrollUserOverride = $policy.EnrollUserOverride ExplicitRecordingConsent = $policy.ExplicitRecordingConsent - ForceStreamingAttendeeMode = $policy.ForceStreamingAttendeeMode + ExternalMeetingJoin = $policy.ExternalMeetingJoin InfoShownInReportMode = $policy.InfoShownInReportMode IPAudioMode = $policy.IPAudioMode IPVideoMode = $policy.IPVideoMode @@ -390,6 +461,7 @@ function Get-TargetResource MeetingChatEnabledType = $policy.MeetingChatEnabledType MeetingInviteLanguages = $policy.MeetingInviteLanguages NewMeetingRecordingExpirationDays = $policy.NewMeetingRecordingExpirationDays + ParticipantNameChange = $policy.ParticipantNameChange PreferredMeetingProviderForIslandsMode = $policy.PreferredMeetingProviderForIslandsMode QnAEngagementMode = $policy.QnAEngagementMode RoomPeopleNameUserOverride = $policy.RoomPeopleNameUserOverride 
@@ -397,15 +469,10 @@ function Get-TargetResource SpeakerAttributionMode = $policy.SpeakerAttributionMode StreamingAttendeeMode = $policy.StreamingAttendeeMode VideoFiltersMode = $policy.VideoFiltersMode + VoiceIsolation = $policy.VoiceIsolation TeamsCameraFarEndPTZMode = $policy.TeamsCameraFarEndPTZMode WhoCanRegister = $policy.WhoCanRegister Ensure = 'Present' - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint - ManagedIdentity = $ManagedIdentity.IsPresent - AccessTokens = $AccessTokens } } catch @@ -467,6 +534,7 @@ function Set-TargetResource $AllowCloudRecording, [Parameter()] + [ValidateSet('Enabled', 'Disabled')] [System.String] $AllowDocumentCollaboration, @@ -475,10 +543,14 @@ function Set-TargetResource $AllowedStreamingMediaInput, [Parameter()] - [ValidateSet('Enabled', 'Disabled')] + [ValidateSet('Enabled', 'Disabled', 'ForceEnabled')] [System.String] $AllowEngagementReport = 'Disabled', + [Parameter()] + [System.Boolean] + $AllowExternalNonTrustedMeetingChat, + [Parameter()] [System.Boolean] $AllowExternalParticipantGiveRequestControl, @@ -529,15 +601,15 @@ function Set-TargetResource [Parameter()] [System.Boolean] - $AllowPrivateMeetNow, + $AllowPowerPointSharing, [Parameter()] [System.Boolean] - $AllowPowerPointSharing, + $AllowPrivateMeetingScheduling, [Parameter()] [System.Boolean] - $AllowPrivateMeetingScheduling, + $AllowPrivateMeetNow, [Parameter()] [System.Boolean] 
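Review bot: The `@@ -397,15 +469,10 @@` hunk removes `Credential`, `ApplicationId`, `TenantId`, `CertificateThumbprint`, `ManagedIdentity` and `AccessTokens` from the hashtable that `Get-TargetResource` returns, while the Sentinel indicator resource added in this same commit still returns all of them. If this module's `Export-TargetResource` or `Test-TargetResource` reads those keys from the result (neither is visible in these hunks), exported configurations could lose their authentication block. If the removal is intentional, a comment above `Ensure = 'Present'` stating the reason would prevent a later "fix" that puts them back. The preceding hunk likewise drops `ForceStreamingAttendeeMode` from the result without the `# Parameter is Deprecated` comment that the `Set-TargetResource` and `Test-TargetResource` hunks carry.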
@@ -572,33 +644,78 @@ function Set-TargetResource [System.Boolean] $AllowWhiteboard, + [Parameter()] + [ValidateSet('Disabled', 'Enabled', 'DisabledUserOverride')] + [System.String] + $AttendeeIdentityMasking, + [Parameter()] [System.String] [ValidateSet('EveryoneInCompany', 'Everyone', 'EveryoneInSameAndFederatedCompany', 'OrganizerOnly', 'InvitedUsers', 'EveryoneInCompanyExcludingGuests')] $AutoAdmittedUsers, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $AutomaticallyStartCopilot, + + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $AutoRecording, + [Parameter()] [System.String] $BlockedAnonymousJoinClientTypes, [Parameter()] + [ValidateSet('Allow', 'Block')] [System.String] $ChannelRecordingDownload, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $ConnectToMeetingControls, + + [Parameter()] + [ValidateSet('EnabledForAnyone', 'EnabledForTrustedOrgs', 'Disabled')] + [System.String] + $ContentSharingInExternalMeetings, + + [Parameter()] + [ValidateSet('Enabled', 'EnabledWithTranscript')] + [System.String] + $Copilot, + + [Parameter()] + [System.Boolean] + $CopyRestriction, + [Parameter()] [ValidateSet('OrganizerOnlyUserOverride', 'EveryoneInCompanyUserOverride', 'EveryoneUserOverride')] [System.String] $DesignatedPresenterRoleMode = 'EveryoneUserOverride', + [Parameter()] + [System.Boolean] + $DetectSensitiveContentDuringScreenSharing, + [Parameter()] [ValidateSet('Disabled', 'Enabled')] [System.String] $EnrollUserOverride = 'Disabled', [Parameter()] + [ValidateSet('Disabled', 'Enabled')] [System.String] $ExplicitRecordingConsent, + [Parameter()] + [ValidateSet('EnabledForAnyone', 'EnabledForTrustedOrgs', 'Disabled')] + [System.String] + $ExternalMeetingJoin, + [Parameter()] [System.String] $ForceStreamingAttendeeMode, 
@@ -649,12 +766,18 @@ function Set-TargetResource [ValidateRange(-1, 99999)] $NewMeetingRecordingExpirationDays, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $ParticipantNameChange, + [Parameter()] [System.String] [ValidateSet('TeamsAndSfb', 'Teams')] $PreferredMeetingProviderForIslandsMode, [Parameter()] + [ValidateSet('Disabled', 'Enabled')] [System.String] $QnAEngagementMode, @@ -664,6 +787,7 @@ function Set-TargetResource $RoomAttributeUserOverride = 'Off', [Parameter()] + [ValidateSet('Off', 'On')] [System.String] $RoomPeopleNameUserOverride, @@ -674,7 +798,7 @@ function Set-TargetResource [Parameter()] [System.String] - [ValidateSet('Disabled', 'EnabledUserOverride')] + [ValidateSet('Disabled', 'DisabledUserOverride', 'EnabledUserOverride', 'Enabled')] $SpeakerAttributionMode, [Parameter()] @@ -692,6 +816,11 @@ function Set-TargetResource [ValidateSet('NoFilters', 'BlurOnly', 'BlurAndDefaultBackgrounds', 'AllFilters')] $VideoFiltersMode, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $VoiceIsolation, + [Parameter()] [ValidateSet('Everyone', 'EveryoneInCompany')] [System.String] @@ -755,6 +884,10 @@ function Set-TargetResource $SetParameters.Remove('ManagedIdentity') | Out-Null $SetParameters.Remove('Verbose') | Out-Null # Needs to be implicitly removed for the cmdlet to work $SetParameters.Remove('AccessTokens') | Out-Null + + # Parameter is Deprecated + $SetParameters.Remove('ForceStreamingAttendeeMode') | Out-Null + if ($AllowCloudRecording -eq $false -and $SetParameters.Keys -contains 'AllowRecordingStorageOutsideRegion') { $SetParameters.Remove('AllowRecordingStorageOutsideRegion') | Out-Null @@ -849,6 +982,7 @@ function Test-TargetResource $AllowCloudRecording, [Parameter()] + [ValidateSet('Enabled', 'Disabled')] [System.String] $AllowDocumentCollaboration, 
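Review bot: In the `@@ -755,6 +884,10 @@` hunk, `$SetParameters.Remove('ForceStreamingAttendeeMode')` silently discards a value the configuration author supplied, so a configuration that still sets it reports success while the setting is never applied. I would surface that before the removal: `if ($PSBoundParameters.ContainsKey('ForceStreamingAttendeeMode')) { Write-Warning -Message 'ForceStreamingAttendeeMode is deprecated and will be ignored.' }`. The same applies to the `$ValuesToCheck.Remove('ForceStreamingAttendeeMode')` line added in `Test-TargetResource` (hunk `@@ -1139,6 +1334,9 @@`), where drift on that key is no longer evaluated. Both function bodies continue outside their hunks.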
@@ -857,10 +991,14 @@ function Test-TargetResource $AllowedStreamingMediaInput, [Parameter()] - [ValidateSet('Enabled', 'Disabled')] + [ValidateSet('Enabled', 'Disabled', 'ForceEnabled')] [System.String] $AllowEngagementReport = 'Disabled', + [Parameter()] + [System.Boolean] + $AllowExternalNonTrustedMeetingChat, + [Parameter()] [System.Boolean] $AllowExternalParticipantGiveRequestControl, @@ -911,15 +1049,15 @@ function Test-TargetResource [Parameter()] [System.Boolean] - $AllowPrivateMeetNow, + $AllowPowerPointSharing, [Parameter()] [System.Boolean] - $AllowPowerPointSharing, + $AllowPrivateMeetingScheduling, [Parameter()] [System.Boolean] - $AllowPrivateMeetingScheduling, + $AllowPrivateMeetNow, [Parameter()] [System.Boolean] 
@@ -954,33 +1092,78 @@ function Test-TargetResource [System.Boolean] $AllowWhiteboard, + [Parameter()] + [ValidateSet('Disabled', 'Enabled', 'DisabledUserOverride')] + [System.String] + $AttendeeIdentityMasking, + [Parameter()] [System.String] [ValidateSet('EveryoneInCompany', 'Everyone', 'EveryoneInSameAndFederatedCompany', 'OrganizerOnly', 'InvitedUsers', 'EveryoneInCompanyExcludingGuests')] $AutoAdmittedUsers, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $AutomaticallyStartCopilot, + + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $AutoRecording, + [Parameter()] [System.String] $BlockedAnonymousJoinClientTypes, [Parameter()] + [ValidateSet('Allow', 'Block')] [System.String] $ChannelRecordingDownload, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $ConnectToMeetingControls, + + [Parameter()] + [ValidateSet('EnabledForAnyone', 'EnabledForTrustedOrgs', 'Disabled')] + [System.String] + $ContentSharingInExternalMeetings, + + [Parameter()] + [ValidateSet('Enabled', 'EnabledWithTranscript')] + [System.String] + $Copilot, + + [Parameter()] + [System.Boolean] + $CopyRestriction, + [Parameter()] [ValidateSet('OrganizerOnlyUserOverride', 'EveryoneInCompanyUserOverride', 'EveryoneUserOverride')] [System.String] $DesignatedPresenterRoleMode = 'EveryoneUserOverride', + [Parameter()] + [System.Boolean] + $DetectSensitiveContentDuringScreenSharing, + [Parameter()] [ValidateSet('Disabled', 'Enabled')] [System.String] $EnrollUserOverride = 'Disabled', [Parameter()] + [ValidateSet('Disabled', 'Enabled')] [System.String] $ExplicitRecordingConsent, + [Parameter()] + [ValidateSet('EnabledForAnyone', 'EnabledForTrustedOrgs', 'Disabled')] + [System.String] + $ExternalMeetingJoin, + [Parameter()] [System.String] $ForceStreamingAttendeeMode, 
@@ -1031,12 +1214,18 @@ function Test-TargetResource [ValidateRange(-1, 99999)] $NewMeetingRecordingExpirationDays, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $ParticipantNameChange, + [Parameter()] [System.String] [ValidateSet('TeamsAndSfb', 'Teams')] $PreferredMeetingProviderForIslandsMode, [Parameter()] + [ValidateSet('Disabled', 'Enabled')] [System.String] $QnAEngagementMode, @@ -1046,6 +1235,7 @@ function Test-TargetResource $RoomAttributeUserOverride = 'Off', [Parameter()] + [ValidateSet('Off', 'On')] [System.String] $RoomPeopleNameUserOverride, @@ -1056,7 +1246,7 @@ function Test-TargetResource [Parameter()] [System.String] - [ValidateSet('Disabled', 'EnabledUserOverride')] + [ValidateSet('Disabled', 'DisabledUserOverride', 'EnabledUserOverride', 'Enabled')] $SpeakerAttributionMode, [Parameter()] @@ -1074,6 +1264,11 @@ function Test-TargetResource [ValidateSet('NoFilters', 'BlurOnly', 'BlurAndDefaultBackgrounds', 'AllFilters')] $VideoFiltersMode, + [Parameter()] + [ValidateSet('Disabled', 'Enabled')] + [System.String] + $VoiceIsolation, + [Parameter()] [ValidateSet('Everyone', 'EveryoneInCompany')] [System.String] @@ -1139,6 +1334,9 @@ function Test-TargetResource # The AllowUserToJoinExternalMeeting doesn't do anything based on official documentation $ValuesToCheck.Remove('AllowUserToJoinExternalMeeting') | Out-Null + # Parameter is Deprecated + $ValuesToCheck.Remove('ForceStreamingAttendeeMode') | Out-Null + if ($AllowCloudRecording -eq $false -and $ValuesToCheck.Keys -contains 'AllowRecordingStorageOutsideRegion') { $ValuesToCheck.Remove('AllowRecordingStorageOutsideRegion') | Out-Null 
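Review bot: In the last hunk, `$ValuesToCheck.Remove('ForceStreamingAttendeeMode')` drops the deprecated parameter from the comparison silently, while the parameter itself stays declared and accepted. A configuration that still sets it will therefore always test as compliant for that value, and nothing tells the operator the setting is no longer evaluated. A one-line notice before the removal would make that visible, for example `if ($PSBoundParameters.ContainsKey('ForceStreamingAttendeeMode')) { Write-Verbose -Message 'ForceStreamingAttendeeMode is deprecated and is not evaluated' }`. Test-TargetResource begins and ends outside the hunk.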
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.schema.mof index cec9b406f9..839b879052 100644 Binary files a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.schema.mof and b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMeetingPolicy/MSFT_TeamsMeetingPolicy.schema.mof differ diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.psm1 index 500b04fb3d..6038452294 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.psm1 @@ -19,7 +19,11 @@ function Get-TargetResource [Parameter()] [System.String[]] - $AccessTokens + $AccessTokens, + + [Parameter()] + [Switch] + $ManagedIdentity ) Write-Verbose -Message 'Checking the Teams Upgrade Configuration' @@ -50,6 +54,7 @@ function Get-TargetResource IsSideloadedAppsInteractionEnabled = $settings.IsSideloadedAppsInteractionEnabled Credential = $Credential AccessTokens = $AccessTokens + ManagedIdentity = $ManagedIdentity.IsPresent } } catch @@ -93,7 +98,11 @@ function Set-TargetResource [Parameter()] [System.String[]] - $AccessTokens + $AccessTokens, + + [Parameter()] + [Switch] + $ManagedIdentity ) Write-Verbose -Message 'Setting Teams Upgrade Configuration' @@ -142,7 +151,11 @@ function Test-TargetResource [Parameter()] [System.String[]] - $AccessTokens + $AccessTokens, + + [Parameter()] + [Switch] + $ManagedIdentity ) #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies 
diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 index 7fd6bbe7fe..8cf9012973 100644 --- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 +++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 @@ -12,10 +12,6 @@ ModuleName = 'Az.Resources' RequiredVersion = '7.2.0' }, - @{ - ModuleName = 'Az.ResourceGraph' - RequiredVersion = '1.0.0' - }, @{ ModuleName = 'Az.SecurityInsights' RequiredVersion = '3.1.2' 
@@ -30,99 +26,103 @@ }, @{ ModuleName = 'Microsoft.Graph.Applications' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Applications' - Requiredversion = '2.23.0' + Requiredversion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Authentication' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Devices.CorporateManagement' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement.Administration' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DeviceManagement.Enrollment' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' + }, + @{ + ModuleName = 'Microsoft.Graph.Beta.NetworkAccess' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.DirectoryManagement' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.Governance' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Identity.SignIns' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Reports' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Search' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.Teams' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.DeviceManagement.Administration' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Beta.DirectoryObjects' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Groups' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 
'Microsoft.Graph.Beta.Groups' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Planner' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Sites' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Users' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.Graph.Users.Actions' - RequiredVersion = '2.23.0' + RequiredVersion = '2.24.0' }, @{ ModuleName = 'Microsoft.PowerApps.Administration.PowerShell' - RequiredVersion = '2.0.191' + RequiredVersion = '2.0.199' }, @{ ModuleName = 'MicrosoftTeams' - RequiredVersion = '6.5.0' + RequiredVersion = '6.6.0' }, @{ ModuleName = "MSCloudLoginAssistant" - RequiredVersion = "1.1.25" + RequiredVersion = "1.1.27" }, @{ ModuleName = 'PnP.PowerShell' diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAccessReviewDefinition/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAccessReviewDefinition/1-Create.ps1 new file mode 100644 index 0000000000..5dba7cd251 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAccessReviewDefinition/1-Create.ps1 
@@ -0,0 +1,118 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + + AADAccessReviewDefinition "AADAccessReviewDefinition-Example" + { + DescriptionForAdmins = "description for admins"; + DescriptionForReviewers = "description for reviewers"; + DisplayName = "Test Access Review Definition"; + Ensure = "Present"; + Id = "613854e6-c458-4a2c-83fc-e0f4b8b17d60"; + ScopeValue = MSFT_MicrosoftGraphaccessReviewScope{ + PrincipalScopes = @( + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/v1.0/users?$filter=userType eq ''Guest''' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + ) + ResourceScopes = @( + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/v1.0/groups/a8ab05ba-6680-4f93-88ae-71099eedfda1/transitiveMembers/microsoft.graph.user/?$count=true&$filter=(userType eq ''Guest'')' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/beta/teams/a8ab05ba-6680-4f93-88ae-71099eedfda1/channels?$filter=membershipType eq ''shared''' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + ) + odataType = '#microsoft.graph.principalResourceMembershipsScope' + }; + SettingsValue = MSFT_MicrosoftGraphaccessReviewScheduleSettings{ + ApplyActions = @( + MSFT_MicrosoftGraphAccessReviewApplyAction{ + odataType = '#microsoft.graph.removeAccessApplyAction' + } + ) + InstanceDurationInDays = 4 + RecommendationsEnabled = $False + DecisionHistoriesForReviewersEnabled = $False + DefaultDecisionEnabled = $False + 
JustificationRequiredOnApproval = $True + RecommendationInsightSettings = @( + MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting{ + SignInScope = 'tenant' + RecommendationLookBackDuration = 'P15D' + odataType = '#microsoft.graph.userLastSignInRecommendationInsightSetting' + } + ) + AutoApplyDecisionsEnabled = $False + ReminderNotificationsEnabled = $True + Recurrence = MSFT_MicrosoftGraphPatternedRecurrence{ + Range = MSFT_MicrosoftGraphRecurrenceRange{ + NumberOfOccurrences = 0 + Type = 'noEnd' + StartDate = '10/18/2024 12:00:00 AM' + EndDate = '12/31/9999 12:00:00 AM' + } + Pattern = MSFT_MicrosoftGraphRecurrencePattern{ + DaysOfWeek = @() + Type = 'weekly' + Interval = 1 + Month = 0 + Index = 'first' + FirstDayOfWeek = 'sunday' + DayOfMonth = 0 + } + + } + DefaultDecision = 'None' + RecommendationLookBackDuration = '15.00:00:00' + MailNotificationsEnabled = $False + }; + StageSettings = @( + MSFT_MicrosoftGraphaccessReviewStageSettings{ + StageId = '1' + RecommendationsEnabled = $True + DependsOnValue = @() + DecisionsThatWillMoveToNextStage = @('Approve') + DurationInDays = 3 + } + MSFT_MicrosoftGraphaccessReviewStageSettings{ + StageId = '2' + RecommendationsEnabled = $True + DependsOnValue = @('1') + DecisionsThatWillMoveToNextStage = @('Approve') + DurationInDays = 3 + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAccessReviewDefinition/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAccessReviewDefinition/2-Update.ps1 new file mode 100644 index 0000000000..7b6049d3a3 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAccessReviewDefinition/2-Update.ps1 
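Review bot: The example writes the same kind of value in two formats: `RecommendationLookBackDuration = 'P15D'` inside `RecommendationInsightSettings` and `RecommendationLookBackDuration = '15.00:00:00'` at the settings level. The `StartDate` and `EndDate` values (`'10/18/2024 12:00:00 AM'`) are also in a culture-dependent form, which may parse differently or fail on a host with another locale. For an access-review schedule that covers guest accounts, a mis-parsed start date or look-back window changes when and what gets reviewed, so the example should use one unambiguous format and say so in a comment such as `# durations are ISO 8601, dates are UTC`, provided the resource accepts it. The same values are repeated in 2-Update.ps1.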
@@ -0,0 +1,117 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADAccessReviewDefinition "AADAccessReviewDefinition-Example" + { + DescriptionForAdmins = "description for admins"; + DescriptionForReviewers = "description for reviewers updated"; # drifted properties + DisplayName = "Test Access Review Definition"; + Ensure = "Present"; + Id = "613854e6-c458-4a2c-83fc-e0f4b8b17d60"; + ScopeValue = MSFT_MicrosoftGraphaccessReviewScope{ + PrincipalScopes = @( + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/v1.0/users?$filter=userType eq ''Guest''' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + ) + ResourceScopes = @( + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/v1.0/groups/a8ab05ba-6680-4f93-88ae-71099eedfda1/transitiveMembers/microsoft.graph.user/?$count=true&$filter=(userType eq ''Guest'')' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/beta/teams/a8ab05ba-6680-4f93-88ae-71099eedfda1/channels?$filter=membershipType eq ''shared''' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + ) + odataType = '#microsoft.graph.principalResourceMembershipsScope' + }; + SettingsValue = MSFT_MicrosoftGraphaccessReviewScheduleSettings{ + ApplyActions = @( + MSFT_MicrosoftGraphAccessReviewApplyAction{ + odataType = '#microsoft.graph.removeAccessApplyAction' + } + ) + InstanceDurationInDays = 4 + RecommendationsEnabled = $False + DecisionHistoriesForReviewersEnabled = $False + DefaultDecisionEnabled = $False + 
JustificationRequiredOnApproval = $True + RecommendationInsightSettings = @( + MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting{ + SignInScope = 'tenant' + RecommendationLookBackDuration = 'P15D' + odataType = '#microsoft.graph.userLastSignInRecommendationInsightSetting' + } + ) + AutoApplyDecisionsEnabled = $False + ReminderNotificationsEnabled = $True + Recurrence = MSFT_MicrosoftGraphPatternedRecurrence{ + Range = MSFT_MicrosoftGraphRecurrenceRange{ + NumberOfOccurrences = 0 + Type = 'noEnd' + StartDate = '10/18/2024 12:00:00 AM' + EndDate = '12/31/9999 12:00:00 AM' + } + Pattern = MSFT_MicrosoftGraphRecurrencePattern{ + DaysOfWeek = @() + Type = 'weekly' + Interval = 1 + Month = 0 + Index = 'first' + FirstDayOfWeek = 'sunday' + DayOfMonth = 0 + } + + } + DefaultDecision = 'None' + RecommendationLookBackDuration = '15.00:00:00' + MailNotificationsEnabled = $False + }; + StageSettings = @( + MSFT_MicrosoftGraphaccessReviewStageSettings{ + StageId = '1' + RecommendationsEnabled = $True + DependsOnValue = @() + DecisionsThatWillMoveToNextStage = @('Approve') + DurationInDays = 3 + } + MSFT_MicrosoftGraphaccessReviewStageSettings{ + StageId = '2' + RecommendationsEnabled = $True + DependsOnValue = @('1') + DecisionsThatWillMoveToNextStage = @('Approve') + DurationInDays = 3 + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAccessReviewDefinition/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAccessReviewDefinition/3-Remove.ps1 new file mode 100644 index 0000000000..326b0bfbf0 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAccessReviewDefinition/3-Remove.ps1 
@@ -0,0 +1,37 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADAccessReviewDefinition "AADAccessReviewDefinition-Example"
+ {
+ DescriptionForAdmins = "description for admins";
+ DescriptionForReviewers = "description for reviewers";
+ DisplayName = "Test Access Review Definition";
+ Ensure = "Absent";
+ Id = "613854e6-c458-4a2c-83fc-e0f4b8b17d60";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAccessReviewPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAccessReviewPolicy/2-Update.ps1
new file mode 100644
index 0000000000..3c1dc8a687
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADAccessReviewPolicy/2-Update.ps1
@@ -0,0 +1,34 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADAccessReviewPolicy "AADAccessReviewPolicy"
+ {
+ IsGroupOwnerManagementEnabled = $False;
+ IsSingleInstance = "Yes";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/1-Create.ps1
new file mode 100644
index 0000000000..37d14becd2
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/1-Create.ps1
@@ -0,0 +1,52 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo"
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb";
+ DisplayName = "Cisco Duo";
+ Ensure = "Present";
+ ExcludeTargets = @(
+ MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{
+ Id = 'Design'
+ TargetType = 'group'
+ }
+ );
+ IncludeTargets = @(
+ MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{
+ Id = 'Contoso'
+ TargetType = 'group'
+ }
+ );
+ OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{
+ discoveryUrl = 'https://graph.microsoft.com/'
+ clientId = '7698a352-4939-486e-9974-4ea5aff93f74'
+ };
+ State = "disabled";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/2-Update.ps1
new file mode 100644
index 0000000000..d74c1bc156
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/2-Update.ps1
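Review bot: In 1-Create.ps1 the `OpenIdConnectSetting` sets `discoveryUrl = 'https://graph.microsoft.com/'`, which is the Graph endpoint rather than the OpenID Connect metadata document of the external provider the example is named after. Examples get copied, and an external authentication method trusts whatever issuer that URL resolves to, so the sample value should be an obvious placeholder on the provider's side, for example `discoveryUrl = 'https://idp.contoso.com/.well-known/openid-configuration'` (constructed value), with a comment that it must point at the provider's own metadata. 2-Update.ps1 repeats the same property values, including `State = "disabled"`, so it does not show an update; changing one property there and marking it, as the AADAccessReviewDefinition example does with `# drifted properties`, would fix that.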
@@ -0,0 +1,52 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ Node localhost
+ {
+ AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo"
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb";
+ DisplayName = "Cisco Duo";
+ Ensure = "Present";
+ ExcludeTargets = @(
+ MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{
+ Id = 'Design'
+ TargetType = 'group'
+ }
+ );
+ IncludeTargets = @(
+ MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{
+ Id = 'Contoso'
+ TargetType = 'group'
+ }
+ );
+ OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{
+ discoveryUrl = 'https://graph.microsoft.com/'
+ clientId = '7698a352-4939-486e-9974-4ea5aff93f74'
+ };
+ State = "disabled";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/3-Remove.ps1
new file mode 100644
index 0000000000..baa1dcf897
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationMethodPolicyExternal/3-Remove.ps1
@@ -0,0 +1,34 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ Node localhost
+ {
+ AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo"
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ DisplayName = "Cisco Duo";
+ Ensure = "Absent";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADClaimsMappingPolicy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADClaimsMappingPolicy/1-Create.ps1
new file mode 100644
index 0000000000..d91d1e9eca
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADClaimsMappingPolicy/1-Create.ps1
@@ -0,0 +1,90 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADClaimsMappingPolicy "AADClaimsMappingPolicy-Test1234" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Definition = @( + MSFT_AADClaimsMappingPolicyDefinition{ + ClaimsMappingPolicy = MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy{ + ClaimsSchema = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' + Source = 'user' + Id = 'userprincipalname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' + Source = 'user' + Id = 'givenname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' + Source = 'user' + Id = 'displayname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' + Source = 'user' + Id = 'surname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'username' + Source = 'user' + Id = 'userprincipalname' + } + ) + ClaimsTransformation = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation{ + OutputClaims = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims{ + ClaimTypeReferenceId = 'TOS' + TransformationClaimType = 'createdClaim' + } + ) + Id = 
'CreateTermsOfService' + InputParameters = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter{ + DataType = 'string' + Id = 'value' + Value = 'sandbox' + } + ) + TransformationMethod = 'CreateStringClaim' + } + ) + IncludeBasicClaimSet = $True + Version = 1 + } + + } + ); + DisplayName = "Test1234"; + Ensure = "Present"; + Id = "fd0dc3f3-cfdf-4d56-bb03-e18161a5ac93"; + IsOrganizationDefault = $False; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADClaimsMappingPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADClaimsMappingPolicy/2-Update.ps1 new file mode 100644 index 0000000000..96ea5927a5 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADClaimsMappingPolicy/2-Update.ps1 
@@ -0,0 +1,91 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADClaimsMappingPolicy "AADClaimsMappingPolicy-Test1234" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Definition = @( + MSFT_AADClaimsMappingPolicyDefinition{ + ClaimsMappingPolicy = MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy{ + ClaimsSchema = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' + Source = 'user' + Id = 'userprincipalname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' + Source = 'user' + Id = 'givenname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' + Source = 'user' + Id = 'displayname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' + Source = 'user' + Id = 'surname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'username' + Source = 'user' + Id = 'userprincipalname' + } + ) + ClaimsTransformation = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation{ + OutputClaims = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims{ + ClaimTypeReferenceId = 'TOS' + TransformationClaimType = 'createdClaim' + } + ) + Id = 
'CreateTermsOfService' + InputParameters = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter{ + DataType = 'string' + Id = 'value' + Value = 'sandbox' + } + ) + TransformationMethod = 'CreateStringClaim' + } + ) + IncludeBasicClaimSet = $True + Version = 1 + } + + } + ); + DisplayName = "Test1234"; + Ensure = "Present"; + Id = "fd0dc3f3-cfdf-4d56-bb03-e18161a5ac93"; + IsOrganizationDefault = $False; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADClaimsMappingPolicy/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADClaimsMappingPolicy/3-Remove.ps1 new file mode 100644 index 0000000000..7986ec5b90 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADClaimsMappingPolicy/3-Remove.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADClaimsMappingPolicy "AADClaimsMappingPolicy-Test1234" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DisplayName = "Test1234"; + Ensure = "Absent"; + Id = "fd0dc3f3-cfdf-4d56-bb03-e18161a5ac93"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/1-Create.ps1 new file mode 100644 index 0000000000..7091be751f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/1-Create.ps1 
@@ -0,0 +1,52 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1"
+ {
+ AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013"
+ AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication"
+ ClaimsForTokenConfiguration = @(
+ MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{
+ ClaimIdInApiResponse = 'MyClaim'
+ }
+ MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{
+ ClaimIdInApiResponse = 'My2ndClaim'
+ }
+ )
+ ClientConfigurationMaximumRetries = 1
+ ClientConfigurationTimeoutMilliseconds = 2000
+ CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension"
+ Description = "DSC Testing 1"
+ DisplayName = "DSCTestExtension"
+ EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{
+ EndpointType = '#microsoft.graph.httpRequestEndpoint'
+ TargetUrl = 'https://Microsoft365DSC.com'
+ }
+ Ensure = "Present";
+ Id = "11105949-846e-42a1-a873-f12db8345013"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/2-Update.ps1
new file mode 100644
index 0000000000..7091be751f
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/2-Update.ps1
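Review bot: The example registers an `onTokenIssuanceStartCustomExtension` whose `TargetUrl = 'https://Microsoft365DSC.com'` and `AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/..."` name a real, externally owned host. If the example is applied as written, the tenant would presumably call that host during token issuance, so both values should use an obvious placeholder the reader has to replace, such as `TargetUrl = 'https://contoso.com/api/tokenIssuanceStart'` (constructed value) with the resource id changed to match. 2-Update.ps1 is added with the same blob id `7091be751f` as this file, so it is byte-identical and demonstrates no update; changing one property there (for instance `Description`) and marking it with a comment would make the pair useful.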
@@ -0,0 +1,52 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1"
+ {
+ AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013"
+ AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication"
+ ClaimsForTokenConfiguration = @(
+ MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{
+ ClaimIdInApiResponse = 'MyClaim'
+ }
+ MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{
+ ClaimIdInApiResponse = 'My2ndClaim'
+ }
+ )
+ ClientConfigurationMaximumRetries = 1
+ ClientConfigurationTimeoutMilliseconds = 2000
+ CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension"
+ Description = "DSC Testing 1"
+ DisplayName = "DSCTestExtension"
+ EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{
+ EndpointType = '#microsoft.graph.httpRequestEndpoint'
+ TargetUrl = 'https://Microsoft365DSC.com'
+ }
+ Ensure = "Present";
+ Id = "11105949-846e-42a1-a873-f12db8345013"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/3-Remove.ps1
new file mode 100644
index 0000000000..1b48def3ec
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADCustomAuthenticationExtension/3-Remove.ps1
@@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1" + { + DisplayName = "DSCTestExtension" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADEnrichedAuditLogs/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADEnrichedAuditLogs/2-Update.ps1 new file mode 100644 index 0000000000..5f414179b9 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADEnrichedAuditLogs/2-Update.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADEnrichedAuditLogs "AADEnrichedAuditLogs" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Exchange = "disabled"; + IsSingleInstance = "Yes"; + SharePoint = "enabled"; + Teams = "disabled"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFederationConfiguration/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFederationConfiguration/1-Create.ps1 new file mode 100644 index 0000000000..ab4d02fb0f --- /dev/null 
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADFederationConfiguration/1-Create.ps1
@@ -0,0 +1,39 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADFederationConfiguration "MyFederation"
+ {
+ IssuerUri = 'https://contoso.com/issuerUri'
+ DisplayName = 'contoso display name'
+ MetadataExchangeUri ='https://contoso.com/metadataExchangeUri'
+ PassiveSignInUri = 'https://contoso.com/signin'
+ PreferredAuthenticationProtocol = 'wsFed'
+ Domains = @('contoso.com')
+ SigningCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6'
+ Ensure = 'Present'
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFederationConfiguration/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFederationConfiguration/2-Update.ps1
new file mode 100644
index 0000000000..30eef27e6b
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADFederationConfiguration/2-Update.ps1
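Review bot: `SigningCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6'` is a short base64 fragment rather than a complete certificate, and nothing on the line marks it as a placeholder. This property is the certificate the tenant trusts for tokens issued by the federated identity provider, so a reader copying the example should be told what belongs there; I would add a trailing comment such as `# placeholder - supply the full base64 public signing certificate of your IdP and review every change to it`. The same literal is repeated in the 2-Update.ps1 and 3-Remove.ps1 hunks for this resource. As a style point, `MetadataExchangeUri ='https://…'` is missing the space after `=` that the neighbouring lines have.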
@@ -0,0 +1,39 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFederationConfiguration "MyFederation" + { + IssuerUri = 'https://contoso.com/issuerUri' + DisplayName = 'contoso display name' + MetadataExchangeUri ='https://contoso.com/metadataExchangeUri' + PassiveSignInUri = 'https://contoso.com/drift' # drift + PreferredAuthenticationProtocol = 'wsFed' + Domains = @('contoso.com') + SigningCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6' + Ensure = 'Present' + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFederationConfiguration/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFederationConfiguration/3-Remove.ps1 new file mode 100644 index 0000000000..bc84a97529 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFederationConfiguration/3-Remove.ps1 
@@ -0,0 +1,39 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFederationConfiguration "MyFederation" + { + IssuerUri = 'https://contoso.com/issuerUri' + DisplayName = 'contoso display name' + MetadataExchangeUri ='https://contoso.com/metadataExchangeUri' + PassiveSignInUri = 'https://contoso.com/signin' + PreferredAuthenticationProtocol = 'wsFed' + Domains = @('contoso.com') + SigningCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6' + Ensure = 'Absent' + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/1-Create.ps1 new file mode 100644 index 0000000000..5db25c3ec7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/1-Create.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicy "AADFilteringPolicy-MyPolicy" + { + Action = "block"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + TenantId = $TenantId; + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/2-Update.ps1 new file mode 100644 index 0000000000..4f9da4429e --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/2-Update.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicy "AADFilteringPolicy-MyPolicy" + { + Action = "allow"; #drift + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/3-Remove.ps1 new file mode 100644 index 0000000000..ca9aaae7b4 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicy/3-Remove.ps1 
@@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicy "AADFilteringPolicy-MyPolicy" + { + Action = "block"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "This is a demo policy"; + Ensure = "Absent"; + Name = "MyPolicy"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/1-Create.ps1 new file mode 100644 index 0000000000..5b80856a90 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/1-Create.ps1 
@@ -0,0 +1,55 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADFilteringPolicyRule "AADFilteringPolicyRule-FQDN"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Destinations = @(
+ MSFT_AADFilteringPolicyRuleDestination{
+ value = 'Microsoft365DSC.com'
+ }
+ );
+ Ensure = "Present";
+ Name = "MyFQDN";
+ Policy = "AMyPolicy";
+ RuleType = "fqdn";
+ TenantId = $TenantId;
+ }
+ AADFilteringPolicyRule "AADFilteringPolicyRule-Web"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Destinations = @(
+ MSFT_AADFilteringPolicyRuleDestination{
+ name = 'ChildAbuseImages'
+ }
+ );
+ Ensure = "Present";
+ Name = "MyWebContentRule";
+ Policy = "MyPolicy";
+ RuleType = "webCategory";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/2-Update.ps1
new file mode 100644
index 0000000000..69c04006c1
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/2-Update.ps1
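Review bot: The FQDN rule sets `Policy = "AMyPolicy";` while the web-category rule in the same configuration, and the AADFilteringPolicy examples added earlier in this commit, use the name `MyPolicy`; the leading `A` looks like a typo. If the resource looks up the parent policy by name (its implementation is not visible here), the FQDN rule would either fail to apply or never be attached to the policy the examples create, which leaves the intended filtering rule out of effect. I would change the line to `Policy = "MyPolicy";`. The same value appears in the 2-Update.ps1 and 3-Remove.ps1 hunks for AADFilteringPolicyRule.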
@@ -0,0 +1,40 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicyRule "AADFilteringPolicyRule-FQDN" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + value = 'contoso.com' #Drift + } + ); + Ensure = "Present"; + Name = "MyFQDN"; + Policy = "AMyPolicy"; + RuleType = "fqdn"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/3-Remove.ps1 new file mode 100644 index 0000000000..133a330fa5 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringPolicyRule/3-Remove.ps1 
@@ -0,0 +1,55 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringPolicyRule "AADFilteringPolicyRule-FQDN" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + value = 'Microsoft365DSC.com' + } + ); + Ensure = "Absent"; + Name = "MyFQDN"; + Policy = "AMyPolicy"; + RuleType = "fqdn"; + TenantId = $TenantId; + } + AADFilteringPolicyRule "AADFilteringPolicyRule-Web" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + name = 'ChildAbuseImages' + } + ); + Ensure = "Absent"; + Name = "MyWebContentRule"; + Policy = "MyPolicy"; + RuleType = "webCategory"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/1-Create.ps1 new file mode 100644 index 0000000000..6f810bd0d2 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/1-Create.ps1 
@@ -0,0 +1,50 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringProfile "AADFilteringProfile-My Profile" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Present"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 120; + State = "enabled"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/2-Update.ps1 new file mode 100644 index 0000000000..167024212f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/2-Update.ps1 
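Review bot: `Name = "My PRofile";` does not match the resource title `"AADFilteringProfile-My Profile"` on the line that opens the block; the capital `R` reads as a typo and should be `Name = "My Profile";`. The linked `PolicyName` values `'MyPolicyChoseBine'` and `'MyTopPolicy'` are also not created by any example visible in this commit, so a comment stating that those filtering policies must already exist would save a reader a failed run. Both points apply equally to the 2-Update.ps1 and 3-Remove.ps1 hunks for AADFilteringProfile.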
@@ -0,0 +1,50 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringProfile "AADFilteringProfile-My Profile" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Present"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 130; #Drift + State = "enabled"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/3-Remove.ps1 new file mode 100644 index 0000000000..a9423cb9d9 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADFilteringProfile/3-Remove.ps1 
@@ -0,0 +1,50 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringProfile "AADFilteringProfile-My Profile" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Absent"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 120; + State = "enabled"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/1-Create.ps1 new file mode 100644 index 0000000000..c6145aca64 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/1-Create.ps1 
@@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADHomeRealmDiscoveryPolicy "AADHomeRealmDiscoveryPolicy-displayName-value" + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Present"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/2-Update.ps1 new file mode 100644 index 0000000000..12c5f39fff --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/2-Update.ps1 
@@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADHomeRealmDiscoveryPolicy "AADHomeRealmDiscoveryPolicy-displayName-value" + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $True # updating here + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Present"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/3-Remove.ps1 new file mode 100644 index 0000000000..edfc129f1f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADHomeRealmDiscoveryPolicy/3-Remove.ps1 
@@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADHomeRealmDiscoveryPolicy "AADHomeRealmDiscoveryPolicy-displayName-value" + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Absent"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/1-Create.ps1 new file mode 100644 index 0000000000..7382692428 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/1-Create.ps1 
@@ -0,0 +1,37 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector'
+ {
+ DisplayName = "NewTestConnector";
+ Id = "RestApi_NewTestConnector";
+ Username = "anexas";
+ Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force));
+ TargetUrl = "https://graph.microsoft.com";
+ Ensure = "Present"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/2-Update.ps1
new file mode 100644
index 0000000000..d123d0151f
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/2-Update.ps1
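Review bot: The `Password` line builds its PSCredential from a string literal, `ConvertTo-SecureString "anexas" -AsPlainText -Force`, and that literal is the same as the `Username` value two lines above. Examples like this get copied into real configurations, where a literal secret ends up in source control and, unless the node is set up for credential encryption, probably in the compiled MOF as well. I would take the credential as a parameter instead: add `[Parameter()] [System.Management.Automation.PSCredential] $ConnectorPassword` to the `param` block and write `Password = $ConnectorPassword;`. The same line is repeated in the 2-Update.ps1 and 3-Remove.ps1 hunks for AADIdentityAPIConnector.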
@@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas 1"; #drift + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/3-Remove.ps1 new file mode 100644 index 0000000000..926a36404f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityAPIConnector/3-Remove.ps1 
@@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas"; + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/1-Create.ps1 new file mode 100644 index 0000000000..ca33cc25d7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/1-Create.ps1 
@@ -0,0 +1,79 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + } + ); + } + } +} 
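Review bot: `Credential = $Credscredential;` refers to a variable that is neither declared in the `param` block nor assigned anywhere in this hunk, so it evaluates to `$null` when the configuration is compiled (or throws under strict mode). The block already authenticates with `ApplicationId`, `TenantId` and `CertificateThumbprint`, so the line also suggests a second, conflicting authentication method to anyone copying the example; I would delete it. The identical line is in the 2-Update.ps1 hunk for this resource. Separately, both `UserAttributeValues` entries of the `city` dropdown set `IsDefault = $True`, which is worth confirming as intended.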
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/2-Update.ps1 new file mode 100644 index 0000000000..ca33cc25d7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/2-Update.ps1 
@@ -0,0 +1,79 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + } + ); + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/3-Remove.ps1
new file mode 100644
index 0000000000..295893f499
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityB2XUserFlow/3-Remove.ps1
@@ -0,0 +1,33 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow"
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ Id = "B2X_1_TestFlow";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/1-Create.ps1
new file mode 100644
index 0000000000..c631224b8b
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/1-Create.ps1
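Review bot: This Remove example never sets `Ensure`; the resource block carries only the three authentication properties and `Id = "B2X_1_TestFlow";`. Every other 3-Remove.ps1 added in this commit sets `Ensure` to `Absent`, and if this resource defaults `Ensure` to `Present` (its schema is not visible here) the configuration would leave the user flow in place rather than remove it. I would add `Ensure = "Absent";` after the `Id` line.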
@@ -0,0 +1,48 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension "AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom" + { + ApplicationId = $ApplicationId; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + CertificateThumbprint = $CertificateThumbprint; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Present"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/2-Update.ps1 new file mode 100644 index 0000000000..a7ac05d858 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/2-Update.ps1 
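Review bot: In `EndpointConfiguration`, the workflow id inside `url` is masked with `xxxxxxxxxxx`, but `SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7'` reads like a live subscription GUID. If it is one, I would replace it with an obvious placeholder such as `'00000000-0000-0000-0000-000000000000'` so the example does not publish tenant inventory. A short comment on the `url` line would also help, e.g. `# placeholder - do not commit a trigger URL that carries its signature query parameter`. Both values are repeated in the 2-Update.ps1 and 3-Remove.ps1 hunks for this resource.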
@@ -0,0 +1,48 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension "AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Drifted Description"; # Drift + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Present"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/3-Remove.ps1 new file mode 100644 index 0000000000..64b40d74d4 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/3-Remove.ps1 
@@ -0,0 +1,48 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension "AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom" + { + ApplicationId = $ApplicationId; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + CertificateThumbprint = $CertificateThumbprint; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Absent"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceProgram/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceProgram/1-Create.ps1 new file mode 100644 index 0000000000..e6443eb263 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceProgram/1-Create.ps1 
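Review bot: This 3-Remove example repeats every property from 1-Create.ps1 (callback, client and endpoint configuration, description) and only flips `Ensure = "Absent";`, so the removal carries endpoint details it most likely does not need. AADRemoteNetwork/3-Remove.ps1 and AADVerifiedIdAuthority/3-Remove.ps1 do the same, the former including the tunnel pre-shared keys. AADIdentityGovernanceProgram/3-Remove.ps1 in this commit shows the leaner form: authentication parameters, the identifying property and `Ensure`. Which properties are keys is defined in the resource schema, which is not part of this hunk, so I would trim to the key properties and add the comment `# Only the key properties are needed to remove the instance` above them.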
@@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityGovernanceProgram "AADIdentityGovernanceProgram-Example" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Description = "Example Program Description"; + DisplayName = "Example"; + Ensure = "Present"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceProgram/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceProgram/2-Update.ps1 new file mode 100644 index 0000000000..1c4ba2fa4d --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceProgram/2-Update.ps1 @@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceProgram "AADIdentityGovernanceProgram-Example" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Description = "Example Program Description Updated"; + DisplayName = "Example"; + Ensure = "Present"; + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceProgram/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceProgram/3-Remove.ps1
new file mode 100644
index 0000000000..c73283f957
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceProgram/3-Remove.ps1
@@ -0,0 +1,34 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ AADIdentityGovernanceProgram "AADIdentityGovernanceProgram-Example"
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ DisplayName = "Example";
+ Ensure = "Absent";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityProtectionPolicySettings/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityProtectionPolicySettings/2-Update.ps1
new file mode 100644
index 0000000000..fdf8f5d246
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityProtectionPolicySettings/2-Update.ps1
@@ -0,0 +1,34 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADIdentityProtectionPolicySettings "AADIdentityProtectionPolicySettings"
+ {
+ IsUserRiskClearedOnPasswordReset = $false; #drift
+ IsSingleInstance = "Yes";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessForwardingPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessForwardingPolicy/2-Update.ps1
new file mode 100644
index 0000000000..87f8e1578a
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessForwardingPolicy/2-Update.ps1
@@ -0,0 +1,60 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADNetworkAccessForwardingPolicy "AADNetworkAccessForwardingPolicy-Custom Bypass" + { + Name = "Custom Bypass"; + PolicyRules = @( + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'fqdn' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('www.microsoft.com') + } + + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipAddress' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.168.1.1') + } + + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipSubnet' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.164.0.0/24') + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessForwardingProfile/Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessForwardingProfile/Update.ps1 new file mode 100644 index 0000000000..2a7431f519 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessForwardingProfile/Update.ps1 
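Review bot: The third rule's `Destinations = @('192.164.0.0/24')` is publicly routable address space, not a private range, and looks like a typo for `192.168.0.0/24` given the `192.168.1.1` in the rule above it. Because all three rules use `ActionValue = 'bypass'`, a reader who copies the example would exempt that public subnet from the forwarding policy. The three rules also share the same `Name = 'Custom policy internet rule'`, which may make a reported drift hard to attribute to one rule; distinct names such as `'Custom bypass - fqdn'`, `'Custom bypass - ip'` and `'Custom bypass - subnet'` would read better.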
@@ -0,0 +1,50 @@ +# Generated with Microsoft365DSC version 1.24.1016.1 +# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName 'Microsoft365DSC' + + Node localhost + { + AADNetworkAccessForwardingProfile "AADNetworkAccessForwardingProfile-Internet traffic forwarding profile" + { + + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Name = "Internet traffic forwarding profile"; + Policies = @(MSFT_MicrosoftGraphNetworkaccessPolicyLink { + State = 'disabled' + PolicyLinkId = 'f8a43f3f-3f44-4738-8025-088bb095a711' + Name = 'Custom Bypass' + } +MSFT_MicrosoftGraphNetworkaccessPolicyLink { + State = 'enabled' + PolicyLinkId = 'b45d1db0-9965-487b-afb1-f4d25174e9db' + Name = 'Default Bypass' + } +MSFT_MicrosoftGraphNetworkaccessPolicyLink { + State = 'enabled' + PolicyLinkId = 'dfd9cd59-90ca-44fc-b997-7cc71f08e438' + Name = 'Default Acquire' + } + ); + State = "disabled"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessSettingConditionalAccess/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessSettingConditionalAccess/2-Update.ps1 new file mode 100644 index 0000000000..0d456e5aca --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessSettingConditionalAccess/2-Update.ps1 
@@ -0,0 +1,33 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADNetworkAccessSettingConditionalAccess "AADNetworkAccessSettingConditionalAccess" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + SignalingStatus = "disabled"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessSettingCrossTenantAccess/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessSettingCrossTenantAccess/2-Update.ps1 new file mode 100644 index 0000000000..02c4ea6dbe --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADNetworkAccessSettingCrossTenantAccess/2-Update.ps1 @@ -0,0 +1,33 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADNetworkAccessSettingCrossTenantAccess "AADNetworkAccessSettingCrossTenantAccess" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + NetworkPacketTaggingStatus = "enabled"; + TenantId = $TenantId; + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADOnPremisesPublishingProfilesSettings/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADOnPremisesPublishingProfilesSettings/2-Update.ps1 new file mode 100644 index 0000000000..fc06798dea --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADOnPremisesPublishingProfilesSettings/2-Update.ps1 @@ -0,0 +1,33 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADOnPremisesPublishingProfilesSettings "AADOnPremisesPublishingProfilesSettings" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsEnabled = $False; + IsSingleInstance = "Yes"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/1-Create.ps1 new file mode 100644 index 0000000000..b2b618aa5c --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/1-Create.ps1 
@@ -0,0 +1,47 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADOrganizationCertificateBasedAuthConfiguration "AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + CertificateAuthorities = @( + MSFT_MicrosoftGraphcertificateAuthority{ + IsRootAuthority = $True + DeltaCertificateRevocationListUrl = 'pqr.com' + Certificate = '' + } + MSFT_MicrosoftGraphcertificateAuthority{ + IsRootAuthority = $True + CertificateRevocationListUrl = 'xyz.com' + DeltaCertificateRevocationListUrl = 'pqr.com' + Certificate = '' + } + ); + Ensure = "Present"; + OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/3-Remove.ps1 new file mode 100644 index 0000000000..46030224d5 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADOrganizationCertificateBasedAuthConfiguration/3-Remove.ps1 
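Review bot: Both `MSFT_MicrosoftGraphcertificateAuthority` entries set `Certificate = ''` and use bare host names (`'pqr.com'`, `'xyz.com'`) for the revocation list properties, so the example cannot be applied as written and points CRL retrieval at domains that are presumably not under the project's control. The first entry also has only `DeltaCertificateRevocationListUrl` and no `CertificateRevocationListUrl`; how the service treats revocation for such an authority is not visible here, but an example for certificate-based authentication should not present a CA without a base CRL as the default shape. I would use full URLs on a reserved domain, e.g. `CertificateRevocationListUrl = 'http://crl.example.com/root.crl'`, and add the comment `# Placeholder: the CA's public certificate goes here` next to each `Certificate` line.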
@@ -0,0 +1,34 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ AADOrganizationCertificateBasedAuthConfiguration "AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2"
+ {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ Ensure = "Absent";
+ OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADRemoteNetwork/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADRemoteNetwork/1-Create.ps1
new file mode 100644
index 0000000000..71e939bf3b
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADRemoteNetwork/1-Create.ps1
@@ -0,0 +1,65 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADRemoteNetwork "AADRemoteNetwork-Test Remote Network" + { + Ensure = "Present"; + ForwardingProfiles = @("Microsoft 365 traffic forwarding profile"); + Id = "c60c41bb-e512-48e3-8134-c312439a5343"; + Name = "Test Remote Network"; + Region = "australiaSouthEast"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DeviceLinks = @( + MSFT_AADRemoteNetworkDeviceLink { + Name = 'Test Link' + IPAddress = '1.1.1.1' + BandwidthCapacityInMbps = 'mbps500' + DeviceVendor = 'ciscoCatalyst' + BgpConfiguration = MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration { + Asn = 82 + LocalIPAddress = '1.1.1.87' + PeerIPAddress = '1.1.1.2' + } + RedundancyConfiguration = MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration { + RedundancyTier = 'zoneRedundancy' + ZoneLocalIPAddress = '1.1.1.8' + } + TunnelConfiguration = MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration { + PreSharedKey = 'blah' + ZoneRedundancyPreSharedKey = 'blah' + SaLifeTimeSeconds = 300 + IPSecEncryption = 'gcmAes192' + IPSecIntegrity = 'gcmAes192' + IKEEncryption = 'aes192' + IKEIntegrity = 'gcmAes128' + DHGroup = 'ecp256' + PFSGroup = 'pfsmm' + ODataType = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Custom' + } + } + ); + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADRemoteNetwork/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADRemoteNetwork/2-Update.ps1 new file mode 100644 index 0000000000..3b0da1aee7 --- /dev/null 
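Review bot: `PreSharedKey = 'blah'` and `ZoneRedundancyPreSharedKey = 'blah'` put the IPsec pre-shared keys into the configuration as string literals, and a string property written this way is carried in clear text into the compiled MOF. 2-Update.ps1 and 3-Remove.ps1 for AADRemoteNetwork repeat the same block. I would add a comment above the two lines, `# Placeholder only: supply the pre-shared keys from a secret store at compile time, never as literals`, and use two different placeholder values so the example does not suggest reusing one key for both tunnels. The link addresses (`1.1.1.1`, `1.1.1.87`, `1.1.1.2`) are real public addresses; a documentation range such as `192.0.2.0/24` would be safer to copy.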
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADRemoteNetwork/2-Update.ps1 @@ -0,0 +1,65 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADRemoteNetwork "AADRemoteNetwork-Test Remote Network" + { + Ensure = "Present"; + ForwardingProfiles = @(); #creating drift here + Id = "c60c41bb-e512-48e3-8134-c312439a5343"; + Name = "Test Remote Network"; + Region = "australiaSouthEast"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DeviceLinks = @( + MSFT_AADRemoteNetworkDeviceLink { + Name = 'Test Link Random' # creating drift here + IPAddress = '1.1.1.1' + BandwidthCapacityInMbps = 'mbps500' + DeviceVendor = 'ciscoCatalyst' + BgpConfiguration = MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration { + Asn = 82 + LocalIPAddress = '1.1.1.87' + PeerIPAddress = '1.1.1.2' + } + RedundancyConfiguration = MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration { + RedundancyTier = 'zoneRedundancy' + ZoneLocalIPAddress = '1.1.1.8' + } + TunnelConfiguration = MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration { + PreSharedKey = 'blah' + ZoneRedundancyPreSharedKey = 'blah' + SaLifeTimeSeconds = 300 + IPSecEncryption = 'gcmAes192' + IPSecIntegrity = 'gcmAes192' + IKEEncryption = 'aes192' + IKEIntegrity = 'gcmAes128' + DHGroup = 'ecp256' + PFSGroup = 'pfsmm' + ODataType = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Custom' + } + } + ); + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADRemoteNetwork/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADRemoteNetwork/3-Remove.ps1 new file mode 100644 index 0000000000..65a732a2d5 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADRemoteNetwork/3-Remove.ps1 
@@ -0,0 +1,65 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADRemoteNetwork "AADRemoteNetwork-Test Remote Network" + { + Ensure = "Absent"; + ForwardingProfiles = @("Microsoft 365 traffic forwarding profile"); + Id = "c60c41bb-e512-48e3-8134-c312439a5343"; + Name = "Test Remote Network"; + Region = "australiaSouthEast"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DeviceLinks = @( + MSFT_AADRemoteNetworkDeviceLink { + Name = 'Test Link' + IPAddress = '1.1.1.1' + BandwidthCapacityInMbps = 'mbps500' + DeviceVendor = 'ciscoCatalyst' + BgpConfiguration = MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration { + Asn = 82 + LocalIPAddress = '1.1.1.87' + PeerIPAddress = '1.1.1.2' + } + RedundancyConfiguration = MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration { + RedundancyTier = 'zoneRedundancy' + ZoneLocalIPAddress = '1.1.1.8' + } + TunnelConfiguration = MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration { + PreSharedKey = 'blah' + ZoneRedundancyPreSharedKey = 'blah' + SaLifeTimeSeconds = 300 + IPSecEncryption = 'gcmAes192' + IPSecIntegrity = 'gcmAes192' + IKEEncryption = 'aes192' + IKEIntegrity = 'gcmAes128' + DHGroup = 'ecp256' + PFSGroup = 'pfsmm' + ODataType = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Custom' + } + } + ); + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADRoleManagementPolicyRule/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADRoleManagementPolicyRule/2-Update.ps1 new file mode 100644 index 0000000000..35f1f27219 --- /dev/null 
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADRoleManagementPolicyRule/2-Update.ps1
@@ -0,0 +1,40 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+
+ AADRoleManagementPolicyRule "AADRoleManagementPolicyRule-Expiration_Admin_Eligibility"
+ {
+ expirationRule = MSFT_AADRoleManagementPolicyExpirationRule{
+ isExpirationRequired = $False
+ maximumDuration = 'P180D'
+ };
+ id = "Expiration_Admin_Eligibility";
+ roleDisplayName = "Global Administrator";
+ ruleType = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/1-Create.ps1
new file mode 100644
index 0000000000..2c2f3190e9
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/1-Create.ps1
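Review bot: `isExpirationRequired = $False` on the `Expiration_Admin_Eligibility` rule for `roleDisplayName = "Global Administrator"` appears to show eligible assignments to the most privileged role that never have to expire, and only the generic file header says this is not a baseline. Unlike the other 2-Update examples in this commit, the block has no `# drift` marker, so a reader cannot tell which value is the intentional test change. I would mark the line, e.g. `isExpirationRequired = $False # drift - test value only; keep expiration required for privileged roles`.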
@@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADUserFlowAttribute 'SaiTest' + { + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/2-Update.ps1 new file mode 100644 index 0000000000..2c2f3190e9 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/2-Update.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADUserFlowAttribute 'SaiTest' + { + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/3-Remove.ps1 new file mode 100644 index 0000000000..855930be81 
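Review bot: AADUserFlowAttribute/2-Update.ps1 is added with the same blob id as 1-Create.ps1 (`index 0000000000..2c2f3190e9` in both headers), so the update example changes no property and demonstrates nothing beyond the create case. I would change one value and mark it the way the other update examples do, e.g. `Description = "sai test description updated" # drift`. The instance name `'SaiTest'` and `Id = "testIdSai"` also look like a contributor's personal test names; a neutral name in the style of the other examples would be better.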
--- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADUserFlowAttribute/3-Remove.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADUserFlowAttribute 'SaiTest' + { + Id = "testIdSai" + DisplayName = "saitest" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/1-Create.ps1 new file mode 100644 index 0000000000..33858258a7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/1-Create.ps1 
@@ -0,0 +1,42 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Present"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/2-Update.ps1 new file mode 100644 index 0000000000..8bbd4acd39 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/2-Update.ps1 
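Review bot: `LinkedDomainUrl = "https://nik-charlebois.com/"` ties an authority named `"Contoso"` to what looks like a personal domain, and `ResourceUrl = 'https://xtakeyvault.vault.azure.net/'` names what appears to be a real key vault while `ResourceGroup = 'TBD'` is clearly unfinished. With `DidMethod = "web"` the linked domain is the place a verifier looks for the authority's DID document, so the example should use a domain the reader obviously has to replace. I would write `LinkedDomainUrl = "https://contoso.com/";` and a placeholder vault such as `ResourceUrl = 'https://contoso-vault.vault.azure.net/'`; 2-Update.ps1 and 3-Remove.ps1 for this resource carry the same values.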
@@ -0,0 +1,42 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Present"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso 2"; # drift + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/3-Remove.ps1 new file mode 100644 index 0000000000..9de3d21339 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthority/3-Remove.ps1 
@@ -0,0 +1,42 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Absent"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/1-Create.ps1 new file mode 100644 index 0000000000..260b363842 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/1-Create.ps1 
@@ -0,0 +1,97 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your Verified Credential?' + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' + issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Present"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = 
MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/2-Update.ps1 new file mode 100644 index 0000000000..20abab6819 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/2-Update.ps1 
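Review bot: `linkedDomainUrl = "https://$OrganizationName/";` interpolates a variable the configuration never declares: the `param` block only takes `$ApplicationId`, `$TenantId` and `$CertificateThumbprint`, and nothing visible assigns `$OrganizationName`. Unless the example harness injects it, the string expands to `https:///` and the contract is created or compared against an empty linked domain. Either add a parameter for it or use a literal sample domain, e.g. `linkedDomainUrl = "https://contoso.com/";`. The 2-Update and 3-Remove examples for this resource repeat the same line.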
@@ -0,0 +1,97 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your sample Verified Credential?' #drift + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' + issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Present"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = 
MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/3-Remove.ps1 new file mode 100644 index 0000000000..8699f4d04f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADVerifiedIdAuthorityContract/3-Remove.ps1 
@@ -0,0 +1,97 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your Verified Credential?' + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' + issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Absent"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = 
MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/1-Create.ps1 new file mode 100644 index 0000000000..96f3448026 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/1-Create.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsAssociatedTenant "AzureBillingAccountsAssociatedTenantIntegration Tenant" + { + ApplicationId = $ApplicationId; + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "My Test Account"; + BillingManagementState = "Active"; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "Integration Tenant"; + Ensure = "Present"; + ProvisioningManagementState = "Pending"; + TenantId = $TenantId; + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/2-Update.ps1 new file mode 100644 index 0000000000..eba2a4ebfb --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/2-Update.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsAssociatedTenant "AzureBillingAccountsAssociatedTenantIntegration Tenant" + { + ApplicationId = $ApplicationId; + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "My Test Account"; + BillingManagementState = "NotAllowed"; # Drift + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "Integration Tenant"; + Ensure = "Present"; + ProvisioningManagementState = "Pending"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/3-Remove.ps1 new file mode 100644 index 0000000000..cb1d041e05 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsAssociatedTenant/3-Remove.ps1 
@@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsAssociatedTenant "AzureBillingAccountsAssociatedTenantIntegration Tenant" + { + ApplicationId = $ApplicationId; + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "My Test Account"; + BillingManagementState = "Active"; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "Integration Tenant"; + Ensure = "Absent"; + ProvisioningManagementState = "Pending"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/1-Create.ps1 new file mode 100644 index 0000000000..c08e97899c --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/1-Create.ps1 
@@ -0,0 +1,37 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AzureBillingAccountsRoleAssignment "AzureBillingAccountsRoleAssignment"
+ {
+ ApplicationId = $ApplicationId;
+ BillingAccount = "MyTestAccount";
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ PrincipalName = "John.Smith@contoso.onmicrosoft.com";
+ PrincipalType = "User";
+ PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4'
+ RoleDefinition = "Billing account owner";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/2-Update.ps1
new file mode 100644
index 0000000000..c21d06835a
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/2-Update.ps1
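Review bot: `RoleDefinition = "Billing account owner";` makes the create example grant the broadest billing role to a named user, and nothing in the file says the role was picked only for illustration. Readers copy these examples, so I would either show a narrower role here or add a comment above the line such as `# Sample only: assign the least-privileged billing role that meets the need`. Separately, `PrincipalTenantId` is the only property in the block without a trailing `;`, which also holds for the 2-Update and 3-Remove examples.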
@@ -0,0 +1,37 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AzureBillingAccountsRoleAssignment "AzureBillingAccountsRoleAssignment"
+ {
+ ApplicationId = $ApplicationId;
+ BillingAccount = "MyTestAccount";
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ PrincipalName = "John.Smith@contoso.onmicrosoft.com";
+ PrincipalType = "User";
+ PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4'
+ RoleDefinition = "Billing account contributor";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/3-Remove.ps1
new file mode 100644
index 0000000000..3f34f98936
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AzureBillingAccountsRoleAssignment/3-Remove.ps1
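Review bot: The property this update example changes is not marked: `RoleDefinition` goes from "Billing account owner" in 1-Create to "Billing account contributor" here, but unlike the other 2-Update examples in this commit the line has no drift comment. Writing it as `RoleDefinition = "Billing account contributor"; # Drift` makes it obvious which setting the update exercises, which matters for a role assignment because the changed value is a privilege level.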
@@ -0,0 +1,37 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AzureBillingAccountsRoleAssignment "AzureBillingAccountsRoleAssignment"
+ {
+ ApplicationId = $ApplicationId;
+ BillingAccount = "MyTestAccount";
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Absent";
+ PrincipalName = "John.Smith@contoso.onmicrosoft.com";
+ PrincipalType = "User";
+ PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4'
+ RoleDefinition = "Billing account owner";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettings/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettings/1-Create.ps1
new file mode 100644
index 0000000000..b26e1d62a9
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettings/1-Create.ps1
@@ -0,0 +1,107 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureDiagnosticSettings "AzureDiagnosticSettings-TestDiag" + { + ApplicationId = $ApplicationId; + Categories = @( + MSFT_AzureDiagnosticSettingsCategory{ + category = 'AuditLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'SignInLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'NonInteractiveUserSignInLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'ServicePrincipalSignInLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'ManagedIdentitySignInLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'ProvisioningLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'ADFSSignInLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'RiskyUsers' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'UserRiskEvents' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'NetworkAccessTrafficLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'RiskyServicePrincipals' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'ServicePrincipalRiskEvents' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'EnrichedOffice365AuditLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'MicrosoftGraphActivityLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 
'RemoteNetworkHealthLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'NetworkAccessAlerts' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'B2CRequestLogs' + enabled = $False + } + ); + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + EventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + EventHubName = ""; + Name = "TestDiag"; + StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + TenantId = $TenantId; + WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettings/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettings/2-Update.ps1 new file mode 100644 index 0000000000..75656d861f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettings/2-Update.ps1 
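Review bot: `EventHubAuthorizationRuleId` ends in `authorizationrules/RootManageSharedAccessKey`, so the example wires the diagnostic setting to the namespace's root shared-access rule. That key is typically shared by everything else using the namespace, so it cannot be rotated or revoked for this export alone; the sample would be safer pointing at a dedicated rule, e.g. `.../namespaces/myhub/authorizationrules/<dedicated-rule-name>` (placeholder), with a comment saying why. The 2-Update example and the three AzureDiagnosticSettingsCustomSecurityAttribute examples use the same ID. `EventHubName = "";` is also passed as an empty string; if that is meant to select a default hub, a short comment would help.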
@@ -0,0 +1,107 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureDiagnosticSettings "AzureDiagnosticSettings-TestDiag" + { + ApplicationId = $ApplicationId; + Categories = @( + MSFT_AzureDiagnosticSettingsCategory{ + category = 'AuditLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'SignInLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'NonInteractiveUserSignInLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'ServicePrincipalSignInLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'ManagedIdentitySignInLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'ProvisioningLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'ADFSSignInLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'RiskyUsers' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'UserRiskEvents' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'NetworkAccessTrafficLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'RiskyServicePrincipals' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'ServicePrincipalRiskEvents' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'EnrichedOffice365AuditLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'MicrosoftGraphActivityLogs' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 
'RemoteNetworkHealthLogs' + enabled = $False #Drift + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'NetworkAccessAlerts' + enabled = $True + } + MSFT_AzureDiagnosticSettingsCategory{ + category = 'B2CRequestLogs' + enabled = $False + } + ); + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + EventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + EventHubName = ""; + Name = "TestDiag"; + StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + TenantId = $TenantId; + WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettings/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettings/3-Remove.ps1 new file mode 100644 index 0000000000..67b55afca2 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettings/3-Remove.ps1 @@ -0,0 +1,33 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureDiagnosticSettings "AzureDiagnosticSettings-TestDiag" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + Name = "TestDiag"; + TenantId = $TenantId; + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettingsCustomSecurityAttribute/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettingsCustomSecurityAttribute/1-Create.ps1 new file mode 100644 index 0000000000..68f0be604d --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettingsCustomSecurityAttribute/1-Create.ps1 @@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureDiagnosticSettingsCustomSecurityAttribute "AzureDiagnosticSettingsCustomSecurityAttribute-MyAttribute" + { + ApplicationId = $ApplicationId; + Categories = @( + MSFT_AzureDiagnosticSettingsCustomSecurityAttributeCategory{ + category = 'CustomSecurityAttributeAuditLogs' + enabled = $True + } + ); + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + EventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + EventHubName = ""; + Name = "MyAttribute"; + StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + TenantId = $TenantId; + WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettingsCustomSecurityAttribute/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettingsCustomSecurityAttribute/2-Update.ps1 new file mode 100644 index 0000000000..45960eb955 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettingsCustomSecurityAttribute/2-Update.ps1 @@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureDiagnosticSettingsCustomSecurityAttribute "AzureDiagnosticSettingsCustomSecurityAttribute-MyAttribute" + { + ApplicationId = $ApplicationId; + Categories = @( + MSFT_AzureDiagnosticSettingsCustomSecurityAttributeCategory{ + category = 'CustomSecurityAttributeAuditLogs' + enabled = $False # Drift + } + ); + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + EventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + EventHubName = ""; + Name = "MyAttribute"; + StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + TenantId = $TenantId; + WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + } + } +} 
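Review bot: The drift chosen for this update example, `enabled = $False # Drift` on `CustomSecurityAttributeAuditLogs`, turns off the only category the setting exports, so applying the sample as written stops custom security attribute audit logs from reaching the workspace, storage account and event hub. For an audit-log resource I would rather drift a destination property, or keep this and add a comment such as `# Sample drift only - disabling this category stops audit log export`. Whether the service accepts a diagnostic setting with no enabled category is not visible here and is worth checking.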
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettingsCustomSecurityAttribute/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettingsCustomSecurityAttribute/3-Remove.ps1 new file mode 100644 index 0000000000..dd41a866b2 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureDiagnosticSettingsCustomSecurityAttribute/3-Remove.ps1 @@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureDiagnosticSettingsCustomSecurityAttribute "AzureDiagnosticSettingsCustomSecurityAttribute-MyAttribute" + { + ApplicationId = $ApplicationId; + Categories = @( + MSFT_AzureDiagnosticSettingsCustomSecurityAttributeCategory{ + category = 'CustomSecurityAttributeAuditLogs' + enabled = $True + } + ); + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + EventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + EventHubName = ""; + Name = "MyAttribute"; + StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + TenantId = $TenantId; + WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/1-Create.ps1 new file mode 100644 index 0000000000..b8bf0e6559 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/1-Create.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureSubscription "AzureSubscription-MySubscription" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "My Subscription"; + Ensure = "Present"; + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB"; + Status = "Active"; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/2-Update.ps1 index 2c95a634c1..58590ef582 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureSubscription/2-Update.ps1 
@@ -21,14 +21,15 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - AzureSubscription 'TestSubscription' + AzureSubscription "AzureSubscription-MySubscription" { - Name = 'MyTestSubscription' - Id = 'd620d94d-916d-4dd9-9de5-179292873e20' - Enabled = $true - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "My Subscription"; + Ensure = "Present"; + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB"; + Status = "Disabled"; #Drift + TenantId = $TenantId; } } } diff --git a/Modules/Microsoft365DSC/Examples/Resources/AzureVerifiedIdFaceCheck/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AzureVerifiedIdFaceCheck/2-Update.ps1 new file mode 100644 index 0000000000..5246259577 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AzureVerifiedIdFaceCheck/2-Update.ps1 
@@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureVerifiedIdFaceCheck "AzureVerifiedIdFaceCheck" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + FaceCheckEnabled = $True; + ResourceGroupName = "website"; + SubscriptionId = "2dbaf4c4-78f8-4ac9-8188-536d921cf690"; + TenantId = $TenantId; + VerifiedIdAuthorityId = "30961e04-9c35-42db-b80f-c1b6515eb4b2"; + VerifiedIdAuthorityLocation = "westus2"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/1-Create.ps1 new file mode 100644 index 0000000000..6c50bb343f --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/1-Create.ps1 
@@ -0,0 +1,46 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ DefenderDeviceAuthenticatedScanDefinition "DefenderDeviceAuthenticatedScanDefinition-MyScan"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ IntervalInHours = 1;
+ IsActive = $True;
+ Name = "MyScan";
+ ScanAuthenticationParams = MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams{
+ Type = 'NoAuthNoPriv'
+ DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams'
+ };
+ ScannerAgent = MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent{
+ machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx'
+ machineName = 'WIN-XXXXXXXXXX'
+ id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx'
+ };
+ ScanType = "Network";
+ Target = "172.1.12.1";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/2-Update.ps1
new file mode 100644
index 0000000000..f768e5a753
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/2-Update.ps1
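Review bot: `Target = "172.1.12.1"` in the DefenderDeviceAuthenticatedScanDefinition 1-Create example is a publicly routable address, since 172.1.0.0 lies outside the private 172.16.0.0/12 block, so anyone applying the example unchanged would define a recurring network scan against a host they probably do not own. A documentation address from RFC 5737 is safer for sample code, e.g. `Target = "192.0.2.10";`, or an RFC 1918 address if the resource needs something reachable. The same value appears in the 2-Update and 3-Remove examples for this resource. The block also sets `Type = 'NoAuthNoPriv'`; a short comment saying this is SNMP without authentication or privacy and is used only for the sample would help readers.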
@@ -0,0 +1,46 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ DefenderDeviceAuthenticatedScanDefinition "DefenderDeviceAuthenticatedScanDefinition-MyScan"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ IntervalInHours = 24; # Drift
+ IsActive = $True;
+ Name = "MyScan";
+ ScanAuthenticationParams = MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams{
+ Type = 'NoAuthNoPriv'
+ DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams'
+ };
+ ScannerAgent = MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent{
+ machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx'
+ machineName = 'WIN-XXXXXXXXXX'
+ id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx'
+ };
+ ScanType = "Network";
+ Target = "172.1.12.1";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/3-Remove.ps1
new file mode 100644
index 0000000000..c4d02051b3
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/DefenderDeviceAuthenticatedScanDefinition/3-Remove.ps1
@@ -0,0 +1,46 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ DefenderDeviceAuthenticatedScanDefinition "DefenderDeviceAuthenticatedScanDefinition-MyScan"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Absent";
+ IntervalInHours = 1;
+ IsActive = $True;
+ Name = "MyScan";
+ ScanAuthenticationParams = MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams{
+ Type = 'NoAuthNoPriv'
+ DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams'
+ };
+ ScannerAgent = MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent{
+ machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx'
+ machineName = 'WIN-XXXXXXXXXX'
+ id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx'
+ };
+ ScanType = "Network";
+ Target = "172.1.12.1";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/1-Create.ps1
new file mode 100644
index 0000000000..d74747c848
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/1-Create.ps1
@@ -0,0 +1,88 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $True; + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + MinDevicePasswordLength = 1; + Name = 
"Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = @(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/2-Update.ps1 new file mode 100644 index 0000000000..130f3fd6d7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/2-Update.ps1 
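Review bot: `IsDefault = $True` and `IsDefaultPolicy = $True` in the EXOActiveSyncMailboxPolicy 1-Create example make this sample policy the organization default, while the same block sets `DevicePasswordEnabled = $False`, `RequireDeviceEncryption = $False`, `AllowNonProvisionableDevices = $True` and `AllowSimpleDevicePassword = $True`. Applied as written to a tenant with real devices, it would presumably relax the mobile device policy for every mailbox that has no explicit assignment. Using `IsDefault = $False;` and `IsDefaultPolicy = $False;` keeps the example self-contained; the 2-Update and 3-Remove examples carry the same values. `RequireEncryptionSMIMEAlgorithm = "TripleDES"` and `RequireSignedSMIMEAlgorithm = "SHA1"` deserve a trailing comment marking them as legacy settings shown for illustration, not as recommendations.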
@@ -0,0 +1,88 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $False; #drift + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + MinDevicePasswordLength = 1; + 
Name = "Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = @(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/3-Remove.ps1 new file mode 100644 index 0000000000..585f9b6658 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOActiveSyncMailboxPolicy/3-Remove.ps1 
@@ -0,0 +1,88 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $True; + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + MinDevicePasswordLength = 1; + Name = 
"Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = @(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxAuditBypassAssociation/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxAuditBypassAssociation/2-Update.ps1 new file mode 100644 index 0000000000..ede62c46c9 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxAuditBypassAssociation/2-Update.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOMailboxAuditBypassAssociation "EXOMailboxAuditBypassAssociation-Test" + { + AuditBypassEnabled = $True; #Updated Property + Identity = "TestMailbox109"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/1-Create.ps1 new file mode 100644 index 0000000000..3b5392744d --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/1-Create.ps1 
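Review bot: `AuditBypassEnabled = $True; #Updated Property` in the EXOMailboxAuditBypassAssociation 2-Update example makes the "after" state the one in which actions by `TestMailbox109` are no longer recorded by mailbox audit logging. An example that is likely to be copied should either show the drift going the other way (`AuditBypassEnabled = $False; #Updated Property`) or say what the setting does, e.g. `# Bypass on: this account's mailbox access is not written to the audit log`. Enabling audit bypass is a change defenders normally alert on, so it should not read as a routine update.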
@@ -0,0 +1,37 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOServicePrincipal 'ServicePrincipal'
+ {
+ AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06";
+ AppName = "ISV Portal";
+ DisplayName = "Arpita";
+ Ensure = "Present";
+ Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/2-Update.ps1
new file mode 100644
index 0000000000..3b4575000a
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/2-Update.ps1
@@ -0,0 +1,37 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOServicePrincipal 'ServicePrincipal'
+ {
+ AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06";
+ AppName = "ISV Portal";
+ DisplayName = "Kartikeya";
+ Ensure = "Present";
+ Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/3-Remove.ps1
new file mode 100644
index 0000000000..f9f1639575
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOServicePrincipal/3-Remove.ps1
@@ -0,0 +1,37 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOServicePrincipal 'ServicePrincipal'
+ {
+ AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06";
+ AppName = "ISV Portal";
+ DisplayName = "Arpita";
+ Ensure = "Absent";
+ Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOTenantAllowBlockListSpoofItems/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOTenantAllowBlockListSpoofItems/1-Create.ps1
new file mode 100644
index 0000000000..581eb2a9a3
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOTenantAllowBlockListSpoofItems/1-Create.ps1
@@ -0,0 +1,36 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ EXOTenantAllowBlockListSpoofItems "EXOTenantAllowBlockListSpoofItems-b66ffa0c-ad85-df9d-0a16-ad3cb9956f71"
+ {
+ Action = "Allow";
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ SendingInfrastructure = "121.0.0.7";
+ SpoofedUser = "contoso.com";
+ SpoofType = "Internal";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOTenantAllowBlockListSpoofItems/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOTenantAllowBlockListSpoofItems/2-Update.ps1
new file mode 100644
index 0000000000..201345bee8
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOTenantAllowBlockListSpoofItems/2-Update.ps1
@@ -0,0 +1,36 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ EXOTenantAllowBlockListSpoofItems "EXOTenantAllowBlockListSpoofItems-b66ffa0c-ad85-df9d-0a16-ad3cb9956f71"
+ {
+ Action = "Block"; #Drift
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ SendingInfrastructure = "121.0.0.7";
+ SpoofedUser = "contoso.com";
+ SpoofType = "Internal";
+ TenantId = $TenantId;
+ }
+ }
+}
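Review bot: `SendingInfrastructure = "121.0.0.7"` in the EXOTenantAllowBlockListSpoofItems 1-Create example is a routable public address, and together with `Action = "Allow"`, `SpoofedUser = "contoso.com"` and `SpoofType = "Internal"` the sample allow-lists whoever holds that address to send mail as the organization's own domain. An RFC 5737 documentation address avoids pointing at real infrastructure, e.g. `SendingInfrastructure = "192.0.2.7";`. Starting the Create example from `Action = "Block";` and using `Allow` as the drift in 2-Update would also make the copy-paste default the safer one. The 2-Update and 3-Remove examples reuse the same address.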
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOTenantAllowBlockListSpoofItems/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOTenantAllowBlockListSpoofItems/3-Remove.ps1
new file mode 100644
index 0000000000..d319d11644
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOTenantAllowBlockListSpoofItems/3-Remove.ps1
@@ -0,0 +1,36 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ EXOTenantAllowBlockListSpoofItems "EXOTenantAllowBlockListSpoofItems-b66ffa0c-ad85-df9d-0a16-ad3cb9956f71"
+ {
+ Action = "Allow";
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Absent";
+ SendingInfrastructure = "121.0.0.7";
+ SpoofedUser = "contoso.com";
+ SpoofType = "Internal";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusPolicyLinux/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusPolicyLinux/1-Create.ps1
new file mode 100644
index 0000000000..bc609219f1
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusPolicyLinux/1-Create.ps1
@@ -0,0 +1,61 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAntivirusPolicyLinux 'myIntuneAntivirusPolicyLinux' + { + allowedThreats = @("Threat 1"); + Assignments = @(); + Description = ""; + disallowedThreatActions = @("Disallowed Thread Action 1"); + DisplayName = "Test"; + enabled = "true"; + Ensure = "Present"; + exclusions = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{ + Exclusions_item_extension = '.exe' + Exclusions_item_type = '1' + } + MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{ + Exclusions_item_name = 'process1' + Exclusions_item_type = '2' + } + ); + RoleScopeTagIds = @("0"); + threatTypeSettings = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings{ + ThreatTypeSettings_item_key = '0' + ThreatTypeSettings_item_value = '0' + } + MSFT_MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings{ + ThreatTypeSettings_item_key = '1' + ThreatTypeSettings_item_value = '1' + } + ); + unmonitoredFilesystems = @("Filesystem 1"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusPolicyLinux/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusPolicyLinux/2-Update.ps1 new file mode 100644 index 0000000000..16a971c59b --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusPolicyLinux/2-Update.ps1 
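Review bot: The first `exclusions` entry in the IntuneAntivirusPolicyLinux 1-Create example, `Exclusions_item_extension = '.exe'`, exempts a whole file extension from antivirus scanning, which is a broad exclusion to offer as the sample value; 2-Update swaps it for `'.vba'`. A trailing comment such as `# sample only: prefer narrowly scoped exclusions in real policies` would keep readers from lifting it as-is. Separately, `disallowedThreatActions = @("Disallowed Thread Action 1")` looks like a typo for "Threat" and, like `allowedThreats = @("Threat 1")`, is presumably not a value the service accepts, so it is worth confirming these against the resource schema. The 3-Remove example also targets `DisplayName = 'test'` while Create and Update use `"Test"`.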
@@ -0,0 +1,61 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAntivirusPolicyLinux 'myIntuneAntivirusPolicyLinux' + { + allowedThreats = @("Threat 1"); + Assignments = @(); + Description = ""; + disallowedThreatActions = @("Disallowed Thread Action 1"); + DisplayName = "Test"; + enabled = "true"; + Ensure = "Present"; + exclusions = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{ + Exclusions_item_extension = '.vba' # Updated property + Exclusions_item_type = '1' + } + MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{ + Exclusions_item_name = 'process1' + Exclusions_item_type = '2' + } + ); + RoleScopeTagIds = @("0"); + threatTypeSettings = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings{ + ThreatTypeSettings_item_key = '0' + ThreatTypeSettings_item_value = '0' + } + MSFT_MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings{ + ThreatTypeSettings_item_key = '1' + ThreatTypeSettings_item_value = '1' + } + ); + unmonitoredFilesystems = @("Filesystem 1"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusPolicyLinux/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusPolicyLinux/3-Remove.ps1 new file mode 100644 index 0000000000..0324ea22b3 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusPolicyLinux/3-Remove.ps1 
@@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAntivirusPolicyLinux 'myIntuneAntivirusPolicyLinux' + { + DisplayName = 'test' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/1-Create.ps1 new file mode 100644 index 0000000000..ea1bd230f5 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/1-Create.ps1 
@@ -0,0 +1,51 @@ +<# +This example creates a new Device Remediation. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr 'ConfigureAppAndBrowserIsolationPolicyWindows10ConfigMgr' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } + ); + AllowCameraMicrophoneRedirection = "1"; + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + ClipboardFileType = "1"; + ClipboardSettings = "0"; + Description = 'Description' + DisplayName = "App and Browser Isolation"; + Ensure = "Present"; + Id = '00000000-0000-0000-0000-000000000000' + InstallWindowsDefenderApplicationGuard = "install"; + SaveFilesToHost = "0"; + RoleScopeTagIds = @("0"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/2-Update.ps1 new file mode 100644 index 0000000000..292eb7ad68 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/2-Update.ps1 
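Review bot: The header comment says `This example creates a new Device Remediation.`, but the resource configured below it is `IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr`. It looks copied from another example; suggest `This example creates a new App and Browser Isolation policy for Windows 10 (ConfigMgr).` The 2-Update and 3-Remove examples for this resource have the same mismatch ("updates a new Device Remediation", "removes a Device Remediation") and need the matching wording.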
@@ -0,0 +1,51 @@ +<# +This example updates a new Device Remediation. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr 'ConfigureAppAndBrowserIsolationPolicyWindows10ConfigMgr' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } + ); + AllowCameraMicrophoneRedirection = "0"; # Updated property + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + ClipboardFileType = "1"; + ClipboardSettings = "0"; + Description = 'Description' + DisplayName = "App and Browser Isolation"; + Ensure = "Present"; + Id = '00000000-0000-0000-0000-000000000000' + InstallWindowsDefenderApplicationGuard = "install"; + SaveFilesToHost = "0"; + RoleScopeTagIds = @("0"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/3-Remove.ps1 new file mode 100644 index 0000000000..0739a625df --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr/3-Remove.ps1 
@@ -0,0 +1,34 @@ +<# +This example removes a Device Remediation. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr 'ConfigureAppAndBrowserIsolationPolicyWindows10ConfigMgr' + { + Id = '00000000-0000-0000-0000-000000000000' + DisplayName = 'App and Browser Isolation' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/1-Create.ps1 new file mode 100644 index 0000000000..c91949c36a --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/1-Create.ps1 
@@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneAppleMDMPushNotificationCertificate "IntuneAppleMDMPushNotificationCertificate-66f4ec83-754f-4a59-a73d-e3182cc636a5" + { + AppleIdentifier = "Apple ID"; + Certificate = "FakeCertMIIFdjCCBF6gAwIBAgIIMVIk4qQ3QnQwDQYJKoZIhvcNAQELBQAwgYwxQDA+BgNVBAMMN0FwcGxlIEFwcGxpY2F0aW9uIEludGVncmF0aW9uIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzAeFw0yNDEwMjUxODE0NThaFw0yNTEwMjUxODE0NTdaMIGPMUwwSgYKCZImiZPyLGQBAQw8Y29tLmFwcGxlLm1nbXQuRXh0ZXJuYWwuMDA1NWU3ZTktNDkyYi00ZDQ2LTk2N2EtMjhmYzVkNDllZGI2MTIwMAYDVQQDDClBUFNQOjAwNTVlN2U5LTQ5MmItNGQ0Ni05NjdhLTI4ZmM1ZDQ5ZWRiNjELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrEk6ojXS2lXZCW0P6Wtkv36ko7E1pDlu90IbKN+tesevGhghARFrGNJaRnCjjh7m430KMx2HmwuH08VHpevne2ANdSBOgbVD/8tbkfLN4GeO7Z+E0O5WvEKJ0h0IloV4PjhfZm367n7WDBGmAEXp/aUU91TDIGvAlwUB6M/s7WDypfKenpU7VI7BBNHOn/LwaeNyyTsr8/bn+D7CRDPb6UBYPc5wyQoEjgEjByprUB4qkICfjjvDqg0S+x/gkk4U6QDhjFcUb439EpUyUhbYFH/Opjq5uJ22xueTX3FLQII6ZFoPcC/NJLpwdEDGOOHEHb62ahrwTxzYNGoOG5v/NAgMBAAGjggHVMIIB0TAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFPe+fCFgkds9G3vYOjKBad+ebH+bMIIBHAYDVR0gBIIBEzCCAQ8wggELBgkqhkiG92NkBQEwgf0wgcMGCCsGAQUFBwICMIG2DIGzUmVsaWFuY2Ugb24gdGhpcyBjZXJ0aWZpY2F0ZSBieSBhbnkgcGFydHkgYXNzdW1lcyBhY2NlcHRhbmNlIG9mIHRoZSB0aGVuIGFwcGxpY2FibGUgc3RhbmRhcmQgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YgdXNlLCBjZXJ0aWZpY2F0ZSBwb2xpY3kgYW5kIGNlcnRpZmljYXRpb24gcHJhY3RpY2Ugc3RhdGVtZW50cy4wNQYIKwYBBQUHAgEWKWh0dHA6Ly93d3cuYXBwbGUuY29tL2NlcnRpZmljYXRlYXV0aG9yaXR5MBMGA1UdJQQMMAoGCCsGAQUFBwMCMDAGA1UdHwQ
pMCcwJaAjoCGGH2h0dHA6Ly9jcmwuYXBwbGUuY29tL2FhaTJjYS5jcmwwHQYDVR0OBBYEFE1pV3J04vJkpwqxzg040WR6U/7IMAsGA1UdDwQEAwIHgDAQBgoqhkiG92NkBgMCBAIFADANBgkqhkiG9w0BAQsFAAOCAQEAPVKFj5stCpsUT+lcC36hzR2wh8/fys/QFNFuFn57x4oe9kBvvyAXqLBhPm/J3lC+0oU/AJf3EYXwTGNxo2gCiPhJcomX3WXnbYrZHU/TH8umhtVgGqd6Xlke9iFwypidHC9dHWmwud4V42oAMZ9FHItSwh5o6rQMoZop7uKD72vxSuunEWFymF9S22DJ0oums1Ya8JmUpNfMzkyGVMMZs1OCYpzQxYpuwC+sMAVfGucp1IRLutccRGYeSV4LTN4CwfWreCPnPGjkBEmGqmusn5t/THirGjRBykUARWFpthx1wmJqHFqeAv4nhbcR/+Fu4gQQQaayX0dauBcU0T57=="; + DataSharingConsetGranted = $True; + + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/2-Update.ps1 new file mode 100644 index 0000000000..1b05d1358a --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/2-Update.ps1 @@ -0,0 +1,36 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneAppleMDMPushNotificationCertificate "IntuneAppleMDMPushNotificationCertificate-66f4ec83-754f-4a59-a73d-e3182cc636a5" + { + AppleIdentifier = "Patched cert"; #drift + Certificate = "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"; #drift + + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} 
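Review bot: The `Certificate` value in 1-Create.ps1 is a full-length base64 body behind a `FakeCert` prefix, and it appears to be a certificate that was actually issued rather than constructed sample data. Even though a push certificate is public material, it can carry identifiers tied to one tenant's MDM enrolment, and a long opaque blob in an example also trips secret scanners and invites copy-paste. I would replace it with an obviously labelled placeholder, `Certificate = "<base64-encoded APNs certificate (placeholder)>";`, and ask the author to confirm the original was never bound to a live tenant. Separately, `DataSharingConsetGranted` reads like a misspelling of Consent; check it against the resource schema before it is published as the documented property name.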
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/3-Remove.ps1 new file mode 100644 index 0000000000..0d1ab117d7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppleMDMPushNotificationCertificate/3-Remove.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAppleMDMPushNotificationCertificate "IntuneAppleMDMPushNotificationCertificate-66f4ec83-754f-4a59-a73d-e3182cc636a5" + { + AppleIdentifier = "AppleID"; + Certificate = ""; + + Ensure = "Absent"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagementEnrollmentAndroidGooglePlay/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagementEnrollmentAndroidGooglePlay/3-Remove.ps1 new file mode 100644 index 0000000000..9bd3d6195b --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagementEnrollmentAndroidGooglePlay/3-Remove.ps1 
@@ -0,0 +1,34 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ IntuneDeviceManagementEnrollmentAndroidGooglePlay "RemoveAndroidGooglePlayEnrollment"
+ {
+ Id = "androidManagedStoreAccountEnterpriseSettings"
+ Ensure = "Absent"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/1-Create.ps1
new file mode 100644
index 0000000000..a5095ed687
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/1-Create.ps1
@@ -0,0 +1,47 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Present"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $False; + WifiSecurityType = "none"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/2-Update.ps1 new file mode 100644 index 0000000000..c3fe6117bf --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/2-Update.ps1 
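Review bot: `AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e";` is not a well-formed GUID (the last group has 13 hex digits instead of 12), and the same value is repeated in the 2-Update.ps1 and 3-Remove.ps1 hunks that follow. It looks like a value taken from an export and then altered by hand; an obviously constructed placeholder such as `AccountId = "00000000-0000-0000-0000-000000000000";` is safer and will not fail if the property is ever parsed as a GUID. The example also sets `ConfigureWifi = $True` together with `WifiSecurityType = "none"`, i.e. an open network for device enrolment, so a comment like `# open Wi-Fi is for illustration only; use a secured network type for real enrolment profiles` would help readers who copy it. `EnrolledDeviceCount`, `TokenCreationDateTime` and `TokenExpirationDateTime` look like service-reported values with a locale-dependent date format; if they are read-only, drop them from the example.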
@@ -0,0 +1,46 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Present"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $True; #Drift + WifiSecurityType = "none"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/3-Remove.ps1 new file mode 100644 index 0000000000..6bc56f61c7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/3-Remove.ps1 
@@ -0,0 +1,46 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Absent"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $False; + WifiSecurityType = "none"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1 index f7746f29b1..4bb88786ac 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1 @@ -38,7 +38,6 @@ Configuration Example Owner = ""; PrivacyInformationUrl = ""; Publisher = "Contoso"; - PublishingState = "published"; Assignments = @( MSFT_DeviceManagementMobileAppAssignment { groupDisplayName = 'All devices' 
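Review bot: With `Ensure = "Absent"` the Android enrolment-profile 3-Remove.ps1 still lists the whole profile (`ConfigureWifi`, `WifiSecurityType`, the token dates and the counters), whereas the other Remove examples in this commit pass only the identifying properties and the credentials. The extra settings make it hard to see which properties actually select the object to delete, and a reader may assume they all have to match. I would reduce the block to the key properties (presumably `DisplayName`, to be confirmed against the schema), `Ensure = "Absent";` and the three authentication parameters. The IntuneMobileThreatDefenseConnector 3-Remove.ps1 further down has the same shape.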
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/1-Create.ps1 new file mode 100644 index 0000000000..6243030b1e --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/1-Create.ps1 @@ -0,0 +1,51 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint" + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} 
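Review bot: `LastHeartbeatDateTime = "1/1/0001 12:00:00 AM";` and `PartnerState = "notSetUp";` look like state reported by the service rather than settings an administrator chooses, presumably carried over from an export. The date string also depends on the locale of the machine that compiles the configuration. If these properties are read-only, remove them from the example; if they are writable, a short comment such as `# reported by the connector; shown for completeness` would stop readers from treating them as desired state. The 2-Update.ps1 and 3-Remove.ps1 hunks for this resource repeat both lines.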
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/2-Update.ps1 new file mode 100644 index 0000000000..8765456e07 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/2-Update.ps1 @@ -0,0 +1,51 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint" + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $True; #drift + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/3-Remove.ps1 new file mode 100644 index 0000000000..c5529f47ca --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/3-Remove.ps1 @@ -0,0 +1,51 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint" + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Absent"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/1-Create.ps1 new file mode 100644 index 0000000000..1753fce3f7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/1-Create.ps1 @@ -0,0 +1,45 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint + { + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + AllowRealtimeMonitoring = '1' + BlockWin32APICallsFromOfficeMacros = 'warn' + CloudBlockLevel = '2' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint + { + DisableSafetyFilterOverrideForAppRepUnknown = '1' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/2-Update.ps1 new file mode 100644 index 0000000000..62a406e09d --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/2-Update.ps1 
@@ -0,0 +1,45 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint + { + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + AllowRealtimeMonitoring = '0' #drift + BlockWin32APICallsFromOfficeMacros = 'warn' + CloudBlockLevel = '2' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint + { + DisableSafetyFilterOverrideForAppRepUnknown = '1' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/3-Remove.ps1 new file mode 100644 index 0000000000..7f463cc6f0 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineDefenderForEndpoint/3-Remove.ps1 
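Review bot: The drift chosen for 2-Update.ps1 is `AllowRealtimeMonitoring = '0' #drift`, which by the property name would switch real-time monitoring off, on top of `BlockExecutionOfPotentiallyObfuscatedScripts = 'off'` already present in both the create and the update example. The header says the file is not a production baseline, but examples for a security baseline get copied, so I would rather demonstrate drift with a change that tightens a setting, or at least add `# example only: weakens protection, do not copy into a real baseline` next to the line. If the schema accepts it, `BlockWin32APICallsFromOfficeMacros = 'block' #drift` would show the same update path without disabling anything.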
@@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint' + { + DisplayName = 'test' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/M365DSCRuleEvaluation/1-Evaluate a rule.ps1 b/Modules/Microsoft365DSC/Examples/Resources/M365DSCRuleEvaluation/1-Evaluate a rule.ps1 index 0450b5aa3a..7661e8dd81 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/M365DSCRuleEvaluation/1-Evaluate a rule.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/M365DSCRuleEvaluation/1-Evaluate a rule.ps1 @@ -16,9 +16,9 @@ Configuration Example { M365DSCRuleEvaluation 'AllowAnonymousUsersToJoinMeetingAllPolicies' { - ResourceName = 'TeamsMeetingPolicy' - RuleDefinition = "`$_.AllowAnonymousUsersToJoinMeeting -eq `$true" - Credential = $CredsCredential + ResourceTypeName = 'TeamsMeetingPolicy' + RuleDefinition = "`$_.AllowAnonymousUsersToJoinMeeting -eq `$true" + Credential = $CredsCredential } } } diff --git a/Modules/Microsoft365DSC/Examples/Resources/SCPolicyConfig/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SCPolicyConfig/2-Update.ps1 new file mode 100644 index 0000000000..37f5df1376 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/SCPolicyConfig/2-Update.ps1 
@@ -0,0 +1,239 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SCPolicyConfig "SCPolicyConfig" + { + AdvancedClassificationEnabled = $True; + ApplicationId = $ApplicationId; + AuditFileActivity = $False; + BandwidthLimitEnabled = $False; + BusinessJustificationList = @( + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification1' + Enable = $True + justificationText = 'default:Were' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification2' + Enable = $True + justificationText = 'default:Not' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification3' + Enable = $True + justificationText = 'default:Going' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification4' + Enable = $True + justificationText = 'default:To' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification5' + Enable = $True + justificationText = 'default:Take It' + } + ); + CertificateThumbprint = $CertificateThumbprint; + CloudAppMode = "Block"; + CloudAppRestrictionList = @("contoso.net","contoso.com"); + CustomBusinessJustificationNotification = 3; + DailyBandwidthLimitInMB = 0; + DLPAppGroups = @( + MSFT_PolicyConfigDLPAppGroups + { + Name = 'Maracas' + Id = '5c124091-bb75-4d20-9c09-b00d584c6270' + Description = 'Lacucaracha' + Apps = @( + MSFT_PolicyConfigDLPApp + { + ExecutableName = 'toc.exe' + Name = 'toctoctoc' + Quarantine = $False + } + ) + } + ); + DLPNetworkShareGroups = @( + MSFT_PolicyConfigDLPNetworkShareGroups + { + groupName = 'Network Share Group' + networkPaths = 
@('\\share2','\\share') + } + ); + DLPPrinterGroups = @( + MSFT_PolicyConfigDLPPrinterGroups + { + groupName = 'MyGroup' + groupId = '928f8844-80af-4740-b563-232b33b29f5d' + printers = @( + MSFT_PolicyConfigPrinter + { + universalPrinter = $False + usbPrinter = $True + usbPrinterId = '' + name = 'asdf' + alias = 'aasdf' + usbPrinterVID = '' + ipRange = MSFT_PolicyConfigIPRange + { + fromAddress = '' + toAddress = '' + } + corporatePrinter = $False + printToLocal = $False + printToFile = $False + } + ) + } + ); + DLPRemovableMediaGroups = @( + MSFT_PolicyConfigDLPRemovableMediaGroups + { + groupName = 'My Removable USB device group' + removablemedia = @( + MSFT_PolicyConfigRemovableMedia + { + deviceId = 'Nik' + removableMediaVID = 'bob' + name = 'MaCles' + alias = 'My Device' + removableMediaPID = 'asdfsd' + instancePathId = 'instance path' + serialNumberId = 'asdf' + hardwareId = 'hardware' + } + ) + } + ); + EnableLabelCoauth = $False; + EnableSpoAipMigration = $False; + EvidenceStoreSettings = MSFT_PolicyConfigEvidenceStoreSettings + { + FileEvidenceIsEnabled = $True + NumberOfDaysToRetain = 7 + StorageAccounts = @( + MSFT_PolicyConfigStorageAccount + { + Name = 'My storage' + BlobUri = 'https://contoso.com' + } + MSFT_PolicyConfigStorageAccount + { + Name = 'My 2nd storage' + BlobUri = 'https://coucou.com' + } + ) + Store = 'CustomerManaged' + }; + IncludePredefinedUnallowedBluetoothApps = $True; + IsSingleInstance = "Yes"; + MacDefaultPathExclusionsEnabled = $True; + MacPathExclusion = @("/pear","/apple","/orange"); + NetworkPathEnforcementEnabled = $True; + NetworkPathExclusion = "\\MyFirstPath:\\MySecondPath:\\MythirdPAth"; + PathExclusion = @("\\includemenot","\\excludemeWindows","\\excludeme3"); + QuarantineParameters = MSFT_PolicyConfigQuarantineParameters + { + EnableQuarantineForCloudSyncApps = $False + QuarantinePath = '%homedrive%%homepath%\Microsoft DLP\Quarantine' + MacQuarantinePath = '/System/Applications/Microsoft DLP/QuarantineMA' + 
ShouldReplaceFile = $True + FileReplacementText = 'Gargamel' + } + serverDlpEnabled = $True; + SiteGroups = @( + MSFT_PolicyConfigDLPSiteGroups + { + Id = 'cfa0d856-4dc9-4497-b0aa-93584e919a83' + Name = 'Whatever' + Addresses = @( + MSFT_PolicyConfigSiteGroupAddress + { + MatchType = 'UrlMatch' + Url = 'Karakette.com' + AddressLower = '' + AddressUpper = '' + } + ) + } + ); + TenantId = $TenantId; + UnallowedApp = @( + MSFT_PolicyConfigApp + { + Value = 'Caramel' + Executable = 'cara.exe' + } + MSFT_PolicyConfigApp + { + Value = 'Fudge' + Executable = 'chocolate.exe' + } + ); + UnallowedBluetoothApp = @( + MSFT_PolicyConfigApp + { + Value = 'bluetooth' + Executable = 'micase.exe' + } + MSFT_PolicyConfigApp + { + Value = 'marmelade' + Executable = 'julia.exe' + } + ); + UnallowedBrowser = @( + MSFT_PolicyConfigApp + { + Value = 'UC Browser' + Executable = 'ucbrowser.exe' + } + MSFT_PolicyConfigApp + { + Value = 'CapitainOS' + Executable = 'captn.exe' + } + ); + UnallowedCloudSyncApp = @( + MSFT_PolicyConfigApp + { + Value = 'ikochou' + Executable = 'gillex.msi' + } + MSFT_PolicyConfigApp + { + Value = 'johny' + Executable = 'boo.msi' + } + ); + VPNSettings = @("MyVPNAddress","MySecondVPNAddress"); + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/1-Create.ps1 new file mode 100644 index 0000000000..48bcd14ca7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/1-Create.ps1 
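Review bot: The second evidence-store entry uses `BlobUri = 'https://coucou.com'` and the site group uses `Url = 'Karakette.com'`, neither of which is a reserved example domain. A reader who applies the example unchanged would point DLP evidence storage at a third-party host, so I would keep to the `contoso` names used elsewhere in this file, e.g. `BlobUri = 'https://storage2.contoso.com'` and `Url = 'contoso.com'`. This is also the only Update example in the commit without a `#drift` marker; a comment on the property that differs from the create example would make the intent clear.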
@@ -0,0 +1,75 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + }; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CustomDetails = @( + MSFT_SentinelAlertRuleCustomDetails{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } + ); + Description = "Test"; + DisplayName = "MyNRTRule"; + Enabled = $True; + Ensure = "Present"; + EntityMappings = @( + MSFT_SentinelAlertRuleEntityMapping{ + fieldMappings = @( + MSFT_SentinelAlertRuleEntityMappingFieldMapping{ + identifier = 'AppId' + columnName = 'Id' + } + ) + entityType = 'CloudApplication' + } + ); + IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{ + groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + }; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "ResourceGroupName"; + Severity = "Medium"; + SubscriptionId = "xxxx"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } + } +} 
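Review bot: `alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '` has three opening braces against two closing ones and a trailing space, so the column placeholder is probably not substituted as intended. Sentinel alert-detail overrides reference a column as `{{columnName}}`, so I would write `alertDisplayNameFormat = 'Alert from {{TimeGenerated}}'`. The same line is repeated in the 2-Update.ps1 hunk that follows. The resource name suggests a near-real-time rule, but no property in this hunk states the rule kind; if the schema has one, the example should set it explicitly.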
diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/2-Update.ps1
new file mode 100644
index 0000000000..f2ce0ff25e
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/2-Update.ps1
@@ -0,0 +1,75 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ SentinelAlertRule "SentinelAlertRule-MyNRTRule"
+ {
+ AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{
+ alertDescriptionFormat = 'This is an example of the alert content'
+ alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '
+ };
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ CustomDetails = @(
+ MSFT_SentinelAlertRuleCustomDetails{
+ DetailKey = 'Color'
+ DetailValue = 'TenantId'
+ }
+ );
+ Description = "Test";
+ DisplayName = "MyNRTRule";
+ Enabled = $True;
+ Ensure = "Present";
+ EntityMappings = @(
+ MSFT_SentinelAlertRuleEntityMapping{
+ fieldMappings = @(
+ MSFT_SentinelAlertRuleEntityMappingFieldMapping{
+ identifier = 'AppId'
+ columnName = 'Id'
+ }
+ )
+ entityType = 'CloudApplication'
+ }
+ );
+ IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{
+ groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{
+ lookbackDuration = 'PT5H'
+ matchingMethod = 'Selected'
+ groupByCustomDetails = @('Color')
+ groupByEntities = @('CloudApplication')
+ reopenClosedIncident = $True
+ enabled = $True
+ }
+ createIncident = $True
+ };
+ Query = "ThreatIntelIndicators";
+ ResourceGroupName = "ResourceGroupName";
+ Severity = "High"; #Drift
+ SubscriptionId = "xxxx";
+ SuppressionDuration = "PT5H";
+ Tactics = @();
+ Techniques = @();
+ TenantId = $TenantId;
+ WorkspaceName = "SentinelWorkspace";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/3-Remove.ps1
new file mode 100644
index 0000000000..9d40a7633d
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelAlertRule/3-Remove.ps1
@@ -0,0 +1,38 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ SentinelAlertRule "SentinelAlertRule-MyNRTRule"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Description = "Test";
+ DisplayName = "MyNRTRule";
+ Ensure = "Absent";
+ ResourceGroupName = "ResourceGroupName";
+ Severity = "Medium";
+ SubscriptionId = "xxxx";
+ TenantId = $TenantId;
+ WorkspaceName = "SentinelWorkspace";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/1-Create.ps1
new file mode 100644
index 0000000000..8af0d7f657
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/1-Create.ps1
@@ -0,0 +1,43 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ DisplayName = "MyIndicator";
+ Ensure = "Present";
+ Labels = @("Tag1", "Tag2");
+ Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']";
+ PatternType = "ipv6-addr";
+ ResourceGroupName = "MyResourceGroup";
+ Source = "Microsoft Sentinel";
+ SubscriptionId = "12345-12345-12345-12345-12345";
+ TenantId = $TenantId;
+ ThreatIntelligenceTags = @();
+ ValidFrom = "2024-10-21T19:03:57.24Z";
+ ValidUntil = "2024-10-21T19:03:57.24Z";
+ WorkspaceName = "SentinelWorkspace";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/2-Update.ps1
new file mode 100644
index 0000000000..91919b455d
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/2-Update.ps1
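Review bot: `ValidFrom` and `ValidUntil` are both set to `2024-10-21T19:03:57.24Z`, so the sample indicator has a zero-length validity window and would presumably be treated as expired as soon as it is created. Giving `ValidUntil` a later timestamp, for instance `ValidUntil = "2025-10-21T19:03:57.24Z";` (constructed value), makes the example usable as written. The `Pattern` also carries what looks like a globally routable IPv6 address; an address from the documentation prefix, such as `Pattern = "[ipv6-addr:value = '2001:db8::1']";`, avoids publishing a real host as a threat indicator. Both points apply equally to the 2-Update.ps1 and 3-Remove.ps1 examples for this resource.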
@@ -0,0 +1,43 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ DisplayName = "MyIndicator";
+ Ensure = "Present";
+ Labels = @("Tag1", "Tag2", "Tag3"); #Drift
+ Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']";
+ PatternType = "ipv6-addr";
+ ResourceGroupName = "MyResourceGroup";
+ Source = "Microsoft Sentinel";
+ SubscriptionId = "12345-12345-12345-12345-12345";
+ TenantId = $TenantId;
+ ThreatIntelligenceTags = @();
+ ValidFrom = "2024-10-21T19:03:57.24Z";
+ ValidUntil = "2024-10-21T19:03:57.24Z";
+ WorkspaceName = "SentinelWorkspace";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/3-Remove.ps1
new file mode 100644
index 0000000000..e2cbe36a01
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelThreatIntelligenceIndicator/3-Remove.ps1
@@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "MyIndicator"; + Ensure = "Absent"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + TenantId = $TenantId; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + } + } +} diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 index db41671f0b..786f513b5a 100644 --- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 +++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 @@ -3,7 +3,7 @@ # # Generated by: Microsoft Corporation # -# Generated on: 2024-10-16 +# Generated on: 2024-11-06 @{ @@ -11,7 +11,7 @@ # RootModule = '' # Version number of this module. - ModuleVersion = '1.24.1016.1' + ModuleVersion = '1.24.1106.1' # Supported PSEditions # CompatiblePSEditions = @() 
@@ -77,9 +77,12 @@ 'Modules/M365DSCTelemetryEngine.psm1', 'Modules/M365DSCUtil.psm1', 'Modules/M365DSCDRGUtil.psm1', + 'Modules/M365DSCIntuneSettingsCatalogUtil.psm1', 'Modules/EncodingHelpers/M365DSCEmojis.psm1', 'Modules/EncodingHelpers/M365DSCStringEncoding.psm1', + 'Modules/WorkloadHelpers/M365DSCAzureHelper.psm1', 'Modules/WorkloadHelpers/M365DSCAzureDevOPSHelper.psm1', + 'Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1', 'Modules/WorkloadHelpers/M365DSCFabricHelper.psm1', 'Modules/M365DSCConfigurationHelper.psm1' ) 
@@ -144,82 +147,220 @@ IconUri = 'https://github.com/microsoft/Microsoft365DSC/blob/Dev/Modules/Microsoft365DSC/Dependencies/Images/Logo.png?raw=true' # ReleaseNotes of this module - ReleaseNotes = '* AADAdminConsentRequestPolicy + ReleaseNotes = '* AADAccessReviewDefinition * Initial release. -* AADApplication - * Fixed an issue trying to retrieve the beta instance. - * Added support for OnPremisesPublishing. - * Added support for ApplicationTemplate. - * Fixes an issue where trying to apply permissions complained about - duplicate entries. -* AADAuthenticationRequirement +* AADAccessReviewPolicy * Initial release. -* AADConnectorGroupApplicationProxy +* AADAuthenticationMethodPolicyExternal * Initial release. -* AADCustomSecurityAttributeDefinition +* AADClaimsMappingPolicy * Initial release. -* AADDeviceRegistrationPolicy +* AADConditionalAccessPolicy + * FIXES [#5282](https://github.com/microsoft/Microsoft365DSC/issues/5282) + * Added support for InsiderRiskLevels. +* AADCustomSecurityAttributeDefinition + * Fixed missing permissions in settings.json +* AADEnrichedAuditLogs * Initial release. -* AADEntitlementManagementSettings - * Added support for ApplicationSecret -* AADIdentityGovernanceLifecycleWorkflow +* AADFederationConfiguration * Initial release. -* AADLifecycleWorkflowSettings +* AADFilteringPolicy * Initial release. -* AADServicePrincipal - * Adding Delegated Permission Classification Property -* ADOPermissionGroupSettings +* AADFilteringPolicyRule * Initial release. -* EXOATPBuiltInProtectionRule +* AADFilteringProfile * Initial release. -* EXOMigrationEndpoint +* AADGroup + * Added support for custom roles assignment. + FIXES [#5322](https://github.com/microsoft/Microsoft365DSC/issues/5322) +* AADHomeRealmDiscoveryPolicy * Initial Release -* IntuneAccountProtectionPolicy - * Added deprecation notice. -* IntuneAccountProtectionPolicyWindows10 +* AADIdentityAPIConnector + * Initial release. +* AADIdentityB2XUserFlow + * Initial release. 
+* AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension + * Initial release. +* AADIdentityGovernanceProgram + * Initial release. +* AADIdentityProtectionPolicySettings + * Initial release. +* AADNamedLocationPolicy + * Fixed issue where duplicate names were not detected correctly. +* AADNetworkAccessForwardingPolicy + * Initial release. +* AADNetworkAccessForwardingProfile + * Initial release. +* AADNetworkAccessSettingConditionalAccess + * Initial release. +* AADNetworkAccessSettingCrossTenantAccess + * Initial release. +* AADOnPremisesPublishingProfilesSettings + * Initial release. +* AADOrganizationCertificateBasedAuthConfiguration + * Initial release. +* AADRemoteNetwork + * Initial release. +* AADRoleEligibilityScheduleRequest + * Fixes for Custom roles. + FIXES [#5330](https://github.com/microsoft/Microsoft365DSC/issues/5330) + * Fixes to remove elegibility schedule for custom roles. + FIXES [#5331](https://github.com/microsoft/Microsoft365DSC/issues/5331) +* AADRoleManagementPolicyRule + * Initial release. +* AADServicePrincipal + * Added the notes field. + FIXES [#5312](https://github.com/microsoft/Microsoft365DSC/issues/5312) + * Added support for KeyCredentials and PasswordCredentials. + * Added support for SAML. + * Fixed issue with Owners. +* AADSocialIdentityProvider + * Fixed missing permissions in settings.json +* AADUserFlowAttribute * Initial Release - FIXES [#5073](https://github.com/microsoft/Microsoft365DSC/issues/5073) -* IntuneAppAndBrowserIsolationPolicyWindows10 +* AADVerifiedIdAuthority + * Initial release. +* AADVerifiedIdAuthorityContract * Initial release. - FIXES [#3028](https://github.com/microsoft/Microsoft365DSC/issues/3028) +* AzureBillingAccountsAssociatedTenant + * Initial release. +* AzureBillingAccountsRoleAssignment + * Initial release. +* AzureDiagnosticSettings + * Initial release. +* AzureDiagnosticSettingsCustomSecurityAttribute + * Initial release. 
+* AzureSubscription + * Renamed parameters and added logic flow to create new subscriptions. +* AzureVerifiedIdFaceCheck + * Initial release. +* DefenderDeviceAuthenticatedScanDefinition + * Initial release. +* EXOActiveSyncMailboxPolicy + * Initial release. +* EXOArcConfig + * Fixed `Test-TargetResource` to correctly check property `ArcTrustedSealers` + when it has an array +* EXOMailboxAuditBypassAssociation + * Initial release. +* EXOMailboxSettings + * Added support for AddressBookPolicy, RetentionPolicy, RoleAssignmentPolicy + and SharingPolicy. +* EXOServicePrincipal + * Initial release. +* EXOTenantAllowBlockListItems + * Fixed `Test-TargetResource` to correctly mark when this resource is removed +* EXOTenantAllowBlockListSpoofItems + * Initial release. +* IntuneAccountProtectionLocalUserGroupMembershipPolicy + * Updates values in `UserSelectionType`. + FIXES [#5318](https://github.com/microsoft/Microsoft365DSC/issues/5318) +* IntuneAntivirusPolicyLinux + * Initial release. +* IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr + * Initial release. +* IntuneAppCategory + * Fixed retrieval of resource which could then result in multiple categories + being created with same name. +* IntuneAppleMDMPushNotificationCertificate + * Initial release. +* IntuneAppProtectionPolicyiOS + * Fixes an issue that could cause multiple instances to be created when multiple + instances with the same display name exist. * IntuneDerivedCredential + * Fixed export and deployment when `NotificationType` had more than one option + selected + * Fixed retrieval of resource when it cannot be found by `Id` + * Added a few verbose messages +* IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile * Initial release. -* IntuneDeviceConfigurationIdentityProtectionPolicyWindows10 - * Added deprecation notice. * IntuneEndpointDetectionAndResponsePolicyWindows10 - * Migrate to new Settings Catalog cmdlets. 
-* IntuneMobileAppsMacOSLobApp - * Initial release -* IntuneMobileAppsWindowsOfficeSuiteApp - * Initial release -* IntuneSecurityBaselineMicrosoft365AppsForEnterprise - * Initial release -* IntuneSecurityBaselineMicrosoftEdge - * Initial release -* PPAdminDLPPolicy - * Initial release. -* PPDLPPolicyConnectorConfigurations - * Initial release. -* PPPowerAppPolicyUrlPatterns - * Initial release. -* TeamsClientConfiguration - * Fixed bug where RestrictedSenderList was always empty in the MSFT_TeamsClientConfiguration resource - FIXES [#5190](https://github.com/microsoft/Microsoft365DSC/issues/5190) - * Changed Set-TargetResource to always use semicolon as separator as mentioned in the MS documentation -* TeamsUpgradePolicy - * Added support for tenant wide changes using the * value for users. - FIXES [#5174](https://github.com/microsoft/Microsoft365DSC/issues/5174) + * Fixes an issue with `AutoFromConnector` as the Configuration package type. + FIXES [#5246](https://github.com/microsoft/Microsoft365DSC/issues/5246) +* IntuneMobileThreatDefenseConnector + * Initial release. +* IntuneSecurityBaselineDefenderForEndpoint + * Initial release. +* IntuneSettingCatalogCustomPolicyWindows10 + * Fixes an issue with limited results when more than 25 results are present. +* Intune workload + * Fixed missing permissions in settings.json +* M365DSCRuleEvaluation + * Changed the name of the Key property from ResourceName to ResourceTypeName. + While this is considered a breaking change, the old property name was + breaking the DSCParser process. The impact of this breaking the parsing + process is important enough to justify an out-of-band breaking change of + this resource. +* ODSettings + * Deprecated property NotifyOwnersWhenInvitationsAccepted. 
+ FIXES [#4979](https://github.com/microsoft/Microsoft365DSC/issues/4979) +* PPPowerAppsEnvironment + * Add ProvisionDatabase attribute + FIXES [#5207](https://github.com/microsoft/Microsoft365DSC/issues/5207) +* PPTenantSettings + * Updated to support latest settings. +* SCInsiderRiskPolicy + * Added support for property MDATPTriageStatus. + * Added support for GPUUtilizationLimit and CPUUtilizationLimit. +* SCPolicyConfig + * Initial release. +* SCSensitivityLabel + * Fixed issue with setting label priority + FIXES [#5266](https://github.com/microsoft/Microsoft365DSC/issues/5266) +* SentinelAlertRule + * Initial release. +* SentinelThreatIntelligenceIndicator + * Initial release. +* SPOSharingSettings + * Deprecated property RequireAcceptingAccountMatchInvitedAccount. + FIXES [#4979](https://github.com/microsoft/Microsoft365DSC/issues/4979) +* SPOTenantSettings + * Added support for AllowSelectSGsInODBListInTenant, + DenySelectSGsInODBListInTenant, DenySelectSecurityGroupsInSPSitesList, + AllowSelectSecurityGroupsInSPSitesList, + ExemptNativeUsersFromTenantLevelRestricedAccessControl properties. + * TenantDefaultTimezone changed to String instead of Array. +* TeamsMeetingPolicy + * Added new parameters: AllowExternalNonTrustedMeetingChat, AttendeeIdentityMasking, + AutomaticallyStartCopilot, AutoRecording, ConnectToMeetingControls, + ContentSharingInExternalMeetings, Copilot, CopyRestriction, + DetectSensitiveContentDuringScreenSharing, ExternalMeetingJoin, ParticipantNameChange, + VoiceIsolation +* TeamsOrgWideAppSettings + * Fixed an issue where ManagedIdentity was not define in the methods signatures. + FIXES [#5188](https://github.com/microsoft/Microsoft365DSC/issues/5188) * M365DSCDRGUtil - * Fixes an issue for the handling of skipped one-property elements in the - Settings Catalog. 
FIXES [#5086](https://github.com/microsoft/Microsoft365DSC/issues/5086) - * Add Set support for secret Settings Catalog values - * Removed unused functions - * Add support for device / user scoped settings. -* ResourceGenerator - * Add support for device / user scoped settings. + * Fixes an issue where non-unique properties were not combined + properly with their respective parent setting. +* MISC + * Fixed references to graph.microsoft.com with dynamic domain name based on target cloud. + Impacted AADAdminConsentRequestPolicy, AADApplication, AADConditionalAccessPolicy, AADGroup, + AADNamedLocationPolicy, AADServiePrincipal, IntuneASRRulesPolicyWindows10, + IntuneAccountProtectionLocalUsersGroupMembershipPolicy, IntuneAccountProtectionPolicy, + IntuneAppProtectionPolicyiOS,IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10, + IntuneDeviceConfigurationSCEPCertificatePolicyWindows10, IntuneDeviceConfigurationWiredNetworkPolicyWindows10, + IntuneDeviceEnrollmentStatusPageWindows10, IntuneDiskEncryptionMacOS, IntunePolicySets, + IntuneSettingCatalogCustomPolicyWindows10, M365DSCRGUtil + * Exponential performance improvements by reducing complexity and roundtrips. + * Changed the logic that appends GUID in the resource name when primary key is not found during an + export. We will only append a GUID if the IsSingleInstance property is not found on the resource. + * Add check in AADGroupSettings for NewUnifiedGroupWritebackDefault not existing in Government by default + FIXES [#5213](https://github.com/microsoft/Microsoft365DSC/issues/5213) + * Fix static refrences to graph.microsoft.com + FIXES [#5339](https://github.com/microsoft/Microsoft365DSC/issues/5339) + AADNetworkAccessForwardingPolicy. 
AADOrganizationCertificateBasedAuthConfiguration, + AADAuthenticationMethodPolicyExternal, AADEnrichedAuditLogs + FIXES [#5340](https://github.com/microsoft/Microsoft365DSC/issues/5340) + IntuneDeviceManagementEnrollmentAndroidGooglePlay, IntuneAppleMDMPushNotificationCertificate + * Fixes static OData refrences to graph.microsoft.com + AADApplication, AADEntitlementManagementAccessPackage, AADEntitlementManagementConnectedOrganization + AADServicePrincipal + FIXES [#5342](https://github.com/microsoft/Microsoft365DSC/issues/5342) * DEPENDENCIES - * Updated DSCParser to version 2.0.0.11 - * Updated ReverseDSC to version 2.0.0.22' + * Updated Microsoft.Graph to version 2.24.0. + * Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.199. + * Updated MSCloudLoginAssistant to version 1.1.27 + * Updated MicrosoftTeams to version 6.6.0.' # Flag to indicate whether the module requires explicit user acceptance for install/update # RequireLicenseAcceptance = $false diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index e5ff29e4b2..c6ac727450 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -190,7 +190,7 @@ function Get-M365DSCDRGComplexTypeToHashtable } else { - $keys = $ComplexObject | Get-Member | Where-Object -FilterScript { $_.MemberType -eq 'Property' } + $keys = $ComplexObject | Get-Member | Where-Object -FilterScript { $_.MemberType -eq 'Property' -or $_.MemberType -eq 'NoteProperty' } } foreach ($key in $keys) 
@@ -606,12 +606,12 @@ function Compare-M365DSCComplexObject if ($Source.GetType().FullName -like '*CimInstance[[\]]' -or $Source.GetType().FullName -like '*Hashtable[[\]]') { - if ($Source.Count -ne $Target.Count) + if ($Source.Length -ne $Target.Length) { - Write-Verbose -Message "Configuration drift - The complex array have different number of items: Source {$($Source.Count)} Target {$($Target.Count)}" + Write-Verbose -Message "Configuration drift - The complex array have different number of items: Source {$($Source.Length)} Target {$($Target.Length)}" return $false } - if ($Source.Count -eq 0) + if ($Source.Length -eq 0) { return $true } @@ -712,7 +712,7 @@ function Compare-M365DSCComplexObject } #One of the item is null and not the other - if (($null -eq $Source.$key) -xor ($null -eq $targetValue)) + if (($Source.$key.Length -eq 0) -xor ($targetValue.Length -eq 0)) { if ($null -eq $Source.$key) { @@ -1574,8 +1574,8 @@ function Get-IntuneSettingCatalogPolicySetting { [CmdletBinding()] [OutputType([System.Array])] - param( - [Parameter(Mandatory = 'true')] + param ( + [Parameter(Mandatory = $true)] [System.Collections.Hashtable] $DSCParams, @@ -1598,7 +1598,10 @@ function Get-IntuneSettingCatalogPolicySetting $ContainsDeviceAndUserSettings ) - $global:excludedDefinitionIds = @() + if ($null -eq (Get-Command Get-SettingsCatalogSettingName -ErrorAction SilentlyContinue)) + { + Import-Module -Name (Join-Path $PSScriptRoot M365DSCIntuneSettingsCatalogUtil.psm1) -Force + } $DSCParams.Remove('Identity') | Out-Null $DSCParams.Remove('DisplayName') | Out-Null 
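Review bot: In the `@@ -712` hunk of Compare-M365DSCComplexObject the outer test now fires when either side has `.Length -eq 0`, but the nested `if ($null -eq $Source.$key)` still tests for null only. When the source value is an empty string or empty array and the target is populated, the nested test is false and control falls to the branch outside the hunk, which presumably reports the wrong side as the empty one. Changing the nested test to `if ($Source.$key.Length -eq 0)` keeps the two conditions in step. A one-line comment stating that `$null`, `''` and `@()` are deliberately treated as equal would also help, since it changes what this comparison reports as drift. The function body continues outside the hunk.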
@@ -1631,11 +1634,12 @@ function Get-IntuneSettingCatalogPolicySetting } } - # Iterate over all setting instance templates in the setting template - foreach ($settingInstanceTemplate in $SettingTemplates.SettingInstanceTemplate) + # Iterate over all setting templates + foreach ($settingTemplate in $SettingTemplates) { + $settingInstanceTemplate = $settingTemplate.SettingInstanceTemplate $settingInstance = @{} - $settingDefinition = $SettingTemplates.SettingDefinitions | Where-Object { + $settingDefinition = $settingTemplate.SettingDefinitions | Where-Object { $_.Id -eq $settingInstanceTemplate.SettingDefinitionId -and ` ($_.AdditionalProperties.dependentOn.Count -eq 0 -and $_.AdditionalProperties.options.dependentOn.Count -eq 0) } @@ -1647,7 +1651,7 @@ function Get-IntuneSettingCatalogPolicySetting { $settingDefinition = $settingDefinition[0] } - $settingName = $settingDefinition.Name + $settingType = $settingInstanceTemplate.AdditionalProperties.'@odata.type'.Replace('InstanceTemplate', 'Instance') $settingInstance.Add('@odata.type', $settingType) if (-not [string]::IsNullOrEmpty($settingInstanceTemplate.settingInstanceTemplateId)) 
@@ -1661,14 +1665,23 @@ function Get-IntuneSettingCatalogPolicySetting { $settingValueType = $settingValueType.Replace('ValueTemplate', 'Value') } + $settingValueTemplateId = $settingInstanceTemplate.AdditionalProperties."$($settingValueName)Template".settingValueTemplateId + # Only happened on property ThreatTypeSettings from IntuneAntivirusPolicyLinux + # SettingValueTemplateIds are from the child settings and not from the parent setting because it is a groupSettingCollection + if ($settingValueTemplateId -is [array]) + { + $settingValueTemplateId = $null + } + # Get all the values in the setting instance $settingValue = Get-IntuneSettingCatalogPolicySettingInstanceValue ` -DSCParams $DSCParams ` -SettingDefinition $settingDefinition ` - -SettingTemplates $settingTemplates ` - -SettingName $settingName ` + -SettingInstanceTemplate $settingInstanceTemplate ` + -AllSettingDefinitions $SettingTemplates.SettingDefinitions ` + -CurrentInstanceDefinitions $settingTemplate.SettingDefinitions ` -SettingType $settingType ` -SettingValueName $settingValueName ` -SettingValueType $settingValueType ` @@ -1709,15 +1722,19 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue $SettingDefinition, [Parameter()] - $SettingTemplates, + $SettingInstanceTemplate, [Parameter()] - [System.String] - $SettingType, + [System.Array] + $AllSettingDefinitions, + + [Parameter()] + [System.Array] + $CurrentInstanceDefinitions, [Parameter()] [System.String] - $SettingName, + $SettingType, [Parameter()] [System.String] @@ -1741,14 +1758,6 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue ) $settingValuesToReturn = @{} - if ($null -eq $global:excludedDefinitionIds) - { - $global:excludedDefinitionIds = @() - } - if ($null -eq $global:excludedDscParams) - { - $global:excludedDscParams = @() - } # Depending on the setting type, there is other logic involved switch ($SettingType) 
@@ -1759,18 +1768,16 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue $groupSettingCollectionValue = @() $groupSettingCollectionDefinitionChildren = @() - $templates = $SettingTemplates | Where-Object { - $_.settingInstanceTemplate.settingDefinitionId -eq $SettingDefinition.RootDefinitionId - } - $groupSettingCollectionDefinitionChildren += $templates.SettingDefinitions | Where-Object { + $groupSettingCollectionDefinitionChildren += $CurrentInstanceDefinitions | Where-Object { ($_.AdditionalProperties.dependentOn.Count -gt 0 -and $_.AdditionalProperties.dependentOn.parentSettingId -contains $SettingDefinition.Id) -or ($_.AdditionalProperties.options.dependentOn.Count -gt 0 -and $_.AdditionalProperties.options.dependentOn.parentSettingId -contains $SettingDefinition.Id) } $instanceCount = 1 - if ($Level -ge 2 -and $groupSettingCollectionDefinitionChildren.Count -gt 1) + if (($Level -gt 1 -and $groupSettingCollectionDefinitionChildren.Count -gt 1) -or + ($Level -eq 1 -and $groupSettingCollectionDefinitionChildren.Count -ge 1 -and $groupSettingCollectionDefinitionChildren.AdditionalProperties.'@odata.type' -notcontains "#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition")) { - $SettingInstanceName += $SettingDefinition.Name + $SettingInstanceName += Get-SettingsCatalogSettingName -SettingDefinition $SettingDefinition -AllSettingDefinitions $AllSettingDefinitions $cimDSCParams = @() $cimDSCParamsName = "" $DSCParams.GetEnumerator() | Where-Object -FilterScript { @@ -1786,7 +1793,10 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue $newInstanceDSCParams = @{} # Preserve CIM instances when converting to hashtable foreach ($property in $instance.CimInstanceProperties) { - $newInstanceDSCParams.Add($property.Name, $property.Value) + if ($property.IsValueModified) + { + $newInstanceDSCParams.Add($property.Name, $property.Value) + } } $newDSCParams.$cimDSCParamsName += $newInstanceDSCParams } 
@@ -1794,6 +1804,7 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue $DSCParams = @{ $cimDSCParamsName = if ($instanceCount -eq 1) { $newDSCParams.$cimDSCParamsName[0] } else { $newDSCParams.$cimDSCParamsName } } + $AllSettingDefinitions = $groupSettingCollectionDefinitionChildren } for ($i = 0; $i -lt $instanceCount; $i++) 
@@ -1820,18 +1831,24 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue foreach ($childDefinition in $groupSettingCollectionDefinitionChildren) { - $childSettingName = $childDefinition.Name $childSettingType = $childDefinition.AdditionalProperties.'@odata.type'.Replace('Definition', 'Instance').Replace('SettingGroup', 'GroupSetting') $childSettingValueName = $childSettingType.Replace('#microsoft.graph.deviceManagementConfiguration', '').Replace('Instance', 'Value') $childSettingValueType = "#microsoft.graph.deviceManagementConfiguration$($childSettingValueName)" $childSettingValueName = $childSettingValueName.Substring(0, 1).ToLower() + $childSettingValueName.Substring(1, $childSettingValueName.length - 1 ) - $childSettingInstanceTemplate = $SettingTemplates.SettingInstanceTemplate | Where-Object { $_.SettingDefinitionId -eq $childDefinition.Id } - $childSettingValueTemplateId = $childSettingInstanceTemplate.AdditionalProperties."$($childSettingValueName)Template".settingValueTemplateId + $childSettingInstanceTemplate = if ($null -ne $SettingInstanceTemplate.AdditionalProperties) { + $SettingInstanceTemplate.AdditionalProperties.groupSettingCollectionValueTemplate.children | Where-Object { $_.settingDefinitionId -eq $childDefinition.Id } | Select-Object -First 1 + } else { + $SettingInstanceTemplate.groupSettingCollectionValueTemplate.children | Where-Object { $_.settingDefinitionId -eq $childDefinition.Id } | Select-Object -First 1 + } + + $childSettingValueTemplateId = $childSettingInstanceTemplate."$($childSettingValueName)Template".settingValueTemplateId + $childSettingValue = Get-IntuneSettingCatalogPolicySettingInstanceValue ` -DSCParams $currentDSCParams ` -SettingDefinition $childDefinition ` - -SettingTemplates $SettingTemplates ` - -SettingName $childSettingName ` + -SettingInstanceTemplate $childSettingInstanceTemplate ` + -AllSettingDefinitions $AllSettingDefinitions ` + -CurrentInstanceDefinitions $CurrentInstanceDefinitions ` -SettingType 
$childDefinition.AdditionalProperties.'@odata.type' ` -SettingValueName $childSettingValueName ` -SettingValueType $childSettingValueType ` @@ -1864,12 +1881,14 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue ) settingDefinitionId = $childDefinition.Id } + <# GroupSettingCollection do not have a setting instance template reference if (-not [string]::IsNullOrEmpty($childSettingInstanceTemplate.settingInstanceTemplateId)) { $childSettingValueInner.children[0].groupSettingCollectionValue.settingInstanceTemplateReference = @{ 'settingInstanceTemplateId' = $childSettingInstanceTemplate.settingInstanceTemplateId } } + #> $childSettingValue += $childSettingValueInner } $groupSettingCollectionValue += $childSettingValue @@ -1880,10 +1899,12 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue { $childSettingValue.Add('settingDefinitionId', $childDefinition.Id) } + <# GroupSettingCollection do not have a setting instance template reference if (-not [string]::IsNullOrEmpty($childSettingInstanceTemplate.settingInstanceTemplateId)) { - $childSettingValue.Add('settingInstanceTemplateReference', @{'settingInstanceTemplateId' = $childSettingInstanceTemplate.settingInstanceTemplateId }) + $childSettingValue.Add('settingInstanceTemplateReference', @{'settingInstanceTemplateId' = $childSettingInstanceTemplate.settingInstanceTemplateId | Select-Object -First 1 }) } + #> $childSettingValue.Add('@odata.type', $childSettingType) $groupSettingCollectionValueChildren += $childSettingValue } 
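Review bot: The two `settingInstanceTemplateReference` blocks in the `@@ -1864` and `@@ -1880` hunks are disabled by wrapping them in `<# … #>` instead of being removed. The second block is also edited inside the comment (`| Select-Object -First 1`), which has no effect. Commented-out code in a function that builds the policy payload makes it harder to see what is actually sent. I would delete both blocks and keep a single explanatory line such as `# groupSettingCollection children carry no settingInstanceTemplateReference`. The enclosing function starts and ends outside these hunks.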
@@ -1913,28 +1934,32 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue # Choice settings almost always have child settings, so we need to fetch those if ($null -ne $SettingDefinition) { - $templates = $SettingTemplates | Where-Object { - $_.settingInstanceTemplate.settingDefinitionId -eq $SettingDefinition.RootDefinitionId - } - $choiceSettingDefinitionChildren += $templates.SettingDefinitions | Where-Object { + $choiceSettingDefinitionChildren += $CurrentInstanceDefinitions | Where-Object { ($_.AdditionalProperties.dependentOn.Count -gt 0 -and $_.AdditionalProperties.dependentOn.parentSettingId.Contains($SettingDefinition.Id)) -or ($_.AdditionalProperties.options.dependentOn.Count -gt 0 -and $_.AdditionalProperties.options.dependentOn.parentSettingId.Contains($SettingDefinition.Id)) } } + foreach ($childDefinition in $choiceSettingDefinitionChildren) { - $childSettingName = $childDefinition.Name $childSettingType = $childDefinition.AdditionalProperties.'@odata.type'.Replace('Definition', 'Instance') $childSettingValueName = $childSettingType.Replace('#microsoft.graph.deviceManagementConfiguration', '').Replace('Instance', 'Value') $childSettingValueType = "#microsoft.graph.deviceManagementConfiguration$($childSettingValueName)" $childSettingValueName = $childSettingValueName.Substring(0, 1).ToLower() + $childSettingValueName.Substring(1, $childSettingValueName.Length - 1 ) - $childSettingInstanceTemplate = $SettingTemplates.SettingInstanceTemplate | Where-Object { $_.SettingDefinitionId -eq $childDefinition.Id } - $childSettingValueTemplateId = $childSettingInstanceTemplate.AdditionalProperties."$($childSettingValueName)Template".settingValueTemplateId + $childSettingInstanceTemplate = if ($null -ne $SettingInstanceTemplate.AdditionalProperties) { + $SettingInstanceTemplate.AdditionalProperties.choiceSettingValueTemplate.children | Where-Object { $_.settingDefinitionId -eq $childDefinition.Id } + } else { + 
$SettingInstanceTemplate.choiceSettingValueTemplate.children | Where-Object { $_.settingDefinitionId -eq $childDefinition.Id } + } + $childSettingValueTemplateId = $childSettingInstanceTemplate."$($childSettingValueName)Template" | Where-Object { + $_.settingDefinitionId -eq $childDefinition.Id + } | Select-Object -ExpandProperty settingValueTemplateId $childSettingValue = Get-IntuneSettingCatalogPolicySettingInstanceValue ` -DSCParams $DSCParams ` -SettingDefinition $childDefinition ` - -SettingTemplates $SettingTemplates ` - -SettingName $childSettingName ` + -AllSettingDefinitions $AllSettingDefinitions ` + -CurrentInstanceDefinitions $CurrentInstanceDefinitions ` + -SettingInstanceTemplate $childSettingInstanceTemplate ` -SettingType $childDefinition.AdditionalProperties.'@odata.type' ` -SettingValueName $childSettingValueName ` -SettingValueType $childSettingValueType ` @@ -1964,9 +1989,8 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue } $valueResult = Get-IntuneSettingCatalogPolicySettingDSCValue ` - -SettingName $SettingName ` -SettingValueType $SettingValueType ` - -SettingTemplates $SettingTemplates ` + -AllSettingDefinitions $AllSettingDefinitions ` -SettingDefinition $SettingDefinition ` -DSCParams $DSCParams @@ -1996,9 +2020,8 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue { $choiceSettingValueCollection = @() $valueResult = Get-IntuneSettingCatalogPolicySettingDSCValue ` - -SettingName $SettingName ` -SettingValueType $SettingValueType ` - -SettingTemplates $SettingTemplates ` + -AllSettingDefinitions $AllSettingDefinitions ` -SettingDefinition $SettingDefinition ` -DSCParams $DSCParams 
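Review bot: Unlike the group-collection branch, the choice-setting lookup for `$childSettingInstanceTemplate` has no `| Select-Object -First 1`, so a definition id that matches more than one template child yields an array. That array is then passed as `-SettingInstanceTemplate` to the recursive call, and `$childSettingValueTemplateId` can become an array too. Ending both branch pipelines with `| Select-Object -First 1` would make the two code paths agree. Separately, the new `Where-Object { $_.settingDefinitionId -eq $childDefinition.Id }` runs against the `"...Template"` value object; I cannot confirm from the hunk that this object exposes `settingDefinitionId`, and if it does not the filter returns nothing and the template id is silently dropped. A short comment stating why the second filter is needed would settle that.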
@@ -2023,9 +2046,8 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue { $_ -eq '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' -or $_ -eq '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionDefinition' } { $valuesResult = Get-IntuneSettingCatalogPolicySettingDSCValue ` - -SettingName $SettingName ` -SettingValueType $SettingValueType ` - -SettingTemplates $SettingTemplates ` + -AllSettingDefinitions $AllSettingDefinitions ` -SettingDefinition $SettingDefinition ` -DSCParams $DSCParams @@ -2053,9 +2075,8 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue Default { $valueResult = Get-IntuneSettingCatalogPolicySettingDSCValue ` - -SettingName $SettingName ` -SettingValueType $SettingValueType ` - -SettingTemplates $SettingTemplates ` + -AllSettingDefinitions $AllSettingDefinitions ` -SettingDefinition $SettingDefinition ` -DSCParams $DSCParams 
@@ -2095,385 +2116,79 @@ function Get-IntuneSettingCatalogPolicySettingDSCValue { param ( - [Parameter(Mandatory = $true)] - [System.String] - $SettingName, - [Parameter()] [System.String] $SettingValueType = "", - [Parameter(Mandatory = $true)] - [System.Array] - $SettingTemplates, - [Parameter()] $SettingDefinition, + [Parameter(Mandatory = $true)] + [System.Array] + $AllSettingDefinitions, + [Parameter(Mandatory = $true)] [System.Collections.Hashtable] $DSCParams ) - # Go over all the values that have not yet been processed - foreach ($key in ($DSCParams.Keys | Where-Object { $_ -notin $global:excludedDscParams })) + $key = Get-SettingsCatalogSettingName -SettingDefinition $SettingDefinition -AllSettingDefinitions $AllSettingDefinitions + + if (-not $DSCParams.ContainsKey($key)) { - $matchCombined = $false - $matchesId = $false - $matchesOffsetUri = $false - $offsetUriFound = $false - $settingDefinitions = $SettingTemplates.SettingDefinitions ` - | Where-Object -FilterScript { $_.Name -eq $key } + return $null + } - # Edge case where the same setting is defined twice in the template, with the same name and id - if ($settingDefinitions.Count -eq 2) + $isArray = $false + if ($SettingValueType -like "*Simple*") + { + if ($DSCParams[$key] -is [System.String]) { - if ($settingDefinitions[0].Id -eq $settingDefinitions[1].Id -and ` - $settingDefinitions[0].Name -eq $settingDefinitions[1].Name) - { - $settingDefinitions = $settingDefinitions[0] - } + $SettingValueType = "#microsoft.graph.deviceManagementConfigurationStringSettingValue" } - $name = $settingDefinitions.Name - - if ($name.Count -ne 1) + elseif ($DSCParams[$key] -is [System.Int32]) { - # Key might have been combined with parent setting, try to split it - if ($key -like "*_*") - { - $parentSettingName = $key.Split('_')[0] - $parentDefinition = $SettingTemplates.SettingDefinitions | Where-Object -FilterScript { $_.Name -eq $parentSettingName } - - # If no parent definition is found, it might have been 
combined with the OffsetUri - if ($null -eq $parentDefinition) - { - $newKey = $key - switch -wildcard ($newKey) - { - '*_HTTPAuthentication_*' { $newKey = $newKey.Replace('HTTPAuthentication', '~HTTPAuthentication') } - '*TrustCenterTrustedLocations_*' { $newKey = $newKey.Replace('TrustCenterTrustedLocations', 'TrustCenter~L_TrustedLocations') } - '*TrustCenterFileBlockSettings_*' { $newKey = $newKey.Replace('TrustCenterFileBlockSettings', 'TrustCenter~L_FileBlockSettings') } - '*TrustCenterProtectedView_*' { $newKey = $newKey.Replace('TrustCenterProtectedView', 'TrustCenter~L_ProtectedView') } - '*_TrustCenter*' { $newKey = $newKey.Replace('_TrustCenter', '~L_TrustCenter') } - '*_Security_*' { $newKey = $newKey.Replace('Security', '~L_Security') } - 'MicrosoftEdge_*' { $newKey = $newKey.Replace('MicrosoftEdge_', 'microsoft_edge~Policy~microsoft_edge') } - 'MicrosoftPublisherV3_*' { $newKey = $newKey.Replace('MicrosoftPublisherV3_', 'pub16v3~Policy~L_MicrosoftOfficePublisher') } - 'MicrosoftPublisherV2_*' { $newKey = $newKey.Replace('MicrosoftPublisherV2_', 'pub16v2~Policy~L_MicrosoftOfficePublisher') } - 'MicrosoftVisio_*' { $newKey = $newKey.Replace('MicrosoftVisio_', 'visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions') } - 'MicrosoftProject_*' { $newKey = $newKey.Replace('MicrosoftProject_', 'proj16v2~Policy~L_Proj~L_ProjectOptions') } - 'MicrosoftPowerPoint_*' { $newKey = $newKey.Replace('MicrosoftPowerPoint_', 'ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions') } - 'MicrosoftWord_*' { $newKey = $newKey.Replace('MicrosoftWord_', 'word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions') } - 'MicrosoftExcel_*' { $newKey = $newKey.Replace('MicrosoftExcel_', 'excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions') } - 'MicrosoftAccess_*' { $newKey = $newKey.Replace('MicrosoftAccess_', 'access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings') } - } - $definition = Get-SettingDefinitionFromNameWithParentFromOffsetUri -OffsetUriName $newKey 
-SettingDefinitions $SettingTemplates.SettingDefinitions - if ($null -ne $definition) - { - $offsetUriFound = $true - if ($SettingDefinition.Id -eq $definition.Id) - { - $matchesOffsetUri = $true - } - } - } - $childDefinition = $SettingTemplates.SettingDefinitions | Where-Object -FilterScript { - $_.Name -eq $SettingName -and - (($_.AdditionalProperties.dependentOn.Count -gt 0 -and $_.AdditionalProperties.dependentOn.parentSettingId -contains $parentDefinition.Id) -or - ($_.AdditionalProperties.options.dependentOn.Count -gt 0 -and $_.AdditionalProperties.options.dependentOn.parentSettingId -contains $parentDefinition.Id) - ) - } - if ($null -ne $parentDefinition -and $null -ne $childDefinition -and $childDefinition.Id -eq $SettingDefinition.Id) - { - # Parent was combined with child setting. Since there can be multiple settings with the same Name, we need to check the Id as well - if ($SettingDefinition.Id -eq $childDefinition.Id) - { - # Only exclude the combined setting if it is not part of a group setting collection (which could be of a separate CIM type) - if ($parentDefinition.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition') - { - $global:excludedDscParams += $key - } - $matchCombined = $true - } - } - } - - if (-not $matchCombined -and -not $offsetUriFound) - { - # Parent was not combined, look for the combination of name and id - $SettingTemplates.SettingDefinitions | ForEach-Object { - if ($_.Id -notin $global:excludedDefinitionIds -and $_.Name -eq $SettingName -and $_.Id -like "*$key") - { - $global:excludedDefinitionIds += $_.Id - $global:excludedDscParams += $key - $matchesId = $true - $SettingDefinition = $_ - } - } - - if (-not $matchesId) - { - $definition = Get-SettingDefinitionFromNameWithParentFromOffsetUri -OffsetUriName $key -SettingDefinitions $SettingTemplates.SettingDefinitions - if ($null -ne $definition) - { - $offsetUriFound = $true - if ($SettingDefinition.Id -eq 
$definition.Id) - { - $matchesOffsetUri = $true - } - } - } - } - } - - # If there is exactly one setting with the name, the setting is combined or the id matches, we get the DSC value and update the real setting value type - if (($name.Count -eq 1 -and $SettingName -eq $key) -or $matchCombined -or $matchesId -or $matchesOffsetUri) - { - $isArray = $false - if ($SettingValueType -like "*Simple*") - { - if ($DSCParams[$key] -is [System.String]) - { - $SettingValueType = "#microsoft.graph.deviceManagementConfigurationStringSettingValue" - } - elseif ($DSCParams[$key] -is [System.Int32]) - { - $SettingValueType = "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue" - } - elseif ($DSCParams[$key] -is [System.String[]]) - { - $SettingValueType = "#microsoft.graph.deviceManagementConfigurationStringSettingValue" - $isArray = $true - } - elseif ($DSCParams[$key] -is [System.Int32[]]) - { - $SettingValueType = "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue" - $isArray = $true - } - } - - if ($SettingValueType -like "*Simple*" -or $SettingValueType -in @("#microsoft.graph.deviceManagementConfigurationIntegerSettingValue", "#microsoft.graph.deviceManagementConfigurationStringSettingValue")) - { - return @{ - SettingDefinition = $SettingDefinition - SettingValueType = $SettingValueType - Value = if ($isArray) { ,$DSCParams[$key] } else { $DSCParams[$key] } - } - } - elseif ($SettingValueType -like "*ChoiceSettingCollection*") - { - $values = @() - foreach ($value in $DSCParams[$key]) - { - $values += "$($SettingDefinition.Id)_$value" - } - - return @{ - Value = $values - } - } - else - { - return @{ - SettingDefinition = $SettingDefinition - SettingValueType = $SettingValueType - Value = "$($SettingDefinition.Id)_$($DSCParams[$key])" - } - } - break + $SettingValueType = "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue" } - } -} - -function Get-SettingDefinitionFromNameWithParentFromOffsetUri -{ - param( - 
[Parameter(Mandatory = $true)] - [System.String] - $OffsetUriName, - - [Parameter(Mandatory = $true)] - [System.Array] - $SettingDefinitions - ) - - $offsetUriParts = [System.Collections.ArrayList]::new() - $SettingDefinitions | ForEach-Object { - $splittedOffsetUri = $_.OffsetUri.Split('/') - # Remove first element since it is always empty - $splittedOffsetUri = $splittedOffsetUri[1..($splittedOffsetUri.Length - 1)] - foreach ($part in $splittedOffsetUri) + elseif ($DSCParams[$key] -is [System.String[]]) { - if (-not $offsetUriParts.Contains($part)) - { - $offsetUriParts.Add($part) | Out-Null - } + $SettingValueType = "#microsoft.graph.deviceManagementConfigurationStringSettingValue" + $isArray = $true } - } - - $settingName = $OffsetUriName - $offsetUriPrefix = "" - for ($i = 0; $i -lt $offsetUriParts.Count; $i++) - { - $part = $offsetUriParts[$i] - if ($settingName -like "$($part)_*") + elseif ($DSCParams[$key] -is [System.Int32[]]) { - $settingName = $settingName.Replace("$($part)_", "") - # Add wildcards to match removed parts with invalid characters - $offsetUriPrefix += "*$($part)*" - $i = 0 + $SettingValueType = "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue" + $isArray = $true } } - if ($settingName -eq "v2") + if ($SettingValueType -like "*Simple*" -or $SettingValueType -in @("#microsoft.graph.deviceManagementConfigurationIntegerSettingValue", "#microsoft.graph.deviceManagementConfigurationStringSettingValue")) { - $settingName = $offsetUriPrefix.Split("*")[-2] + "_v2" # Add the last element of the offset Uri parts before the v2 - $filteredDefinitions = $SettingDefinitions | Where-Object -FilterScript { - ($_.Id -like "*$settingName" -and $_.Name -eq $settingName.Replace('_v2', '') -and $_.OffsetUri -like "*$offsetUriPrefix*") -or - ($_.Name -eq $settingName -and $_.OffsetUri -like "*$offsetUriPrefix*") + return @{ + SettingDefinition = $SettingDefinition + SettingValueType = $SettingValueType + Value = if ($isArray) { 
,$DSCParams[$key] } else { $DSCParams[$key] } } } - else + elseif ($SettingValueType -like "*ChoiceSettingCollection*") { - $filteredDefinitions = $SettingDefinitions | Where-Object -FilterScript { - $_.Name -eq $settingName -and $_.OffsetUri -like "*$offsetUriPrefix*" - } - } - - if ($filteredDefinitions.Count -eq 1) - { - return $filteredDefinitions - } - else - { - $settingsWithSameName = $filteredDefinitions - foreach ($definition in $filteredDefinitions) - { - $parentSetting = Get-ParentSettingDefinition -SettingDefinition $definition -AllSettingDefinitions $SettingDefinitions - $skip = 0 - $breakCounter = 0 - $newSettingName = $settingName - do { - $previousSettingName = $newSettingName - $newSettingName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $definition.OffsetUri -SettingName $newSettingName -Skip $skip - - $combinationMatchesWithOffsetUri = @() - $settingsWithSameName | ForEach-Object { - $newName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $_.OffsetUri -SettingName $previousSettingName -Skip $skip - if ($newName -eq $newSettingName) - { - # Exclude v2 versions from the comparison - if ($definition.Id -like "*_v2" -and $_.Id -ne $definition.Id.Replace('_v2', '') -or - $definition.Id -notlike "*_v2" -and $_.Id -ne $definition.Id + "_v2") - { - $combinationMatchesWithOffsetUri += $_ - } - } - } - $settingsWithSameName = $combinationMatchesWithOffsetUri - $breakCounter++ - $skip++ - } while ($combinationMatchesWithOffsetUri.Count -gt 1 -and $breakCounter -lt 8) - - if ($breakCounter -eq 8) - { - if ($null -ne $parentSetting) - { - # Alternative way if no unique setting name can be found - $parentSettingIdProperty = $parentSetting.Id.Split('_')[-1] - $parentSettingIdWithoutProperty = $parentSetting.Id.Replace("_$parentSettingIdProperty", "") - # We can't use the entire setting here, because the child setting id does not have to come after the parent setting id - $settingNameV2 = 
$definition.Id.Replace($parentSettingIdWithoutProperty + "_", "").Replace($parentSettingIdProperty + "_", "") - if ($settingNameV2 -eq $OffsetUriName) - { - $newSettingName = $settingNameV2 - } - } - } - - if ($newSettingName -eq $OffsetUriName) - { - return $definition - } - } - } -} - -function Get-ParentSettingDefinition { - param( - [Parameter(Mandatory = $true)] - $SettingDefinition, - - [Parameter(Mandatory = $true)] - $AllSettingDefinitions - ) - - $parentSetting = $null - if ($SettingDefinition.AdditionalProperties.dependentOn.parentSettingId.Count -gt 0) - { - $parentSetting = $AllSettingDefinitions | Where-Object -FilterScript { - $_.Id -eq ($SettingDefinition.AdditionalProperties.dependentOn.parentSettingId | Select-Object -Unique -First 1) - } - } - elseif ($SettingDefinition.AdditionalProperties.options.dependentOn.parentSettingId.Count -gt 0) - { - $parentSetting = $AllSettingDefinitions | Where-Object -FilterScript { - $_.Id -eq ($SettingDefinition.AdditionalProperties.options.dependentOn.parentSettingId | Select-Object -Unique -First 1) - } - } - - $parentSetting -} - -<# - This function also exists in M365DSCResourceGenerator.psm1. Changes here must be added there as well for compatibility. 
-#> -function Get-SettingDefinitionNameWithParentFromOffsetUri { - param ( - [Parameter(Mandatory = $true)] - [System.String] - $OffsetUri, - - [Parameter(Mandatory = $true)] - [System.String] - $SettingName, - - [Parameter(Mandatory = $false)] - [System.Int32] - $Skip = 0 - ) - - # If the last part of the OffsetUri is the same as the setting name or it contains invalid characters, we traverse up until we reach the first element - # Invalid characters are { and } which are used in the OffsetUri to indicate a variable - $splittedOffsetUri = $OffsetUri.Split("/") - if ([string]::IsNullOrEmpty($splittedOffsetUri[0])) - { - $splittedOffsetUri = $splittedOffsetUri[1..($splittedOffsetUri.Length - 1)] - } - - if ($Skip -gt $splittedOffsetUri.Length - 1) - { - return $SettingName - } - - $splittedOffsetUri = $splittedOffsetUri[0..($splittedOffsetUri.Length - 1 - $Skip)] - $traversed = $false - while (-not $traversed -and $splittedOffsetUri.Length -gt 1) # Prevent adding the first element of the OffsetUri - { - $traversed = $true - if ($splittedOffsetUri[-1] -eq $SettingName -or $splittedOffsetUri[-1] -match "[\{\}]" -or $SettingName.StartsWith($splittedOffsetUri[-1])) + $values = @() + foreach ($value in $DSCParams[$key]) { - $splittedOffsetUri = $splittedOffsetUri[0..($splittedOffsetUri.Length - 2)] - $traversed = $false + $values += "$($SettingDefinition.Id)_$value" } - } - if ($splittedOffsetUri.Length -gt 1) - { - $splittedOffsetUri[-1] + "_" + $SettingName + return @{ + Value = $values + } } else { - $SettingName + return @{ + SettingDefinition = $SettingDefinition + SettingValueType = $SettingValueType + Value = "$($SettingDefinition.Id)_$($DSCParams[$key])" + } } } @@ -2509,6 +2224,9 @@ function Export-IntuneSettingCatalogPolicySettings Mandatory = $true, ParameterSetName = 'Setting' )] + [Parameter( + ParameterSetName = 'Start' + )] [System.Array] $AllSettingDefinitions, 
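Review bot: The rewritten body of Get-IntuneSettingCatalogPolicySettingDSCValue passes `$SettingDefinition` straight into `Get-SettingsCatalogSettingName`, but the parameter is still declared with a bare `[Parameter()]`, while the helper marks it `Mandatory = $true`. A null definition therefore produces a binding error, and the following `$DSCParams.ContainsKey($key)` is then called with a null key. The caller visible in the choice-setting hunk guards with `if ($null -ne $SettingDefinition)`, which suggests null does reach this path. I would add `if ($null -eq $SettingDefinition) { return $null }` before the `$key` assignment, or make the parameter mandatory here too. The function's opening line sits just above the hunk.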
@@ -2531,18 +2249,39 @@ function Export-IntuneSettingCatalogPolicySettings $deviceSettings = $Settings | Where-Object -FilterScript { $_.SettingInstance.settingDefinitionId.StartsWith("device_") } + if ($AllSettingDefinitions.Count -eq 0) + { + $allDeviceSettingDefinitions = $deviceSettings.SettingDefinitions + } + else + { + $allDeviceSettingDefinitions = $AllSettingDefinitions | Where-Object -FilterScript { + $_.Id.StartsWith("device_") + } + } foreach ($setting in $deviceSettings) { - Export-IntuneSettingCatalogPolicySettings -SettingInstance $setting.SettingInstance -SettingDefinitions $setting.SettingDefinitions -ReturnHashtable $deviceSettingsReturnHashtable -AllSettingDefinitions $deviceSettings.SettingDefinitions -IsRoot + Export-IntuneSettingCatalogPolicySettings -SettingInstance $setting.SettingInstance -SettingDefinitions $setting.SettingDefinitions -ReturnHashtable $deviceSettingsReturnHashtable -AllSettingDefinitions $allDeviceSettingDefinitions -IsRoot } + $userSettingsReturnHashtable = @{} $userSettings = $Settings | Where-Object -FilterScript { $_.SettingInstance.settingDefinitionId.StartsWith("user_") } - $userSettingsReturnHashtable = @{} + if ($AllSettingDefinitions.Count -eq 0) + { + $allUserSettingDefinitions = $userSettings.SettingDefinitions + } + else + { + $allUserSettingDefinitions = $AllSettingDefinitions | Where-Object -FilterScript { + $_.Id.StartsWith("user_") + } + } + foreach ($setting in $userSettings) { - Export-IntuneSettingCatalogPolicySettings -SettingInstance $setting.SettingInstance -SettingDefinitions $setting.SettingDefinitions -ReturnHashtable $userSettingsReturnHashtable -AllSettingDefinitions $userSettings.SettingDefinitions -IsRoot + Export-IntuneSettingCatalogPolicySettings -SettingInstance $setting.SettingInstance -SettingDefinitions $setting.SettingDefinitions -ReturnHashtable $userSettingsReturnHashtable -AllSettingDefinitions $allUserSettingDefinitions -IsRoot } if ($deviceSettingsReturnHashtable.Keys.Count -gt 0) 
@@ -2556,9 +2295,13 @@ function Export-IntuneSettingCatalogPolicySettings } else { + if ($AllSettingDefinitions.Count -eq 0) + { + $AllSettingDefinitions = $Settings.SettingDefinitions + } foreach ($setting in $Settings) { - Export-IntuneSettingCatalogPolicySettings -SettingInstance $setting.SettingInstance -SettingDefinitions $setting.SettingDefinitions -ReturnHashtable $ReturnHashtable -AllSettingDefinitions $Settings.SettingDefinitions -IsRoot + Export-IntuneSettingCatalogPolicySettings -SettingInstance $setting.SettingInstance -SettingDefinitions $setting.SettingDefinitions -ReturnHashtable $ReturnHashtable -AllSettingDefinitions $AllSettingDefinitions -IsRoot } } return $ReturnHashtable 
@@ -2566,102 +2309,7 @@ function Export-IntuneSettingCatalogPolicySettings $addToParameters = $true $settingDefinition = $SettingDefinitions | Where-Object -FilterScript { $_.Id -eq $SettingInstance.settingDefinitionId } - $settingName = $settingDefinition.Name - - # Check if the name is unique - $settingsWithSameName = @($AllSettingDefinitions | Where-Object -FilterScript { $_.Name -eq $settingName }) - if ($settingsWithSameName.Count -gt 1) - { - $parentSetting = Get-ParentSettingDefinition -SettingDefinition $settingDefinition -AllSettingDefinitions $AllSettingDefinitions - - if ($null -ne $parentSetting) - { - $combinationMatchesWithParent = $settingsWithSameName | Where-Object -FilterScript { - "$($parentSetting.Name)_$($_.Name)" -eq "$($parentSetting.Name)_$settingName" - } - - # If the combination of parent setting and setting name is unique, add the parent setting name to the setting name - if ($combinationMatchesWithParent.Count -eq 1) - { - $settingName = $($parentSetting.Name) + "_" + $settingName - } - # If the combination of parent setting and setting name is still not unique, do it with the OffsetUri of the current setting - else - { - $skip = 0 - $breakCounter = 0 - $newSettingName = $settingName - do { - $previousSettingName = $newSettingName - $newSettingName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $settingDefinition.OffsetUri -SettingName $newSettingName -Skip $skip - - $combinationMatchesWithOffsetUri = @() - $settingsWithSameName | ForEach-Object { - $newName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $_.OffsetUri -SettingName $previousSettingName -Skip $skip - if ($newName -eq $newSettingName) - { - # Exclude v2 versions from the comparison - if ($settingDefinition.Id -like "*_v2" -and $_.Id -ne $settingDefinition.Id.Replace('_v2', '') -or - $settingDefinition.Id -notlike "*_v2" -and $_.Id -ne $settingDefinition.Id + "_v2") - { - $combinationMatchesWithOffsetUri += $_ - } - } - } - $settingsWithSameName 
= $combinationMatchesWithOffsetUri - $skip++ - $breakCounter++ - } while ($combinationMatchesWithOffsetUri.Count -gt 1 -and $breakCounter -lt 8) - - if ($breakCounter -lt 8) - { - if ($settingDefinition.Id -like "*_v2" -and $newSettingName -notlike "*_v2") - { - $newSettingName += "_v2" - } - $settingName = $newSettingName - } - else - { - # Alternative way if no unique setting name can be found - $parentSettingIdProperty = $parentSetting.Id.Split('_')[-1] - $parentSettingIdWithoutProperty = $parentSetting.Id.Replace("_$parentSettingIdProperty", "") - # We can't use the entire setting here, because the child setting id does not have to come after the parent setting id - $settingName = $settingDefinition.Id.Replace($parentSettingIdWithoutProperty + "_", "").Replace($parentSettingIdProperty + "_", "") - } - } - } - - # When there is no parent, we can't use the parent setting name to make the setting name unique - # Instead, we traverse up the OffsetUri. Since no parent setting can only happen at the root level, the result - # of Get-SettingDefinitionNameWithParentFromOffsetUri is absolute and cannot change. There cannot be multiple settings with the same name - # in the same level of OffsetUri - if ($null -eq $parentSetting) - { - $settingName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $settingDefinition.OffsetUri -SettingName $settingName - } - - # Simplify names from the OffsetUri. This is done to make the names more readable, especially in case of long and complex OffsetUris. 
- switch -wildcard ($settingName) - { - 'access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings~*' { $settingName = $settingName.Replace('access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings', 'MicrosoftAccess_') } - 'excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions~*' { $settingName = $settingName.Replace('excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions', 'MicrosoftExcel_') } - 'word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions~*' { $settingName = $settingName.Replace('word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions', 'MicrosoftWord_') } - 'ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions~*' { $settingName = $settingName.Replace('ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions', 'MicrosoftPowerPoint_') } - 'proj16v2~Policy~L_Proj~L_ProjectOptions~*' { $settingName = $settingName.Replace('proj16v2~Policy~L_Proj~L_ProjectOptions', 'MicrosoftProject_') } - 'visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions~*' { $settingName = $settingName.Replace('visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions', 'MicrosoftVisio_') } - 'pub16v2~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v2~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV2_') } - 'pub16v3~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v3~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV3_') } - 'microsoft_edge~Policy~microsoft_edge~*' { $settingName = $settingName.Replace('microsoft_edge~Policy~microsoft_edge', 'MicrosoftEdge_') } - '*~L_Security~*' { $settingName = $settingName.Replace('~L_Security', 'Security') } - '*~L_TrustCenter*' { $settingName = $settingName.Replace('~L_TrustCenter', '_TrustCenter') } - '*~L_ProtectedView_*' { $settingName = $settingName.Replace('~L_ProtectedView', 'ProtectedView') } - '*~L_FileBlockSettings_*' { $settingName = $settingName.Replace('~L_FileBlockSettings', 'FileBlockSettings') } - '*~L_TrustedLocations*' { $settingName = 
$settingName.Replace('~L_TrustedLocations', 'TrustedLocations') } - '*~HTTPAuthentication_*' { $settingName = $settingName.Replace('~HTTPAuthentication', 'HTTPAuthentication') } - } - } - + $settingName = Get-SettingsCatalogSettingName -SettingDefinition $settingDefinition -AllSettingDefinitions $AllSettingDefinitions $odataType = if ($IsRoot) { $SettingInstance.AdditionalProperties.'@odata.type' } else { $SettingInstance.'@odata.type' } switch ($odataType) { @@ -2692,9 +2340,10 @@ function Export-IntuneSettingCatalogPolicySettings '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' { $groupSettingCollectionValue = if ($IsRoot) { $SettingInstance.AdditionalProperties.groupSettingCollectionValue } else { $SettingInstance.groupSettingCollectionValue } - $childSettingDefinitions = $SettingDefinitions | Where-Object -FilterScript { + [array]$childSettingDefinitions = $SettingDefinitions | Where-Object -FilterScript { $settingDefinition.AdditionalProperties.childIds -contains $_.Id } + $parentSettingDefinition = $SettingDefinitions | Where-Object -FilterScript { $_.Id -eq $settingDefinition.AdditionalProperties.dependentOn.parentSettingId } if ($settingDefinition.AdditionalProperties.maximumCount -gt 1 -and $childSettingDefinitions.Count -eq 1) { 
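Review bot: `$settingDefinition` comes from an unbounded `Where-Object` match on `$SettingInstance.settingDefinitionId` and is now handed to the mandatory `-SettingDefinition` parameter of `Get-SettingsCatalogSettingName` without checking that exactly one object came back. The new module's own comment mentions templates that define the same setting twice with the same name and id; in that case an array would be passed and `$SettingDefinition.Name` would no longer be a single string, while no match at all gives a null binding error. I would end the lookup with `| Select-Object -First 1` and fail explicitly on a miss, e.g. `if ($null -eq $settingDefinition) { throw "No setting definition found for '$($SettingInstance.settingDefinitionId)'" }`. The rest of the function lies outside this hunk.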
@@ -2709,15 +2358,28 @@ function Export-IntuneSettingCatalogPolicySettings } $addToParameters = $false } - elseif (-not $IsRoot -and $childSettingDefinitions.Count -gt 1) + elseif (($settingDefinition.AdditionalProperties.maximumCount -gt 1 -or $parentSettingDefinition.AdditionalProperties.maximumCount -gt 1) -and $childSettingDefinitions.Count -gt 1) { + # If the GroupSettingCollection can appear multiple times (either itself or from the parent), we need to add its name as a property + # and the child settings as its value $childValue = $null - $parentSettingDefinition = $SettingDefinitions | Where-Object -FilterScript { $_.Id -eq $settingDefinition.AdditionalProperties.dependentOn.parentSettingId } - if ($settingDefinition.AdditionalProperties.maximumCount -gt 1 -or - $parentSettingDefinition.AdditionalProperties.maximumCount -gt 1) + if (-not $IsRoot) { - $childValue = @() + $parentSettingDefinition = $SettingDefinitions | Where-Object -FilterScript { $_.Id -eq $settingDefinition.AdditionalProperties.dependentOn.parentSettingId } + if ($settingDefinition.AdditionalProperties.maximumCount -gt 1 -or + $parentSettingDefinition.AdditionalProperties.maximumCount -gt 1) + { + $childValue = @() + } + } + else + { + if ($settingDefinition.AdditionalProperties.maximumCount -gt 1) + { + $childValue = @() + } } + foreach ($child in $groupSettingCollectionValue) { $childHashtable = @{} @@ -2731,6 +2393,7 @@ function Export-IntuneSettingCatalogPolicySettings } else { + # Skip GroupSettingCollection that only appears once, go straight to the child properties $childSettings = $groupSettingCollectionValue.children foreach ($value in $childSettings) { 
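Review bot: Inside the new `elseif`, the `-not $IsRoot` branch recomputes `$parentSettingDefinition` with the same expression the previous hunk already added above the `if`, then re-tests the exact disjunction that the `elseif` condition has just established. That inner test is always true there, so `$childValue = @()` is effectively unconditional for non-root settings and only the root case depends on `maximumCount`. The whole nested block can be reduced to `$childValue = if (-not $IsRoot -or $settingDefinition.AdditionalProperties.maximumCount -gt 1) { @() } else { $null }`. It is worth adding a comment on the remaining case (a root collection whose own `maximumCount` is not above 1), because `$childValue` stays `$null` there and the loop that consumes it continues outside the hunk.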
@@ -2806,7 +2469,7 @@ function Update-IntuneDeviceConfigurationPolicy try { - $Uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$DeviceConfigurationPolicyId" + $Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/deviceManagement/configurationPolicies/$DeviceConfigurationPolicyId" $policy = @{ 'name' = $Name diff --git a/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1 new file mode 100644 index 0000000000..65613fd700 --- /dev/null +++ b/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1 
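Review bot: The request URI is now built by plain concatenation from `$Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl`, with no check that the value is populated or ends in `/`. Whatever this string resolves to is where the authenticated call is sent, so an empty profile gives the relative string `beta/deviceManagement/...` and a value without the trailing slash gives a malformed host, and both should fail before any request is made. I would normalise and verify it first: `$graphBase = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl`, `if ([string]::IsNullOrEmpty($graphBase)) { throw 'Microsoft Graph resource URL is not set.' }`, then `$Uri = "$($graphBase.TrimEnd('/'))/beta/deviceManagement/configurationPolicies/$DeviceConfigurationPolicyId"`. `$DeviceConfigurationPolicyId` is also placed into the path as-is; any validation of it, like the rest of the `try` block, is outside the hunk.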
@@ -0,0 +1,243 @@ +function Get-SettingsCatalogSettingName { + [CmdletBinding()] + param ( + [Parameter(Mandatory = $true)] + $SettingDefinition, + + [Parameter(Mandatory = $true)] + [System.Array] + $AllSettingDefinitions + ) + + # Remove invalid characters + $settingName = [regex]::Replace($SettingDefinition.Name, "[\{\}\$]", "") + + $settingsWithSameName = $AllSettingDefinitions | Where-Object -FilterScript { $_.Name -eq $settingName } + + # Edge case where the same setting is defined twice in the template, with the same name and id + # Example is RDVAllowBDE_Name from the IntuneDiskEncryptionWindows10 resource + if ($settingsWithSameName.Count -eq 2) + { + if ($settingsWithSameName[0].Id -eq $settingsWithSameName[1].Id -and ` + $settingsWithSameName[0].Name -eq $settingsWithSameName[1].Name) + { + $settingsWithSameName = $settingsWithSameName[0] + } + } + + if ($settingsWithSameName -is [array] -and $settingsWithSameName.Count -gt 1) + { + # Get the parent setting of the current setting + $parentSetting = Get-ParentSettingDefinition -SettingDefinition $SettingDefinition -AllSettingDefinitions $AllSettingDefinitions + if ($null -ne $parentSetting) + { + $combinationMatchesWithParent = @() + $settingsWithSameName | ForEach-Object { + $innerParentSetting = Get-ParentSettingDefinition -SettingDefinition $_ -AllSettingDefinitions $AllSettingDefinitions + if ($null -ne $innerParentSetting) + { + if ("$($innerParentSetting.Name)_$($_.Name)" -eq "$($parentSetting.Name)_$settingName") + { + $combinationMatchesWithParent += $_ + } + } + } + # If the combination of parent setting and setting name is unique, add the parent setting name to the setting name + if ($combinationMatchesWithParent.Count -eq 1) + { + $settingName = $parentSetting.Name + "_" + $settingName + } + # If the combination of parent setting and setting name is still not unique, do it with the OffsetUri of the current setting + else + { + $settingResult = Get-UniqueSettingDefinitionNameFromMultipleMatches 
-SettingDefinition $SettingDefinition -SettingName $settingName -SettingsWithSameName $settingsWithSameName + if ($settingResult.Success) + { + $settingName = $settingResult.SettingName + } + else + { + # Alternative way if no unique setting name can be found + $parentSettingIdProperty = $parentSetting.Id.Split('_')[-1] + $parentSettingIdWithoutProperty = $parentSetting.Id.Replace("_$parentSettingIdProperty", "") + # We can't use the entire setting here, because the child setting id does not have to come after the parent setting id + $settingName = $SettingDefinition.Id.Replace($parentSettingIdWithoutProperty + "_", "").Replace($parentSettingIdProperty + "_", "") + } + } + } + + # When there is no parent, we can't use the parent setting name to make the setting name unique + # Instead, we traverse up the OffsetUri. + if ($null -eq $parentSetting) + { + $settingResult = Get-UniqueSettingDefinitionNameFromMultipleMatches -SettingDefinition $SettingDefinition -SettingName $settingName -SettingsWithSameName $settingsWithSameName + if ($settingResult.Success) + { + $settingName = $settingResult.SettingName + } + else + { + # Can happen if both settings have the same name and the same OffsetUri, e.g. "enforcementLevel" in the IntuneAntivirusPolicyLinux resource + # Potential risk of overwriting settings with the same name but different OffsetUri + $settingIdWithoutName = $SettingDefinition.Id -replace "_$settingName", "" + $settingIdWithoutNameSplitted = $settingIdWithoutName.Split("_")[-1] + $settingName = $settingIdWithoutNameSplitted + "_" + $settingName + } + } + + # Simplify names from the OffsetUri. This is done to make the names more readable, especially in case of long and complex OffsetUris. 
+ switch -wildcard ($settingName) + { + 'access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings~*' { $settingName = $settingName.Replace('access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings', 'MicrosoftAccess_') } + 'excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions~*' { $settingName = $settingName.Replace('excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions', 'MicrosoftExcel_') } + 'word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions~*' { $settingName = $settingName.Replace('word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions', 'MicrosoftWord_') } + 'ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions~*' { $settingName = $settingName.Replace('ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions', 'MicrosoftPowerPoint_') } + 'proj16v2~Policy~L_Proj~L_ProjectOptions~*' { $settingName = $settingName.Replace('proj16v2~Policy~L_Proj~L_ProjectOptions', 'MicrosoftProject_') } + 'visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions~*' { $settingName = $settingName.Replace('visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions', 'MicrosoftVisio_') } + 'pub16v2~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v2~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV2_') } + 'pub16v3~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v3~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV3_') } + 'microsoft_edge~Policy~microsoft_edge~*' { $settingName = $settingName.Replace('microsoft_edge~Policy~microsoft_edge', 'MicrosoftEdge_') } + '*~L_Security~*' { $settingName = $settingName.Replace('~L_Security', 'Security') } + '*~L_TrustCenter*' { $settingName = $settingName.Replace('~L_TrustCenter', '_TrustCenter') } + '*~L_ProtectedView_*' { $settingName = $settingName.Replace('~L_ProtectedView', 'ProtectedView') } + '*~L_FileBlockSettings_*' { $settingName = $settingName.Replace('~L_FileBlockSettings', 'FileBlockSettings') } + '*~L_TrustedLocations*' { $settingName = 
$settingName.Replace('~L_TrustedLocations', 'TrustedLocations') } + '*~HTTPAuthentication_*' { $settingName = $settingName.Replace('~HTTPAuthentication', 'HTTPAuthentication') } + } + } + + $settingName +} + +function Get-ParentSettingDefinition { + param( + [Parameter(Mandatory = $true)] + $SettingDefinition, + + [Parameter(Mandatory = $true)] + $AllSettingDefinitions + ) + + $parentSetting = $null + if ($SettingDefinition.AdditionalProperties.dependentOn.parentSettingId.Count -gt 0) + { + $parentSetting = $AllSettingDefinitions | Where-Object -FilterScript { + $_.Id -eq ($SettingDefinition.AdditionalProperties.dependentOn.parentSettingId | Select-Object -Unique -First 1) + } + } + elseif ($SettingDefinition.AdditionalProperties.options.dependentOn.parentSettingId.Count -gt 0) + { + $parentSetting = $AllSettingDefinitions | Where-Object -FilterScript { + $_.Id -eq ($SettingDefinition.AdditionalProperties.options.dependentOn.parentSettingId | Select-Object -Unique -First 1) + } + } + + $parentSetting +} + +function Get-UniqueSettingDefinitionNameFromMultipleMatches { + param ( + [Parameter(Mandatory = $true)] + $SettingDefinition, + + [Parameter(Mandatory = $true)] + [System.String] + $SettingName, + + [Parameter(Mandatory = $true)] + [System.Array] + $SettingsWithSameName + ) + + $skip = 0 + $breakCounter = 0 + $threshold = 8 + $newSettingName = $SettingName + do { + $previousSettingName = $newSettingName + $newSettingName = Get-SettingDefinitionNameFromOffsetUri -OffsetUri $SettingDefinition.OffsetUri -SettingName $newSettingName -Skip $skip + + $combinationMatchesWithOffsetUri = @() + $SettingsWithSameName | ForEach-Object { + $newName = Get-SettingDefinitionNameFromOffsetUri -OffsetUri $_.OffsetUri -SettingName $previousSettingName -Skip $skip + if ($newName -eq $newSettingName) + { + # Exclude v2 versions from the comparison + if ($SettingDefinition.Id -like "*_v2" -and $_.Id -ne $SettingDefinition.Id.Replace('_v2', '') -or + $SettingDefinition.Id -notlike 
"*_v2" -and $_.Id -ne $SettingDefinition.Id + "_v2") + { + $combinationMatchesWithOffsetUri += $_ + } + } + } + $SettingsWithSameName = $combinationMatchesWithOffsetUri + $skip++ + $breakCounter++ + } while ($combinationMatchesWithOffsetUri.Count -gt 1 -and $breakCounter -lt $threshold) + + $success = $false + if ($breakCounter -lt $threshold) + { + if ($SettingDefinition.Id -like "*_v2" -and $newSettingName -notlike "*_v2") + { + $newSettingName += "_v2" + } + $settingName = $newSettingName + $success = $true + } + + @{ + Success = $success + SettingName = $settingName + } +} + +function Get-SettingDefinitionNameFromOffsetUri { + param ( + [Parameter(Mandatory = $true)] + [System.String] + $OffsetUri, + + [Parameter(Mandatory = $true)] + [System.String] + $SettingName, + + [Parameter(Mandatory = $false)] + [System.Int32] + $Skip = 0 + ) + + # If the last part of the OffsetUri is the same as the setting name or it contains invalid characters, we traverse up until we reach the first element + # Invalid characters are { and } which are used in the OffsetUri to indicate a variable + $splittedOffsetUri = $OffsetUri.Split("/") + if ([string]::IsNullOrEmpty($splittedOffsetUri[0])) + { + $splittedOffsetUri = $splittedOffsetUri[1..($splittedOffsetUri.Length - 1)] + } + + if ($Skip -gt $splittedOffsetUri.Length - 1) + { + return $SettingName + } + + $splittedOffsetUri = $splittedOffsetUri[0..($splittedOffsetUri.Length - 1 - $Skip)] + $traversed = $false + while (-not $traversed -and $splittedOffsetUri.Length -gt 1) # Prevent adding the first element of the OffsetUri + { + $traversed = $true + if ($splittedOffsetUri[-1] -eq $SettingName -or $splittedOffsetUri[-1] -match "[\{\}]" -or $SettingName.StartsWith($splittedOffsetUri[-1])) + { + $splittedOffsetUri = $splittedOffsetUri[0..($splittedOffsetUri.Length - 2)] + $traversed = $false + } + } + + if ($splittedOffsetUri.Length -gt 1) + { + $splittedOffsetUri[-1] + "_" + $SettingName + } + else + { + $SettingName + } +} 
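Review bot: In Get-SettingsCatalogSettingName the duplicate lookup compares `$_.Name` with the already sanitised `$settingName`, so a definition whose `Name` contains `{`, `}` or `$` never matches itself and the whole de-duplication block is skipped for it (whether such names occur in the catalog is not visible here). Comparing against the raw value, `Where-Object -FilterScript { $_.Name -eq $SettingDefinition.Name }`, keeps the check aligned with the data. The fallback in the no-parent branch is described by its own comment as able to overwrite settings that share a name, yet it does so silently; a `Write-Warning` there that names `$SettingDefinition.Id` would make a collision in an exported policy visible to whoever reviews the export. In Get-UniqueSettingDefinitionNameFromMultipleMatches the `-and`/`-or` chain in the v2 exclusion relies on PowerShell evaluating both operators left to right with equal precedence, so explicit parentheses around each `-and` pair would make the intent readable.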
diff --git a/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 index c5300bf1ec..279b6d470d 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 @@ -691,7 +691,7 @@ function Start-M365DSCConfigurationExtract # Azure Automation Check $AzureAutomation = $false - if ('AzureAutomation/' -eq $env:AZUREPS_HOST_ENVIRONMENT) + if ($env:AZUREPS_HOST_ENVIRONMENT -like 'AzureAutomation*') { $AzureAutomation = $true } diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 93e4d39e0f..0eae31dd77 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -1829,9 +1829,9 @@ function New-M365DSCConnection param ( [Parameter(Mandatory = $true)] - [ValidateSet('Azure', 'AzureDevOPS', 'Defender', 'ExchangeOnline', 'Fabric', 'Intune', ` + [ValidateSet('AdminAPI', 'Azure', 'AzureDevOPS', 'DefenderForEndPoint', 'ExchangeOnline', 'Fabric', 'Intune', ` 'SecurityComplianceCenter', 'PnP', 'PowerPlatforms', ` - 'MicrosoftTeams', 'MicrosoftGraph', 'SharePointOnlineREST', 'Tasks')] + 'MicrosoftTeams', 'MicrosoftGraph', 'SharePointOnlineREST', 'Tasks', 'AdminAPI')] [System.String] $Workload, @@ -3835,7 +3835,7 @@ function Get-M365DSCExportContentForResource { $instanceName += "-$primaryKey" } - else + elseif (-not $Keys.Contains('IsSingleInstance')) { $instanceName += "-" + (New-Guid).ToString() } @@ -4671,7 +4671,7 @@ function Test-M365DSCModuleValidity [CmdletBinding()] param() - if ('AzureAutomation/' -eq $env:AZUREPS_HOST_ENVIRONMENT) + if ($env:AZUREPS_HOST_ENVIRONMENT -like 'AzureAutomation*') { $message = 'Skipping check for newer version of Microsoft365DSC due to Azure Automation Environment restrictions.' Write-Verbose -Message $message 
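Review bot: In the New-M365DSCConnection hunk, `'AdminAPI'` appears twice in the `ValidateSet` (first and last entry), and `'Defender'` is replaced by `'DefenderForEndPoint'` rather than added next to it. The duplicate entry should be dropped; the rename means any caller outside this diff that still passes `-Workload 'Defender'` will fail parameter validation, so either keep `'Defender'` as an accepted value for a transition period or confirm every call site was updated. The spelling also differs from the `DefenderForEndpoint` property used in M365DSCDefenderHelper.psm1; PowerShell matches both case-insensitively, but a single spelling would be easier to search for. The param block continues outside the hunk.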
diff --git a/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCAzureHelper.psm1 b/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCAzureHelper.psm1
new file mode 100644
index 0000000000..1c7249a7b9
--- /dev/null
+++ b/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCAzureHelper.psm1
@@ -0,0 +1,155 @@
+function Get-M365DSCAzureBillingAccount
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param()
+
+ $uri = 'https://management.azure.com/providers/Microsoft.Billing/billingAccounts?api-version=2024-04-01&?includeAll=true'
+ $response = Invoke-AzRest -Method GET -Uri $uri
+ $result = ConvertFrom-Json $response.Content
+ return $result
+}
+
+function Get-M365DSCAzureBillingAccountsAssociatedTenant
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param(
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $BillingAccountId
+ )
+
+ $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/associatedTenants?api-version=2024-04-01"
+ $response = Invoke-AzRest -Method GET -Uri $uri
+ $result = ConvertFrom-Json $response.Content
+ return $result
+}
+
+function Remove-M365DSCAzureBillingAccountsAssociatedTenant
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param(
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $BillingAccountId,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $AssociatedTenantId
+ )
+
+ $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/associatedTenants/$($AssociatedTenantId)?api-version=2024-04-01"
+ $response = Invoke-AzRest -Method DELETE -Uri $uri
+ $result = ConvertFrom-Json $response.Content
+ return $result
+}
+function New-M365DSCAzureBillingAccountsAssociatedTenant
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param(
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $BillingAccountId,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $AssociatedTenantId,
+
+ [Parameter(Mandatory = $true)]
+ [System.Collections.Hashtable]
+ $Body
+ )
+
+ $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/associatedTenants/$($AssociatedTenantId)?api-version=2024-04-01"
+ $payload = ConvertTo-Json $body -Depth 10 -Compress
+ $response = Invoke-AzRest -Method PUT -Uri $uri -Payload $payload
+ $result = ConvertFrom-Json $response.Content
+ return $result
+}
+
+function Get-M365DSCAzureBillingAccountsRoleAssignment
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param(
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $BillingAccountId
+ )
+
+ $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/billingRoleAssignments?api-version=2024-04-01"
+ $response = Invoke-AzRest -Method GET -Uri $uri
+ $result = ConvertFrom-Json $response.Content
+ return $result
+}
+
+function Get-M365DSCAzureBillingAccountsRoleDefinition
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param(
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $BillingAccountId,
+
+ [Parameter()]
+ [System.String]
+ $RoleDefinitionId
+ )
+
+ if ($null -eq $RoleDefinitionId)
+ {
+ $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/billingRoleDefinitions?api-version=2024-04-01"
+ }
+ else
+ {
+ $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/billingRoleDefinitions/$($RoleDefinitionId)?api-version=2024-04-01"
+ }
+ $response = Invoke-AzRest -Method GET -Uri $uri
+ $result = ConvertFrom-Json $response.Content
+ return $result
+}
+
+function New-M365DSCAzureBillingAccountsRoleAssignment
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param(
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $BillingAccountId,
+
+ [Parameter(Mandatory = $true)]
+ [System.Collections.Hashtable]
+ $Body
+ )
+
+ $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/createBillingRoleAssignment?api-version=2024-04-01"
+ $payload = ConvertTo-Json $Body -Depth 10 -Compress
+ $response = Invoke-AzRest -Method POST -Uri $uri -Payload $payload
+ $result = ConvertFrom-Json $response.Content
+ return $result
+}
+
+function Remove-M365DSCAzureBillingAccountsRoleAssignment
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param(
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $BillingAccountId,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $AssignmentId
+ )
+
+ $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/$($BillingAccountId)/billingRoleAssignments/$($AssignmentId)?api-version=2024-04-01"
+ $response = Invoke-AzRest -Method DELETE -Uri $uri
+ $result = ConvertFrom-Json $response.Content
+ return $result
+}
diff --git a/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1 b/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1
new file mode 100644
index 0000000000..ebbec02b6e
--- /dev/null
+++ b/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCDefenderHelper.psm1
@@ -0,0 +1,30 @@
+function Invoke-M365DSCDefenderREST
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param(
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $Uri,
+
+ [Parameter()]
+ [System.String]
+ $Method = 'GET',
+
+ [Parameter()]
+ [System.Collections.Hashtable]
+ $Body
+ )
+
+ $bodyJSON = ConvertTo-Json $Body -Depth 10 -Compress
+ $headers = @{
+ Authorization = $Global:MSCloudLoginConnectionProfile.DefenderForEndpoint.AccessToken
+ "Content-Type" = "application/json"
+ }
+ $response = Invoke-WebRequest -Method $Method `
+ -Uri $Uri `
+ -Headers $headers `
+ -Body $bodyJSON
+ $result = ConvertFrom-Json $response.Content
+ return $result
+}
diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json
index 7ed3b00e3d..8197b6ed9d 100644
--- a/Modules/Microsoft365DSC/SchemaDefinition.json
+++ b/Modules/Microsoft365DSC/SchemaDefinition.json
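Review bot: In Get-M365DSCAzureBillingAccountsRoleDefinition the test `$null -eq $RoleDefinitionId` can never be true, because an omitted `[System.String]` parameter is bound as an empty string; the list branch is unreachable and the request goes to `.../billingRoleDefinitions/?api-version=2024-04-01`. It should read `if ([System.String]::IsNullOrEmpty($RoleDefinitionId))`. In Get-M365DSCAzureBillingAccount the query string `&?includeAll=true` carries a stray `?`, so the parameter is sent under the name `?includeAll`; it should be `&includeAll=true`. None of the functions inspect `$response.StatusCode` before returning the parsed content, so as far as this file shows a rejected DELETE of a billing role assignment or associated tenant is handed back to the caller like a success; checking the status code and throwing on a non-2xx value would let the calling resource report that the assignment is still in place. The `[OutputType([System.Collections.Hashtable])]` attribute also does not match what `ConvertFrom-Json` returns by default, which is a custom object.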
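Review bot: Invoke-M365DSCDefenderREST attaches the access token from the global connection profile to whatever `$Uri` the caller passes, with no check that the target is an absolute `https` URL, so a mistyped or externally supplied URI would receive the token. The body is also serialised unconditionally: with `$Body` omitted, `ConvertTo-Json` yields the string `null`, which is then passed as `-Body` on the default GET. I would validate the URI before the headers are built and pass `-Body` only when the parameter was bound, as below; a comparison of the host against the Defender endpoint held in the connection profile could be added at the same place if the profile exposes one.

```powershell
# … unchanged: param block …
$parsedUri = $null
if (-not [System.Uri]::TryCreate($Uri, [System.UriKind]::Absolute, [ref]$parsedUri) -or
    $parsedUri.Scheme -ne 'https')
{
    throw "Invoke-M365DSCDefenderREST requires an absolute https URI."
}

# … unchanged: $headers hashtable …
$requestParams = @{
    Method  = $Method
    Uri     = $parsedUri
    Headers = $headers
}
if ($PSBoundParameters.ContainsKey('Body'))
{
    # Serialise only when a body was supplied, so a plain GET carries none.
    $requestParams.Body = ConvertTo-Json $Body -Depth 10 -Compress
}
$response = Invoke-WebRequest @requestParams
# … unchanged: ConvertFrom-Json and return …
```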
@@ -1,4 +1,389 @@ [ + { + "ClassName": "MSFT_MicrosoftGraphAccessReviewScope", + "Parameters": [ + { + "CIMType": "String", + "Name": "Query", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "QueryRoot", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "QueryType", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphAccessReviewScope[]", + "Name": "PrincipalScopes", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphAccessReviewScope[]", + "Name": "ResourceScopes", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "odataType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphAccessReviewScheduleSettings", + "Parameters": [ + { + "CIMType": "MSFT_MicrosoftGraphAccessReviewApplyAction[]", + "Name": "ApplyActions", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AutoApplyDecisionsEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DecisionHistoriesForReviewersEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DefaultDecision", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DefaultDecisionEnabled", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "InstanceDurationInDays", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "JustificationRequiredOnApproval", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "MailNotificationsEnabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting[]", + "Name": "RecommendationInsightSettings", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RecommendationLookBackDuration", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RecommendationsEnabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphPatternedRecurrence", + "Name": "Recurrence", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ReminderNotificationsEnabled", + "Option": 
"Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphAccessReviewApplyAction", + "Parameters": [ + { + "CIMType": "String", + "Name": "odataType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting", + "Parameters": [ + { + "CIMType": "String", + "Name": "RecommendationLookBackDuration", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SignInScope", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "odataType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphPatternedRecurrence", + "Parameters": [ + { + "CIMType": "MSFT_MicrosoftGraphRecurrencePattern", + "Name": "Pattern", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphRecurrenceRange", + "Name": "Range", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphRecurrencePattern", + "Parameters": [ + { + "CIMType": "UInt32", + "Name": "DayOfMonth", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DaysOfWeek", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FirstDayOfWeek", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Index", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "Interval", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "Month", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Type", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphRecurrenceRange", + "Parameters": [ + { + "CIMType": "String", + "Name": "EndDate", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "NumberOfOccurrences", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RecurrenceTimeZone", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "StartDate", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Type", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphAccessReviewStageSettings", + "Parameters": [ + { + 
"CIMType": "String[]", + "Name": "DecisionsThatWillMoveToNextStage", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DependsOnValue", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "DurationInDays", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting[]", + "Name": "RecommendationInsightSettings", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RecommendationLookBackDuration", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RecommendationsEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "StageId", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADAccessReviewDefinition", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Required" + }, + { + "CIMType": "String", + "Name": "DescriptionForAdmins", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DescriptionForReviewers", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphaccessReviewScope", + "Name": "ScopeValue", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphaccessReviewScheduleSettings", + "Name": "SettingsValue", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphaccessReviewStageSettings[]", + "Name": "StageSettings", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": 
"String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADAccessReviewPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "IsGroupOwnerManagementEnabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_AADActivityBasedTimeoutPolicy", "Parameters": [ @@ -122,6 +507,11 @@ "Name": "ApplicationId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "TenantId", 
@@ -1499,6 +1889,126 @@ } ] }, + { + "ClassName": "MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TargetType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TargetType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting", + "Parameters": [ + { + "CIMType": "String", + "Name": "ClientId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DiscoveryUrl", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADAuthenticationMethodPolicyExternal", + "Parameters": [ + { + "CIMType": "MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget[]", + "Name": "ExcludeTargets", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget[]", + "Name": "IncludeTargets", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting", + "Name": "OpenIdConnectSetting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "State", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AppId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": 
"Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_MicrosoftGraphFido2KeyRestrictions", "Parameters": [ 
@@ -2534,6 +3044,191 @@ } ] }, + { + "ClassName": "MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter", + "Parameters": [ + { + "CIMType": "String", + "Name": "Value", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DataType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims", + "Parameters": [ + { + "CIMType": "String", + "Name": "ClaimTypeReferenceId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TransformationClaimType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TransformationMethod", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter[]", + "Name": "InputParameters", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims[]", + "Name": "OutputClaims", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema", + "Parameters": [ + { + "CIMType": "String", + "Name": "Source", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SamlClaimType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy", + "Parameters": [ + { + "CIMType": "uint32", + "Name": "Version", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IncludeBasicClaimSet", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema[]", + "Name": "ClaimsSchema", + "Option": "Write" + }, + { + 
"CIMType": "MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation[]", + "Name": "ClaimsTransformation", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADClaimsMappingPolicyDefinition", + "Parameters": [ + { + "CIMType": "MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy", + "Name": "ClaimsMappingPolicy", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADClaimsMappingPolicy", + "Parameters": [ + { + "CIMType": "MSFT_AADClaimsMappingPolicyDefinition[]", + "Name": "Definition", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsOrganizationDefault", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_AADConditionalAccessPolicy", "Parameters": [ 
@@ -2637,6 +3332,26 @@ "Name": "ExcludeExternalTenantsMembers", "Option": "Write" }, + { + "CIMType": "String[]", + "Name": "IncludeServicePrincipals", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExcludeServicePrincipals", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ServicePrincipalFilterMode", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ServicePrincipalFilterRule", + "Option": "Write" + }, { "CIMType": "String[]", "Name": "IncludePlatforms", @@ -2762,6 +3477,11 @@ "Name": "AuthenticationContexts", "Option": "Write" }, + { + "CIMType": "String", + "Name": "InsiderRiskLevels", + "Option": "Write" + }, { "CIMType": "String", "Name": "Ensure", 
@@ -3159,6 +3879,136 @@ } ] }, + { + "ClassName": "MSFT_AADCustomAuthenticationExtensionEndPointConfiguration", + "Parameters": [ + { + "CIMType": "String", + "Name": "EndpointType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "LogicAppWorkflowName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ResourceGroupName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SubscriptionId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TargetUrl", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration", + "Parameters": [ + { + "CIMType": "String", + "Name": "ClaimIdInApiResponse", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADCustomAuthenticationExtension", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CustomAuthenticationExtensionType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AuthenticationConfigurationType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AuthenticationConfigurationResourceId", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "ClientConfigurationTimeoutMilliseconds", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "ClientConfigurationMaximumRetries", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADCustomAuthenticationExtensionEndPointConfiguration", + "Name": "EndpointConfiguration", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration[]", + "Name": "ClaimsForTokenConfiguration", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + 
"CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_AADCustomSecurityAttributeDefinition", "Parameters": [ @@ -3227,6 +4077,11 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", @@ -3417,6 +4272,66 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADEnrichedAuditLogs", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Exchange", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SharePoint", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Teams", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", 
@@ -4590,22 +5505,7 @@ ] }, { - "ClassName": "MSFT_AADGroupLicense", - "Parameters": [ - { - "CIMType": "String[]", - "Name": "DisabledPlans", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "SkuId", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_AADGroup", + "ClassName": "MSFT_AADFederationConfiguration", "Parameters": [ { "CIMType": "String", 
@@ -4614,86 +5514,96 @@ }, { "CIMType": "String", - "Name": "MailNickname", - "Option": "Key" + "Name": "IssuerUri", + "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "MetadataExchangeUri", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "PassiveSignInUri", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Owners", + "CIMType": "String", + "Name": "PreferredAuthenticationProtocol", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Members", + "CIMType": "String", + "Name": "SigningCertificate", "Option": "Write" }, { "CIMType": "String[]", - "Name": "GroupAsMembers", + "Name": "Domains", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "MemberOf", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "GroupTypes", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "MembershipRule", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "MembershipRuleProcessingState", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityEnabled", - "Option": "Required" - }, - { - "CIMType": "Boolean", - "Name": "MailEnabled", - "Option": "Required" + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsAssignableToRole", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "AssignedToRole", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADFilteringPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" }, { "CIMType": "String", - "Name": "Visibility", + "Name": "Id", "Option": "Write" }, { - "CIMType": "MSFT_AADGroupLicense[]", - "Name": "AssignedLicenses", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", + "Name": "Action", + 
"Option": "Write" + }, + { + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, @@ -4712,11 +5622,6 @@ "Name": "TenantId", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", - "Option": "Write" - }, { "CIMType": "String", "Name": "CertificateThumbprint", @@ -4735,30 +5640,50 @@ ] }, { - "ClassName": "MSFT_AADGroupLifecyclePolicy", + "ClassName": "MSFT_AADFilteringPolicyRuleDestination", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", - "Option": "Key" + "Name": "name", + "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "GroupLifetimeInDays", - "Option": "Required" + "CIMType": "String", + "Name": "value", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADFilteringPolicyRule", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" }, { "CIMType": "String", - "Name": "ManagedGroupTypes", - "Option": "Required" + "Name": "Policy", + "Option": "Key" }, { - "CIMType": "String[]", - "Name": "AlternateNotificationEmails", - "Option": "Required" + "CIMType": "String", + "Name": "Id", + "Option": "Write" }, { "CIMType": "String", + "Name": "RuleType", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADFilteringPolicyRuleDestination[]", + "Name": "Destinations", + "Option": "Write" + }, + { + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, @@ -4777,11 +5702,6 @@ "Name": "TenantId", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", - "Option": "Write" - }, { "CIMType": "String", "Name": "CertificateThumbprint", 
@@ -4800,25 +5720,65 @@ ] }, { - "ClassName": "MSFT_AADGroupsNamingPolicy", + "ClassName": "MSFT_AADFilteringProfilePolicyLink", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", + "Name": "LoggingState", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "Priority", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "State", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PolicyName", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADFilteringProfile", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", "Option": "Key" }, { "CIMType": "String", - "Name": "PrefixSuffixNamingRequirement", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "CustomBlockedWordsList", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", + "Name": "State", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "Priority", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADFilteringProfilePolicyLink[]", + "Name": "Policies", + "Option": "Write" + }, + { + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, @@ -4837,11 +5797,6 @@ "Name": "TenantId", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", - "Option": "Write" - }, { "CIMType": "String", "Name": "CertificateThumbprint", 
@@ -4860,56 +5815,106 @@ ] }, { - "ClassName": "MSFT_AADGroupsSettings", + "ClassName": "MSFT_AADGroupLicense", "Parameters": [ + { + "CIMType": "String[]", + "Name": "DisabledPlans", + "Option": "Write" + }, { "CIMType": "String", - "Name": "IsSingleInstance", + "Name": "SkuId", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADGroup", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "EnableGroupCreation", + "CIMType": "String", + "Name": "MailNickname", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableMIPLabels", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowGuestsToBeGroupOwner", + "CIMType": "String[]", + "Name": "Owners", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowGuestsToAccessGroups", + "CIMType": "String[]", + "Name": "Members", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "GroupAsMembers", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "MemberOf", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "GroupTypes", "Option": "Write" }, { "CIMType": "String", - "Name": "GuestUsageGuidelinesUrl", + "Name": "MembershipRule", "Option": "Write" }, { "CIMType": "String", - "Name": "GroupCreationAllowedGroupName", + "Name": "MembershipRuleProcessingState", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowToAddGuests", + "Name": "SecurityEnabled", + "Option": "Required" + }, + { + "CIMType": "Boolean", + "Name": "MailEnabled", + "Option": "Required" + }, + { + "CIMType": "Boolean", + "Name": "IsAssignableToRole", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AssignedToRole", "Option": "Write" }, { "CIMType": "String", - "Name": "UsageGuidelinesUrl", + "Name": "Visibility", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": 
"NewUnifiedGroupWritebackDefault", + "CIMType": "MSFT_AADGroupLicense[]", + "Name": "AssignedLicenses", "Option": "Write" }, { 
@@ -4955,160 +5960,185 @@ ] }, { - "ClassName": "MSFT_IdentityGovernanceScope", + "ClassName": "MSFT_AADGroupLifecyclePolicy", "Parameters": [ { "CIMType": "String", - "Name": "OdataType", - "Option": "Write" + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "UInt32", + "Name": "GroupLifetimeInDays", + "Option": "Required" }, { "CIMType": "String", - "Name": "Rule", + "Name": "ManagedGroupTypes", + "Option": "Required" + }, + { + "CIMType": "String[]", + "Name": "AlternateNotificationEmails", + "Option": "Required" + }, + { + "CIMType": "String", + "Name": "Ensure", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IdentityGovernanceTrigger", - "Parameters": [ + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, { "CIMType": "String", - "Name": "OdataType", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "TimeBasedAttribute", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "OffsetInDays", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IdentityGovernanceWorkflowExecutionConditions", - "Parameters": [ + }, { "CIMType": "String", - "Name": "OdataType", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "MSFT_IdentityGovernanceScope", - "Name": "ScopeValue", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "MSFT_IdentityGovernanceTrigger", - "Name": "TriggerValue", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" } ] }, { - "ClassName": "MSFT_AADIdentityGovernanceTaskArguments", + "ClassName": "MSFT_AADGroupsNamingPolicy", "Parameters": [ { "CIMType": "String", - "Name": "Name", + "Name": "IsSingleInstance", "Option": "Key" }, { "CIMType": "String", - "Name": "Value", + "Name": "PrefixSuffixNamingRequirement", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_AADIdentityGovernanceTask", - 
"Parameters": [ + }, { - "CIMType": "String", - "Name": "DisplayName", + "CIMType": "String[]", + "Name": "CustomBlockedWordsList", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "Category", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IsEnabled", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "ExecutionSequence", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ContinueOnError", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "TaskDefinitionId", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "MSFT_AADIdentityGovernanceTaskArguments[]", - "Name": "Arguments", + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" } ] }, { - "ClassName": "MSFT_AADIdentityGovernanceLifecycleWorkflow", + "ClassName": "MSFT_AADGroupsSettings", "Parameters": [ { "CIMType": "String", - "Name": "DisplayName", + "Name": "IsSingleInstance", "Option": "Key" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "EnableGroupCreation", "Option": "Write" }, { - "CIMType": "String", - "Name": "Category", + "CIMType": "Boolean", + "Name": "EnableMIPLabels", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsEnabled", + "Name": "AllowGuestsToBeGroupOwner", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsSchedulingEnabled", + "Name": "AllowGuestsToAccessGroups", "Option": "Write" }, { - "CIMType": "MSFT_AADIdentityGovernanceTask[]", - "Name": "Tasks", + "CIMType": "String", + "Name": "GuestUsageGuidelinesUrl", "Option": "Write" }, { - "CIMType": 
"MSFT_IdentityGovernanceWorkflowExecutionConditions", - "Name": "ExecutionConditions", + "CIMType": "String", + "Name": "GroupCreationAllowedGroupName", "Option": "Write" }, { - "CIMType": "string", + "CIMType": "Boolean", + "Name": "AllowToAddGuests", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "UsageGuidelinesUrl", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "NewUnifiedGroupWritebackDefault", + "Option": "Write" + }, + { + "CIMType": "String", "Name": "Ensure", "Option": "Write" }, @@ -5127,6 +6157,11 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", 
@@ -5145,105 +6180,65 @@ ] }, { - "ClassName": "MSFT_AADLifecycleWorkflowSettings", + "ClassName": "MSFT_AADHomeRealDiscoveryPolicyDefinition", "Parameters": [ - { - "CIMType": "String", - "Name": "IsSingleInstance", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "SenderDomain", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "WorkflowScheduleIntervalInHours", - "Option": "Write" - }, { "CIMType": "Boolean", - "Name": "UseCompanyBranding", - "Option": "Write" - }, - { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "Name": "AccelerateToFederatedDomain", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "AllowCloudPasswordValidation", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin", + "Name": "AlternateIdLogin", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "PreferredDomain", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin", + "Parameters": [ { "CIMType": "Boolean", - "Name": "ManagedIdentity", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AccessTokens", + "Name": "Enabled", "Option": "Write" } ] }, { - "ClassName": "MSFT_AADNamedLocationPolicy", + "ClassName": "MSFT_AADHomeRealmDiscoveryPolicy", "Parameters": [ - { - "CIMType": "string", - "Name": "OdataType", - "Option": "Write" - }, { "CIMType": "String", - "Name": "Id", - "Option": "Write" - }, - { - "CIMType": "string", "Name": "DisplayName", "Option": "Key" }, { - "CIMType": "String[]", - "Name": "IpRanges", + "CIMType": "MSFT_AADHomeRealDiscoveryPolicyDefinition[]", + "Name": "Definition", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsTrusted", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "CountriesAndRegions", + "Name": "IsOrganizationDefault", "Option": "Write" }, { 
"CIMType": "String", - "Name": "CountryLookupMethod", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "IncludeUnknownCountriesAndRegions", + "Name": "Description", "Option": "Write" }, { - "CIMType": "String", + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, @@ -5285,45 +6280,65 @@ ] }, { - "ClassName": "MSFT_AADPasswordRuleSettings", + "ClassName": "MSFT_AADIdentityAPIConnectionCertificate", "Parameters": [ { - "CIMType": "String", - "Name": "IsSingleInstance", - "Option": "Key" + "CIMType": "MSFT_Credential", + "Name": "Pkcs12Value", + "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "LockoutThreshold", + "CIMType": "String", + "Name": "Thumbprint", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "LockoutDurationInSeconds", + "CIMType": "MSFT_Credential", + "Name": "Password", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnableBannedPasswordCheck", + "Name": "IsActive", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADIdentityAPIConnector", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Required" }, { - "CIMType": "String[]", - "Name": "BannedPasswordList", + "CIMType": "String", + "Name": "TargetUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "BannedPasswordCheckOnPremisesMode", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Username", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableBannedPasswordCheckOnPremises", + "CIMType": "MSFT_Credential", + "Name": "Password", "Option": "Write" }, { - "CIMType": "String", + "CIMType": "MSFT_AADIdentityAPIConnectionCertificate[]", + "Name": "Certificates", + "Option": "Write" + }, + { + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, 
@@ -5365,50 +6380,95 @@ ] }, { - "ClassName": "MSFT_AADRoleDefinition", + "ClassName": "MSFT_MicrosoftGraphUserFlowApiConnectorConfiguration", "Parameters": [ { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "postFederationSignupConnectorName", + "Option": "Write" }, { - "CIMType": "string", - "Name": "Id", + "CIMType": "String", + "Name": "postAttributeCollectionConnectorName", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues", + "Parameters": [ { "CIMType": "String", - "Name": "Description", + "Name": "Name", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ResourceScopes", + "CIMType": "String", + "Name": "Value", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsEnabled", - "Option": "Required" - }, + "Name": "IsDefault", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphuserFlowUserAttributeAssignment", + "Parameters": [ { - "CIMType": "String[]", - "Name": "RolePermissions", - "Option": "Required" + "CIMType": "String", + "Name": "Id", + "Option": "Write" }, { "CIMType": "String", - "Name": "TemplateId", + "Name": "DisplayName", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsOptional", "Option": "Write" }, { "CIMType": "String", - "Name": "Version", + "Name": "UserInputType", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues[]", + "Name": "UserAttributeValues", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADIdentityB2XUserFlow", + "Parameters": [ + { + "CIMType": "MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration", + "Name": "ApiConnectorConfiguration", "Option": "Write" }, { "CIMType": "String", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "IdentityProviders", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphuserFlowUserAttributeAssignment[]", + "Name": 
"UserAttributeAssignments", + "Option": "Write" + }, + { + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, 
@@ -5450,201 +6510,156 @@ ] }, { - "ClassName": "MSFT_AADRoleEligibilityScheduleRequestScheduleRecurrenceRange", + "ClassName": "MSFT_IdentityGovernanceScope", "Parameters": [ { "CIMType": "String", - "Name": "endDate", - "Option": "Required" - }, - { - "CIMType": "UInt32", - "Name": "numberOfOccurrences", + "Name": "OdataType", "Option": "Write" }, { "CIMType": "String", - "Name": "recurrenceTimeZone", + "Name": "Rule", "Option": "Write" - }, - { - "CIMType": "String", - "Name": "startDate", - "Option": "Required" - }, - { - "CIMType": "String", - "Name": "type", - "Option": "Required" } ] }, { - "ClassName": "MSFT_AADRoleEligibilityScheduleRequestScheduleRecurrencePattern", + "ClassName": "MSFT_IdentityGovernanceTrigger", "Parameters": [ { - "CIMType": "UInt32", - "Name": "dayOfMonth", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "daysOfWeek", + "CIMType": "String", + "Name": "OdataType", "Option": "Write" }, { "CIMType": "String", - "Name": "firstDayOfWeek", + "Name": "TimeBasedAttribute", "Option": "Write" }, { - "CIMType": "String", - "Name": "index", + "CIMType": "SInt32", + "Name": "OffsetInDays", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IdentityGovernanceWorkflowExecutionConditions", + "Parameters": [ { - "CIMType": "UInt32", - "Name": "interval", + "CIMType": "String", + "Name": "OdataType", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "month", + "CIMType": "MSFT_IdentityGovernanceScope", + "Name": "ScopeValue", "Option": "Write" }, { - "CIMType": "String", - "Name": "type", + "CIMType": "MSFT_IdentityGovernanceTrigger", + "Name": "TriggerValue", "Option": "Write" } ] }, { - "ClassName": "MSFT_AADRoleEligibilityScheduleRequestScheduleRecurrence", + "ClassName": "MSFT_AADIdentityGovernanceTaskArguments", "Parameters": [ { - "CIMType": "MSFT_AADRoleEligibilityScheduleRequestScheduleRecurrencePattern", - "Name": "pattern", - "Option": "Write" + "CIMType": "String", + "Name": "Name", + "Option": "Key" }, { - 
"CIMType": "MSFT_AADRoleEligibilityScheduleRequestScheduleRecurrenceRange", - "Name": "range", + "CIMType": "String", + "Name": "Value", "Option": "Write" } ] }, { - "ClassName": "MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration", + "ClassName": "MSFT_AADIdentityGovernanceTask", "Parameters": [ { "CIMType": "String", - "Name": "duration", + "Name": "DisplayName", "Option": "Write" }, { "CIMType": "String", - "Name": "endDateTime", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "type", + "Name": "Category", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_AADRoleEligibilityScheduleRequestSchedule", - "Parameters": [ + }, { - "CIMType": "MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration", - "Name": "expiration", + "CIMType": "Boolean", + "Name": "IsEnabled", "Option": "Write" }, { - "CIMType": "MSFT_AADRoleEligibilityScheduleRequestScheduleRecurrence", - "Name": "recurrence", + "CIMType": "SInt32", + "Name": "ExecutionSequence", "Option": "Write" }, { - "CIMType": "String", - "Name": "startDateTime", + "CIMType": "Boolean", + "Name": "ContinueOnError", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_AADRoleEligibilityScheduleRequestTicketInfo", - "Parameters": [ + }, { "CIMType": "String", - "Name": "ticketNumber", + "Name": "TaskDefinitionId", "Option": "Write" }, { - "CIMType": "String", - "Name": "ticketSystem", + "CIMType": "MSFT_AADIdentityGovernanceTaskArguments[]", + "Name": "Arguments", "Option": "Write" } ] }, { - "ClassName": "MSFT_AADRoleEligibilityScheduleRequest", + "ClassName": "MSFT_AADIdentityGovernanceLifecycleWorkflow", "Parameters": [ { "CIMType": "String", - "Name": "Principal", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "RoleDefinition", + "Name": "DisplayName", "Option": "Key" }, { "CIMType": "String", - "Name": "PrincipalType", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "DirectoryScopeId", - "Option": "Write" - }, - { - "CIMType": "String", - 
"Name": "Id", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "AppScopeId", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "Action", + "Name": "Category", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsValidationOnly", + "Name": "IsEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "Justification", + "CIMType": "Boolean", + "Name": "IsSchedulingEnabled", "Option": "Write" }, { - "CIMType": "MSFT_AADRoleEligibilityScheduleRequestSchedule", - "Name": "ScheduleInfo", + "CIMType": "MSFT_AADIdentityGovernanceTask[]", + "Name": "Tasks", "Option": "Write" }, { - "CIMType": "MSFT_AADRoleEligibilityScheduleRequestTicketInfo", - "Name": "TicketInfo", + "CIMType": "MSFT_IdentityGovernanceWorkflowExecutionConditions", + "Name": "ExecutionConditions", "Option": "Write" }, { 
@@ -5690,226 +6705,256 @@ ] }, { - "ClassName": "MSFT_AADRoleSetting", + "ClassName": "MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration", "Parameters": [ { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "UInt32", + "Name": "timeoutInMilliseconds", + "Option": "Write" }, + { + "CIMType": "UInt32", + "Name": "maximumRetries", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration", + "Parameters": [ { "CIMType": "String", - "Name": "Id", + "Name": "logicAppWorkflowName", "Option": "Write" }, { "CIMType": "String", - "Name": "ActivationMaxDuration", + "Name": "resourceGroupName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ActivationReqJustification", + "CIMType": "String", + "Name": "subscriptionId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ActivationReqTicket", + "CIMType": "String", + "Name": "url", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "ActivationReqMFA", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ApprovaltoActivate", + "CIMType": "String", + "Name": "timeoutDuration", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ActivateApprover", + "Name": "authorizedApps", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "PermanentEligibleAssignmentisExpirationRequired", - "Option": "Write" + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "ExpireEligibleAssignment", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PermanentActiveAssignmentisExpirationRequired", + "CIMType": "String", + "Name": "Description", 
"Option": "Write" }, { - "CIMType": "String", - "Name": "ExpireActiveAssignment", + "CIMType": "MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration", + "Name": "ClientConfiguration", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AssignmentReqMFA", + "CIMType": "MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration", + "Name": "EndpointConfiguration", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AssignmentReqJustification", + "CIMType": "MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration", + "Name": "CallbackConfiguration", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ElegibilityAssignmentReqMFA", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ElegibilityAssignmentReqJustification", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EligibleAlertNotificationDefaultRecipient", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EligibleAlertNotificationAdditionalRecipient", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EligibleAlertNotificationOnlyCritical", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EligibleAssigneeNotificationDefaultRecipient", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "EligibleAssigneeNotificationAdditionalRecipient", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "EligibleAssigneeNotificationOnlyCritical", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADIdentityGovernanceProgram", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "EligibleApproveNotificationDefaultRecipient", + "CIMType": "String", + "Name": 
"Description", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EligibleApproveNotificationAdditionalRecipient", - "Option": "Write" + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "EligibleApproveNotificationOnlyCritical", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ActiveAlertNotificationDefaultRecipient", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ActiveAlertNotificationAdditionalRecipient", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ActiveAlertNotificationOnlyCritical", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ActiveAssigneeNotificationDefaultRecipient", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ActiveAssigneeNotificationAdditionalRecipient", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ActiveAssigneeNotificationOnlyCritical", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ActiveApproveNotificationDefaultRecipient", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ActiveApproveNotificationAdditionalRecipient", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADIdentityProtectionPolicySettings", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "ActiveApproveNotificationOnlyCritical", - "Option": "Write" + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" }, { "CIMType": "Boolean", - "Name": "EligibleAssignmentAlertNotificationDefaultRecipient", + "Name": "IsUserRiskClearedOnPasswordReset", "Option": "Write" }, { - "CIMType": "String[]", - "Name": 
"EligibleAssignmentAlertNotificationAdditionalRecipient", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EligibleAssignmentAlertNotificationOnlyCritical", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EligibleAssignmentAssigneeNotificationDefaultRecipient", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EligibleAssignmentAssigneeNotificationAdditionalRecipient", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EligibleAssignmentAssigneeNotificationOnlyCritical", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AuthenticationContextRequired", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADLifecycleWorkflowSettings", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" }, { "CIMType": "String", - "Name": "AuthenticationContextName", + "Name": "SenderDomain", "Option": "Write" }, { - "CIMType": "String", - "Name": "AuthenticationContextId", + "CIMType": "UInt32", + "Name": "WorkflowScheduleIntervalInHours", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "UseCompanyBranding", "Option": "Write" }, { @@ -5927,11 +6972,6 @@ "Name": "TenantId", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", - "Option": "Write" - }, { "CIMType": "String", "Name": "CertificateThumbprint", 
@@ -5950,26 +6990,46 @@ ] }, { - "ClassName": "MSFT_AADSecurityDefaults", + "ClassName": "MSFT_AADNamedLocationPolicy", "Parameters": [ { - "CIMType": "String", - "Name": "IsSingleInstance", - "Option": "Key" + "CIMType": "string", + "Name": "OdataType", + "Option": "Write" }, { "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "string", "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "IpRanges", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsTrusted", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "CountriesAndRegions", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "CountryLookupMethod", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsEnabled", + "Name": "IncludeUnknownCountriesAndRegions", "Option": "Write" }, { @@ -5978,18 +7038,18 @@ "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "TenantId", "Option": "Write" }, { @@ -5998,8 +7058,8 @@ "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { 
@@ -6015,156 +7075,196 @@ ] }, { - "ClassName": "MSFT_AADServicePrincipalRoleAssignment", + "ClassName": "MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule", "Parameters": [ { "CIMType": "String", - "Name": "PrincipalType", + "Name": "Name", "Option": "Write" }, { "CIMType": "String", - "Name": "Identity", + "Name": "ActionValue", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_AADServicePrincipalDelegatedPermissionClassification", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Classification", + "Name": "RuleType", + "Option": "Write" + }, + { + "CIMType": "UInt32[]", + "Name": "Ports", "Option": "Write" }, { "CIMType": "String", - "Name": "PermissionName", + "Name": "Protocol", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Destinations", "Option": "Write" } ] }, { - "ClassName": "MSFT_AADServicePrincipal", + "ClassName": "MSFT_AADNetworkAccessForwardingPolicy", "Parameters": [ { "CIMType": "String", - "Name": "AppId", + "Name": "Name", "Option": "Key" }, { - "CIMType": "MSFT_AADServicePrincipalRoleAssignment[]", - "Name": "AppRoleAssignedTo", + "CIMType": "MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule[]", + "Name": "PolicyRules", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "ObjectID", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AlternativeNames", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AccountEnabled", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AppRoleAssignmentRequired", + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphNetworkaccessPolicyLink", + "Parameters": [ + { + "CIMType": "String", + "Name": 
"Name", "Option": "Write" }, { "CIMType": "String", - "Name": "ErrorUrl", + "Name": "PolicyLinkId", "Option": "Write" }, { "CIMType": "String", - "Name": "Homepage", + "Name": "state", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADNetworkAccessForwardingProfile", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" }, { "CIMType": "String", - "Name": "LogoutUrl", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "PublisherName", + "Name": "State", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Owners", + "CIMType": "MSFT_MicrosoftGraphNetworkaccessPolicyLink[]", + "Name": "Policies", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ReplyUrls", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "SamlMetadataUrl", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ServicePrincipalNames", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "ServicePrincipalType", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Tags", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "MSFT_AADServicePrincipalDelegatedPermissionClassification[]", - "Name": "DelegatedPermissionClassifications", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADNetworkAccessSettingConditionalAccess", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "SignalingStatus", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "MSFT_Credential", + "Name": 
"Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { @@ -6180,31 +7280,61 @@ ] }, { - "ClassName": "MSFT_AADSocialIdentityProvider", + "ClassName": "MSFT_AADNetworkAccessSettingCrossTenantAccess", "Parameters": [ { "CIMType": "String", - "Name": "ClientId", + "Name": "IsSingleInstance", "Option": "Key" }, { "CIMType": "String", - "Name": "ClientSecret", + "Name": "NetworkPacketTaggingStatus", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "IdentityProviderType", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADOnPremisesPublishingProfilesSettings", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "IsEnabled", "Option": "Write" }, { @@ -6222,11 +7352,6 @@ "Name": "TenantId", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", - "Option": "Write" - }, { "CIMType": "String", "Name": "CertificateThumbprint", 
@@ -6245,31 +7370,46 @@ ] }, { - "ClassName": "MSFT_AADTenantDetails", + "ClassName": "MSFT_MicrosoftGraphCertificateAuthority", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", - "Option": "Key" + "Name": "Certificate", + "Option": "Write" }, { - "CIMType": "String[]", - "Name": "MarketingNotificationEmails", + "CIMType": "String", + "Name": "CertificateRevocationListUrl", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SecurityComplianceNotificationMails", + "CIMType": "String", + "Name": "DeltaCertificateRevocationListUrl", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SecurityComplianceNotificationPhones", + "CIMType": "Boolean", + "Name": "IsRootAuthority", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADOrganizationCertificateBasedAuthConfiguration", + "Parameters": [ + { + "CIMType": "MSFT_MicrosoftGraphcertificateAuthority[]", + "Name": "CertificateAuthorities", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "TechnicalNotificationMails", + "CIMType": "String", + "Name": "OrganizationId", + "Option": "Key" + }, + { + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { 
@@ -6310,31 +7450,41 @@ ] }, { - "ClassName": "MSFT_AADTokenLifetimePolicy", + "ClassName": "MSFT_AADPasswordRuleSettings", "Parameters": [ { - "CIMType": "string", - "Name": "DisplayName", + "CIMType": "String", + "Name": "IsSingleInstance", "Option": "Key" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "UInt32", + "Name": "LockoutThreshold", "Option": "Write" }, { - "CIMType": "string", - "Name": "Description", + "CIMType": "UInt32", + "Name": "LockoutDurationInSeconds", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableBannedPasswordCheck", "Option": "Write" }, { "CIMType": "String[]", - "Name": "Definition", + "Name": "BannedPasswordList", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BannedPasswordCheckOnPremisesMode", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsOrganizationDefault", + "Name": "EnableBannedPasswordCheckOnPremises", "Option": "Write" }, { 
@@ -6380,181 +7530,166 @@ ] }, { - "ClassName": "MSFT_AADUser", + "ClassName": "MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration", "Parameters": [ { "CIMType": "String", - "Name": "UserPrincipalName", - "Option": "Key" + "Name": "LocalIPAddress", + "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", + "Name": "PeerIPAddress", "Option": "Write" }, { - "CIMType": "String", - "Name": "FirstName", + "CIMType": "UInt32", + "Name": "Asn", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration", + "Parameters": [ { "CIMType": "String", - "Name": "LastName", + "Name": "ZoneLocalIPAddress", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Roles", + "CIMType": "String", + "Name": "RedundancyTier", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration", + "Parameters": [ { "CIMType": "String", - "Name": "UsageLocation", + "Name": "PreSharedKey", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "LicenseAssignment", + "CIMType": "String", + "Name": "ZoneRedundancyPreSharedKey", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Password", + "CIMType": "UInt32", + "Name": "SaLifeTimeSeconds", "Option": "Write" }, { "CIMType": "String", - "Name": "City", + "Name": "IPSecEncryption", "Option": "Write" }, { "CIMType": "String", - "Name": "Country", + "Name": "IPSecIntegrity", "Option": "Write" }, { "CIMType": "String", - "Name": "Department", + "Name": "IKEEncryption", "Option": "Write" }, { "CIMType": "String", - "Name": "Fax", + "Name": "IKEIntegrity", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "MemberOf", + "CIMType": "String", + "Name": "DHGroup", "Option": "Write" }, { "CIMType": "String", - "Name": "MobilePhone", + "Name": "PFSGroup", "Option": "Write" }, { "CIMType": "String", - "Name": "Office", + "Name": "ODataType", "Option": "Write" - }, + } + ] + }, + { + "ClassName": 
"MSFT_AADRemoteNetworkDeviceLink", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "PasswordNeverExpires", + "CIMType": "String", + "Name": "Name", "Option": "Write" }, { "CIMType": "String", - "Name": "PasswordPolicies", + "Name": "IPAddress", "Option": "Write" }, { "CIMType": "String", - "Name": "PhoneNumber", + "Name": "BandwidthCapacityInMbps", "Option": "Write" }, { "CIMType": "String", - "Name": "PostalCode", + "Name": "DeviceVendor", "Option": "Write" }, { - "CIMType": "String", - "Name": "PreferredLanguage", + "CIMType": "MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration", + "Name": "BgpConfiguration", "Option": "Write" }, { - "CIMType": "String", - "Name": "State", + "CIMType": "MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration", + "Name": "RedundancyConfiguration", "Option": "Write" }, { - "CIMType": "String", - "Name": "StreetAddress", + "CIMType": "MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration", + "Name": "TunnelConfiguration", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADRemoteNetwork", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" }, { "CIMType": "String", - "Name": "Title", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "UserType", + "Name": "Region", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "String[]", + "Name": "ForwardingProfiles", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "MSFT_AADRemoteNetworkDeviceLink[]", + "Name": "DeviceLinks", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "TenantId", - "Option": "Write" - }, - { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ManagedIdentity", - "Option": "Write" - }, - { - "CIMType": 
"String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_ADOOrganizationOwner", - "Parameters": [ - { - "CIMType": "String", - "Name": "OrganizationName", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "Owner", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { @@ -6590,21 +7725,16 @@ ] }, { - "ClassName": "MSFT_ADOPermissionGroup", + "ClassName": "MSFT_AADRoleDefinition", "Parameters": [ { "CIMType": "String", - "Name": "OrganizationName", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "PrincipalName", + "Name": "DisplayName", "Option": "Key" }, { - "CIMType": "String", - "Name": "DisplayName", + "CIMType": "string", + "Name": "Id", "Option": "Write" }, { @@ -6614,26 +7744,31 @@ }, { "CIMType": "String[]", - "Name": "Members", + "Name": "ResourceScopes", "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", - "Option": "Write" + "CIMType": "Boolean", + "Name": "IsEnabled", + "Option": "Required" + }, + { + "CIMType": "String[]", + "Name": "RolePermissions", + "Option": "Required" }, { "CIMType": "String", - "Name": "Descriptor", + "Name": "TemplateId", "Option": "Write" }, { "CIMType": "String", - "Name": "Level", + "Name": "Version", "Option": "Write" }, { - "CIMType": "string", + "CIMType": "String", "Name": "Ensure", "Option": "Write" }, @@ -6652,6 +7787,11 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", 
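Review bot: `PreSharedKey` and `ZoneRedundancyPreSharedKey` in the new `MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration` class (hunk `@@ -6380,181 +7530,166 @@`) are declared as `"CIMType": "String"`. The other secrets in this schema, `ApplicationSecret` and `Credential`, use `MSFT_Credential`. A plain string property ends up readable in authored configurations, in the compiled MOF, and presumably in any exported configuration, so the tunnel keys would be exposed wherever those files are stored or shared. Consider typing both as `"CIMType": "MSFT_Credential"`, or have the export omit or mask them. This JSON looks generated from the resource schemas, so the change presumably belongs in the resource's source schema rather than in this file.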
@@ -6670,191 +7810,201 @@ ] }, { - "ClassName": "MSFT_ADOPermission", + "ClassName": "MSFT_AADRoleEligibilityScheduleRequestScheduleRecurrenceRange", "Parameters": [ { "CIMType": "String", - "Name": "NamespaceId", + "Name": "endDate", + "Option": "Required" + }, + { + "CIMType": "UInt32", + "Name": "numberOfOccurrences", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", + "Name": "recurrenceTimeZone", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "Bit", - "Option": "Write" + "CIMType": "String", + "Name": "startDate", + "Option": "Required" }, { "CIMType": "String", - "Name": "Token", - "Option": "Write" + "Name": "type", + "Option": "Required" } ] }, { - "ClassName": "MSFT_ADOPermissionGroupSettings", + "ClassName": "MSFT_AADRoleEligibilityScheduleRequestScheduleRecurrencePattern", "Parameters": [ { - "CIMType": "String", - "Name": "GroupName", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "OrganizationName", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "Descriptor", + "CIMType": "UInt32", + "Name": "dayOfMonth", "Option": "Write" }, { - "CIMType": "MSFT_ADOPermission[]", - "Name": "AllowPermissions", + "CIMType": "String[]", + "Name": "daysOfWeek", "Option": "Write" }, { - "CIMType": "MSFT_ADOPermission[]", - "Name": "DenyPermissions", + "CIMType": "String", + "Name": "firstDayOfWeek", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "index", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "UInt32", + "Name": "interval", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "UInt32", + "Name": "month", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "type", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADRoleEligibilityScheduleRequestScheduleRecurrence", + "Parameters": [ { - "CIMType": "Boolean", - "Name": 
"ManagedIdentity", + "CIMType": "MSFT_AADRoleEligibilityScheduleRequestScheduleRecurrencePattern", + "Name": "pattern", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "MSFT_AADRoleEligibilityScheduleRequestScheduleRecurrenceRange", + "Name": "range", "Option": "Write" } ] }, { - "ClassName": "MSFT_ADOSecurityPolicy", + "ClassName": "MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration", "Parameters": [ { "CIMType": "String", - "Name": "OrganizationName", - "Option": "Key" + "Name": "duration", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisallowAadGuestUserAccess", + "CIMType": "String", + "Name": "endDateTime", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisallowOAuthAuthentication", + "CIMType": "String", + "Name": "type", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADRoleEligibilityScheduleRequestSchedule", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "DisallowSecureShell", + "CIMType": "MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration", + "Name": "expiration", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LogAuditEvents", + "CIMType": "MSFT_AADRoleEligibilityScheduleRequestScheduleRecurrence", + "Name": "recurrence", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowAnonymousAccess", + "CIMType": "String", + "Name": "startDateTime", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADRoleEligibilityScheduleRequestTicketInfo", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "ArtifactsExternalPackageProtectionToken", + "CIMType": "String", + "Name": "ticketNumber", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnforceAADConditionalAccess", + "CIMType": "String", + "Name": "ticketSystem", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADRoleEligibilityScheduleRequest", + "Parameters": [ + { + "CIMType": "String", + "Name": "Principal", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": 
"AllowTeamAdminsInvitationsAccessToken", - "Option": "Write" + "CIMType": "String", + "Name": "RoleDefinition", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "AllowRequestAccessToken", + "CIMType": "String", + "Name": "PrincipalType", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "DirectoryScopeId", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "AppScopeId", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "Action", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "IsValidationOnly", "Option": "Write" }, - { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_AzureSubscription", - "Parameters": [ { "CIMType": "String", - "Name": "Name", - "Option": "Key" + "Name": "Justification", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "MSFT_AADRoleEligibilityScheduleRequestSchedule", + "Name": "ScheduleInfo", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Enabled", + "CIMType": "MSFT_AADRoleEligibilityScheduleRequestTicketInfo", + "Name": "TicketInfo", "Option": "Write" }, { @@ -6877,6 +8027,11 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", 
@@ -6895,171 +8050,206 @@ ] }, { - "ClassName": "MSFT_DefenderSubscriptionPlan", + "ClassName": "MSFT_AADRoleManagementPolicyExpirationRule", "Parameters": [ { - "CIMType": "String", - "Name": "SubscriptionName", - "Option": "Key" + "CIMType": "Boolean", + "Name": "isExpirationRequired", + "Option": "Write" }, { "CIMType": "String", - "Name": "PlanName", - "Option": "Key" - }, + "Name": "maximumDuration", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADRoleManagementPolicyNotificationRule", + "Parameters": [ { "CIMType": "String", - "Name": "SubscriptionId", + "Name": "notificationType", "Option": "Write" }, { "CIMType": "String", - "Name": "PricingTier", + "Name": "recipientType", "Option": "Write" }, { "CIMType": "String", - "Name": "SubPlanName", + "Name": "notificationLevel", "Option": "Write" }, { - "CIMType": "String", - "Name": "Extensions", + "CIMType": "Boolean", + "Name": "isDefaultRecipientsEnabled", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String[]", + "Name": "notificationRecipients", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADRoleManagementPolicyEnablementRule", + "Parameters": [ { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String[]", + "Name": "enabledRules", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADRoleManagementPolicySubjectSet", + "Parameters": [ { "CIMType": "String", - "Name": "ApplicationId", + "Name": "odataType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADRoleManagementPolicyApprovalStage", + "Parameters": [ + { + "CIMType": "UInt32", + "Name": "approvalStageTimeOutInDays", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "UInt32", + "Name": "escalationTimeInMinutes", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "isApproverJustificationRequired", "Option": "Write" }, { "CIMType": "Boolean", - "Name": 
"ManagedIdentity", + "Name": "isEscalationEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "MSFT_AADRoleManagementPolicySubjectSet[]", + "Name": "escalationApprovers", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADRoleManagementPolicySubjectSet[]", + "Name": "primaryApprovers", "Option": "Write" } ] }, { - "ClassName": "MSFT_EXOAcceptedDomain", + "ClassName": "MSFT_AADRoleManagementPolicyApprovalSettings", "Parameters": [ { "CIMType": "String", - "Name": "Identity", - "Option": "Key" + "Name": "approvalMode", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "MSFT_AADRoleManagementPolicyApprovalStage[]", + "Name": "approvalStages", "Option": "Write" }, { - "CIMType": "String", - "Name": "DomainType", + "CIMType": "Boolean", + "Name": "isApprovalRequired", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "MatchSubDomains", + "Name": "isApprovalRequiredForExtension", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "OutboundOnly", + "Name": "isRequestorJustificationRequired", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADRoleManagementPolicyApprovalRule", + "Parameters": [ { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "MSFT_AADRoleManagementPolicyApprovalSettings", + "Name": "setting", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADRoleManagementPolicyAuthenticationContextRule", + "Parameters": [ { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "isEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "claimValue", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADRoleManagementPolicyRule", + "Parameters": [ { "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" + "Name": "id", + "Option": "Key" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", - "Option": "Write" + "CIMType": "String", + 
"Name": "roleDisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "ruleType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "policyId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "MSFT_AADRoleManagementPolicyExpirationRule", + "Name": "expirationRule", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOActiveSyncDeviceAccessRule", - "Parameters": [ - { - "CIMType": "String", - "Name": "Identity", - "Option": "Key" }, { - "CIMType": "String", - "Name": "AccessLevel", + "CIMType": "MSFT_AADRoleManagementPolicyNotificationRule", + "Name": "notificationRule", "Option": "Write" }, { - "CIMType": "String", - "Name": "Characteristic", + "CIMType": "MSFT_AADRoleManagementPolicyEnablementRule", + "Name": "enablementRule", "Option": "Write" }, { - "CIMType": "String", - "Name": "QueryString", + "CIMType": "MSFT_AADRoleManagementPolicyApprovalRule", + "Name": "approvalRule", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "MSFT_AADRoleManagementPolicyAuthenticationContextRule", + "Name": "authenticationContextRule", "Option": "Write" }, { @@ -7077,19 +8267,14 @@ "Name": "TenantId", "Option": "Write" }, - { - "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" - }, { "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "CertificateThumbprint", "Option": "Write" }, { 
@@ -7105,191 +8290,221 @@ ] }, { - "ClassName": "MSFT_EXOAddressBookPolicy", + "ClassName": "MSFT_AADRoleSetting", "Parameters": [ { "CIMType": "String", - "Name": "Name", + "Name": "DisplayName", "Option": "Key" }, { - "CIMType": "String[]", - "Name": "AddressLists", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "GlobalAddressList", + "Name": "ActivationMaxDuration", "Option": "Write" }, { - "CIMType": "String", - "Name": "OfflineAddressBook", + "CIMType": "Boolean", + "Name": "ActivationReqJustification", "Option": "Write" }, { - "CIMType": "String", - "Name": "RoomList", + "CIMType": "Boolean", + "Name": "ActivationReqTicket", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "ActivationReqMFA", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "ApprovaltoActivate", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "String[]", + "Name": "ActivateApprover", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "PermanentEligibleAssignmentisExpirationRequired", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "ExpireEligibleAssignment", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "Boolean", + "Name": "PermanentActiveAssignmentisExpirationRequired", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "ExpireActiveAssignment", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "AssignmentReqMFA", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "AssignmentReqJustification", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOAddressList", - "Parameters": [ - { - "CIMType": "String", - "Name": "Name", - 
"Option": "Key" }, { - "CIMType": "String[]", - "Name": "ConditionalCompany", + "CIMType": "Boolean", + "Name": "ElegibilityAssignmentReqMFA", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ConditionalCustomAttribute1", + "CIMType": "Boolean", + "Name": "ElegibilityAssignmentReqJustification", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ConditionalCustomAttribute10", + "CIMType": "Boolean", + "Name": "EligibleAlertNotificationDefaultRecipient", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ConditionalCustomAttribute11", + "Name": "EligibleAlertNotificationAdditionalRecipient", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ConditionalCustomAttribute12", + "CIMType": "Boolean", + "Name": "EligibleAlertNotificationOnlyCritical", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ConditionalCustomAttribute13", + "CIMType": "Boolean", + "Name": "EligibleAssigneeNotificationDefaultRecipient", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ConditionalCustomAttribute14", + "Name": "EligibleAssigneeNotificationAdditionalRecipient", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ConditionalCustomAttribute15", + "CIMType": "Boolean", + "Name": "EligibleAssigneeNotificationOnlyCritical", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ConditionalCustomAttribute2", + "CIMType": "Boolean", + "Name": "EligibleApproveNotificationDefaultRecipient", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ConditionalCustomAttribute3", + "Name": "EligibleApproveNotificationAdditionalRecipient", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ConditionalCustomAttribute4", + "CIMType": "Boolean", + "Name": "EligibleApproveNotificationOnlyCritical", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ConditionalCustomAttribute5", + "CIMType": "Boolean", + "Name": "ActiveAlertNotificationDefaultRecipient", "Option": "Write" }, { "CIMType": "String[]", - "Name": 
"ConditionalCustomAttribute6", + "Name": "ActiveAlertNotificationAdditionalRecipient", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ConditionalCustomAttribute7", + "CIMType": "Boolean", + "Name": "ActiveAlertNotificationOnlyCritical", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ConditionalCustomAttribute8", + "CIMType": "Boolean", + "Name": "ActiveAssigneeNotificationDefaultRecipient", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ConditionalCustomAttribute9", + "Name": "ActiveAssigneeNotificationAdditionalRecipient", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ActiveAssigneeNotificationOnlyCritical", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ActiveApproveNotificationDefaultRecipient", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ConditionalDepartment", + "Name": "ActiveApproveNotificationAdditionalRecipient", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ActiveApproveNotificationOnlyCritical", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EligibleAssignmentAlertNotificationDefaultRecipient", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ConditionalStateOrProvince", + "Name": "EligibleAssignmentAlertNotificationAdditionalRecipient", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", + "CIMType": "Boolean", + "Name": "EligibleAssignmentAlertNotificationOnlyCritical", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EligibleAssignmentAssigneeNotificationDefaultRecipient", "Option": "Write" }, { "CIMType": "String[]", - "Name": "IncludedRecipients", + "Name": "EligibleAssignmentAssigneeNotificationAdditionalRecipient", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EligibleAssignmentAssigneeNotificationOnlyCritical", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AuthenticationContextRequired", "Option": "Write" }, { "CIMType": "String", - "Name": 
"RecipientFilter", + "Name": "AuthenticationContextName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AuthenticationContextId", "Option": "Write" }, { @@ -7312,19 +8527,14 @@ "Name": "TenantId", "Option": "Write" }, - { - "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" - }, { "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "CertificateThumbprint", "Option": "Write" }, { 
@@ -7340,301 +8550,261 @@ ] }, { - "ClassName": "MSFT_EXOAntiPhishPolicy", + "ClassName": "MSFT_AADSecurityDefaults", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "IsSingleInstance", "Option": "Key" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "DisplayName", "Option": "Write" }, { "CIMType": "String", - "Name": "AdminDisplayName", + "Name": "Description", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PhishThresholdLevel", + "CIMType": "Boolean", + "Name": "IsEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "AuthenticationFailAction", + "Name": "Ensure", "Option": "Write" }, { "CIMType": "String", - "Name": "TargetedUserProtectionAction", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "Enabled", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "EnableFirstContactSafetyTips", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "EnableMailboxIntelligence", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "EnableMailboxIntelligenceProtection", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableOrganizationDomainsProtection", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableSimilarDomainsSafetyTips", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableSimilarUsersSafetyTips", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableSpoofIntelligence", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnableTargetedDomainsProtection", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableTargetedUserProtection", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": 
"MSFT_AADServicePrincipalRoleAssignment", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "EnableUnauthenticatedSender", + "CIMType": "String", + "Name": "PrincipalType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableUnusualCharactersSafetyTips", + "CIMType": "String", + "Name": "Identity", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADServicePrincipalDelegatedPermissionClassification", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "EnableViaTag", + "CIMType": "String", + "Name": "Classification", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MakeDefault", + "CIMType": "String", + "Name": "PermissionName", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADServicePrincipalAttributeValue", + "Parameters": [ { - "CIMType": "String[]", - "Name": "ExcludedDomains", + "CIMType": "String", + "Name": "AttributeName", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ExcludedSenders", + "Name": "StringArrayValue", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "HonorDmarcPolicy", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "ImpersonationProtectionState", + "CIMType": "UInt32[]", + "Name": "IntArrayValue", "Option": "Write" }, { "CIMType": "String", - "Name": "MailboxIntelligenceProtectionAction", + "Name": "StringValue", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "MailboxIntelligenceProtectionActionRecipients", + "CIMType": "UInt32", + "Name": "IntValue", "Option": "Write" }, { - "CIMType": "String", - "Name": "MailboxIntelligenceQuarantineTag", + "CIMType": "Boolean", + "Name": "BoolValue", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADServicePrincipalAttributeSet", + "Parameters": [ { "CIMType": "String", - "Name": "SpoofQuarantineTag", + "Name": "AttributeSetName", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "TargetedDomainActionRecipients", + "CIMType": "MSFT_AADServicePrincipalAttributeValue[]", + "Name": 
"AttributeValues", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AADServicePrincipal", + "Parameters": [ { "CIMType": "String", - "Name": "TargetedDomainProtectionAction", - "Option": "Write" + "Name": "AppId", + "Option": "Key" }, { - "CIMType": "String[]", - "Name": "TargetedDomainsToProtect", + "CIMType": "MSFT_AADServicePrincipalRoleAssignment[]", + "Name": "AppRoleAssignedTo", "Option": "Write" }, { "CIMType": "String", - "Name": "TargetedDomainQuarantineTag", + "Name": "ObjectID", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "TargetedUserActionRecipients", + "CIMType": "String", + "Name": "DisplayName", "Option": "Write" }, { "CIMType": "String[]", - "Name": "TargetedUsersToProtect", + "Name": "AlternativeNames", "Option": "Write" }, { - "CIMType": "String", - "Name": "TargetedUserQuarantineTag", + "CIMType": "Boolean", + "Name": "AccountEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "DmarcQuarantineAction", + "CIMType": "Boolean", + "Name": "AppRoleAssignmentRequired", "Option": "Write" }, { "CIMType": "String", - "Name": "DmarcRejectAction", - "Option": "Write" - }, - { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "Name": "ErrorUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "Homepage", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "LogoutUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" - }, - { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "Name": "Notes", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "PublisherName", "Option": "Write" }, { "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOAntiPhishRule", - "Parameters": [ - { - "CIMType": "String", - "Name": "Identity", - 
"Option": "Key" - }, - { - "CIMType": "String", - "Name": "Ensure", + "Name": "Owners", "Option": "Write" }, { "CIMType": "String", - "Name": "AntiPhishPolicy", - "Option": "Required" - }, - { - "CIMType": "Boolean", - "Name": "Enabled", + "Name": "PreferredSingleSignOnMode", "Option": "Write" }, { - "CIMType": "uint32", - "Name": "Priority", + "CIMType": "String[]", + "Name": "ReplyUrls", "Option": "Write" }, { "CIMType": "String", - "Name": "Comments", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "ExceptIfRecipientDomainIs", + "Name": "SamlMetadataUrl", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ExceptIfSentTo", + "Name": "ServicePrincipalNames", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentToMemberOf", + "CIMType": "String", + "Name": "ServicePrincipalType", "Option": "Write" }, { "CIMType": "String[]", - "Name": "RecipientDomainIs", + "Name": "Tags", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SentTo", + "CIMType": "MSFT_AADServicePrincipalDelegatedPermissionClassification[]", + "Name": "DelegatedPermissionClassifications", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SentToMemberOf", + "CIMType": "MSFT_AADServicePrincipalAttributeSet[]", + "Name": "CustomSecurityAttributes", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "Ensure", "Option": "Write" }, { @@ -7654,12 +8824,12 @@ }, { "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificatePath", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { 
@@ -7671,39 +8841,44 @@ "CIMType": "String[]", "Name": "AccessTokens", "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphpasswordCredential[]", + "Name": "PasswordCredentials", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphkeyCredential[]", + "Name": "KeyCredentials", + "Option": "Write" } ] }, { - "ClassName": "MSFT_EXOApplicationAccessPolicy", + "ClassName": "MSFT_AADSocialIdentityProvider", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "ClientId", "Option": "Key" }, { "CIMType": "String", - "Name": "AccessRight", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AppID", + "Name": "ClientSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "PolicyScopeGroupId", + "Name": "DisplayName", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "IdentityProviderType", "Option": "Write" }, { - "CIMType": "String", + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, @@ -7722,19 +8897,14 @@ "Name": "TenantId", "Option": "Write" }, - { - "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" - }, { "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "CertificateThumbprint", "Option": "Write" }, { @@ -7750,7 +8920,7 @@ ] }, { - "ClassName": "MSFT_EXOArcConfig", + "ClassName": "MSFT_AADTenantDetails", "Parameters": [ { "CIMType": "String", 
@@ -7758,13 +8928,23 @@ "Option": "Key" }, { - "CIMType": "String", - "Name": "Identity", + "CIMType": "String[]", + "Name": "MarketingNotificationEmails", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ArcTrustedSealers", + "Name": "SecurityComplianceNotificationMails", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SecurityComplianceNotificationPhones", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "TechnicalNotificationMails", "Option": "Write" }, { @@ -7782,6 +8962,11 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", @@ -7800,35 +8985,35 @@ ] }, { - "ClassName": "MSFT_EXOATPBuiltInProtectionRule", + "ClassName": "MSFT_AADTokenLifetimePolicy", "Parameters": [ { - "CIMType": "String", - "Name": "Identity", + "CIMType": "string", + "Name": "DisplayName", "Option": "Key" }, { "CIMType": "String", - "Name": "Comments", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfRecipientDomainIs", + "CIMType": "string", + "Name": "Description", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ExceptIfSentTo", + "Name": "Definition", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentToMemberOf", + "CIMType": "Boolean", + "Name": "IsOrganizationDefault", "Option": "Write" }, { - "CIMType": "string", + "CIMType": "String", "Name": "Ensure", "Option": "Write" }, @@ -7847,6 +9032,11 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", 
@@ -7865,150 +9055,130 @@ ] }, { - "ClassName": "MSFT_EXOAtpPolicyForO365", + "ClassName": "MSFT_AADUser", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", + "Name": "UserPrincipalName", "Option": "Key" }, { "CIMType": "String", - "Name": "Identity", + "Name": "DisplayName", "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "FirstName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowSafeDocsOpen", + "CIMType": "String", + "Name": "LastName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableATPForSPOTeamsODB", + "CIMType": "String[]", + "Name": "Roles", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableSafeDocs", + "CIMType": "String", + "Name": "UsageLocation", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String[]", + "Name": "LicenseAssignment", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "MSFT_Credential", + "Name": "Password", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "City", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" - }, - { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "Name": "Country", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "Department", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "Fax", "Option": "Write" }, { "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOAtpProtectionPolicyRule", - "Parameters": [ - { - "CIMType": "String", - "Name": "Identity", - "Option": "Key" - }, - { - "CIMType": "Boolean", - "Name": "Enabled", + "Name": "MemberOf", "Option": "Write" }, { "CIMType": "String", - "Name": "Comments", + "Name": "MobilePhone", "Option": "Write" }, { - "CIMType": "String[]", - "Name": 
"ExceptIfRecipientDomainIs", + "CIMType": "String", + "Name": "Office", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentTo", + "CIMType": "Boolean", + "Name": "PasswordNeverExpires", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentToMemberOf", + "CIMType": "String", + "Name": "PasswordPolicies", "Option": "Write" }, { "CIMType": "String", - "Name": "Name", + "Name": "PhoneNumber", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "Priority", + "CIMType": "String", + "Name": "PostalCode", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RecipientDomainIs", + "CIMType": "String", + "Name": "PreferredLanguage", "Option": "Write" }, { "CIMType": "String", - "Name": "SafeAttachmentPolicy", + "Name": "State", "Option": "Write" }, { "CIMType": "String", - "Name": "SafeLinksPolicy", + "Name": "StreetAddress", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SentTo", + "CIMType": "String", + "Name": "Title", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SentToMemberOf", + "CIMType": "String", + "Name": "UserType", "Option": "Write" }, { - "CIMType": "string", + "CIMType": "String", "Name": "Ensure", "Option": "Write" }, @@ -8027,6 +9197,11 @@ "Name": "TenantId", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, { "CIMType": "String", "Name": "CertificateThumbprint", 
@@ -8045,75 +9220,125 @@ ] }, { - "ClassName": "MSFT_EXOAuthenticationPolicy", + "ClassName": "MSFT_AADUserFlowAttribute", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "AllowBasicAuthActiveSync", - "Option": "write" + "CIMType": "String", + "Name": "Description", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowBasicAuthAutodiscover", - "Option": "write" + "CIMType": "String", + "Name": "DataType", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowBasicAuthImap", - "Option": "write" + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowBasicAuthMapi", - "Option": "write" + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowBasicAuthOfflineAddressBook", - "Option": "write" + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowBasicAuthOutlookService", - "Option": "write" + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowBasicAuthPop", - "Option": "write" + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowBasicAuthPowershell", - "Option": "write" + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowBasicAuthReportingWebServices", - "Option": "write" + "Name": "ManagedIdentity", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowBasicAuthRpc", - "Option": "write" + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityKeyVaultMetadata", + "Parameters": [ + { + "CIMType": "String", + "Name": "SubscriptionId", 
+ "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowBasicAuthSmtp", - "Option": "write" + "CIMType": "String", + "Name": "ResourceGroup", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowBasicAuthWebServices", - "Option": "write" + "CIMType": "String", + "Name": "ResourceName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ResourceUrl", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthority", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "LinkedDomainUrl", + "Option": "Key" }, { "CIMType": "String", + "Name": "DidMethod", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADVerifiedIdAuthorityKeyVaultMetadata", + "Name": "KeyVaultMetadata", + "Option": "Write" + }, + { + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, @@ -8132,19 +9357,14 @@ "Name": "TenantId", "Option": "Write" }, - { - "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" - }, { "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "CertificateThumbprint", "Option": "Write" }, { 
@@ -8160,105 +9380,246 @@ ] }, { - "ClassName": "MSFT_EXOAuthenticationPolicyAssignment", + "ClassName": "MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo", "Parameters": [ { "CIMType": "String", - "Name": "UserName", - "Option": "Key" + "Name": "uri", + "Option": "Write" }, { "CIMType": "String", - "Name": "AuthenticationPolicyName", - "Option": "write" + "Name": "description", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractDisplayCard", + "Parameters": [ + { + "CIMType": "String", + "Name": "title", + "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "issuedBy", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "backgroundColor", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "textColor", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "description", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractDisplayConsent", + "Parameters": [ + { + "CIMType": "String", + "Name": "title", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "instructions", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractDisplayClaims", + "Parameters": [ + { + "CIMType": "String", + "Name": "label", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "String", + "Name": "claim", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "type", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "description", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractDisplayModel", + "Parameters": [ + { + "CIMType": "String", + "Name": "locale", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractClaimMapping", + "Parameters": [ + { + 
"CIMType": "String", + "Name": "inputClaim", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "outputClaim", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "indexed", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "required", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "type", "Option": "Write" } ] }, { - "ClassName": "MSFT_EXOAvailabilityAddressSpace", + "ClassName": "MSFT_AADVerifiedIdAuthorityContractAttestationValues", "Parameters": [ + { + "CIMType": "Boolean", + "Name": "required", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "trustedIssuers", + "Option": "Write" + }, { "CIMType": "String", - "Name": "Identity", - "Option": "Key" + "Name": "credentialType", + "Option": "Write" }, { "CIMType": "String", - "Name": "AccessMethod", + "Name": "configuration", "Option": "Write" }, { "CIMType": "String", - "Name": "Credentials", + "Name": "clientId", "Option": "Write" }, { "CIMType": "String", - "Name": "ForestName", + "Name": "redirectUri", "Option": "Write" }, { "CIMType": "String", - "Name": "TargetAutodiscoverEpr", + "Name": "scopeValue", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractAttestations", + "Parameters": [ + + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractCustomStatusEndpoint", + "Parameters": [ + { + "CIMType": "String", + "Name": "url", "Option": "Write" }, { "CIMType": "String", - "Name": "TargetServiceEpr", + "Name": "type", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractVcType", + "Parameters": [ + { + "CIMType": "String[]", + "Name": "type", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContractRulesModel", + "Parameters": [ + { + "CIMType": "UInt32", + "Name": "validityInterval", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADVerifiedIdAuthorityContract", 
+ "Parameters": [ + { + "CIMType": "String", + "Name": "id", "Option": "Write" }, { "CIMType": "String", - "Name": "TargetTenantId", + "Name": "linkedDomainUrl", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "authorityId", "Option": "Write" }, { "CIMType": "String", + "Name": "name", + "Option": "Key" + }, + { + "CIMType": "MSFT_AADVerifiedIdAuthorityContractDisplayModel[]", + "Name": "displays", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADVerifiedIdAuthorityContractRulesModel", + "Name": "rules", + "Option": "Write" + }, + { + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, @@ -8277,19 +9638,14 @@ "Name": "TenantId", "Option": "Write" }, - { - "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" - }, { "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "CertificateThumbprint", "Option": "Write" }, { @@ -8305,16 +9661,16 @@ ] }, { - "ClassName": "MSFT_EXOAvailabilityConfig", + "ClassName": "MSFT_ADOOrganizationOwner", "Parameters": [ { "CIMType": "String", - "Name": "OrgWideAccount", + "Name": "OrganizationName", "Option": "Key" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "Owner", "Option": "Write" }, { @@ -8337,16 +9693,6 @@ "Name": "CertificateThumbprint", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CertificatePath", - "Option": "Write" - }, { "CIMType": "Boolean", "Name": "ManagedIdentity", 
@@ -8360,201 +9706,221 @@ ] }, { - "ClassName": "MSFT_EXOCalendarProcessing", + "ClassName": "MSFT_ADOPermissionGroup", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "OrganizationName", "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "AddAdditionalResponse", - "Option": "Write" + "CIMType": "String", + "Name": "PrincipalName", + "Option": "Key" }, { "CIMType": "String", - "Name": "AdditionalResponse", + "Name": "DisplayName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AddNewRequestsTentatively", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AddOrganizerToSubject", + "CIMType": "String[]", + "Name": "Members", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllBookInPolicy", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowConflicts", + "CIMType": "String", + "Name": "Descriptor", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowRecurringMeetings", + "CIMType": "String", + "Name": "Level", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllRequestInPolicy", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllRequestOutOfPolicy", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "AutomateProcessing", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "BookingType", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "BookingWindowInDays", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BookInPolicy", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "ConflictPercentageAllowed", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": 
"MSFT_ADOPermission", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "DeleteAttachments", + "CIMType": "String", + "Name": "NamespaceId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DeleteComments", + "CIMType": "String", + "Name": "DisplayName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DeleteNonCalendarItems", + "CIMType": "UInt32", + "Name": "Bit", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DeleteSubject", + "CIMType": "String", + "Name": "Token", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_ADOPermissionGroupSettings", + "Parameters": [ + { + "CIMType": "String", + "Name": "GroupName", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "EnableAutoRelease", + "CIMType": "String", + "Name": "OrganizationName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableResponseDetails", + "CIMType": "String", + "Name": "Descriptor", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnforceCapacity", + "CIMType": "MSFT_ADOPermission[]", + "Name": "AllowPermissions", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnforceSchedulingHorizon", + "CIMType": "MSFT_ADOPermission[]", + "Name": "DenyPermissions", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ForwardRequestsToDelegates", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MaximumConflictInstances", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MaximumDurationInMinutes", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MinimumDurationInMinutes", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "OrganizerInfo", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PostReservationMaxClaimTimeInMinutes", + "CIMType": "String[]", + "Name": 
"AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_ADOSecurityPolicy", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "ProcessExternalMeetingMessages", - "Option": "Write" + "CIMType": "String", + "Name": "OrganizationName", + "Option": "Key" }, { "CIMType": "Boolean", - "Name": "RemoveCanceledMeetings", + "Name": "DisallowAadGuestUserAccess", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RemoveForwardedMeetingNotifications", + "Name": "DisallowOAuthAuthentication", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RemoveOldMeetingMessages", + "Name": "DisallowSecureShell", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RemovePrivateProperty", + "Name": "LogAuditEvents", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RequestInPolicy", + "CIMType": "Boolean", + "Name": "AllowAnonymousAccess", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RequestOutOfPolicy", + "CIMType": "Boolean", + "Name": "ArtifactsExternalPackageProtectionToken", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ResourceDelegates", + "CIMType": "Boolean", + "Name": "EnforceAADConditionalAccess", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ScheduleOnlyDuringWorkHours", + "Name": "AllowTeamAdminsInvitationsAccessToken", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "TentativePendingApproval", + "Name": "AllowRequestAccessToken", "Option": "Write" }, { @@ -8562,11 +9928,6 @@ "Name": "Credential", "Option": "Write" }, - { - "CIMType": "String", - "Name": "Ensure", - "Option": "Write" - }, { "CIMType": "String", "Name": "ApplicationId", @@ -8582,16 +9943,6 @@ "Name": "CertificateThumbprint", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CertificatePath", - "Option": "Write" - }, { "CIMType": "Boolean", "Name": "ManagedIdentity", 
@@ -8605,11 +9956,11 @@ ] }, { - "ClassName": "MSFT_EXOCASMailboxPlan", + "ClassName": "MSFT_AzureBillingAccountsAssociatedTenant", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "AssociatedTenantId", "Option": "Key" }, { @@ -8619,27 +9970,22 @@ }, { "CIMType": "String", - "Name": "Ensure", + "Name": "BillingAccount", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ActiveSyncEnabled", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ImapEnabled", + "CIMType": "String", + "Name": "BillingManagementState", "Option": "Write" }, { "CIMType": "String", - "Name": "OwaMailboxPolicy", + "Name": "ProvisioningManagementState", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PopEnabled", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { @@ -8662,16 +10008,6 @@ "Name": "CertificateThumbprint", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CertificatePath", - "Option": "Write" - }, { "CIMType": "Boolean", "Name": "ManagedIdentity", 
@@ -8685,181 +10021,121 @@ ] }, { - "ClassName": "MSFT_EXOCASMailboxSettings", + "ClassName": "MSFT_AzureBillingaccountsRoleAssignment", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "PrincipalName", "Option": "Key" }, { - "CIMType": "String[]", - "Name": "ActiveSyncAllowedDeviceIDs", - "Option": "Write" + "CIMType": "String", + "Name": "RoleDefinition", + "Option": "Key" }, { - "CIMType": "String[]", - "Name": "ActiveSyncBlockedDeviceIDs", + "CIMType": "String", + "Name": "PrincipalType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ActiveSyncDebugLogging", + "CIMType": "String", + "Name": "BillingAccount", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ActiveSyncEnabled", + "CIMType": "String", + "Name": "PrincipalTenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "ActiveSyncMailboxPolicy", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ActiveSyncSuppressReadReceipt", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EwsAllowEntourage", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "EwsAllowList", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "EwsAllowMacOutlook", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "EwsAllowOutlook", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "EwsApplicationAccessPolicy", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "EwsBlockList", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "EwsEnabled", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ImapEnabled", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "ImapMessagesRetrievalMimeFormat", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ImapForceICalForCalendarRetrievalOption", - "Option": "Write" - }, - { - 
"CIMType": "Boolean", - "Name": "ImapSuppressReadReceipt", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ImapUseProtocolDefaults", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "MacOutlookEnabled", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "MAPIEnabled", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "OneWinNativeOutlookEnabled", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "OutlookMobileEnabled", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "OWAEnabled", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OWAforDevicesEnabled", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AzureDiagnosticSettingsCategory", + "Parameters": [ { "CIMType": "String", - "Name": "OwaMailboxPolicy", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "PopEnabled", + "Name": "Category", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PopForceICalForCalendarRetrievalOption", + "Name": "enabled", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AzureDiagnosticSettings", + "Parameters": [ { "CIMType": "String", - "Name": "PopMessagesRetrievalMimeFormat", - "Option": "Write" + "Name": "Name", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "PopSuppressReadReceipt", + "CIMType": "MSFT_AzureDiagnosticSettingsCategory[]", + "Name": "Categories", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PopUseProtocolDefaults", + "CIMType": "String", + "Name": "StorageAccountId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PublicFolderClientAccess", + "CIMType": "String", + "Name": "ServiceBusRuleId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ShowGalAsDefaultView", + "CIMType": "String", + "Name": "EventHubAuthorizationRuleId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": 
"SmtpClientAuthenticationDisabled", + "CIMType": "String", + "Name": "EventHubName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "UniversalOutlookEnabled", + "CIMType": "String", + "Name": "WorkspaceId", "Option": "Write" }, { @@ -8887,16 +10163,6 @@ "Name": "CertificateThumbprint", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CertificatePath", - "Option": "Write" - }, { "CIMType": "Boolean", "Name": "ManagedIdentity", 
@@ -8910,80 +10176,60 @@ ] }, { - "ClassName": "MSFT_EXOClientAccessRule", + "ClassName": "MSFT_AzureDiagnosticSettingsCustomSecurityAttributeCategory", "Parameters": [ { "CIMType": "String", - "Name": "Identity", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "Action", - "Option": "Required" - }, - { - "CIMType": "String[]", - "Name": "AnyOfAuthenticationTypes", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AnyOfClientIPAddressesOrRanges", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AnyOfProtocols", + "Name": "Category", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "Enabled", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "ExceptAnyOfAuthenticationTypes", + "Name": "enabled", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_AzureDiagnosticSettingsCustomSecurityAttribute", + "Parameters": [ { - "CIMType": "String[]", - "Name": "ExceptAnyOfClientIPAddressesOrRanges", - "Option": "Write" + "CIMType": "String", + "Name": "Name", + "Option": "Key" }, { - "CIMType": "String[]", - "Name": "ExceptAnyOfProtocols", + "CIMType": "MSFT_AzureDiagnosticSettingsCustomSecurityAttributeCategory[]", + "Name": "Categories", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptUsernameMatchesAnyOfPatterns", + "CIMType": "String", + "Name": "StorageAccountId", "Option": "Write" }, { - "CIMType": "uint32", - "Name": "Priority", + "CIMType": "String", + "Name": "ServiceBusRuleId", "Option": "Write" }, { "CIMType": "String", - "Name": "RuleScope", + "Name": "EventHubAuthorizationRuleId", "Option": "Write" }, { "CIMType": "String", - "Name": "UserRecipientFilter", + "Name": "EventHubName", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "UsernameMatchesAnyOfPatterns", + "CIMType": "String", + "Name": "WorkspaceId", "Option": "Write" }, { - "CIMType": "String", + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, 
@@ -9007,16 +10253,6 @@ "Name": "CertificateThumbprint", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CertificatePath", - "Option": "Write" - }, { "CIMType": "Boolean", "Name": "ManagedIdentity", @@ -9030,40 +10266,30 @@ ] }, { - "ClassName": "MSFT_EXODataClassification", + "ClassName": "MSFT_AzureSubscription", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "DisplayName", "Option": "Key" }, { "CIMType": "String", - "Name": "Description", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "Fingerprints", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "IsDefault", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "Locale", + "Name": "InvoiceSectionId", "Option": "Write" }, { "CIMType": "String", - "Name": "Name", + "Name": "Status", "Option": "Write" }, { - "CIMType": "String", + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, @@ -9087,16 +10313,6 @@ "Name": "CertificateThumbprint", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CertificatePath", - "Option": "Write" - }, { "CIMType": "Boolean", "Name": "ManagedIdentity", 
@@ -9110,45 +10326,35 @@ ] }, { - "ClassName": "MSFT_EXODataEncryptionPolicy", + "ClassName": "MSFT_AzureVerifiedIdFaceCheck", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "SubscriptionId", "Option": "Key" }, - { - "CIMType": "String[]", - "Name": "AzureKeyIDs", - "Option": "Write" - }, { "CIMType": "String", - "Name": "Description", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "Enabled", - "Option": "Write" + "Name": "ResourceGroupName", + "Option": "Key" }, { "CIMType": "String", - "Name": "Name", - "Option": "Write" + "Name": "VerifiedIdAuthorityId", + "Option": "Key" }, { - "CIMType": "String", - "Name": "PermanentDataPurgeContact", + "CIMType": "Boolean", + "Name": "FaceCheckEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "PermanentDataPurgeReason", + "Name": "VerifiedIdAuthorityLocation", "Option": "Write" }, { - "CIMType": "String", + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, @@ -9172,16 +10378,6 @@ "Name": "CertificateThumbprint", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CertificatePath", - "Option": "Write" - }, { "CIMType": "Boolean", "Name": "ManagedIdentity", 
@@ -9195,226 +10391,266 @@ ] }, { - "ClassName": "MSFT_EXODistributionGroup", + "ClassName": "MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams", "Parameters": [ { "CIMType": "String", - "Name": "Identity", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "Name", - "Option": "Required" + "Name": "DataType", + "Option": "Write" }, { "CIMType": "String", - "Name": "Alias", + "Name": "Type", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BccBlocked", + "CIMType": "String", + "Name": "KeyVaultUrl", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BypassNestedModerationEnabled", + "CIMType": "String", + "Name": "KeyVaultSecretName", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "Domain", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", + "Name": "Username", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "HiddenGroupMembershipEnabled", + "Name": "IsGMSAUser", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ManagedBy", + "CIMType": "String", + "Name": "CommunityString", "Option": "Write" }, { "CIMType": "String", - "Name": "MemberDepartRestriction", + "Name": "AuthProtocol", "Option": "Write" }, { "CIMType": "String", - "Name": "MemberJoinRestriction", + "Name": "AuthPassword", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Members", + "CIMType": "String", + "Name": "PrivProtocol", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ModeratedBy", + "CIMType": "String", + "Name": "PrivPassword", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "ModerationEnabled", + "CIMType": "String", + "Name": "id", "Option": "Write" }, { "CIMType": "String", - "Name": "Notes", + "Name": "machineId", "Option": "Write" }, { "CIMType": "String", - "Name": "OrganizationalUnit", + "Name": "machineName", "Option": "Write" + } + ] + }, + { 
+ "ClassName": "MSFT_DefenderDeviceAuthenticatedScanDefinition", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" }, { "CIMType": "String", - "Name": "PrimarySmtpAddress", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "RequireSenderAuthenticationEnabled", + "CIMType": "UInt32", + "Name": "IntervalInHours", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Target", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RoomList", + "Name": "IsActive", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AcceptMessagesOnlyFrom", + "CIMType": "String", + "Name": "ScanType", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AcceptMessagesOnlyFromDLMembers", + "CIMType": "MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent", + "Name": "ScannerAgent", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AcceptMessagesOnlyFromSendersOrMembers", + "CIMType": "MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams", + "Name": "ScanAuthenticationParams", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute1", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute2", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "CustomAttribute3", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "CustomAttribute4", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "CustomAttribute5", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute6", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute7", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_DefenderSubscriptionPlan", + "Parameters": [ + { + "CIMType": 
"String", + "Name": "SubscriptionName", + "Option": "Key" }, { "CIMType": "String", - "Name": "CustomAttribute8", - "Option": "Write" + "Name": "PlanName", + "Option": "Key" }, { "CIMType": "String", - "Name": "CustomAttribute9", + "Name": "SubscriptionId", "Option": "Write" }, { "CIMType": "String", - "Name": "CustomAttribute10", + "Name": "PricingTier", "Option": "Write" }, { "CIMType": "String", - "Name": "CustomAttribute11", + "Name": "SubPlanName", "Option": "Write" }, { "CIMType": "String", - "Name": "CustomAttribute12", + "Name": "Extensions", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute13", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute14", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "CustomAttribute15", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EmailAddresses", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "GrantSendOnBehalfTo", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "HiddenFromAddressListsEnabled", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SendOofMessageToOriginatorEnabled", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOAcceptedDomain", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" }, { "CIMType": "String", - "Name": "SendModerationNotifications", + "Name": "Ensure", "Option": "Write" }, { "CIMType": "String", - "Name": "Type", + "Name": "DomainType", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "MatchSubDomains", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "OutboundOnly", "Option": "Write" }, { 
@@ -9460,7 +10696,7 @@ ] }, { - "ClassName": "MSFT_EXODkimSigningConfig", + "ClassName": "MSFT_EXOActiveSyncDeviceAccessRule", "Parameters": [ { "CIMType": "String", @@ -9469,27 +10705,17 @@ }, { "CIMType": "String", - "Name": "AdminDisplayName", + "Name": "AccessLevel", "Option": "Write" }, { "CIMType": "String", - "Name": "BodyCanonicalization", + "Name": "Characteristic", "Option": "Write" }, { "CIMType": "String", - "Name": "HeaderCanonicalization", - "Option": "Write" - }, - { - "CIMType": "Uint16", - "Name": "KeySize", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "Enabled", + "Name": "QueryString", "Option": "Write" }, { 
@@ -9540,310 +10766,285 @@ ] }, { - "ClassName": "MSFT_EXODnssecForVerifiedDomain", + "ClassName": "MSFT_EXOActiveSyncMailboxPolicy", "Parameters": [ { "CIMType": "String", - "Name": "DomainName", - "Option": "Key" - }, - { - "CIMType": "string", - "Name": "DnssecFeatureStatus", + "Name": "Name", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "AllowApplePushNotifications", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "AllowBluetooth", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "AllowBrowser", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "AllowCamera", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "AllowConsumerEmail", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "AllowDesktopSync", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOEmailAddressPolicy", - "Parameters": [ - { - "CIMType": "String", - "Name": "Name", - "Option": "Key" }, { - "CIMType": "String", - "Name": "Priority", + "CIMType": "Boolean", + "Name": "AllowExternalDeviceManagement", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EnabledEmailAddressTemplates", + "CIMType": "Boolean", + "Name": "AllowHTMLEmail", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EnabledPrimarySMTPAddressTemplate", + "CIMType": "Boolean", + "Name": "AllowInternetSharing", "Option": "Write" }, { - "CIMType": "String", - "Name": "ManagedByFilter", + "CIMType": "Boolean", + "Name": "AllowIrDA", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "AllowMobileOTAUpdate", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "AllowNonProvisionableDevices", "Option": 
"Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "AllowPOPIMAPEmail", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "AllowRemoteDesktop", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "AllowSimpleDevicePassword", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "String", + "Name": "AllowSMIMEEncryptionAlgorithmNegotiation", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificatePath", + "CIMType": "Boolean", + "Name": "AllowSMIMESoftCerts", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "AllowStorageCard", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "AllowTextMessaging", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOEmailTenantSettings", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "IsSingleInstance", - "Option": "Key" + "CIMType": "Boolean", + "Name": "AllowUnsignedApplications", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Identity", + "CIMType": "Boolean", + "Name": "AllowUnsignedInstallationPackages", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnablePriorityAccountProtection", + "Name": "AllowWiFi", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsValid", + "Name": "AlphanumericDevicePasswordRequired", "Option": "Write" }, { - "CIMType": "String", - "Name": "ObjectState", + "CIMType": "String[]", + "Name": "ApprovedApplicationList", "Option": "Write" }, { - "CIMType": "String", - "Name": "Name", + "CIMType": "Boolean", + "Name": "AttachmentsEnabled", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "DeviceEncryptionEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + 
"CIMType": "Boolean", + "Name": "DevicePasswordEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "DevicePasswordExpiration", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Sint32", + "Name": "DevicePasswordHistory", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "DevicePolicyRefreshInterval", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "Boolean", + "Name": "IrmEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "IsDefault", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "IsDefaultPolicy", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOEOPProtectionPolicyRule", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Comments", + "Name": "MaxAttachmentSize", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfRecipientDomainIs", + "CIMType": "String", + "Name": "MaxCalendarAgeFilter", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentTo", + "CIMType": "String", + "Name": "MaxDevicePasswordFailedAttempts", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentToMemberOf", + "CIMType": "String", + "Name": "MaxEmailAgeFilter", "Option": "Write" }, { "CIMType": "String", - "Name": "Identity", - "Option": "Key" + "Name": "MaxEmailBodyTruncationSize", + "Option": "Write" }, { "CIMType": "String", - "Name": "State", + "Name": "MaxEmailHTMLBodyTruncationSize", "Option": "Write" }, { "CIMType": "String", - "Name": "Name", + "Name": "MaxInactivityTimeDeviceLock", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "Priority", + "CIMType": "Sint32", + "Name": "MinDevicePasswordComplexCharacters", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RecipientDomainIs", + "CIMType": "Sint32", + "Name": "MinDevicePasswordLength", 
"Option": "Write" }, { - "CIMType": "String[]", - "Name": "SentTo", + "CIMType": "Boolean", + "Name": "PasswordRecoveryEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SentToMemberOf", + "CIMType": "Boolean", + "Name": "RequireDeviceEncryption", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "RequireEncryptedSMIMEMessages", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "RequireEncryptionSMIMEAlgorithm", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "RequireManualSyncWhenRoaming", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "RequireSignedSMIMEAlgorithm", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "RequireSignedSMIMEMessages", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "RequireStorageCardEncryption", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOExternalInOutlook", - "Parameters": [ + }, { - "CIMType": "string", - "Name": "Identity", - "Option": "Key" + "CIMType": "String[]", + "Name": "UnapprovedInROMApplicationList", + "Option": "Write" }, { "CIMType": "Boolean", - "Name": "Enabled", + "Name": "UNCAccessEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AllowList", + "CIMType": "Boolean", + "Name": "WSSAccessEnabled", "Option": "Write" }, { - "CIMType": "string", + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String", "Name": "Ensure", "Option": "Write" }, 
@@ -9868,28 +11069,43 @@ "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" } ] }, { - "ClassName": "MSFT_EXOFocusedInbox", + "ClassName": "MSFT_EXOAddressBookPolicy", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "Name", "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "FocusedInboxOn", + "CIMType": "String[]", + "Name": "AddressLists", "Option": "Write" }, { - "CIMType": "DateTime", - "Name": "FocusedInboxOnLastUpdateTime", + "CIMType": "String", + "Name": "GlobalAddressList", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OfflineAddressBook", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RoomList", "Option": "Write" }, { @@ -9917,6 +11133,16 @@ "Name": "CertificateThumbprint", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, { "CIMType": "Boolean", "Name": "ManagedIdentity", @@ -9930,7 +11156,7 @@ ] }, { - "ClassName": "MSFT_EXOGlobalAddressList", + "ClassName": "MSFT_EXOAddressList", "Parameters": [ { "CIMType": "String", @@ -10027,6 +11253,11 @@ "Name": "ConditionalStateOrProvince", "Option": "Write" }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Write" + }, { "CIMType": "String[]", "Name": "IncludedRecipients", 
@@ -10085,266 +11316,296 @@ ] }, { - "ClassName": "MSFT_EXOGroupSettings", + "ClassName": "MSFT_EXOAntiPhishPolicy", "Parameters": [ { - "CIMType": "string", - "Name": "DisplayName", + "CIMType": "String", + "Name": "Identity", "Option": "Key" }, { - "CIMType": "string", - "Name": "Id", + "CIMType": "String", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "string[]", - "Name": "AcceptMessagesOnlyFromSendersOrMembers", + "CIMType": "String", + "Name": "AdminDisplayName", "Option": "Write" }, { - "CIMType": "string", - "Name": "AccessType", + "CIMType": "UInt32", + "Name": "PhishThresholdLevel", "Option": "Write" }, { - "CIMType": "boolean", - "Name": "AlwaysSubscribeMembersToCalendarEvents", + "CIMType": "String", + "Name": "AuthenticationFailAction", "Option": "Write" }, { - "CIMType": "string", - "Name": "AuditLogAgeLimit", + "CIMType": "String", + "Name": "TargetedUserProtectionAction", "Option": "Write" }, { - "CIMType": "boolean", - "Name": "AutoSubscribeNewMembers", + "CIMType": "Boolean", + "Name": "Enabled", "Option": "Write" }, { - "CIMType": "boolean", - "Name": "CalendarMemberReadOnly", + "CIMType": "Boolean", + "Name": "EnableFirstContactSafetyTips", "Option": "Write" }, { - "CIMType": "string", - "Name": "Classification", + "CIMType": "Boolean", + "Name": "EnableMailboxIntelligence", "Option": "Write" }, { - "CIMType": "boolean", - "Name": "ConnectorsEnabled", + "CIMType": "Boolean", + "Name": "EnableMailboxIntelligenceProtection", "Option": "Write" }, { - "CIMType": "string", - "Name": "CustomAttribute1", + "CIMType": "Boolean", + "Name": "EnableOrganizationDomainsProtection", "Option": "Write" }, { - "CIMType": "string", - "Name": "CustomAttribute2", + "CIMType": "Boolean", + "Name": "EnableSimilarDomainsSafetyTips", "Option": "Write" }, { - "CIMType": "string", - "Name": "CustomAttribute3", + "CIMType": "Boolean", + "Name": "EnableSimilarUsersSafetyTips", "Option": "Write" }, { - "CIMType": "string", - "Name": "CustomAttribute4", + 
"CIMType": "Boolean", + "Name": "EnableSpoofIntelligence", "Option": "Write" }, { - "CIMType": "string", - "Name": "CustomAttribute5", + "CIMType": "Boolean", + "Name": "EnableTargetedDomainsProtection", "Option": "Write" }, { - "CIMType": "string", - "Name": "CustomAttribute6", + "CIMType": "Boolean", + "Name": "EnableTargetedUserProtection", "Option": "Write" }, { - "CIMType": "string", - "Name": "CustomAttribute7", + "CIMType": "Boolean", + "Name": "EnableUnauthenticatedSender", "Option": "Write" }, { - "CIMType": "string", - "Name": "CustomAttribute8", + "CIMType": "Boolean", + "Name": "EnableUnusualCharactersSafetyTips", "Option": "Write" }, { - "CIMType": "string", - "Name": "CustomAttribute9", + "CIMType": "Boolean", + "Name": "EnableViaTag", "Option": "Write" }, { - "CIMType": "string", - "Name": "CustomAttribute10", + "CIMType": "Boolean", + "Name": "MakeDefault", "Option": "Write" }, { - "CIMType": "string", - "Name": "CustomAttribute11", + "CIMType": "String[]", + "Name": "ExcludedDomains", "Option": "Write" }, { - "CIMType": "string", - "Name": "CustomAttribute12", + "CIMType": "String[]", + "Name": "ExcludedSenders", "Option": "Write" }, { - "CIMType": "string", - "Name": "CustomAttribute13", + "CIMType": "Boolean", + "Name": "HonorDmarcPolicy", "Option": "Write" }, { - "CIMType": "string", - "Name": "CustomAttribute14", + "CIMType": "String", + "Name": "ImpersonationProtectionState", "Option": "Write" }, { - "CIMType": "string", - "Name": "CustomAttribute15", + "CIMType": "String", + "Name": "MailboxIntelligenceProtectionAction", "Option": "Write" }, { - "CIMType": "string", - "Name": "DataEncryptionPolicy", + "CIMType": "String[]", + "Name": "MailboxIntelligenceProtectionActionRecipients", "Option": "Write" }, { - "CIMType": "string[]", - "Name": "EmailAddresses", + "CIMType": "String", + "Name": "MailboxIntelligenceQuarantineTag", "Option": "Write" }, { - "CIMType": "string", - "Name": "ExtensionCustomAttribute1", + "CIMType": "String", + "Name": 
"SpoofQuarantineTag", "Option": "Write" }, { - "CIMType": "string", - "Name": "ExtensionCustomAttribute2", + "CIMType": "String[]", + "Name": "TargetedDomainActionRecipients", "Option": "Write" }, { - "CIMType": "string", - "Name": "ExtensionCustomAttribute3", + "CIMType": "String", + "Name": "TargetedDomainProtectionAction", "Option": "Write" }, { - "CIMType": "string", - "Name": "ExtensionCustomAttribute4", + "CIMType": "String[]", + "Name": "TargetedDomainsToProtect", "Option": "Write" }, { - "CIMType": "string", - "Name": "ExtensionCustomAttribute5", + "CIMType": "String", + "Name": "TargetedDomainQuarantineTag", "Option": "Write" }, { - "CIMType": "string[]", - "Name": "GrantSendOnBehalfTo", + "CIMType": "String[]", + "Name": "TargetedUserActionRecipients", "Option": "Write" }, { - "CIMType": "boolean", - "Name": "HiddenFromAddressListsEnabled", + "CIMType": "String[]", + "Name": "TargetedUsersToProtect", "Option": "Write" }, { - "CIMType": "boolean", - "Name": "HiddenFromExchangeClientsEnabled", + "CIMType": "String", + "Name": "TargetedUserQuarantineTag", "Option": "Write" }, { - "CIMType": "string", - "Name": "InformationBarrierMode", + "CIMType": "String", + "Name": "DmarcQuarantineAction", "Option": "Write" }, { - "CIMType": "boolean", - "Name": "IsMemberAllowedToEditContent", + "CIMType": "String", + "Name": "DmarcRejectAction", "Option": "Write" }, { - "CIMType": "string", - "Name": "Language", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "string", - "Name": "MailboxRegion", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "string", - "Name": "MailTip", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "string", - "Name": "MailTipTranslations", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "string", - "Name": "MaxReceiveSize", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", 
"Option": "Write" }, { - "CIMType": "string", - "Name": "MaxSendSize", + "CIMType": "String", + "Name": "CertificatePath", "Option": "Write" }, { - "CIMType": "string[]", - "Name": "ModeratedBy", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "boolean", - "Name": "ModerationEnabled", + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOAntiPhishRule", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "string", - "Name": "Notes", + "CIMType": "String", + "Name": "AntiPhishPolicy", + "Option": "Required" + }, + { + "CIMType": "Boolean", + "Name": "Enabled", "Option": "Write" }, { - "CIMType": "string", - "Name": "PrimarySmtpAddress", + "CIMType": "uint32", + "Name": "Priority", "Option": "Write" }, { - "CIMType": "string[]", - "Name": "RejectMessagesFromSendersOrMembers", + "CIMType": "String", + "Name": "Comments", "Option": "Write" }, { - "CIMType": "boolean", - "Name": "RequireSenderAuthenticationEnabled", + "CIMType": "String[]", + "Name": "ExceptIfRecipientDomainIs", "Option": "Write" }, { - "CIMType": "string", - "Name": "SensitivityLabelId", + "CIMType": "String[]", + "Name": "ExceptIfSentTo", "Option": "Write" }, { - "CIMType": "boolean", - "Name": "SubscriptionEnabled", + "CIMType": "String[]", + "Name": "ExceptIfSentToMemberOf", "Option": "Write" }, { - "CIMType": "boolean", - "Name": "UnifiedGroupWelcomeMessageEnabled", + "CIMType": "String[]", + "Name": "RecipientDomainIs", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SentTo", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SentToMemberOf", "Option": "Write" }, { @@ -10390,7 +11651,7 @@ ] }, { - "ClassName": "MSFT_EXOHostedConnectionFilterPolicy", + "ClassName": "MSFT_EXOApplicationAccessPolicy", "Parameters": [ { "CIMType": "String", 
@@ -10399,27 +11660,22 @@ }, { "CIMType": "String", - "Name": "AdminDisplayName", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "EnableSafeList", + "Name": "AccessRight", "Option": "Write" }, { "CIMType": "String[]", - "Name": "IPAllowList", + "Name": "AppID", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "IPBlockList", + "CIMType": "String", + "Name": "PolicyScopeGroupId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MakeDefault", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { 
@@ -10470,275 +11726,265 @@ ] }, { - "ClassName": "MSFT_EXOHostedContentFilterPolicy", + "ClassName": "MSFT_EXOArcConfig", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "IsSingleInstance", "Option": "Key" }, { "CIMType": "String", - "Name": "AddXHeaderValue", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "AdminDisplayName", + "Name": "Identity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "AllowedSenderDomains", + "Name": "ArcTrustedSealers", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AllowedSenders", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockedSenderDomains", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockedSenders", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "BulkQuarantineTag", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "BulkSpamAction", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "BulkThreshold", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOATPBuiltInProtectionRule", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "DownloadLink", + "CIMType": "String", + "Name": "Comments", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableEndUserSpamNotifications", + "CIMType": "String[]", + "Name": "ExceptIfRecipientDomainIs", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableLanguageBlockList", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "EnableRegionBlockList", + "CIMType": "String[]", + "Name": "ExceptIfSentTo", "Option": "Write" }, { - "CIMType": "String", - "Name": "EndUserSpamNotificationCustomSubject", + 
"CIMType": "String[]", + "Name": "ExceptIfSentToMemberOf", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "EndUserSpamNotificationFrequency", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "EndUserSpamNotificationLanguage", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "HighConfidencePhishAction", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "HighConfidencePhishQuarantineTag", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "HighConfidenceSpamAction", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "HighConfidenceSpamQuarantineTag", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "IncreaseScoreWithBizOrInfoUrls", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXOAtpPolicyForO365", + "Parameters": [ { "CIMType": "String", - "Name": "IncreaseScoreWithImageLinks", - "Option": "Write" + "Name": "IsSingleInstance", + "Option": "Key" }, { "CIMType": "String", - "Name": "IncreaseScoreWithNumericIps", + "Name": "Identity", "Option": "Write" }, { "CIMType": "String", - "Name": "IncreaseScoreWithRedirectToOtherPort", + "Name": "Ensure", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "InlineSafetyTipsEnabled", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "IntraOrgFilterState", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "LanguageBlockList", + "Name": "AllowSafeDocsOpen", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "MakeDefault", + "Name": "EnableATPForSPOTeamsODB", "Option": "Write" }, { - "CIMType": "String", - "Name": "MarkAsSpamBulkMail", + "CIMType": "Boolean", + "Name": "EnableSafeDocs", "Option": "Write" }, { - "CIMType": "String", - "Name": 
"MarkAsSpamEmbedTagsInHtml", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "MarkAsSpamEmptyMessages", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "MarkAsSpamFormTagsInHtml", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "MarkAsSpamFramesInHtml", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "MarkAsSpamFromAddressAuthFail", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { "CIMType": "String", - "Name": "MarkAsSpamJavaScriptInHtml", + "Name": "CertificatePath", "Option": "Write" }, { - "CIMType": "String", - "Name": "MarkAsSpamNdrBackscatter", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "MarkAsSpamObjectTagsInHtml", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXOAtpProtectionPolicyRule", + "Parameters": [ { "CIMType": "String", - "Name": "MarkAsSpamSensitiveWordList", - "Option": "Write" + "Name": "Identity", + "Option": "Key" }, { - "CIMType": "String", - "Name": "MarkAsSpamSpfRecordHardFail", + "CIMType": "Boolean", + "Name": "Enabled", "Option": "Write" }, { "CIMType": "String", - "Name": "MarkAsSpamWebBugsInHtml", + "Name": "Comments", "Option": "Write" }, { - "CIMType": "String", - "Name": "ModifySubjectValue", + "CIMType": "String[]", + "Name": "ExceptIfRecipientDomainIs", "Option": "Write" }, { - "CIMType": "String", - "Name": "PhishSpamAction", + "CIMType": "String[]", + "Name": "ExceptIfSentTo", "Option": "Write" }, { - "CIMType": "String", - "Name": "PhishQuarantineTag", + "CIMType": "String[]", + "Name": "ExceptIfSentToMemberOf", "Option": "Write" }, { "CIMType": "String", - "Name": "SpamQuarantineTag", + "Name": "Name", "Option": "Write" }, { "CIMType": "UInt32", - "Name": "QuarantineRetentionPeriod", - "Option": 
"Write" - }, - { - "CIMType": "String[]", - "Name": "RedirectToRecipients", + "Name": "Priority", "Option": "Write" }, { "CIMType": "String[]", - "Name": "RegionBlockList", + "Name": "RecipientDomainIs", "Option": "Write" }, { "CIMType": "String", - "Name": "SpamAction", + "Name": "SafeAttachmentPolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "TestModeAction", + "Name": "SafeLinksPolicy", "Option": "Write" }, { "CIMType": "String[]", - "Name": "TestModeBccToRecipients", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "PhishZapEnabled", + "Name": "SentTo", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SpamZapEnabled", + "CIMType": "String[]", + "Name": "SentToMemberOf", "Option": "Write" }, { - "CIMType": "String", + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, @@ -10762,16 +12008,6 @@ "Name": "CertificateThumbprint", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CertificatePath", - "Option": "Write" - }, { "CIMType": "Boolean", "Name": "ManagedIdentity", @@ -10785,7 +12021,7 @@ ] }, { - "ClassName": "MSFT_EXOHostedContentFilterRule", + "ClassName": "MSFT_EXOAuthenticationPolicy", "Parameters": [ { "CIMType": "String", 
@@ -10793,54 +12029,124 @@ "Option": "Key" }, { - "CIMType": "String", - "Name": "HostedContentFilterPolicy", - "Option": "Required" + "CIMType": "Boolean", + "Name": "AllowBasicAuthActiveSync", + "Option": "write" }, { "CIMType": "Boolean", - "Name": "Enabled", + "Name": "AllowBasicAuthAutodiscover", + "Option": "write" + }, + { + "CIMType": "Boolean", + "Name": "AllowBasicAuthImap", + "Option": "write" + }, + { + "CIMType": "Boolean", + "Name": "AllowBasicAuthMapi", + "Option": "write" + }, + { + "CIMType": "Boolean", + "Name": "AllowBasicAuthOfflineAddressBook", + "Option": "write" + }, + { + "CIMType": "Boolean", + "Name": "AllowBasicAuthOutlookService", + "Option": "write" + }, + { + "CIMType": "Boolean", + "Name": "AllowBasicAuthPop", + "Option": "write" + }, + { + "CIMType": "Boolean", + "Name": "AllowBasicAuthPowershell", + "Option": "write" + }, + { + "CIMType": "Boolean", + "Name": "AllowBasicAuthReportingWebServices", + "Option": "write" + }, + { + "CIMType": "Boolean", + "Name": "AllowBasicAuthRpc", + "Option": "write" + }, + { + "CIMType": "Boolean", + "Name": "AllowBasicAuthSmtp", + "Option": "write" + }, + { + "CIMType": "Boolean", + "Name": "AllowBasicAuthWebServices", + "Option": "write" + }, + { + "CIMType": "String", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "uint32", - "Name": "Priority", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "Comments", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfRecipientDomainIs", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentTo", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentToMemberOf", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RecipientDomainIs", + "CIMType": 
"String", + "Name": "CertificatePath", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SentTo", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "SentToMemberOf", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOAuthenticationPolicyAssignment", + "Parameters": [ + { + "CIMType": "String", + "Name": "UserName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "AuthenticationPolicyName", + "Option": "write" }, { "CIMType": "String", @@ -10890,7 +12196,7 @@ ] }, { - "ClassName": "MSFT_EXOHostedOutboundSpamFilterPolicy", + "ClassName": "MSFT_EXOAvailabilityAddressSpace", "Parameters": [ { "CIMType": "String", 
@@ -10899,53 +12205,88 @@ }, { "CIMType": "String", - "Name": "AdminDisplayName", + "Name": "AccessMethod", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BccSuspiciousOutboundAdditionalRecipients", + "CIMType": "String", + "Name": "Credentials", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BccSuspiciousOutboundMail", + "CIMType": "String", + "Name": "ForestName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "NotifyOutboundSpam", + "CIMType": "String", + "Name": "TargetAutodiscoverEpr", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "NotifyOutboundSpamRecipients", + "CIMType": "String", + "Name": "TargetServiceEpr", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "RecipientLimitInternalPerHour", + "CIMType": "String", + "Name": "TargetTenantId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "RecipientLimitPerDay", + "CIMType": "String", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "RecipientLimitExternalPerHour", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "ActionWhenThresholdReached", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "AutoForwardingMode", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOAvailabilityConfig", + "Parameters": [ + { + "CIMType": "String", + "Name": "OrgWideAccount", + "Option": "Key" }, { "CIMType": "String", 
@@ -10995,7 +12336,7 @@ ] }, { - "ClassName": "MSFT_EXOHostedOutboundSpamFilterRule", + "ClassName": "MSFT_EXOCalendarProcessing", "Parameters": [ { "CIMType": "String", 
@@ -11003,193 +12344,193 @@ "Option": "Key" }, { - "CIMType": "String", - "Name": "HostedOutboundSpamFilterPolicy", - "Option": "Required" + "CIMType": "Boolean", + "Name": "AddAdditionalResponse", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Enabled", + "CIMType": "String", + "Name": "AdditionalResponse", "Option": "Write" }, { - "CIMType": "uint32", - "Name": "Priority", + "CIMType": "Boolean", + "Name": "AddNewRequestsTentatively", "Option": "Write" }, { - "CIMType": "String", - "Name": "Comments", + "CIMType": "Boolean", + "Name": "AddOrganizerToSubject", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSenderDomainIs", + "CIMType": "Boolean", + "Name": "AllBookInPolicy", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfFrom", + "CIMType": "Boolean", + "Name": "AllowConflicts", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfFromMemberOf", + "CIMType": "Boolean", + "Name": "AllowRecurringMeetings", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SenderDomainIs", + "CIMType": "Boolean", + "Name": "AllRequestInPolicy", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "From", + "CIMType": "Boolean", + "Name": "AllRequestOutOfPolicy", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "FromMemberOf", + "CIMType": "String", + "Name": "AutomateProcessing", "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "BookingType", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "UInt32", + "Name": "BookingWindowInDays", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "String[]", + "Name": "BookInPolicy", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "UInt32", + "Name": "ConflictPercentageAllowed", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "DeleteAttachments", "Option": 
"Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "Boolean", + "Name": "DeleteComments", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificatePath", + "CIMType": "Boolean", + "Name": "DeleteNonCalendarItems", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "DeleteSubject", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "EnableAutoRelease", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOInboundConnector", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "Identity", - "Option": "Key" + "CIMType": "Boolean", + "Name": "EnableResponseDetails", + "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AssociatedAcceptedDomains", + "CIMType": "Boolean", + "Name": "EnforceCapacity", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CloudServicesMailEnabled", + "Name": "EnforceSchedulingHorizon", "Option": "Write" }, { - "CIMType": "String", - "Name": "Comment", + "CIMType": "Boolean", + "Name": "ForwardRequestsToDelegates", "Option": "Write" }, { - "CIMType": "String", - "Name": "ConnectorSource", + "CIMType": "UInt32", + "Name": "MaximumConflictInstances", "Option": "Write" }, { - "CIMType": "String", - "Name": "ConnectorType", + "CIMType": "UInt32", + "Name": "MaximumDurationInMinutes", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EFSkipIPs", + "CIMType": "UInt32", + "Name": "MinimumDurationInMinutes", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EFSkipLastIP", + "Name": "OrganizerInfo", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EFUsers", + "CIMType": "UInt32", + "Name": "PostReservationMaxClaimTimeInMinutes", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "Enabled", + "Name": "ProcessExternalMeetingMessages", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RequireTls", + "Name": "RemoveCanceledMeetings", "Option": "Write" }, { 
"CIMType": "Boolean", - "Name": "RestrictDomainsToCertificate", + "Name": "RemoveForwardedMeetingNotifications", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RestrictDomainsToIPAddresses", + "Name": "RemoveOldMeetingMessages", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RemovePrivateProperty", "Option": "Write" }, { "CIMType": "String[]", - "Name": "SenderDomains", + "Name": "RequestInPolicy", "Option": "Write" }, { "CIMType": "String[]", - "Name": "SenderIPAddresses", + "Name": "RequestOutOfPolicy", "Option": "Write" }, { - "CIMType": "String", - "Name": "TlsSenderCertificateName", + "CIMType": "String[]", + "Name": "ResourceDelegates", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "TreatMessagesAsInternal", + "Name": "ScheduleOnlyDuringWorkHours", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "TentativePendingApproval", "Option": "Write" }, { @@ -11197,6 +12538,11 @@ "Name": "Credential", "Option": "Write" }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, { "CIMType": "String", "Name": "ApplicationId", @@ -11235,7 +12581,7 @@ ] }, { - "ClassName": "MSFT_EXOIntraOrganizationConnector", + "ClassName": "MSFT_EXOCASMailboxPlan", "Parameters": [ { "CIMType": "String", @@ -11244,27 +12590,32 @@ }, { "CIMType": "String", - "Name": "DiscoveryEndpoint", + "Name": "DisplayName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "Enabled", + "Name": "ActiveSyncEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "TargetAddressDomains", + "CIMType": "Boolean", + "Name": "ImapEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "TargetSharingEpr", + "Name": "OwaMailboxPolicy", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "PopEnabled", "Option": "Write" }, { 
@@ -11310,165 +12661,185 @@ ] }, { - "ClassName": "MSFT_EXOIRMConfiguration", + "ClassName": "MSFT_EXOCASMailboxSettings", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", + "Name": "Identity", "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "AutomaticServiceUpdateEnabled", + "CIMType": "String[]", + "Name": "ActiveSyncAllowedDeviceIDs", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ActiveSyncBlockedDeviceIDs", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AzureRMSLicensingEnabled", + "Name": "ActiveSyncDebugLogging", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DecryptAttachmentForEncryptOnly", + "Name": "ActiveSyncEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ActiveSyncMailboxPolicy", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EDiscoverySuperUserEnabled", + "Name": "ActiveSyncSuppressReadReceipt", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnablePdfEncryption", + "Name": "EwsAllowEntourage", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "EwsAllowList", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "InternalLicensingEnabled", + "Name": "EwsAllowMacOutlook", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "JournalReportDecryptionEnabled", + "Name": "EwsAllowOutlook", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EwsApplicationAccessPolicy", "Option": "Write" }, { "CIMType": "String[]", - "Name": "LicensingLocation", + "Name": "EwsBlockList", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RejectIfRecipientHasNoRights", + "Name": "EwsEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ImapEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "RMSOnlineKeySharingLocation", + "Name": "ImapMessagesRetrievalMimeFormat", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SearchEnabled", + "Name": "ImapForceICalForCalendarRetrievalOption", "Option": "Write" }, 
{ "CIMType": "Boolean", - "Name": "SimplifiedClientAccessDoNotForwardDisabled", + "Name": "ImapSuppressReadReceipt", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SimplifiedClientAccessEnabled", + "Name": "ImapUseProtocolDefaults", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SimplifiedClientAccessEncryptOnlyDisabled", + "Name": "MacOutlookEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "TransportDecryptionSetting", + "CIMType": "Boolean", + "Name": "MAPIEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "OneWinNativeOutlookEnabled", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "OutlookMobileEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "OWAEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "OWAforDevicesEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "OwaMailboxPolicy", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "Boolean", + "Name": "PopEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "PopForceICalForCalendarRetrievalOption", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "PopMessagesRetrievalMimeFormat", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "PopSuppressReadReceipt", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "PopUseProtocolDefaults", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOJournalRule", - "Parameters": [ - { - "CIMType": "String", - "Name": "Name", - "Option": "Key" }, { - "CIMType": "String", - "Name": "JournalEmailAddress", - "Option": "Key" + "CIMType": "Boolean", + "Name": 
"PublicFolderClientAccess", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Recipient", + "CIMType": "Boolean", + "Name": "ShowGalAsDefaultView", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "Enabled", + "Name": "SmtpClientAuthenticationDisabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "RuleScope", + "CIMType": "Boolean", + "Name": "UniversalOutlookEnabled", "Option": "Write" }, { - "CIMType": "String", + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, @@ -11515,7 +12886,7 @@ ] }, { - "ClassName": "MSFT_EXOMailboxAutoReplyConfiguration", + "ClassName": "MSFT_EXOClientAccessRule", "Parameters": [ { "CIMType": "String", 
@@ -11524,72 +12895,67 @@ }, { "CIMType": "String", - "Name": "Owner", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "AutoDeclineFutureRequestsWhenOOF", - "Option": "Write" + "Name": "Action", + "Option": "Required" }, { - "CIMType": "String", - "Name": "AutoReplyState", + "CIMType": "String[]", + "Name": "AnyOfAuthenticationTypes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "CreateOOFEvent", + "CIMType": "String[]", + "Name": "AnyOfClientIPAddressesOrRanges", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DeclineAllEventsForScheduledOOF", + "CIMType": "String[]", + "Name": "AnyOfProtocols", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DeclineEventsForScheduledOOF", + "Name": "Enabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "DeclineMeetingMessage", + "CIMType": "String[]", + "Name": "ExceptAnyOfAuthenticationTypes", "Option": "Write" }, { - "CIMType": "String", - "Name": "EndTime", + "CIMType": "String[]", + "Name": "ExceptAnyOfClientIPAddressesOrRanges", "Option": "Write" }, { "CIMType": "String[]", - "Name": "EventsToDeleteIDs", + "Name": "ExceptAnyOfProtocols", "Option": "Write" }, { - "CIMType": "String", - "Name": "ExternalAudience", + "CIMType": "String[]", + "Name": "ExceptUsernameMatchesAnyOfPatterns", "Option": "Write" }, { - "CIMType": "String", - "Name": "ExternalMessage", + "CIMType": "uint32", + "Name": "Priority", "Option": "Write" }, { "CIMType": "String", - "Name": "InternalMessage", + "Name": "RuleScope", "Option": "Write" }, { "CIMType": "String", - "Name": "OOFEventSubject", + "Name": "UserRecipientFilter", "Option": "Write" }, { - "CIMType": "String", - "Name": "StartTime", + "CIMType": "String[]", + "Name": "UsernameMatchesAnyOfPatterns", "Option": "Write" }, { 
@@ -11640,8 +13006,43 @@ ] }, { - "ClassName": "MSFT_EXOMailboxCalendarConfiguration", + "ClassName": "MSFT_EXODataClassification", "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Fingerprints", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsDefault", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Locale", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, { "CIMType": "MSFT_Credential", "Name": "Credential", @@ -11662,6 +13063,16 @@ "Name": "CertificateThumbprint", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, { "CIMType": "Boolean", "Name": "ManagedIdentity", 
@@ -11671,270 +13082,310 @@ "CIMType": "String[]", "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXODataEncryptionPolicy", + "Parameters": [ { "CIMType": "String", "Name": "Identity", "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "AgendaMailIntroductionEnabled", + "CIMType": "String[]", + "Name": "AzureKeyIDs", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AutoDeclineWhenBusy", + "Name": "Enabled", "Option": "Write" }, { "CIMType": "String", - "Name": "CalendarFeedsPreferredLanguage", + "Name": "Name", "Option": "Write" }, { "CIMType": "String", - "Name": "CalendarFeedsPreferredRegion", + "Name": "PermanentDataPurgeContact", "Option": "Write" }, { "CIMType": "String", - "Name": "CalendarFeedsRootPageId", + "Name": "PermanentDataPurgeReason", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConversationalSchedulingEnabled", + "CIMType": "String", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "CreateEventsFromEmailAsPrivate", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "DefaultMinutesToReduceLongEventsBy", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "DefaultMinutesToReduceShortEventsBy", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "DefaultOnlineMeetingProvider", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { "CIMType": "String", - "Name": "DefaultReminderTime", + "Name": "CertificatePath", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DeleteMeetingRequestOnRespond", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DiningEventsFromEmailEnabled", + "CIMType": 
"String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXODistributionGroup", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Name", + "Option": "Required" + }, + { + "CIMType": "String", + "Name": "Alias", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EntertainmentEventsFromEmailEnabled", + "Name": "BccBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EventsFromEmailEnabled", + "Name": "BypassNestedModerationEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "FirstWeekOfYear", + "Name": "Description", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FlightEventsFromEmailEnabled", + "CIMType": "String", + "Name": "DisplayName", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "HotelEventsFromEmailEnabled", + "Name": "HiddenGroupMembershipEnabled", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "InvoiceEventsFromEmailEnabled", + "CIMType": "String[]", + "Name": "ManagedBy", "Option": "Write" }, { "CIMType": "String", - "Name": "LocationDetailsInFreeBusy", + "Name": "MemberDepartRestriction", "Option": "Write" }, { "CIMType": "String", - "Name": "MailboxLocation", + "Name": "MemberJoinRestriction", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OnlineMeetingsByDefaultEnabled", + "CIMType": "String[]", + "Name": "Members", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PackageDeliveryEventsFromEmailEnabled", + "CIMType": "String[]", + "Name": "ModeratedBy", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PreserveDeclinedMeetings", + "Name": "ModerationEnabled", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "RemindersEnabled", + "CIMType": "String", + "Name": "Notes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ReminderSoundEnabled", + "CIMType": "String", + "Name": "OrganizationalUnit", "Option": "Write" }, { - "CIMType": "Boolean", 
- "Name": "RentalCarEventsFromEmailEnabled", + "CIMType": "String", + "Name": "PrimarySmtpAddress", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ServiceAppointmentEventsFromEmailEnabled", + "Name": "RequireSenderAuthenticationEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "ShortenEventScopeDefault", + "CIMType": "Boolean", + "Name": "RoomList", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ShowWeekNumbers", + "CIMType": "String[]", + "Name": "AcceptMessagesOnlyFrom", "Option": "Write" }, { - "CIMType": "String", - "Name": "TimeIncrement", + "CIMType": "String[]", + "Name": "AcceptMessagesOnlyFromDLMembers", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "UseBrightCalendarColorThemeInOwa", + "CIMType": "String[]", + "Name": "AcceptMessagesOnlyFromSendersOrMembers", "Option": "Write" }, { "CIMType": "String", - "Name": "WeatherEnabled", + "Name": "CustomAttribute1", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "WeatherLocationBookmark", + "CIMType": "String", + "Name": "CustomAttribute2", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "WeatherLocations", + "CIMType": "String", + "Name": "CustomAttribute3", "Option": "Write" }, { "CIMType": "String", - "Name": "WeatherUnit", + "Name": "CustomAttribute4", "Option": "Write" }, { "CIMType": "String", - "Name": "WeekStartDay", + "Name": "CustomAttribute5", "Option": "Write" }, { "CIMType": "String", - "Name": "WorkDays", + "Name": "CustomAttribute6", "Option": "Write" }, { "CIMType": "String", - "Name": "WorkingHoursEndTime", + "Name": "CustomAttribute7", "Option": "Write" }, { "CIMType": "String", - "Name": "WorkingHoursStartTime", + "Name": "CustomAttribute8", "Option": "Write" }, { "CIMType": "String", - "Name": "WorkingHoursTimeZone", + "Name": "CustomAttribute9", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WorkspaceUserEnabled", + "CIMType": "String", + "Name": "CustomAttribute10", "Option": "Write" }, { "CIMType": "String", - 
"Name": "Ensure", + "Name": "CustomAttribute11", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOMailboxCalendarFolder", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Identity", - "Option": "Key" + "Name": "CustomAttribute12", + "Option": "Write" }, { "CIMType": "String", - "Name": "DetailLevel", + "Name": "CustomAttribute13", "Option": "Write" }, { "CIMType": "String", - "Name": "PublishDateRangeFrom", + "Name": "CustomAttribute14", "Option": "Write" }, { "CIMType": "String", - "Name": "PublishDateRangeTo", + "Name": "CustomAttribute15", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "EmailAddresses", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "GrantSendOnBehalfTo", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PublishEnabled", + "Name": "HiddenFromAddressListsEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SearchableUrlEnabled", + "Name": "SendOofMessageToOriginatorEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "SharedCalendarSyncStartDate", + "Name": "SendModerationNotifications", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "Type", "Option": "Write" }, { @@ -11942,6 +13393,11 @@ "Name": "Ensure", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, { "CIMType": "String", "Name": "ApplicationId", 
@@ -11980,36 +13436,36 @@ ] }, { - "ClassName": "MSFT_EXOMailboxFolderUserPermission", + "ClassName": "MSFT_EXODkimSigningConfig", "Parameters": [ { - "CIMType": "String[]", - "Name": "AccessRights", - "Option": "Write" + "CIMType": "String", + "Name": "Identity", + "Option": "Key" }, { "CIMType": "String", - "Name": "User", + "Name": "AdminDisplayName", "Option": "Write" }, { "CIMType": "String", - "Name": "SharingPermissionFlags", + "Name": "BodyCanonicalization", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOMailboxFolderPermission", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Identity", - "Option": "Key" + "Name": "HeaderCanonicalization", + "Option": "Write" }, { - "CIMType": "MSFT_EXOMailboxFolderUserPermission[]", - "Name": "UserPermissions", + "CIMType": "Uint16", + "Name": "KeySize", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Enabled", "Option": "Write" }, { @@ -12060,26 +13516,16 @@ ] }, { - "ClassName": "MSFT_EXOMailboxIRMAccess", + "ClassName": "MSFT_EXODnssecForVerifiedDomain", "Parameters": [ { "CIMType": "String", - "Name": "Identity", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "User", + "Name": "DomainName", "Option": "Key" }, { "CIMType": "string", - "Name": "AccessLevel", - "Option": "Write" - }, - { - "CIMType": "string", - "Name": "Ensure", + "Name": "DnssecFeatureStatus", "Option": "Write" }, { 
@@ -12115,36 +13561,31 @@ ] }, { - "ClassName": "MSFT_EXOMailboxPermission", + "ClassName": "MSFT_EXOEmailAddressPolicy", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "Name", "Option": "Key" }, - { - "CIMType": "String[]", - "Name": "AccessRights", - "Option": "Required" - }, { "CIMType": "String", - "Name": "User", - "Option": "Key" + "Name": "Priority", + "Option": "Write" }, { - "CIMType": "String", - "Name": "InheritanceType", - "Option": "Key" + "CIMType": "String[]", + "Name": "EnabledEmailAddressTemplates", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Owner", + "CIMType": "String[]", + "Name": "EnabledPrimarySMTPAddressTemplate", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Deny", + "CIMType": "String", + "Name": "ManagedByFilter", "Option": "Write" }, { 
@@ -12195,121 +13636,136 @@ ] }, { - "ClassName": "MSFT_EXOMailboxPlan", + "ClassName": "MSFT_EXOEmailTenantSettings", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "IsSingleInstance", "Option": "Key" }, { "CIMType": "String", - "Name": "DisplayName", + "Name": "Identity", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "EnablePriorityAccountProtection", "Option": "Write" }, { - "CIMType": "String", - "Name": "IssueWarningQuota", + "CIMType": "Boolean", + "Name": "IsValid", "Option": "Write" }, { "CIMType": "String", - "Name": "MaxReceiveSize", + "Name": "ObjectState", "Option": "Write" }, { "CIMType": "String", - "Name": "MaxSendSize", + "Name": "Name", "Option": "Write" }, { - "CIMType": "String", - "Name": "ProhibitSendQuota", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "ProhibitSendReceiveQuota", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "RetainDeletedItemsFor", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "RetentionPolicy", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "String", - "Name": "RoleAssignmentPolicy", + "Name": "CertificatePath", "Option": "Write" }, { "CIMType": "MSFT_Credential", - "Name": "Credential", + "Name": "CertificatePassword", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOEOPProtectionPolicyRule", + "Parameters": [ { "CIMType": "String", - "Name": "TenantId", + "Name": "Comments", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "String[]", + "Name": "ExceptIfRecipientDomainIs", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": 
"CertificatePassword", + "CIMType": "String[]", + "Name": "ExceptIfSentTo", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfSentToMemberOf", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "State", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "Name", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "UInt32", + "Name": "Priority", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOMailboxSettings", - "Parameters": [ + }, { - "CIMType": "string", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "String[]", + "Name": "RecipientDomainIs", + "Option": "Write" }, { - "CIMType": "string", - "Name": "TimeZone", + "CIMType": "String[]", + "Name": "SentTo", "Option": "Write" }, { - "CIMType": "string", - "Name": "Locale", + "CIMType": "String[]", + "Name": "SentToMemberOf", "Option": "Write" }, { 
@@ -12339,202 +13795,222 @@ }, { "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "Name": "ApplicationSecret", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXOExternalInOutlook", + "Parameters": [ { - "CIMType": "String", - "Name": "CertificatePath", - "Option": "Write" + "CIMType": "string", + "Name": "Identity", + "Option": "Key" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "Enabled", "Option": "Write" }, { "CIMType": "String[]", - "Name": "AccessTokens", + "Name": "AllowList", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOMailContact", - "Parameters": [ - { - "CIMType": "String", - "Name": "Name", - "Option": "Key" }, { - "CIMType": "String", - "Name": "ExternalEmailAddress", - "Option": "Required" + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Alias", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "FirstName", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "Initials", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "LastName", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXOFocusedInbox", + "Parameters": [ { "CIMType": "String", - "Name": "MacAttachmentFormat", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "FocusedInboxOn", "Option": "Write" }, { - "CIMType": "String", - "Name": "MessageBodyFormat", + "CIMType": "DateTime", + "Name": "FocusedInboxOnLastUpdateTime", "Option": "Write" }, { "CIMType": "String", - "Name": "MessageFormat", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ModeratedBy", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, 
{ - "CIMType": "Boolean", - "Name": "ModerationEnabled", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "OrganizationalUnit", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "SendModerationNotifications", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "UsePreferMessageFormat", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute1", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXOGlobalAddressList", + "Parameters": [ { "CIMType": "String", - "Name": "CustomAttribute2", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "ConditionalCompany", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute3", + "CIMType": "String[]", + "Name": "ConditionalCustomAttribute1", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute4", + "CIMType": "String[]", + "Name": "ConditionalCustomAttribute10", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute5", + "CIMType": "String[]", + "Name": "ConditionalCustomAttribute11", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute6", + "CIMType": "String[]", + "Name": "ConditionalCustomAttribute12", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute7", + "CIMType": "String[]", + "Name": "ConditionalCustomAttribute13", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute8", + "CIMType": "String[]", + "Name": "ConditionalCustomAttribute14", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute9", + "CIMType": "String[]", + "Name": "ConditionalCustomAttribute15", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute10", + "CIMType": "String[]", + "Name": "ConditionalCustomAttribute2", "Option": "Write" }, { - "CIMType": 
"String", - "Name": "CustomAttribute11", + "CIMType": "String[]", + "Name": "ConditionalCustomAttribute3", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute12", + "CIMType": "String[]", + "Name": "ConditionalCustomAttribute4", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute13", + "CIMType": "String[]", + "Name": "ConditionalCustomAttribute5", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute14", + "CIMType": "String[]", + "Name": "ConditionalCustomAttribute6", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomAttribute15", + "CIMType": "String[]", + "Name": "ConditionalCustomAttribute7", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ExtensionCustomAttribute1", + "Name": "ConditionalCustomAttribute8", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ExtensionCustomAttribute2", + "Name": "ConditionalCustomAttribute9", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ExtensionCustomAttribute3", + "Name": "ConditionalDepartment", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ExtensionCustomAttribute4", + "Name": "ConditionalStateOrProvince", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ExtensionCustomAttribute5", + "Name": "IncludedRecipients", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RecipientFilter", "Option": "Write" }, { 
@@ -12585,286 +14061,266 @@ ] }, { - "ClassName": "MSFT_EXOMailTips", + "ClassName": "MSFT_EXOGroupSettings", "Parameters": [ { - "CIMType": "String", - "Name": "IsSingleInstance", + "CIMType": "string", + "Name": "DisplayName", "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "MailTipsAllTipsEnabled", + "CIMType": "string", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MailTipsGroupMetricsEnabled", + "CIMType": "string[]", + "Name": "AcceptMessagesOnlyFromSendersOrMembers", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MailTipsLargeAudienceThreshold", + "CIMType": "string", + "Name": "AccessType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MailTipsMailboxSourcedTipsEnabled", + "CIMType": "boolean", + "Name": "AlwaysSubscribeMembersToCalendarEvents", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MailTipsExternalRecipientsTipsEnabled", + "CIMType": "string", + "Name": "AuditLogAgeLimit", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "boolean", + "Name": "AutoSubscribeNewMembers", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "boolean", + "Name": "CalendarMemberReadOnly", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "string", + "Name": "Classification", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "boolean", + "Name": "ConnectorsEnabled", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "string", + "Name": "CustomAttribute1", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificatePath", + "CIMType": "string", + "Name": "CustomAttribute2", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "string", + "Name": "CustomAttribute3", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "string", + 
"Name": "CustomAttribute4", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOMalwareFilterPolicy", - "Parameters": [ - { - "CIMType": "String", - "Name": "Identity", - "Option": "Key" }, { - "CIMType": "String", - "Name": "AdminDisplayName", + "CIMType": "string", + "Name": "CustomAttribute5", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomExternalBody", + "CIMType": "string", + "Name": "CustomAttribute6", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomExternalSubject", + "CIMType": "string", + "Name": "CustomAttribute7", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomFromAddress", + "CIMType": "string", + "Name": "CustomAttribute8", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomFromName", + "CIMType": "string", + "Name": "CustomAttribute9", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomInternalBody", + "CIMType": "string", + "Name": "CustomAttribute10", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomInternalSubject", + "CIMType": "string", + "Name": "CustomAttribute11", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "CustomNotifications", + "CIMType": "string", + "Name": "CustomAttribute12", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableExternalSenderAdminNotifications", + "CIMType": "string", + "Name": "CustomAttribute13", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableFileFilter", + "CIMType": "string", + "Name": "CustomAttribute14", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableInternalSenderAdminNotifications", + "CIMType": "string", + "Name": "CustomAttribute15", "Option": "Write" }, { - "CIMType": "String", - "Name": "ExternalSenderAdminAddress", + "CIMType": "string", + "Name": "DataEncryptionPolicy", "Option": "Write" }, { - "CIMType": "String", - "Name": "FileTypeAction", + "CIMType": "string[]", + "Name": "EmailAddresses", "Option": "Write" }, { - "CIMType": "String[]", - "Name": 
"FileTypes", + "CIMType": "string", + "Name": "ExtensionCustomAttribute1", "Option": "Write" }, { - "CIMType": "String", - "Name": "InternalSenderAdminAddress", + "CIMType": "string", + "Name": "ExtensionCustomAttribute2", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MakeDefault", + "CIMType": "string", + "Name": "ExtensionCustomAttribute3", "Option": "Write" }, { - "CIMType": "String", - "Name": "QuarantineTag", + "CIMType": "string", + "Name": "ExtensionCustomAttribute4", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ZapEnabled", + "CIMType": "string", + "Name": "ExtensionCustomAttribute5", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "string[]", + "Name": "GrantSendOnBehalfTo", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "boolean", + "Name": "HiddenFromAddressListsEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "boolean", + "Name": "HiddenFromExchangeClientsEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "string", + "Name": "InformationBarrierMode", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "boolean", + "Name": "IsMemberAllowedToEditContent", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "string", + "Name": "Language", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificatePath", + "CIMType": "string", + "Name": "MailboxRegion", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "string", + "Name": "MailTip", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "string", + "Name": "MailTipTranslations", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOMalwareFilterRule", - "Parameters": [ - { - "CIMType": "String", - "Name": "Identity", - "Option": "Key" }, { - 
"CIMType": "String", - "Name": "Comments", + "CIMType": "string", + "Name": "MaxReceiveSize", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Enabled", + "CIMType": "string", + "Name": "MaxSendSize", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfRecipientDomainIs", + "CIMType": "string[]", + "Name": "ModeratedBy", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentTo", + "CIMType": "boolean", + "Name": "ModerationEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentToMemberOf", + "CIMType": "string", + "Name": "Notes", "Option": "Write" }, { - "CIMType": "String", - "Name": "MalwareFilterPolicy", + "CIMType": "string", + "Name": "PrimarySmtpAddress", "Option": "Write" }, { - "CIMType": "String", - "Name": "Priority", + "CIMType": "string[]", + "Name": "RejectMessagesFromSendersOrMembers", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RecipientDomainIs", + "CIMType": "boolean", + "Name": "RequireSenderAuthenticationEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SentTo", + "CIMType": "string", + "Name": "SensitivityLabelId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SentToMemberOf", + "CIMType": "boolean", + "Name": "SubscriptionEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "boolean", + "Name": "UnifiedGroupWelcomeMessageEnabled", "Option": "Write" }, { 
@@ -12910,21 +14366,36 @@ ] }, { - "ClassName": "MSFT_EXOManagementRole", + "ClassName": "MSFT_EXOHostedConnectionFilterPolicy", "Parameters": [ { "CIMType": "String", - "Name": "Name", + "Name": "Identity", "Option": "Key" }, { "CIMType": "String", - "Name": "Parent", - "Option": "Key" + "Name": "AdminDisplayName", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "EnableSafeList", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "IPAllowList", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "IPBlockList", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "MakeDefault", "Option": "Write" }, { 
@@ -12975,286 +14446,271 @@ ] }, { - "ClassName": "MSFT_EXOManagementRoleAssignment", + "ClassName": "MSFT_EXOHostedContentFilterPolicy", "Parameters": [ { "CIMType": "String", - "Name": "Name", + "Name": "Identity", "Option": "Key" }, { "CIMType": "String", - "Name": "Role", - "Option": "Key" + "Name": "AddXHeaderValue", + "Option": "Write" }, { "CIMType": "String", - "Name": "App", + "Name": "AdminDisplayName", "Option": "Write" }, { - "CIMType": "String", - "Name": "Policy", + "CIMType": "String[]", + "Name": "AllowedSenderDomains", "Option": "Write" }, { - "CIMType": "String", - "Name": "SecurityGroup", + "CIMType": "String[]", + "Name": "AllowedSenders", "Option": "Write" }, { - "CIMType": "String", - "Name": "User", + "CIMType": "String[]", + "Name": "BlockedSenderDomains", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomRecipientWriteScope", + "CIMType": "String[]", + "Name": "BlockedSenders", "Option": "Write" }, { "CIMType": "String", - "Name": "CustomResourceScope", + "Name": "BulkQuarantineTag", "Option": "Write" }, { "CIMType": "String", - "Name": "ExclusiveRecipientWriteScope", + "Name": "BulkSpamAction", "Option": "Write" }, { - "CIMType": "String", - "Name": "RecipientAdministrativeUnitScope", + "CIMType": "UInt32", + "Name": "BulkThreshold", "Option": "Write" }, { - "CIMType": "String", - "Name": "RecipientOrganizationalUnitScope", + "CIMType": "Boolean", + "Name": "DownloadLink", "Option": "Write" }, { - "CIMType": "String", - "Name": "RecipientRelativeWriteScope", + "CIMType": "Boolean", + "Name": "EnableEndUserSpamNotifications", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "EnableLanguageBlockList", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "EnableRegionBlockList", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "EndUserSpamNotificationCustomSubject", "Option": "Write" }, { 
- "CIMType": "String", - "Name": "TenantId", + "CIMType": "UInt32", + "Name": "EndUserSpamNotificationFrequency", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "EndUserSpamNotificationLanguage", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "String", + "Name": "HighConfidencePhishAction", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "HighConfidencePhishQuarantineTag", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "HighConfidenceSpamAction", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "HighConfidenceSpamQuarantineTag", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOManagementRoleEntry", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Identity", - "Option": "Key" + "Name": "IncreaseScoreWithBizOrInfoUrls", + "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Parameters", + "CIMType": "String", + "Name": "IncreaseScoreWithImageLinks", "Option": "Write" }, { "CIMType": "String", - "Name": "Type", + "Name": "IncreaseScoreWithNumericIps", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "IncreaseScoreWithRedirectToOtherPort", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "InlineSafetyTipsEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "IntraOrgFilterState", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "String[]", + "Name": "LanguageBlockList", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "Boolean", + "Name": "MakeDefault", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": 
"MarkAsSpamBulkMail", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "MarkAsSpamEmbedTagsInHtml", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "MarkAsSpamEmptyMessages", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOManagementScope", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Identity", - "Option": "Key" + "Name": "MarkAsSpamFormTagsInHtml", + "Option": "Write" }, { "CIMType": "String", - "Name": "Name", + "Name": "MarkAsSpamFramesInHtml", "Option": "Write" }, { "CIMType": "String", - "Name": "RecipientRestrictionFilter", + "Name": "MarkAsSpamFromAddressAuthFail", "Option": "Write" }, { "CIMType": "String", - "Name": "RecipientRoot", + "Name": "MarkAsSpamJavaScriptInHtml", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Exclusive", + "CIMType": "String", + "Name": "MarkAsSpamNdrBackscatter", "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "MarkAsSpamObjectTagsInHtml", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "MarkAsSpamSensitiveWordList", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "MarkAsSpamSpfRecordHardFail", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "MarkAsSpamWebBugsInHtml", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "ModifySubjectValue", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "PhishSpamAction", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "PhishQuarantineTag", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOMessageClassification", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Identity", - "Option": "Key" + "Name": "SpamQuarantineTag", + 
"Option": "Write" }, { - "CIMType": "String", - "Name": "ClassificationID", + "CIMType": "UInt32", + "Name": "QuarantineRetentionPeriod", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", + "CIMType": "String[]", + "Name": "RedirectToRecipients", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayPrecedence", + "CIMType": "String[]", + "Name": "RegionBlockList", "Option": "Write" }, { "CIMType": "String", - "Name": "Name", + "Name": "SpamAction", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PermissionMenuVisible", + "CIMType": "String", + "Name": "TestModeAction", "Option": "Write" }, { - "CIMType": "String", - "Name": "RecipientDescription", + "CIMType": "String[]", + "Name": "TestModeBccToRecipients", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RetainClassificationEnabled", + "Name": "PhishZapEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "SenderDescription", + "CIMType": "Boolean", + "Name": "SpamZapEnabled", "Option": "Write" }, { 
@@ -13305,121 +14761,96 @@ ] }, { - "ClassName": "MSFT_EXOMigrationEndpoint", + "ClassName": "MSFT_EXOHostedContentFilterRule", "Parameters": [ { "CIMType": "String", "Name": "Identity", "Option": "Key" }, - { - "CIMType": "Boolean", - "Name": "AcceptUntrustedCertificates", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "AppID", - "Option": "Write" - }, { "CIMType": "String", - "Name": "AppSecretKeyVaultUrl", - "Option": "Write" + "Name": "HostedContentFilterPolicy", + "Option": "Required" }, { - "CIMType": "String", - "Name": "Authentication", + "CIMType": "Boolean", + "Name": "Enabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "EndpointType", + "CIMType": "uint32", + "Name": "Priority", "Option": "Write" }, { "CIMType": "String", - "Name": "ExchangeServer", + "Name": "Comments", "Option": "Write" }, { - "CIMType": "String", - "Name": "MailboxPermission", + "CIMType": "String[]", + "Name": "ExceptIfRecipientDomainIs", "Option": "Write" }, { - "CIMType": "String", - "Name": "MaxConcurrentIncrementalSyncs", + "CIMType": "String[]", + "Name": "ExceptIfSentTo", "Option": "Write" }, { - "CIMType": "String", - "Name": "MaxConcurrentMigrations", + "CIMType": "String[]", + "Name": "ExceptIfSentToMemberOf", "Option": "Write" }, { - "CIMType": "String", - "Name": "NspiServer", + "CIMType": "String[]", + "Name": "RecipientDomainIs", "Option": "Write" }, { - "CIMType": "String", - "Name": "Port", + "CIMType": "String[]", + "Name": "SentTo", "Option": "Write" }, { - "CIMType": "String", - "Name": "RemoteServer", + "CIMType": "String[]", + "Name": "SentToMemberOf", "Option": "Write" }, { "CIMType": "String", - "Name": "RemoteTenant", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "RpcProxyServer", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "Security", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": 
"SourceMailboxLegacyDN", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "UseAutoDiscover", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "MSFT_Credential", - "Name": "Credential", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "ApplicationId", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "TenantId", + "Name": "CertificatePassword", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "CertificatePath", "Option": "Write" }, { 
@@ -13435,281 +14866,301 @@ ] }, { - "ClassName": "MSFT_EXOMobileDeviceMailboxPolicy", + "ClassName": "MSFT_EXOHostedOutboundSpamFilterPolicy", "Parameters": [ { "CIMType": "String", - "Name": "Name", + "Name": "Identity", "Option": "Key" }, - { - "CIMType": "Boolean", - "Name": "AllowApplePushNotifications", - "Option": "Write" - }, { "CIMType": "String", - "Name": "AllowBluetooth", + "Name": "AdminDisplayName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowBrowser", + "CIMType": "String[]", + "Name": "BccSuspiciousOutboundAdditionalRecipients", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowCamera", + "Name": "BccSuspiciousOutboundMail", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowConsumerEmail", + "Name": "NotifyOutboundSpam", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowDesktopSync", + "CIMType": "String[]", + "Name": "NotifyOutboundSpamRecipients", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowExternalDeviceManagement", + "CIMType": "UInt32", + "Name": "RecipientLimitInternalPerHour", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowGooglePushNotifications", + "CIMType": "UInt32", + "Name": "RecipientLimitPerDay", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowHTMLEmail", + "CIMType": "UInt32", + "Name": "RecipientLimitExternalPerHour", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowInternetSharing", + "CIMType": "String", + "Name": "ActionWhenThresholdReached", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowIrDA", + "CIMType": "String", + "Name": "AutoForwardingMode", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowMobileOTAUpdate", + "CIMType": "String", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowMicrosoftPushNotifications", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": 
"AllowNonProvisionableDevices", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowPOPIMAPEmail", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowRemoteDesktop", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowSimplePassword", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowSMIMEEncryptionAlgorithmNegotiation", + "Name": "CertificatePath", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowSMIMESoftCerts", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowStorageCard", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXOHostedOutboundSpamFilterRule", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "AllowTextMessaging", - "Option": "Write" + "CIMType": "String", + "Name": "Identity", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "AllowUnsignedApplications", - "Option": "Write" + "CIMType": "String", + "Name": "HostedOutboundSpamFilterPolicy", + "Option": "Required" }, { "CIMType": "Boolean", - "Name": "AllowUnsignedInstallationPackages", + "Name": "Enabled", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowWiFi", + "CIMType": "uint32", + "Name": "Priority", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AlphanumericPasswordRequired", + "CIMType": "String", + "Name": "Comments", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ApprovedApplicationList", + "Name": "ExceptIfSenderDomainIs", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AttachmentsEnabled", + "CIMType": "String[]", + "Name": "ExceptIfFrom", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DeviceEncryptionEnabled", + "CIMType": "String[]", + "Name": 
"ExceptIfFromMemberOf", "Option": "Write" }, { - "CIMType": "String", - "Name": "DevicePolicyRefreshInterval", + "CIMType": "String[]", + "Name": "SenderDomainIs", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IrmEnabled", + "CIMType": "String[]", + "Name": "From", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IsDefault", + "CIMType": "String[]", + "Name": "FromMemberOf", "Option": "Write" }, { "CIMType": "String", - "Name": "MaxAttachmentSize", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "MaxCalendarAgeFilter", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "MaxEmailAgeFilter", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "MaxEmailBodyTruncationSize", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "MaxEmailHTMLBodyTruncationSize", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "MaxInactivityTimeLock", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { "CIMType": "String", - "Name": "MaxPasswordFailedAttempts", + "Name": "CertificatePath", "Option": "Write" }, { - "CIMType": "String", - "Name": "MinPasswordComplexCharacters", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOInboundConnector", + "Parameters": [ { "CIMType": "String", - "Name": "MinPasswordLength", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "AssociatedAcceptedDomains", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasswordEnabled", + "Name": "CloudServicesMailEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "PasswordExpiration", + "Name": "Comment", "Option": "Write" }, { "CIMType": "String", - "Name": "PasswordHistory", + "Name": 
"ConnectorSource", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasswordRecoveryEnabled", + "CIMType": "String", + "Name": "ConnectorType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "RequireDeviceEncryption", + "CIMType": "String[]", + "Name": "EFSkipIPs", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RequireEncryptedSMIMEMessages", + "Name": "EFSkipLastIP", "Option": "Write" }, { - "CIMType": "String", - "Name": "RequireEncryptionSMIMEAlgorithm", + "CIMType": "String[]", + "Name": "EFUsers", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RequireManualSyncWhenRoaming", + "Name": "Enabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "RequireSignedSMIMEAlgorithm", + "CIMType": "Boolean", + "Name": "RequireTls", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RequireSignedSMIMEMessages", + "Name": "RestrictDomainsToCertificate", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RequireStorageCardEncryption", + "Name": "RestrictDomainsToIPAddresses", "Option": "Write" }, { "CIMType": "String[]", - "Name": "UnapprovedInROMApplicationList", + "Name": "SenderDomains", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "UNCAccessEnabled", + "CIMType": "String[]", + "Name": "SenderIPAddresses", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TlsSenderCertificateName", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WSSAccessEnabled", + "Name": "TreatMessagesAsInternal", "Option": "Write" }, { 
@@ -13760,31 +15211,31 @@ ] }, { - "ClassName": "MSFT_EXOOfflineAddressBook", + "ClassName": "MSFT_EXOIntraOrganizationConnector", "Parameters": [ { "CIMType": "String", - "Name": "Name", + "Name": "Identity", "Option": "Key" }, { - "CIMType": "String[]", - "Name": "AddressLists", + "CIMType": "String", + "Name": "DiscoveryEndpoint", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ConfiguredAttributes", + "CIMType": "Boolean", + "Name": "Enabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "DiffRetentionPeriod", + "CIMType": "String[]", + "Name": "TargetAddressDomains", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IsDefault", + "CIMType": "String", + "Name": "TargetSharingEpr", "Option": "Write" }, { 
@@ -13835,61 +15286,86 @@ ] }, { - "ClassName": "MSFT_EXOOMEConfiguration", + "ClassName": "MSFT_EXOIRMConfiguration", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "IsSingleInstance", "Option": "Key" }, { - "CIMType": "String", - "Name": "BackgroundColor", + "CIMType": "Boolean", + "Name": "AutomaticServiceUpdateEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisclaimerText", + "CIMType": "Boolean", + "Name": "AzureRMSLicensingEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "EmailText", + "CIMType": "Boolean", + "Name": "DecryptAttachmentForEncryptOnly", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "ExternalMailExpiryInDays", + "CIMType": "Boolean", + "Name": "EDiscoverySuperUserEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "IntroductionText", + "CIMType": "Boolean", + "Name": "EnablePdfEncryption", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "OTPEnabled", + "Name": "InternalLicensingEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "PortalText", + "CIMType": "Boolean", + "Name": "JournalReportDecryptionEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "PrivacyStatementUrl", + "CIMType": "String[]", + "Name": "LicensingLocation", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RejectIfRecipientHasNoRights", "Option": "Write" }, { "CIMType": "String", - "Name": "ReadButtonText", + "Name": "RMSOnlineKeySharingLocation", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SocialIdSignIn", + "Name": "SearchEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SimplifiedClientAccessDoNotForwardDisabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SimplifiedClientAccessEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SimplifiedClientAccessEncryptOnlyDisabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TransportDecryptionSetting", 
"Option": "Write" }, { @@ -13940,46 +15416,31 @@ ] }, { - "ClassName": "MSFT_EXOOnPremisesOrganization", + "ClassName": "MSFT_EXOJournalRule", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "Name", "Option": "Key" }, - { - "CIMType": "String[]", - "Name": "HybridDomains", - "Option": "Write" - }, { "CIMType": "String", - "Name": "InboundConnector", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "OutboundConnector", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "OrganizationName", - "Option": "Write" + "Name": "JournalEmailAddress", + "Option": "Key" }, { "CIMType": "String", - "Name": "OrganizationGuid", + "Name": "Recipient", "Option": "Write" }, { - "CIMType": "String", - "Name": "OrganizationRelationship", + "CIMType": "Boolean", + "Name": "Enabled", "Option": "Write" }, { "CIMType": "String", - "Name": "Comment", + "Name": "RuleScope", "Option": "Write" }, { 
@@ -14030,541 +15491,551 @@ ] }, { - "ClassName": "MSFT_EXOOrganizationConfig", + "ClassName": "MSFT_EXOMailboxAuditBypassAssociation", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", + "Name": "Identity", "Option": "Key" }, { "CIMType": "Boolean", - "Name": "ActivityBasedAuthenticationTimeoutEnabled", + "Name": "AuditBypassEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "ActivityBasedAuthenticationTimeoutInterval", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AppsForOfficeEnabled", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AsyncSendEnabled", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AuditDisabled", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AutodiscoverPartialDirSync", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXOMailboxAutoReplyConfiguration", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "AutoExpandingArchive", - "Option": "Write" + "CIMType": "String", + "Name": "Identity", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "BlockMoveMessagesForGroupFolders", + "CIMType": "String", + "Name": "Owner", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "BookingsAddressEntryRestricted", + "Name": "AutoDeclineFutureRequestsWhenOOF", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BookingsAuthEnabled", + "CIMType": "String", + "Name": "AutoReplyState", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "BookingsBlockedWordsEnabled", + "Name": "CreateOOFEvent", "Option": "Write" }, { "CIMType": "Boolean", - "Name": 
"BookingsCreationOfCustomQuestionsRestricted", + "Name": "DeclineAllEventsForScheduledOOF", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "BookingsEnabled", + "Name": "DeclineEventsForScheduledOOF", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BookingsExposureOfStaffDetailsRestricted", + "CIMType": "String", + "Name": "DeclineMeetingMessage", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BookingsMembershipApprovalRequired", + "CIMType": "String", + "Name": "EndTime", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BookingsNamingPolicyEnabled", + "CIMType": "String[]", + "Name": "EventsToDeleteIDs", "Option": "Write" }, { "CIMType": "String", - "Name": "BookingsNamingPolicyPrefix", + "Name": "ExternalAudience", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BookingsNamingPolicyPrefixEnabled", + "CIMType": "String", + "Name": "ExternalMessage", "Option": "Write" }, { "CIMType": "String", - "Name": "BookingsNamingPolicySuffix", + "Name": "InternalMessage", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BookingsNamingPolicySuffixEnabled", + "CIMType": "String", + "Name": "OOFEventSubject", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BookingsNotesEntryRestricted", + "CIMType": "String", + "Name": "StartTime", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BookingsPaymentsEnabled", + "CIMType": "String", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BookingsPhoneNumberEntryRestricted", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BookingsSearchEngineIndexDisabled", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BookingsSmsMicrosoftEnabled", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BookingsSocialSharingRestricted", + "CIMType": "String", + "Name": 
"CertificateThumbprint", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "ByteEncoderTypeFor7BitCharsets", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ComplianceMLBgdCrawlEnabled", + "CIMType": "String", + "Name": "CertificatePath", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ConnectorsActionableMessagesEnabled", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConnectorsEnabled", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXOMailboxCalendarConfiguration", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "ConnectorsEnabledForOutlook", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConnectorsEnabledForSharepoint", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConnectorsEnabledForTeams", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConnectorsEnabledForYammer", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CustomerLockboxEnabled", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefaultAuthenticationPolicy", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" }, { "CIMType": "String", - "Name": "DefaultGroupAccessType", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "DefaultMinutesToReduceLongEventsBy", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "DefaultMinutesToReduceShortEventsBy", - "Option": "Write" + "Name": "Identity", + "Option": "Key" }, { - "CIMType": "String", - "Name": "DefaultPublicFolderAgeLimit", + "CIMType": "Boolean", + "Name": "AgendaMailIntroductionEnabled", "Option": "Write" }, { - "CIMType": "String", - 
"Name": "DefaultPublicFolderDeletedItemRetention", + "CIMType": "Boolean", + "Name": "AutoDeclineWhenBusy", "Option": "Write" }, { "CIMType": "String", - "Name": "DefaultPublicFolderIssueWarningQuota", + "Name": "CalendarFeedsPreferredLanguage", "Option": "Write" }, { "CIMType": "String", - "Name": "DefaultPublicFolderMaxItemSize", + "Name": "CalendarFeedsPreferredRegion", "Option": "Write" }, { "CIMType": "String", - "Name": "DefaultPublicFolderMovedItemRetention", + "Name": "CalendarFeedsRootPageId", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefaultPublicFolderProhibitPostQuota", + "CIMType": "Boolean", + "Name": "ConversationalSchedulingEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DirectReportsGroupAutoCreationEnabled", + "Name": "CreateEventsFromEmailAsPrivate", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisablePlusAddressInRecipients", + "CIMType": "UInt32", + "Name": "DefaultMinutesToReduceLongEventsBy", "Option": "Write" }, { - "CIMType": "String", - "Name": "DistributionGroupDefaultOU", + "CIMType": "UInt32", + "Name": "DefaultMinutesToReduceShortEventsBy", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DistributionGroupNameBlockedWordsList", + "CIMType": "String", + "Name": "DefaultOnlineMeetingProvider", "Option": "Write" }, { "CIMType": "String", - "Name": "DistributionGroupNamingPolicy", + "Name": "DefaultReminderTime", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ElcProcessingDisabled", + "Name": "DeleteMeetingRequestOnRespond", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnableOutlookEvents", + "Name": "DiningEventsFromEmailEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EndUserDLUpgradeFlowsDisabled", + "Name": "EntertainmentEventsFromEmailEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EwsAllowEntourage", + "Name": "EventsFromEmailEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EwsAllowList", + "CIMType": 
"String", + "Name": "FirstWeekOfYear", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EwsAllowMacOutlook", + "Name": "FlightEventsFromEmailEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EwsAllowOutlook", + "Name": "HotelEventsFromEmailEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "EwsApplicationAccessPolicy", + "CIMType": "Boolean", + "Name": "InvoiceEventsFromEmailEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EwsBlockList", + "CIMType": "String", + "Name": "LocationDetailsInFreeBusy", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EwsEnabled", + "CIMType": "String", + "Name": "MailboxLocation", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ExchangeNotificationEnabled", + "Name": "OnlineMeetingsByDefaultEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExchangeNotificationRecipients", + "CIMType": "Boolean", + "Name": "PackageDeliveryEventsFromEmailEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FindTimeAttendeeAuthenticationEnabled", + "Name": "PreserveDeclinedMeetings", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FindTimeAutoScheduleDisabled", + "Name": "RemindersEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FindTimeLockPollForAttendeesEnabled", + "Name": "ReminderSoundEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FindTimeOnlineMeetingOptionDisabled", + "Name": "RentalCarEventsFromEmailEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FocusedInboxOn", + "Name": "ServiceAppointmentEventsFromEmailEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "HierarchicalAddressBookRoot", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "IPListBlocked", + "Name": "ShortenEventScopeDefault", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsGroupFoldersAndRulesEnabled", + "Name": "ShowWeekNumbers", "Option": "Write" }, { - "CIMType": "Boolean", - 
"Name": "IsGroupMemberAllowedToEditContent", + "CIMType": "String", + "Name": "TimeIncrement", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "LeanPopoutEnabled", + "Name": "UseBrightCalendarColorThemeInOwa", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LinkPreviewEnabled", + "CIMType": "String", + "Name": "WeatherEnabled", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MailTipsAllTipsEnabled", + "CIMType": "UInt32", + "Name": "WeatherLocationBookmark", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MailTipsExternalRecipientsTipsEnabled", + "CIMType": "String[]", + "Name": "WeatherLocations", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MailTipsGroupMetricsEnabled", + "CIMType": "String", + "Name": "WeatherUnit", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MailTipsLargeAudienceThreshold", + "CIMType": "String", + "Name": "WeekStartDay", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MailTipsMailboxSourcedTipsEnabled", + "CIMType": "String", + "Name": "WorkDays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MaskClientIpInReceivedHeadersEnabled", + "CIMType": "String", + "Name": "WorkingHoursEndTime", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MatchSenderOrganizerProperties", + "CIMType": "String", + "Name": "WorkingHoursStartTime", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MessageHighlightsEnabled", + "CIMType": "String", + "Name": "WorkingHoursTimeZone", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "MessageRecallEnabled", + "Name": "WorkspaceUserEnabled", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MessageRemindersEnabled", + "CIMType": "String", + "Name": "Ensure", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXOMailboxCalendarFolder", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "MobileAppEducationEnabled", - "Option": "Write" + "CIMType": "String", + "Name": "Identity", + "Option": "Key" }, { 
- "CIMType": "Boolean", - "Name": "OAuth2ClientProfileEnabled", + "CIMType": "String", + "Name": "DetailLevel", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OnlineMeetingsByDefaultEnabled", + "CIMType": "String", + "Name": "PublishDateRangeFrom", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OutlookGifPickerDisabled", + "CIMType": "String", + "Name": "PublishDateRangeTo", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "OutlookMobileGCCRestrictionsEnabled", + "Name": "PublishEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "OutlookPayEnabled", + "Name": "SearchableUrlEnabled", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OutlookTextPredictionDisabled", + "CIMType": "String", + "Name": "SharedCalendarSyncStartDate", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PublicComputersDetectionEnabled", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "PublicFoldersEnabled", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PublicFolderShowClientControl", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ReadTrackingEnabled", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "RecallReadMessagesEnabled", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RemotePublicFolderMailboxes", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SendFromAliasEnabled", + "CIMType": "String", + "Name": "CertificatePath", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SharedDomainEmailAddressFlowEnabled", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "ShortenEventScopeDefault", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": 
"Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXOMailboxFolderUserPermission", + "Parameters": [ { - "CIMType": "String", - "Name": "SiteMailboxCreationURL", + "CIMType": "String[]", + "Name": "AccessRights", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SmtpActionableMessagesEnabled", + "CIMType": "String", + "Name": "User", "Option": "Write" }, { "CIMType": "String", - "Name": "VisibleMeetingUpdateProperties", + "Name": "SharingPermissionFlags", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXOMailboxFolderPermission", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "WebPushNotificationsDisabled", - "Option": "Write" + "CIMType": "String", + "Name": "Identity", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "WebSuggestedRepliesDisabled", + "CIMType": "MSFT_EXOMailboxFolderUserPermission[]", + "Name": "UserPermissions", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WorkspaceTenantEnabled", + "CIMType": "String", + "Name": "Ensure", "Option": "Write" }, { 
@@ -14610,111 +16081,91 @@ ] }, { - "ClassName": "MSFT_EXOOrganizationRelationship", + "ClassName": "MSFT_EXOMailboxIRMAccess", "Parameters": [ { "CIMType": "String", - "Name": "Name", + "Name": "Identity", "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "ArchiveAccessEnabled", - "Option": "Write" + "CIMType": "String", + "Name": "User", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "DeliveryReportEnabled", + "CIMType": "string", + "Name": "AccessLevel", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DomainNames", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Enabled", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FreeBusyAccessEnabled", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "FreeBusyAccessLevel", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "FreeBusyAccessScope", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "MailboxMoveEnabled", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "MailboxMoveCapability", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "MailboxMovePublishedScopes", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "MailTipsAccessEnabled", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "MailTipsAccessLevel", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "MailTipsAccessScope", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "OauthApplicationId", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXOMailboxPermission", + "Parameters": [ { "CIMType": "String", - "Name": "OrganizationContact", - "Option": "Write" + "Name": "Identity", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "PhotosEnabled", - "Option": 
"Write" + "CIMType": "String[]", + "Name": "AccessRights", + "Option": "Required" }, { "CIMType": "String", - "Name": "TargetApplicationUri", - "Option": "Write" + "Name": "User", + "Option": "Key" }, { "CIMType": "String", - "Name": "TargetAutodiscoverEpr", - "Option": "Write" + "Name": "InheritanceType", + "Option": "Key" }, { "CIMType": "String", - "Name": "TargetOwaURL", + "Name": "Owner", "Option": "Write" }, { - "CIMType": "String", - "Name": "TargetSharingEpr", + "CIMType": "Boolean", + "Name": "Deny", "Option": "Write" }, { 
@@ -14765,96 +16216,61 @@ ] }, { - "ClassName": "MSFT_EXOOutboundConnector", + "ClassName": "MSFT_EXOMailboxPlan", "Parameters": [ { "CIMType": "String", "Name": "Identity", "Option": "Key" }, - { - "CIMType": "Boolean", - "Name": "Enabled", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "UseMXRecord", - "Option": "Write" - }, { "CIMType": "String", - "Name": "Comment", + "Name": "DisplayName", "Option": "Write" }, { "CIMType": "String", - "Name": "ConnectorSource", + "Name": "Ensure", "Option": "Write" }, { "CIMType": "String", - "Name": "ConnectorType", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "RecipientDomains", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "SmartHosts", + "Name": "IssueWarningQuota", "Option": "Write" }, { "CIMType": "String", - "Name": "TlsDomain", + "Name": "MaxReceiveSize", "Option": "Write" }, { "CIMType": "String", - "Name": "TlsSettings", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "IsTransportRuleScoped", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "RouteAllMessagesViaOnPremises", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "CloudServicesMailEnabled", + "Name": "MaxSendSize", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllAcceptedDomains", + "CIMType": "String", + "Name": "ProhibitSendQuota", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SenderRewritingEnabled", + "CIMType": "String", + "Name": "ProhibitSendReceiveQuota", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "TestMode", + "CIMType": "String", + "Name": "RetainDeletedItemsFor", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ValidationRecipients", + "CIMType": "String", + "Name": "RetentionPolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "RoleAssignmentPolicy", "Option": "Write" }, { 
@@ -14900,441 +16316,486 @@ ] }, { - "ClassName": "MSFT_EXOOwaMailboxPolicy", + "ClassName": "MSFT_EXOMailboxSettings", "Parameters": [ { - "CIMType": "String", - "Name": "Name", + "CIMType": "string", + "Name": "DisplayName", "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "AccountTransferEnabled", + "CIMType": "string", + "Name": "RetentionPolicy", "Option": "Write" }, { - "CIMType": "String", - "Name": "ActionForUnknownFileAndMIMETypes", + "CIMType": "string", + "Name": "AddressBookPolicy", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ActiveSyncIntegrationEnabled", + "CIMType": "string", + "Name": "RoleAssignmentPolicy", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AdditionalAccountsEnabled", + "CIMType": "string", + "Name": "SharingPolicy", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AdditionalStorageProvidersAvailable", + "CIMType": "string", + "Name": "TimeZone", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllAddressListsEnabled", + "CIMType": "string", + "Name": "Locale", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowCopyContactsToDeviceAddressBook", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AllowedFileTypes", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AllowedMimeTypes", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockedFileTypes", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockedMimeTypes", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BookingsMailboxCreationEnabled", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ChangeSettingsAccountEnabled", + "CIMType": "String", + "Name": 
"CertificatePath", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ClassicAttachmentsEnabled", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "ConditionalAccessPolicy", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOMailContact", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" }, { "CIMType": "String", - "Name": "DefaultTheme", + "Name": "ExternalEmailAddress", + "Option": "Required" + }, + { + "CIMType": "String", + "Name": "Alias", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DirectFileAccessOnPrivateComputersEnabled", + "CIMType": "String", + "Name": "DisplayName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DirectFileAccessOnPublicComputersEnabled", + "CIMType": "String", + "Name": "FirstName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisableFacebook", + "CIMType": "String", + "Name": "Initials", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisplayPhotosEnabled", + "CIMType": "String", + "Name": "LastName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ExplicitLogonEnabled", + "CIMType": "String", + "Name": "MacAttachmentFormat", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ExternalImageProxyEnabled", + "CIMType": "String", + "Name": "MessageBodyFormat", "Option": "Write" }, { "CIMType": "String", - "Name": "ExternalSPMySiteHostURL", + "Name": "MessageFormat", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FeedbackEnabled", + "CIMType": "String[]", + "Name": "ModeratedBy", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ForceSaveAttachmentFilteringEnabled", + "Name": "ModerationEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ForceSaveFileTypes", + "CIMType": "String", + "Name": "OrganizationalUnit", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ForceSaveMimeTypes", + "CIMType": "String", + 
"Name": "SendModerationNotifications", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ForceWacViewingFirstOnPrivateComputers", + "Name": "UsePreferMessageFormat", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ForceWacViewingFirstOnPublicComputers", + "CIMType": "String", + "Name": "CustomAttribute1", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FreCardsEnabled", + "CIMType": "String", + "Name": "CustomAttribute2", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "GlobalAddressListEnabled", + "CIMType": "String", + "Name": "CustomAttribute3", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "GroupCreationEnabled", + "CIMType": "String", + "Name": "CustomAttribute4", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "InstantMessagingEnabled", + "CIMType": "String", + "Name": "CustomAttribute5", "Option": "Write" }, { "CIMType": "String", - "Name": "InstantMessagingType", + "Name": "CustomAttribute6", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "InterestingCalendarsEnabled", + "CIMType": "String", + "Name": "CustomAttribute7", "Option": "Write" }, { "CIMType": "String", - "Name": "InternalSPMySiteHostURL", + "Name": "CustomAttribute8", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IRMEnabled", + "CIMType": "String", + "Name": "CustomAttribute9", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ItemsToOtherAccountsEnabled", + "CIMType": "String", + "Name": "CustomAttribute10", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IsDefault", + "CIMType": "String", + "Name": "CustomAttribute11", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "JournalEnabled", + "CIMType": "String", + "Name": "CustomAttribute12", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalEventsEnabled", + "CIMType": "String", + "Name": "CustomAttribute13", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "LogonAndErrorLanguage", + "CIMType": "String", + "Name": 
"CustomAttribute14", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MessagePreviewsDisabled", + "CIMType": "String", + "Name": "CustomAttribute15", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "NotesEnabled", + "CIMType": "String[]", + "Name": "ExtensionCustomAttribute1", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "NpsSurveysEnabled", + "CIMType": "String[]", + "Name": "ExtensionCustomAttribute2", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OneWinNativeOutlookEnabled", + "CIMType": "String[]", + "Name": "ExtensionCustomAttribute3", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OrganizationEnabled", + "CIMType": "String[]", + "Name": "ExtensionCustomAttribute4", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OnSendAddinsEnabled", + "CIMType": "String[]", + "Name": "ExtensionCustomAttribute5", "Option": "Write" }, { "CIMType": "String", - "Name": "OutboundCharset", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OutlookBetaToggleEnabled", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OWALightEnabled", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PersonalAccountsEnabled", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PersonalAccountCalendarsEnabled", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PhoneticSupportEnabled", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PlacesEnabled", + "CIMType": "String", + "Name": "CertificatePath", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PremiumClientEnabled", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PrintWithoutDownloadEnabled", + "CIMType": 
"String[]", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOMailTips", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" }, { "CIMType": "Boolean", - "Name": "ProjectMocaEnabled", + "Name": "MailTipsAllTipsEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PublicFoldersEnabled", + "Name": "MailTipsGroupMetricsEnabled", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "RecoverDeletedItemsEnabled", + "CIMType": "UInt32", + "Name": "MailTipsLargeAudienceThreshold", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ReferenceAttachmentsEnabled", + "Name": "MailTipsMailboxSourcedTipsEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RemindersAndNotificationsEnabled", + "Name": "MailTipsExternalRecipientsTipsEnabled", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ReportJunkEmailEnabled", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "RulesEnabled", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SatisfactionEnabled", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SaveAttachmentsToCloudEnabled", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SearchFoldersEnabled", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SetPhotoEnabled", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "SetPhotoURL", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOMalwareFilterPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" 
}, { - "CIMType": "Boolean", - "Name": "ShowOnlineArchiveEnabled", + "CIMType": "String", + "Name": "AdminDisplayName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SignaturesEnabled", + "CIMType": "String", + "Name": "CustomExternalBody", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SkipCreateUnifiedGroupCustomSharepointClassification", + "CIMType": "String", + "Name": "CustomExternalSubject", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "TeamSnapCalendarsEnabled", + "CIMType": "String", + "Name": "CustomFromAddress", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "TextMessagingEnabled", + "CIMType": "String", + "Name": "CustomFromName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ThemeSelectionEnabled", + "CIMType": "String", + "Name": "CustomInternalBody", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "UMIntegrationEnabled", + "CIMType": "String", + "Name": "CustomInternalSubject", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "UseGB18030", + "Name": "CustomNotifications", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "UseISO885915", + "Name": "EnableExternalSenderAdminNotifications", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "UserVoiceEnabled", + "Name": "EnableFileFilter", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WacEditingEnabled", + "Name": "EnableInternalSenderAdminNotifications", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WacExternalServicesEnabled", + "CIMType": "String", + "Name": "ExternalSenderAdminAddress", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WacOMEXEnabled", + "CIMType": "String", + "Name": "FileTypeAction", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WacViewingOnPrivateComputersEnabled", + "CIMType": "String[]", + "Name": "FileTypes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WacViewingOnPublicComputersEnabled", + "CIMType": "String", + "Name": 
"InternalSenderAdminAddress", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WeatherEnabled", + "Name": "MakeDefault", "Option": "Write" }, { "CIMType": "String", - "Name": "WebPartsFrameOptionsType", + "Name": "QuarantineTag", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ZapEnabled", "Option": "Write" }, { 
@@ -15385,96 +16846,61 @@ ] }, { - "ClassName": "MSFT_EXOPartnerApplication", + "ClassName": "MSFT_EXOMalwareFilterRule", "Parameters": [ { "CIMType": "String", - "Name": "Name", + "Name": "Identity", "Option": "Key" }, { "CIMType": "String", - "Name": "ApplicationIdentifier", + "Name": "Comments", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AcceptSecurityIdentifierInformation", + "Name": "Enabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "AccountType", + "CIMType": "String[]", + "Name": "ExceptIfRecipientDomainIs", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Enabled", + "CIMType": "String[]", + "Name": "ExceptIfSentTo", "Option": "Write" }, { - "CIMType": "String", - "Name": "LinkedAccount", + "CIMType": "String[]", + "Name": "ExceptIfSentToMemberOf", "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "MalwareFilterPolicy", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "Priority", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "TenantId", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" - }, - { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CertificatePath", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String[]", + "Name": "RecipientDomainIs", "Option": "Write" }, { "CIMType": "String[]", - "Name": "AccessTokens", + "Name": "SentTo", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOPerimeterConfiguration", - "Parameters": [ - { - "CIMType": "String", - "Name": "IsSingleInstance", - "Option": "Key" }, { "CIMType": "String[]", - "Name": "GatewayIPAddresses", + "Name": "SentToMemberOf", "Option": "Write" }, { 
@@ -15525,191 +16951,196 @@ ] }, { - "ClassName": "MSFT_EXOPhishSimOverrideRule", + "ClassName": "MSFT_EXOManagementRole", "Parameters": [ { - "CIMType": "MSFT_Credential", - "Name": "Credential", - "Option": "Write" + "CIMType": "String", + "Name": "Name", + "Option": "Key" }, { "CIMType": "String", - "Name": "ApplicationId", - "Option": "Write" + "Name": "Parent", + "Option": "Key" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "Identity", - "Option": "Key" + "Name": "TenantId", + "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Domains", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SenderIpRanges", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { "CIMType": "String", - "Name": "Comment", + "Name": "CertificatePath", "Option": "Write" }, { - "CIMType": "String", - "Name": "Policy", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" } ] }, { - "ClassName": "MSFT_EXOPlace", + "ClassName": "MSFT_EXOManagementRoleAssignment", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "Name", "Option": "Key" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Write" + "Name": "Role", + "Option": "Key" }, { "CIMType": "String", - "Name": "AudioDeviceName", + "Name": "App", "Option": "Write" }, { "CIMType": "String", - "Name": "Building", - "Option": "Write" - }, - { 
- "CIMType": "UInt32", - "Name": "Capacity", + "Name": "Policy", "Option": "Write" }, { "CIMType": "String", - "Name": "City", + "Name": "SecurityGroup", "Option": "Write" }, { "CIMType": "String", - "Name": "CountryOrRegion", + "Name": "User", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Desks", + "CIMType": "String", + "Name": "CustomRecipientWriteScope", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayDeviceName", + "Name": "CustomResourceScope", "Option": "Write" }, { "CIMType": "String", - "Name": "Floor", + "Name": "ExclusiveRecipientWriteScope", "Option": "Write" }, { "CIMType": "String", - "Name": "FloorLabel", + "Name": "RecipientAdministrativeUnitScope", "Option": "Write" }, { "CIMType": "String", - "Name": "GeoCoordinates", + "Name": "RecipientOrganizationalUnitScope", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IsWheelChairAccessible", + "CIMType": "String", + "Name": "RecipientRelativeWriteScope", "Option": "Write" }, { "CIMType": "String", - "Name": "Label", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MTREnabled", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "ParentId", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "ParentType", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "Phone", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "PostalCode", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { "CIMType": "String", - "Name": "State", + "Name": "CertificatePath", "Option": "Write" }, { - "CIMType": "String", - "Name": "Street", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "Tags", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXOManagementRoleEntry", + "Parameters": [ { 
"CIMType": "String", - "Name": "VideoDeviceName", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "Parameters", "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "Type", "Option": "Write" }, { @@ -15755,51 +17186,56 @@ ] }, { - "ClassName": "MSFT_EXOPolicyTipConfig", + "ClassName": "MSFT_EXOManagementScope", "Parameters": [ { "CIMType": "String", - "Name": "Name", + "Name": "Identity", "Option": "Key" }, { "CIMType": "String", - "Name": "Value", + "Name": "Name", "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "RecipientRestrictionFilter", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "RecipientRoot", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "Exclusive", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "CertificateThumbprint", "Option": "Write" }, { @@ -15815,7 +17251,7 @@ ] }, { - "ClassName": "MSFT_EXOQuarantinePolicy", + "ClassName": "MSFT_EXOMessageClassification", "Parameters": [ { "CIMType": "String", 
@@ -15823,33 +17259,43 @@ "Option": "Key" }, { - "CIMType": "UInt32", - "Name": "EndUserQuarantinePermissionsValue", + "CIMType": "String", + "Name": "ClassificationID", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ESNEnabled", + "CIMType": "String", + "Name": "DisplayName", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "MultiLanguageCustomDisclaimer", + "CIMType": "String", + "Name": "DisplayPrecedence", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "MultiLanguageSenderName", + "CIMType": "String", + "Name": "Name", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "MultiLanguageSetting", + "CIMType": "Boolean", + "Name": "PermissionMenuVisible", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RecipientDescription", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "OrganizationBrandingEnabled", + "Name": "RetainClassificationEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SenderDescription", "Option": "Write" }, { 
@@ -15892,94 +17338,129 @@ "Name": "ManagedIdentity", "Option": "Write" }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOMigrationEndpoint", + "Parameters": [ { "CIMType": "String", - "Name": "EndUserSpamNotificationFrequency", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "AcceptUntrustedCertificates", "Option": "Write" }, { "CIMType": "String", - "Name": "QuarantinePolicyType", + "Name": "AppID", "Option": "Write" }, { "CIMType": "String", - "Name": "EndUserSpamNotificationFrequencyInDays", + "Name": "AppSecretKeyVaultUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "CustomDisclaimer", + "Name": "Authentication", "Option": "Write" }, { "CIMType": "String", - "Name": "EndUserSpamNotificationCustomFromAddress", + "Name": "EndpointType", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EsnCustomSubject", + "CIMType": "String", + "Name": "ExchangeServer", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "MailboxPermission", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXORecipientPermission", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Identity", - "Option": "Key" + "Name": "MaxConcurrentIncrementalSyncs", + "Option": "Write" }, { "CIMType": "String", - "Name": "Trustee", - "Option": "Key" + "Name": "MaxConcurrentMigrations", + "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessRights", + "CIMType": "String", + "Name": "NspiServer", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "Port", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "RemoteServer", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "RemoteTenant", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": 
"RpcProxyServer", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "Security", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SourceMailboxLegacyDN", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "UseAutoDiscover", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", "Option": "Write" }, { "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { 
@@ -15995,296 +17476,281 @@ ] }, { - "ClassName": "MSFT_EXORemoteDomain", + "ClassName": "MSFT_EXOMobileDeviceMailboxPolicy", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "Name", "Option": "Key" }, { - "CIMType": "String", - "Name": "DomainName", + "CIMType": "Boolean", + "Name": "AllowApplePushNotifications", "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "AllowBluetooth", "Option": "Write" }, { - "CIMType": "String", - "Name": "AllowedOOFType", + "CIMType": "Boolean", + "Name": "AllowBrowser", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AutoForwardEnabled", + "Name": "AllowCamera", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AutoReplyEnabled", + "Name": "AllowConsumerEmail", "Option": "Write" }, { - "CIMType": "String", - "Name": "ByteEncoderTypeFor7BitCharsets", + "CIMType": "Boolean", + "Name": "AllowDesktopSync", "Option": "Write" }, { - "CIMType": "String", - "Name": "CharacterSet", + "CIMType": "Boolean", + "Name": "AllowExternalDeviceManagement", "Option": "Write" }, { - "CIMType": "String", - "Name": "ContentType", + "CIMType": "Boolean", + "Name": "AllowGooglePushNotifications", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DeliveryReportEnabled", + "Name": "AllowHTMLEmail", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DisplaySenderName", + "Name": "AllowInternetSharing", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsInternal", + "Name": "AllowIrDA", "Option": "Write" }, { - "CIMType": "string", - "Name": "LineWrapSize", + "CIMType": "Boolean", + "Name": "AllowMobileOTAUpdate", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "MeetingForwardNotificationEnabled", + "Name": "AllowMicrosoftPushNotifications", "Option": "Write" }, { - "CIMType": "String", - "Name": "Name", + "CIMType": "Boolean", + "Name": "AllowNonProvisionableDevices", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "NDREnabled", + "Name": "AllowPOPIMAPEmail", "Option": 
"Write" }, { - "CIMType": "String", - "Name": "NonMimeCharacterSet", + "CIMType": "Boolean", + "Name": "AllowRemoteDesktop", "Option": "Write" }, { - "CIMType": "String", - "Name": "PreferredInternetCodePageForShiftJis", + "CIMType": "Boolean", + "Name": "AllowSimplePassword", "Option": "Write" }, { - "CIMType": "sint32", - "Name": "RequiredCharsetCoverage", + "CIMType": "String", + "Name": "AllowSMIMEEncryptionAlgorithmNegotiation", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "TargetDeliveryDomain", + "Name": "AllowSMIMESoftCerts", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "TNEFEnabled", + "Name": "AllowStorageCard", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "TrustedMailInboundEnabled", + "Name": "AllowTextMessaging", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "TrustedMailOutboundEnabled", + "Name": "AllowUnsignedApplications", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "UseSimpleDisplayName", + "Name": "AllowUnsignedInstallationPackages", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "AllowWiFi", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "AlphanumericPasswordRequired", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "String[]", + "Name": "ApprovedApplicationList", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "AttachmentsEnabled", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "Boolean", + "Name": "DeviceEncryptionEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "DevicePolicyRefreshInterval", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AccessTokens", + "Name": "IrmEnabled", "Option": 
"Write" - } - ] - }, - { - "ClassName": "MSFT_EXOReportSubmissionPolicy", - "Parameters": [ - { - "CIMType": "String", - "Name": "IsSingleInstance", - "Option": "Key" }, { "CIMType": "Boolean", - "Name": "DisableQuarantineReportingOption", + "Name": "IsDefault", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableCustomNotificationSender", + "CIMType": "String", + "Name": "MaxAttachmentSize", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableOrganizationBranding", + "CIMType": "String", + "Name": "MaxCalendarAgeFilter", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableReportToMicrosoft", + "CIMType": "String", + "Name": "MaxEmailAgeFilter", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableThirdPartyAddress", + "CIMType": "String", + "Name": "MaxEmailBodyTruncationSize", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableUserEmailNotification", + "CIMType": "String", + "Name": "MaxEmailHTMLBodyTruncationSize", "Option": "Write" }, { "CIMType": "String", - "Name": "JunkReviewResultMessage", + "Name": "MaxInactivityTimeLock", "Option": "Write" }, { "CIMType": "String", - "Name": "NotJunkReviewResultMessage", + "Name": "MaxPasswordFailedAttempts", "Option": "Write" }, { "CIMType": "String", - "Name": "NotificationFooterMessage", + "Name": "MinPasswordComplexCharacters", "Option": "Write" }, { "CIMType": "String", - "Name": "NotificationSenderAddress", + "Name": "MinPasswordLength", "Option": "Write" }, { - "CIMType": "String", - "Name": "PhishingReviewResultMessage", + "CIMType": "Boolean", + "Name": "PasswordEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "PostSubmitMessage", + "Name": "PasswordExpiration", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PostSubmitMessageEnabled", + "CIMType": "String", + "Name": "PasswordHistory", "Option": "Write" }, { - "CIMType": "String", - "Name": "PostSubmitMessageTitle", + "CIMType": "Boolean", + "Name": "PasswordRecoveryEnabled", 
"Option": "Write" }, { - "CIMType": "String", - "Name": "PreSubmitMessage", + "CIMType": "Boolean", + "Name": "RequireDeviceEncryption", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PreSubmitMessageEnabled", + "Name": "RequireEncryptedSMIMEMessages", "Option": "Write" }, { "CIMType": "String", - "Name": "PreSubmitMessageTitle", + "Name": "RequireEncryptionSMIMEAlgorithm", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ReportJunkAddresses", + "CIMType": "Boolean", + "Name": "RequireManualSyncWhenRoaming", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ReportJunkToCustomizedAddress", + "CIMType": "String", + "Name": "RequireSignedSMIMEAlgorithm", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ReportNotJunkAddresses", + "CIMType": "Boolean", + "Name": "RequireSignedSMIMEMessages", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ReportNotJunkToCustomizedAddress", + "Name": "RequireStorageCardEncryption", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ReportPhishAddresses", + "Name": "UnapprovedInROMApplicationList", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ReportPhishToCustomizedAddress", + "Name": "UNCAccessEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ThirdPartyReportAddresses", + "CIMType": "Boolean", + "Name": "WSSAccessEnabled", "Option": "Write" }, { 
@@ -16335,26 +17801,31 @@ ] }, { - "ClassName": "MSFT_EXOReportSubmissionRule", + "ClassName": "MSFT_EXOOfflineAddressBook", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", + "Name": "Name", "Option": "Key" }, { - "CIMType": "String", - "Name": "Identity", + "CIMType": "String[]", + "Name": "AddressLists", "Option": "Write" }, { - "CIMType": "String", - "Name": "Comments", + "CIMType": "String[]", + "Name": "ConfiguredAttributes", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SentTo", + "CIMType": "String", + "Name": "DiffRetentionPeriod", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsDefault", "Option": "Write" }, { 
@@ -16405,96 +17876,61 @@ ] }, { - "ClassName": "MSFT_EXOResourceConfiguration", + "ClassName": "MSFT_EXOOMEConfiguration", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", + "Name": "Identity", "Option": "Key" }, - { - "CIMType": "String[]", - "Name": "ResourcePropertySchema", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "Ensure", - "Option": "Write" - }, - { - "CIMType": "MSFT_Credential", - "Name": "Credential", - "Option": "Write" - }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "BackgroundColor", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "DisclaimerText", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "EmailText", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "UInt32", + "Name": "ExternalMailExpiryInDays", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "IntroductionText", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "OTPEnabled", "Option": "Write" }, - { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXORetentionPolicy", - "Parameters": [ { "CIMType": "String", - "Name": "Identity", - "Option": "Key" - }, - { - "CIMType": "Boolean", - "Name": "IsDefault", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "IsDefaultArbitrationMailbox", + "Name": "PortalText", "Option": "Write" }, { "CIMType": "String", - "Name": "Name", + "Name": "PrivacyStatementUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "RetentionId", + "Name": "ReadButtonText", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RetentionPolicyTagLinks", + "CIMType": "Boolean", + "Name": "SocialIdSignIn", "Option": "Write" }, { 
@@ -16522,6 +17958,16 @@ "Name": "CertificateThumbprint", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, { "CIMType": "Boolean", "Name": "ManagedIdentity", @@ -16535,26 +17981,46 @@ ] }, { - "ClassName": "MSFT_EXORoleAssignmentPolicy", + "ClassName": "MSFT_EXOOnPremisesOrganization", "Parameters": [ { "CIMType": "String", - "Name": "Name", + "Name": "Identity", "Option": "Key" }, + { + "CIMType": "String[]", + "Name": "HybridDomains", + "Option": "Write" + }, { "CIMType": "String", - "Name": "Description", + "Name": "InboundConnector", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IsDefault", + "CIMType": "String", + "Name": "OutboundConnector", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Roles", + "CIMType": "String", + "Name": "OrganizationName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OrganizationGuid", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OrganizationRelationship", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Comment", "Option": "Write" }, { 
@@ -16605,586 +18071,541 @@ ] }, { - "ClassName": "MSFT_EXORoleGroup", + "ClassName": "MSFT_EXOOrganizationConfig", "Parameters": [ { "CIMType": "String", - "Name": "Name", + "Name": "IsSingleInstance", "Option": "Key" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "ActivityBasedAuthenticationTimeoutEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Members", + "CIMType": "String", + "Name": "ActivityBasedAuthenticationTimeoutInterval", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Roles", + "CIMType": "Boolean", + "Name": "ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "AppsForOfficeEnabled", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "AsyncSendEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "AuditDisabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "AutodiscoverPartialDirSync", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "AutoExpandingArchive", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "Boolean", + "Name": "BlockMoveMessagesForGroupFolders", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificatePath", + "CIMType": "Boolean", + "Name": "BookingsAddressEntryRestricted", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "BookingsAuthEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "BookingsBlockedWordsEnabled", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOSafeAttachmentPolicy", - "Parameters": [ + }, { - "CIMType": "String", - "Name": 
"Identity", - "Option": "Key" + "CIMType": "Boolean", + "Name": "BookingsCreationOfCustomQuestionsRestricted", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Action", + "CIMType": "Boolean", + "Name": "BookingsEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ActionOnError", + "Name": "BookingsExposureOfStaffDetailsRestricted", "Option": "Write" }, { - "CIMType": "String", - "Name": "AdminDisplayName", + "CIMType": "Boolean", + "Name": "BookingsMembershipApprovalRequired", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "Enable", + "Name": "BookingsNamingPolicyEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "QuarantineTag", + "Name": "BookingsNamingPolicyPrefix", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "Redirect", + "Name": "BookingsNamingPolicyPrefixEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "RedirectAddress", + "Name": "BookingsNamingPolicySuffix", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "BookingsNamingPolicySuffixEnabled", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "BookingsNotesEntryRestricted", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "BookingsPaymentsEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "BookingsPhoneNumberEntryRestricted", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "BookingsSearchEngineIndexDisabled", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "Boolean", + "Name": "BookingsSmsMicrosoftEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificatePath", + "CIMType": "Boolean", + "Name": "BookingsSocialSharingRestricted", "Option": "Write" }, { - "CIMType": 
"Boolean", - "Name": "ManagedIdentity", + "CIMType": "UInt32", + "Name": "ByteEncoderTypeFor7BitCharsets", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "ComplianceMLBgdCrawlEnabled", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOSafeAttachmentRule", - "Parameters": [ - { - "CIMType": "String", - "Name": "Identity", - "Option": "Key" }, { - "CIMType": "String", - "Name": "SafeAttachmentPolicy", - "Option": "Required" + "CIMType": "Boolean", + "Name": "ConnectorsActionableMessagesEnabled", + "Option": "Write" }, { "CIMType": "Boolean", - "Name": "Enabled", + "Name": "ConnectorsEnabled", "Option": "Write" }, { - "CIMType": "uint32", - "Name": "Priority", + "CIMType": "Boolean", + "Name": "ConnectorsEnabledForOutlook", "Option": "Write" }, { - "CIMType": "String", - "Name": "Comments", + "CIMType": "Boolean", + "Name": "ConnectorsEnabledForSharepoint", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfRecipientDomainIs", + "CIMType": "Boolean", + "Name": "ConnectorsEnabledForTeams", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentTo", + "CIMType": "Boolean", + "Name": "ConnectorsEnabledForYammer", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentToMemberOf", + "CIMType": "Boolean", + "Name": "CustomerLockboxEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RecipientDomainIs", + "CIMType": "String", + "Name": "DefaultAuthenticationPolicy", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SentTo", + "CIMType": "String", + "Name": "DefaultGroupAccessType", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SentToMemberOf", + "CIMType": "UInt32", + "Name": "DefaultMinutesToReduceLongEventsBy", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "UInt32", + "Name": "DefaultMinutesToReduceShortEventsBy", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": 
"Credential", + "CIMType": "String", + "Name": "DefaultPublicFolderAgeLimit", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "DefaultPublicFolderDeletedItemRetention", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "DefaultPublicFolderIssueWarningQuota", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "DefaultPublicFolderMaxItemSize", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "String", + "Name": "DefaultPublicFolderMovedItemRetention", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "DefaultPublicFolderProhibitPostQuota", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "DirectReportsGroupAutoCreationEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "DisablePlusAddressInRecipients", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOSafeLinksPolicy", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Identity", - "Option": "Key" + "Name": "DistributionGroupDefaultOU", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "String[]", + "Name": "DistributionGroupNameBlockedWordsList", "Option": "Write" }, { "CIMType": "String", - "Name": "AdminDisplayName", + "Name": "DistributionGroupNamingPolicy", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowClickThrough", + "Name": "ElcProcessingDisabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomNotificationText", + "CIMType": "Boolean", + "Name": "EnableOutlookEvents", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DeliverMessageAfterScan", + "Name": "EndUserDLUpgradeFlowsDisabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EwsAllowEntourage", "Option": "Write" }, { "CIMType": "String[]", - "Name": "DoNotRewriteUrls", + 
"Name": "EwsAllowList", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnableForInternalSenders", + "Name": "EwsAllowMacOutlook", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnableOrganizationBranding", + "Name": "EwsAllowOutlook", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableSafeLinksForOffice", + "CIMType": "String", + "Name": "EwsApplicationAccessPolicy", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableSafeLinksForTeams", + "CIMType": "String[]", + "Name": "EwsBlockList", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnableSafeLinksForEmail", + "Name": "EwsEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DisableUrlRewrite", + "Name": "ExchangeNotificationEnabled", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ScanUrls", + "CIMType": "String[]", + "Name": "ExchangeNotificationRecipients", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "TrackClicks", + "Name": "FindTimeAttendeeAuthenticationEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "UseTranslatedNotificationText", + "Name": "FindTimeAutoScheduleDisabled", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "FindTimeLockPollForAttendeesEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "FindTimeOnlineMeetingOptionDisabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "FocusedInboxOn", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "HierarchicalAddressBookRoot", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "String[]", + "Name": "IPListBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificatePath", + "CIMType": "Boolean", + "Name": "IsGroupFoldersAndRulesEnabled", "Option": "Write" }, { 
"CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "IsGroupMemberAllowedToEditContent", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "LeanPopoutEnabled", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOSafeLinksRule", - "Parameters": [ - { - "CIMType": "String", - "Name": "Identity", - "Option": "Key" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "LinkPreviewEnabled", "Option": "Write" }, - { - "CIMType": "String", - "Name": "SafeLinksPolicy", - "Option": "Required" - }, { "CIMType": "Boolean", - "Name": "Enabled", + "Name": "MailTipsAllTipsEnabled", "Option": "Write" }, { - "CIMType": "uint32", - "Name": "Priority", + "CIMType": "Boolean", + "Name": "MailTipsExternalRecipientsTipsEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "Comments", + "CIMType": "Boolean", + "Name": "MailTipsGroupMetricsEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfRecipientDomainIs", + "CIMType": "UInt32", + "Name": "MailTipsLargeAudienceThreshold", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentTo", + "CIMType": "Boolean", + "Name": "MailTipsMailboxSourcedTipsEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentToMemberOf", + "CIMType": "Boolean", + "Name": "MaskClientIpInReceivedHeadersEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RecipientDomainIs", + "CIMType": "Boolean", + "Name": "MatchSenderOrganizerProperties", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SentTo", + "CIMType": "Boolean", + "Name": "MessageHighlightsEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SentToMemberOf", + "CIMType": "Boolean", + "Name": "MessageRecallEnabled", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "MessageRemindersEnabled", "Option": "Write" }, { - "CIMType": 
"String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "MobileAppEducationEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "OAuth2ClientProfileEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "OnlineMeetingsByDefaultEnabled", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "Boolean", + "Name": "OutlookGifPickerDisabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificatePath", + "CIMType": "Boolean", + "Name": "OutlookMobileGCCRestrictionsEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "OutlookPayEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "OutlookTextPredictionDisabled", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOSecOpsOverrideRule", - "Parameters": [ + }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "PublicComputersDetectionEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "PublicFoldersEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "PublicFolderShowClientControl", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "ReadTrackingEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "RecallReadMessagesEnabled", "Option": "Write" }, { "CIMType": "String[]", - "Name": "AccessTokens", + "Name": "RemotePublicFolderMailboxes", "Option": "Write" }, { - "CIMType": "String", - "Name": "Identity", - "Option": "Key" + "CIMType": "Boolean", + "Name": "SendFromAliasEnabled", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Comment", + "CIMType": "Boolean", + 
"Name": "SharedDomainEmailAddressFlowEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "Policy", + "Name": "ShortenEventScopeDefault", "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "SiteMailboxCreationURL", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOSharedMailbox", - "Parameters": [ - { - "CIMType": "string", - "Name": "DisplayName", - "Option": "Key" }, { - "CIMType": "string", - "Name": "Identity", + "CIMType": "Boolean", + "Name": "SmtpActionableMessagesEnabled", "Option": "Write" }, { - "CIMType": "string", - "Name": "PrimarySMTPAddress", + "CIMType": "String", + "Name": "VisibleMeetingUpdateProperties", "Option": "Write" }, { - "CIMType": "string", - "Name": "Alias", + "CIMType": "Boolean", + "Name": "WebPushNotificationsDisabled", "Option": "Write" }, { - "CIMType": "string[]", - "Name": "EmailAddresses", + "CIMType": "Boolean", + "Name": "WebSuggestedRepliesDisabled", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "WorkspaceTenantEnabled", "Option": "Write" }, { @@ -17230,7 +18651,7 @@ ] }, { - "ClassName": "MSFT_EXOSharingPolicy", + "ClassName": "MSFT_EXOOrganizationRelationship", "Parameters": [ { "CIMType": "String", 
@@ -17239,117 +18660,102 @@ }, { "CIMType": "Boolean", - "Name": "Default", + "Name": "ArchiveAccessEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "Enabled", + "Name": "DeliveryReportEnabled", "Option": "Write" }, { "CIMType": "String[]", - "Name": "Domains", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "Ensure", + "Name": "DomainNames", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "Enabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "FreeBusyAccessEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "FreeBusyAccessLevel", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "FreeBusyAccessScope", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + "CIMType": "Boolean", + "Name": "MailboxMoveEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificatePath", + "Name": "MailboxMoveCapability", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String[]", + "Name": "MailboxMovePublishedScopes", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "MailTipsAccessEnabled", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOSweepRule", - "Parameters": [ - { - "CIMType": "String", - "Name": "Name", - "Option": "Key" }, { "CIMType": "String", - "Name": "Provider", + "Name": "MailTipsAccessLevel", "Option": "Write" }, { "CIMType": "String", - "Name": "DestinationFolder", + "Name": "MailTipsAccessScope", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Enabled", + "CIMType": "String", + "Name": "OauthApplicationId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "KeepForDays", + "CIMType": "String", + "Name": "OrganizationContact", "Option": "Write" }, { - "CIMType": 
"UInt32", - "Name": "KeepLatest", + "CIMType": "Boolean", + "Name": "PhotosEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "Mailbox", + "Name": "TargetApplicationUri", "Option": "Write" }, { "CIMType": "String", - "Name": "SenderName", + "Name": "TargetAutodiscoverEpr", "Option": "Write" }, { "CIMType": "String", - "Name": "SourceFolder", + "Name": "TargetOwaURL", "Option": "Write" }, { "CIMType": "String", - "Name": "SystemCategory", + "Name": "TargetSharingEpr", "Option": "Write" }, { @@ -17377,6 +18783,16 @@ "Name": "CertificateThumbprint", "Option": "Write" }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, { "CIMType": "Boolean", "Name": "ManagedIdentity", 
@@ -17390,1105 +18806,1190 @@ ] }, { - "ClassName": "MSFT_EXOTenantAllowBlockListItems", + "ClassName": "MSFT_EXOOutboundConnector", "Parameters": [ { "CIMType": "String", - "Name": "Action", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "Value", + "Name": "Identity", "Option": "Key" }, { - "CIMType": "DateTime", - "Name": "ExpirationDate", + "CIMType": "Boolean", + "Name": "Enabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "ListSubType", + "CIMType": "Boolean", + "Name": "UseMXRecord", "Option": "Write" }, { "CIMType": "String", - "Name": "ListType", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "Notes", + "Name": "Comment", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "RemoveAfter", + "CIMType": "String", + "Name": "ConnectorSource", "Option": "Write" }, { "CIMType": "String", - "Name": "SubmissionID", + "Name": "ConnectorType", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String[]", + "Name": "RecipientDomains", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String[]", + "Name": "SmartHosts", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "TlsDomain", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "TlsSettings", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "IsTransportRuleScoped", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "RouteAllMessagesViaOnPremises", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOTransportConfig", - "Parameters": [ - { - "CIMType": "String", - "Name": "IsSingleInstance", - "Option": "Key" }, { "CIMType": "Boolean", - "Name": "AddressBookPolicyRoutingEnabled", + "Name": "CloudServicesMailEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowLegacyTLSClients", + "Name": 
"AllAcceptedDomains", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ClearCategories", + "Name": "SenderRewritingEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ConvertDisclaimerWrapperToEml", + "Name": "TestMode", "Option": "Write" }, { - "CIMType": "String", - "Name": "DSNConversionMode", + "CIMType": "String[]", + "Name": "ValidationRecipients", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ExternalDelayDsnEnabled", + "CIMType": "String", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "ExternalDsnDefaultLanguage", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ExternalDsnLanguageDetectionEnabled", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "ExternalDsnReportingAuthority", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ExternalDsnSendHtml", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "ExternalPostmasterAddress", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { "CIMType": "String", - "Name": "HeaderPromotionModeSetting", + "Name": "CertificatePath", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "InternalDelayDsnEnabled", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "InternalDsnDefaultLanguage", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOOwaMailboxPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" }, { "CIMType": "Boolean", - "Name": "InternalDsnLanguageDetectionEnabled", + "Name": "AccountTransferEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "InternalDsnReportingAuthority", + "Name": "ActionForUnknownFileAndMIMETypes", "Option": "Write" }, { "CIMType": "Boolean", 
- "Name": "InternalDsnSendHtml", + "Name": "ActiveSyncIntegrationEnabled", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "JournalMessageExpirationDays", + "CIMType": "Boolean", + "Name": "AdditionalAccountsEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "JournalingReportNdrTo", + "CIMType": "Boolean", + "Name": "AdditionalStorageProvidersAvailable", "Option": "Write" }, { - "CIMType": "String", - "Name": "MaxRecipientEnvelopeLimit", + "CIMType": "Boolean", + "Name": "AllAddressListsEnabled", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "ReplyAllStormBlockDurationHours", + "CIMType": "Boolean", + "Name": "AllowCopyContactsToDeviceAddressBook", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "ReplyAllStormDetectionMinimumRecipients", + "CIMType": "String[]", + "Name": "AllowedFileTypes", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "ReplyAllStormDetectionMinimumReplies", + "CIMType": "String[]", + "Name": "AllowedMimeTypes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ReplyAllStormProtectionEnabled", + "CIMType": "String[]", + "Name": "BlockedFileTypes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Rfc2231EncodingEnabled", + "CIMType": "String[]", + "Name": "BlockedMimeTypes", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SmtpClientAuthenticationDisabled", + "Name": "BookingsMailboxCreationEnabled", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "ChangeSettingsAccountEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "ClassicAttachmentsEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "ConditionalAccessPolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "DefaultTheme", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "CertificatePassword", + 
"CIMType": "Boolean", + "Name": "DirectFileAccessOnPrivateComputersEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificatePath", + "CIMType": "Boolean", + "Name": "DirectFileAccessOnPublicComputersEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "DisableFacebook", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "DisplayPhotosEnabled", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_EXOTransportRule", - "Parameters": [ - { - "CIMType": "String", - "Name": "Name", - "Option": "Key" }, { - "CIMType": "String", - "Name": "ADComparisonAttribute", + "CIMType": "Boolean", + "Name": "ExplicitLogonEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "ADComparisonOperator", + "CIMType": "Boolean", + "Name": "ExternalImageProxyEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "ActivationDate", + "Name": "ExternalSPMySiteHostURL", "Option": "Write" }, { - "CIMType": "String", - "Name": "AddManagerAsRecipientType", + "CIMType": "Boolean", + "Name": "FeedbackEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AddToRecipients", + "CIMType": "Boolean", + "Name": "ForceSaveAttachmentFilteringEnabled", "Option": "Write" }, { "CIMType": "String[]", - "Name": "AnyOfCcHeader", + "Name": "ForceSaveFileTypes", "Option": "Write" }, { "CIMType": "String[]", - "Name": "AnyOfCcHeaderMemberOf", + "Name": "ForceSaveMimeTypes", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AnyOfRecipientAddressContainsWords", + "CIMType": "Boolean", + "Name": "ForceWacViewingFirstOnPrivateComputers", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AnyOfRecipientAddressMatchesPatterns", + "CIMType": "Boolean", + "Name": "ForceWacViewingFirstOnPublicComputers", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AnyOfToCcHeader", + "CIMType": "Boolean", + "Name": "FreCardsEnabled", "Option": "Write" }, { - 
"CIMType": "String[]", - "Name": "AnyOfToCcHeaderMemberOf", + "CIMType": "Boolean", + "Name": "GlobalAddressListEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AnyOfToHeader", + "CIMType": "Boolean", + "Name": "GroupCreationEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AnyOfToHeaderMemberOf", + "CIMType": "Boolean", + "Name": "InstantMessagingEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplyClassification", + "Name": "InstantMessagingType", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplyHtmlDisclaimerFallbackAction", + "CIMType": "Boolean", + "Name": "InterestingCalendarsEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplyHtmlDisclaimerLocation", + "Name": "InternalSPMySiteHostURL", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplyHtmlDisclaimerText", + "CIMType": "Boolean", + "Name": "IRMEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ApplyOME", + "Name": "ItemsToOtherAccountsEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplyRightsProtectionCustomizationTemplate", + "CIMType": "Boolean", + "Name": "IsDefault", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplyRightsProtectionTemplate", + "CIMType": "Boolean", + "Name": "JournalEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AttachmentContainsWords", + "CIMType": "Boolean", + "Name": "LocalEventsEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AttachmentExtensionMatchesWords", + "CIMType": "SInt32", + "Name": "LogonAndErrorLanguage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AttachmentHasExecutableContent", + "Name": "MessagePreviewsDisabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AttachmentIsPasswordProtected", + "Name": "NotesEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AttachmentIsUnsupported", + "Name": "NpsSurveysEnabled", "Option": "Write" }, { - "CIMType": 
"String[]", - "Name": "AttachmentMatchesPatterns", + "CIMType": "Boolean", + "Name": "OneWinNativeOutlookEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AttachmentNameMatchesPatterns", + "CIMType": "Boolean", + "Name": "OrganizationEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AttachmentProcessingLimitExceeded", + "Name": "OnSendAddinsEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AttachmentPropertyContainsWords", + "CIMType": "String", + "Name": "OutboundCharset", "Option": "Write" }, { - "CIMType": "String", - "Name": "AttachmentSizeOver", + "CIMType": "Boolean", + "Name": "OutlookBetaToggleEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BetweenMemberOf1", + "CIMType": "Boolean", + "Name": "OWALightEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BetweenMemberOf2", + "CIMType": "Boolean", + "Name": "PersonalAccountsEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlindCopyTo", + "CIMType": "Boolean", + "Name": "PersonalAccountCalendarsEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "Comments", + "CIMType": "Boolean", + "Name": "PhoneticSupportEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ContentCharacterSetContainsWords", + "CIMType": "Boolean", + "Name": "PlacesEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "CopyTo", + "CIMType": "Boolean", + "Name": "PremiumClientEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DeleteMessage", + "Name": "PrintWithoutDownloadEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "DlpPolicy", + "CIMType": "Boolean", + "Name": "ProjectMocaEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "Enabled", + "Name": "PublicFoldersEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "ExceptIfADComparisonAttribute", + "CIMType": "Boolean", + "Name": "RecoverDeletedItemsEnabled", "Option": "Write" }, { - 
"CIMType": "String", - "Name": "ExceptIfADComparisonOperator", + "CIMType": "Boolean", + "Name": "ReferenceAttachmentsEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfAnyOfCcHeader", + "CIMType": "Boolean", + "Name": "RemindersAndNotificationsEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfAnyOfCcHeaderMemberOf", + "CIMType": "Boolean", + "Name": "ReportJunkEmailEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfAnyOfRecipientAddressContainsWords", + "CIMType": "Boolean", + "Name": "RulesEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfAnyOfRecipientAddressMatchesPatterns", + "CIMType": "Boolean", + "Name": "SatisfactionEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfAnyOfToCcHeader", + "CIMType": "Boolean", + "Name": "SaveAttachmentsToCloudEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfAnyOfToCcHeaderMemberOf", + "CIMType": "Boolean", + "Name": "SearchFoldersEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfAnyOfToHeader", + "CIMType": "Boolean", + "Name": "SetPhotoEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfAnyOfToHeaderMemberOf", + "CIMType": "String", + "Name": "SetPhotoURL", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfAttachmentContainsWords", + "CIMType": "Boolean", + "Name": "ShowOnlineArchiveEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfAttachmentExtensionMatchesWords", + "CIMType": "Boolean", + "Name": "SignaturesEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ExceptIfAttachmentHasExecutableContent", + "Name": "SkipCreateUnifiedGroupCustomSharepointClassification", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ExceptIfAttachmentIsPasswordProtected", + "Name": "TeamSnapCalendarsEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": 
"ExceptIfAttachmentIsUnsupported", + "Name": "TextMessagingEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfAttachmentMatchesPatterns", + "CIMType": "Boolean", + "Name": "ThemeSelectionEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfAttachmentNameMatchesPatterns", + "CIMType": "Boolean", + "Name": "UMIntegrationEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfAttachmentPropertyContainsWords", + "CIMType": "Boolean", + "Name": "UseGB18030", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ExceptIfAttachmentProcessingLimitExceeded", + "Name": "UseISO885915", "Option": "Write" }, { - "CIMType": "String", - "Name": "ExceptIfAttachmentSizeOver", + "CIMType": "Boolean", + "Name": "UserVoiceEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfBetweenMemberOf1", + "CIMType": "Boolean", + "Name": "WacEditingEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfBetweenMemberOf2", + "CIMType": "Boolean", + "Name": "WacExternalServicesEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfContentCharacterSetContainsWords", + "CIMType": "Boolean", + "Name": "WacOMEXEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfFrom", + "CIMType": "Boolean", + "Name": "WacViewingOnPrivateComputersEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfFromAddressContainsWords", + "CIMType": "Boolean", + "Name": "WacViewingOnPublicComputersEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfFromAddressMatchesPatterns", + "CIMType": "Boolean", + "Name": "WeatherEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfFromMemberOf", + "CIMType": "String", + "Name": "WebPartsFrameOptionsType", "Option": "Write" }, { "CIMType": "String", - "Name": "ExceptIfFromScope", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": 
"ExceptIfHasClassification", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ExceptIfHasNoClassification", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ExceptIfHasSenderOverride", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "ExceptIfHeaderContainsMessageHeader", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfHeaderContainsWords", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { "CIMType": "String", - "Name": "ExceptIfHeaderMatchesMessageHeader", + "Name": "CertificatePath", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfHeaderMatchesPatterns", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ExceptIfManagerAddresses", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOPartnerApplication", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" }, { "CIMType": "String", - "Name": "ExceptIfManagerForEvaluatedUser", + "Name": "ApplicationIdentifier", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AcceptSecurityIdentifierInformation", "Option": "Write" }, { "CIMType": "String", - "Name": "ExceptIfMessageTypeMatches", + "Name": "AccountType", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfMessageContainsDataClassifications", + "CIMType": "Boolean", + "Name": "Enabled", "Option": "Write" }, { "CIMType": "String", - "Name": "ExceptIfMessageSizeOver", + "Name": "LinkedAccount", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfRecipientADAttributeContainsWords", + "CIMType": "String", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfRecipientADAttributeMatchesPatterns", + 
"CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfRecipientAddressContainsWords", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfRecipientAddressMatchesPatterns", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfRecipientDomainIs", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfRecipientInSenderList", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { "CIMType": "String", - "Name": "ExceptIfSCLOver", + "Name": "CertificatePath", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSenderADAttributeContainsWords", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ExceptIfSenderADAttributeMatchesPatterns", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOPerimeterConfiguration", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" }, { "CIMType": "String[]", - "Name": "ExceptIfSenderDomainIs", + "Name": "GatewayIPAddresses", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSenderInRecipientList", + "CIMType": "String", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSenderIpRanges", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "ExceptIfSenderManagementRelationship", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentTo", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSentToMemberOf", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": 
"String", - "Name": "ExceptIfSentToScope", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSubjectContainsWords", + "CIMType": "String", + "Name": "CertificatePath", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSubjectMatchesPatterns", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ExceptIfSubjectOrBodyContainsWords", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOPhishSimOverrideRule", + "Parameters": [ + { + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExceptIfSubjectOrBodyMatchesPatterns", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "ExceptIfWithImportance", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "ExpiryDate", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "From", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "FromAddressContainsWords", + "Name": "AccessTokens", "Option": "Write" }, + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, { "CIMType": "String[]", - "Name": "FromAddressMatchesPatterns", + "Name": "Domains", "Option": "Write" }, { "CIMType": "String[]", - "Name": "FromMemberOf", + "Name": "SenderIpRanges", "Option": "Write" }, { "CIMType": "String", - "Name": "FromScope", + "Name": "Comment", "Option": "Write" }, { "CIMType": "String", - "Name": "GenerateIncidentReport", + "Name": "Policy", "Option": "Write" }, { "CIMType": "String", - "Name": "GenerateNotification", + "Name": "Ensure", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXOPlace", + "Parameters": [ { "CIMType": "String", - "Name": "HasClassification", - "Option": "Write" + "Name": 
"Identity", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "HasNoClassification", + "CIMType": "String", + "Name": "DisplayName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "HasSenderOverride", + "CIMType": "String", + "Name": "AudioDeviceName", "Option": "Write" }, { "CIMType": "String", - "Name": "HeaderContainsMessageHeader", + "Name": "Building", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "HeaderContainsWords", + "CIMType": "UInt32", + "Name": "Capacity", "Option": "Write" }, { "CIMType": "String", - "Name": "HeaderMatchesMessageHeader", + "Name": "City", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "HeaderMatchesPatterns", + "CIMType": "String", + "Name": "CountryOrRegion", "Option": "Write" }, { "CIMType": "String[]", - "Name": "IncidentReportContent", + "Name": "Desks", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ManagerAddresses", + "CIMType": "String", + "Name": "DisplayDeviceName", "Option": "Write" }, { "CIMType": "String", - "Name": "ManagerForEvaluatedUser", + "Name": "Floor", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "MessageContainsDataClassifications", + "CIMType": "String", + "Name": "FloorLabel", "Option": "Write" }, { "CIMType": "String", - "Name": "MessageSizeOver", + "Name": "GeoCoordinates", "Option": "Write" }, { - "CIMType": "String", - "Name": "MessageTypeMatches", + "CIMType": "Boolean", + "Name": "IsWheelChairAccessible", "Option": "Write" }, { "CIMType": "String", - "Name": "Mode", + "Name": "Label", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ModerateMessageByManager", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "ModerateMessageByUser", + "Name": "MTREnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "NotifySender", + "Name": "ParentId", "Option": "Write" }, { "CIMType": "String", - "Name": "PrependSubject", + "Name": "ParentType", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "Priority", + "CIMType": 
"String", + "Name": "Phone", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Quarantine", + "CIMType": "String", + "Name": "PostalCode", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RecipientADAttributeContainsWords", + "CIMType": "String", + "Name": "State", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RecipientADAttributeMatchesPatterns", + "CIMType": "String", + "Name": "Street", "Option": "Write" }, { "CIMType": "String[]", - "Name": "RecipientAddressContainsWords", + "Name": "Tags", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RecipientAddressMatchesPatterns", + "CIMType": "String", + "Name": "VideoDeviceName", "Option": "Write" }, { "CIMType": "String", - "Name": "RecipientAddressType", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RecipientDomainIs", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RecipientInSenderList", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RedirectMessageTo", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "RejectMessageEnhancedStatusCode", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "RejectMessageReasonText", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { "CIMType": "String", - "Name": "RemoveHeader", + "Name": "CertificatePath", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RemoveOME", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "RemoveOMEv2", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOPolicyTipConfig", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "RemoveRMSAttachmentEncryption", + "CIMType": 
"String", + "Name": "Value", "Option": "Write" }, { "CIMType": "String", - "Name": "RouteMessageOutboundConnector", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "RouteMessageOutboundRequireTls", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "RuleErrorAction", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "RuleSubType", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "SCLOver", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SenderADAttributeContainsWords", + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SenderADAttributeMatchesPatterns", + "CIMType": "String", + "Name": "CertificatePath", "Option": "Write" }, { - "CIMType": "String", - "Name": "SenderAddressLocation", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "SenderDomainIs", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_EXOQuarantinePolicy", + "Parameters": [ { "CIMType": "String", - "Name": "SenderInRecipientList", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "UInt32", + "Name": "EndUserQuarantinePermissionsValue", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SenderIpRanges", + "CIMType": "Boolean", + "Name": "ESNEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "SenderManagementRelationship", + "CIMType": "String[]", + "Name": "MultiLanguageCustomDisclaimer", "Option": "Write" }, { "CIMType": "String[]", - "Name": "SentTo", + "Name": "MultiLanguageSenderName", "Option": "Write" }, { "CIMType": "String[]", - "Name": "SentToMemberOf", + "Name": "MultiLanguageSetting", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "OrganizationBrandingEnabled", "Option": "Write" }, { 
"CIMType": "String", - "Name": "SentToScope", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "SetAuditSeverity", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "SetHeaderName", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "SetHeaderValue", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", "Option": "Write" }, { "CIMType": "String", - "Name": "SetSCL", + "Name": "CertificatePath", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StopRuleProcessing", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SubjectContainsWords", + "CIMType": "String", + "Name": "EndUserSpamNotificationFrequency", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SubjectMatchesPatterns", + "CIMType": "String", + "Name": "QuarantinePolicyType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EndUserSpamNotificationFrequencyInDays", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CustomDisclaimer", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EndUserSpamNotificationCustomFromAddress", "Option": "Write" }, { "CIMType": "String[]", - "Name": "SubjectOrBodyContainsWords", + "Name": "EsnCustomSubject", "Option": "Write" }, { "CIMType": "String[]", - "Name": "SubjectOrBodyMatchesPatterns", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXORecipientPermission", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" }, { "CIMType": "String", - "Name": "WithImportance", + "Name": "Trustee", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "AccessRights", "Option": "Write" }, { - "CIMType": "String", + "CIMType": "string", "Name": "Ensure", "Option": "Write" }, 
@@ -18535,81 +20036,2746 @@ ] }, { - "ClassName": "MSFT_FabricDelegatedFrom", + "ClassName": "MSFT_EXORemoteDomain", "Parameters": [ { "CIMType": "String", - "Name": "Capacity", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "DomainName", "Option": "Write" }, { "CIMType": "String", - "Name": "Domain", + "Name": "Ensure", "Option": "Write" }, { "CIMType": "String", - "Name": "Tenant", + "Name": "AllowedOOFType", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_FabricTenantSettingProperty", - "Parameters": [ + }, + { + "CIMType": "Boolean", + "Name": "AutoForwardEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AutoReplyEnabled", + "Option": "Write" + }, { "CIMType": "String", - "Name": "name", + "Name": "ByteEncoderTypeFor7BitCharsets", "Option": "Write" }, { "CIMType": "String", - "Name": "type", + "Name": "CharacterSet", "Option": "Write" }, { "CIMType": "String", - "Name": "value", + "Name": "ContentType", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_FabricTenantSetting", - "Parameters": [ + }, { "CIMType": "Boolean", - "Name": "canSpecifySecurityGroups", + "Name": "DeliveryReportEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "delegateToWorkspace", + "Name": "DisplaySenderName", "Option": "Write" }, { - "CIMType": "MSFT_FabricDelegatedFrom", - "Name": "delegatedFrom", + "CIMType": "Boolean", + "Name": "IsInternal", "Option": "Write" }, { - "CIMType": "String", - "Name": "settingName", + "CIMType": "string", + "Name": "LineWrapSize", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "enabled", + "Name": "MeetingForwardNotificationEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "tenantSettingGroup", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "NDREnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "title", + "Name": "NonMimeCharacterSet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"PreferredInternetCodePageForShiftJis", + "Option": "Write" + }, + { + "CIMType": "sint32", + "Name": "RequiredCharsetCoverage", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "TargetDeliveryDomain", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "TNEFEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "TrustedMailInboundEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "TrustedMailOutboundEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "UseSimpleDisplayName", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOReportSubmissionPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "DisableQuarantineReportingOption", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableCustomNotificationSender", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableOrganizationBranding", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableReportToMicrosoft", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableThirdPartyAddress", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableUserEmailNotification", + "Option": "Write" + }, + { + "CIMType": 
"String", + "Name": "JunkReviewResultMessage", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "NotJunkReviewResultMessage", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "NotificationFooterMessage", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "NotificationSenderAddress", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PhishingReviewResultMessage", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PostSubmitMessage", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "PostSubmitMessageEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PostSubmitMessageTitle", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PreSubmitMessage", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "PreSubmitMessageEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PreSubmitMessageTitle", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ReportJunkAddresses", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ReportJunkToCustomizedAddress", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ReportNotJunkAddresses", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ReportNotJunkToCustomizedAddress", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ReportPhishAddresses", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ReportPhishToCustomizedAddress", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ThirdPartyReportAddresses", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": 
"Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOReportSubmissionRule", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Identity", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Comments", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SentTo", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOResourceConfiguration", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "ResourcePropertySchema", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + 
"Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXORetentionPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "IsDefault", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsDefaultArbitrationMailbox", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RetentionId", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RetentionPolicyTagLinks", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXORoleAssignmentPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsDefault", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Roles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + 
}, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXORoleGroup", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Members", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Roles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOSafeAttachmentPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Action", + "Option": "Write" + }, + { + "CIMType": 
"Boolean", + "Name": "ActionOnError", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AdminDisplayName", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Enable", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "QuarantineTag", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Redirect", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RedirectAddress", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOSafeAttachmentRule", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "SafeAttachmentPolicy", + "Option": "Required" + }, + { + "CIMType": "Boolean", + "Name": "Enabled", + "Option": "Write" + }, + { + "CIMType": "uint32", + "Name": "Priority", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Comments", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfRecipientDomainIs", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfSentTo", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfSentToMemberOf", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RecipientDomainIs", + "Option": "Write" + }, + { 
+ "CIMType": "String[]", + "Name": "SentTo", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SentToMemberOf", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOSafeLinksPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AdminDisplayName", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowClickThrough", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CustomNotificationText", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DeliverMessageAfterScan", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DoNotRewriteUrls", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableForInternalSenders", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableOrganizationBranding", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableSafeLinksForOffice", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableSafeLinksForTeams", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableSafeLinksForEmail", + "Option": "Write" + }, + { + 
"CIMType": "Boolean", + "Name": "DisableUrlRewrite", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ScanUrls", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "TrackClicks", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "UseTranslatedNotificationText", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOSafeLinksRule", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SafeLinksPolicy", + "Option": "Required" + }, + { + "CIMType": "Boolean", + "Name": "Enabled", + "Option": "Write" + }, + { + "CIMType": "uint32", + "Name": "Priority", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Comments", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfRecipientDomainIs", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfSentTo", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfSentToMemberOf", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RecipientDomainIs", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SentTo", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SentToMemberOf", + 
"Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOSecOpsOverrideRule", + "Parameters": [ + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Comment", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Policy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOServicePrincipal", + "Parameters": [ + { + "CIMType": "string", + "Name": "AppName", + "Option": "Key" + }, + { + "CIMType": "string", + "Name": "DisplayName", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Identity", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "AppId", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": 
"MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOSharedMailbox", + "Parameters": [ + { + "CIMType": "string", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "string", + "Name": "Identity", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "PrimarySMTPAddress", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Alias", + "Option": "Write" + }, + { + "CIMType": "string[]", + "Name": "EmailAddresses", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOSharingPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "Default", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Enabled", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Domains", + 
"Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOSweepRule", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Provider", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DestinationFolder", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Enabled", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "KeepForDays", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "KeepLatest", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Mailbox", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SenderName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SourceFolder", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SystemCategory", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": 
"Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOTenantAllowBlockListItems", + "Parameters": [ + { + "CIMType": "String", + "Name": "Action", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Value", + "Option": "Key" + }, + { + "CIMType": "DateTime", + "Name": "ExpirationDate", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ListSubType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ListType", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Notes", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "RemoveAfter", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SubmissionID", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOTenantAllowBlockListSpoofItems", + "Parameters": [ + { + "CIMType": "String", + "Name": "SpoofedUser", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Action", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Identity", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SendingInfrastructure", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SpoofType", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + 
"Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOTransportConfig", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "AddressBookPolicyRoutingEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowLegacyTLSClients", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ClearCategories", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ConvertDisclaimerWrapperToEml", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DSNConversionMode", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ExternalDelayDsnEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExternalDsnDefaultLanguage", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ExternalDsnLanguageDetectionEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExternalDsnReportingAuthority", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ExternalDsnSendHtml", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExternalPostmasterAddress", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "HeaderPromotionModeSetting", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "InternalDelayDsnEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "InternalDsnDefaultLanguage", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "InternalDsnLanguageDetectionEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "InternalDsnReportingAuthority", + "Option": "Write" + }, + { + "CIMType": "Boolean", 
+ "Name": "InternalDsnSendHtml", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "JournalMessageExpirationDays", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "JournalingReportNdrTo", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MaxRecipientEnvelopeLimit", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "ReplyAllStormBlockDurationHours", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "ReplyAllStormDetectionMinimumRecipients", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "ReplyAllStormDetectionMinimumReplies", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ReplyAllStormProtectionEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Rfc2231EncodingEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SmtpClientAuthenticationDisabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_EXOTransportRule", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "ADComparisonAttribute", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ADComparisonOperator", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ActivationDate", + "Option": "Write" + }, + { + "CIMType": "String", 
+ "Name": "AddManagerAsRecipientType", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AddToRecipients", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AnyOfCcHeader", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AnyOfCcHeaderMemberOf", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AnyOfRecipientAddressContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AnyOfRecipientAddressMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AnyOfToCcHeader", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AnyOfToCcHeaderMemberOf", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AnyOfToHeader", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AnyOfToHeaderMemberOf", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplyClassification", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplyHtmlDisclaimerFallbackAction", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplyHtmlDisclaimerLocation", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplyHtmlDisclaimerText", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ApplyOME", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplyRightsProtectionCustomizationTemplate", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplyRightsProtectionTemplate", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AttachmentContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AttachmentExtensionMatchesWords", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AttachmentHasExecutableContent", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AttachmentIsPasswordProtected", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AttachmentIsUnsupported", + "Option": "Write" + }, + { + 
"CIMType": "String[]", + "Name": "AttachmentMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AttachmentNameMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AttachmentProcessingLimitExceeded", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AttachmentPropertyContainsWords", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AttachmentSizeOver", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BetweenMemberOf1", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BetweenMemberOf2", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlindCopyTo", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Comments", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ContentCharacterSetContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "CopyTo", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DeleteMessage", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DlpPolicy", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Enabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExceptIfADComparisonAttribute", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExceptIfADComparisonOperator", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfAnyOfCcHeader", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfAnyOfCcHeaderMemberOf", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfAnyOfRecipientAddressContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfAnyOfRecipientAddressMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfAnyOfToCcHeader", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfAnyOfToCcHeaderMemberOf", + "Option": "Write" + }, + { + "CIMType": 
"String[]", + "Name": "ExceptIfAnyOfToHeader", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfAnyOfToHeaderMemberOf", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfAttachmentContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfAttachmentExtensionMatchesWords", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ExceptIfAttachmentHasExecutableContent", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ExceptIfAttachmentIsPasswordProtected", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ExceptIfAttachmentIsUnsupported", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfAttachmentMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfAttachmentNameMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfAttachmentPropertyContainsWords", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ExceptIfAttachmentProcessingLimitExceeded", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExceptIfAttachmentSizeOver", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfBetweenMemberOf1", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfBetweenMemberOf2", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfContentCharacterSetContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfFrom", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfFromAddressContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfFromAddressMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfFromMemberOf", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExceptIfFromScope", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"ExceptIfHasClassification", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ExceptIfHasNoClassification", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ExceptIfHasSenderOverride", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExceptIfHeaderContainsMessageHeader", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfHeaderContainsWords", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExceptIfHeaderMatchesMessageHeader", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfHeaderMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfManagerAddresses", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExceptIfManagerForEvaluatedUser", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExceptIfMessageTypeMatches", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfMessageContainsDataClassifications", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExceptIfMessageSizeOver", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfRecipientADAttributeContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfRecipientADAttributeMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfRecipientAddressContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfRecipientAddressMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfRecipientDomainIs", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfRecipientInSenderList", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExceptIfSCLOver", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfSenderADAttributeContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": 
"ExceptIfSenderADAttributeMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfSenderDomainIs", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfSenderInRecipientList", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfSenderIpRanges", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExceptIfSenderManagementRelationship", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfSentTo", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfSentToMemberOf", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExceptIfSentToScope", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfSubjectContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfSubjectMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfSubjectOrBodyContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExceptIfSubjectOrBodyMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExceptIfWithImportance", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExpiryDate", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "From", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "FromAddressContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "FromAddressMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "FromMemberOf", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FromScope", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "GenerateIncidentReport", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "GenerateNotification", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "HasClassification", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "HasNoClassification", 
+ "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "HasSenderOverride", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "HeaderContainsMessageHeader", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "HeaderContainsWords", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "HeaderMatchesMessageHeader", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "HeaderMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "IncidentReportContent", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ManagerAddresses", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ManagerForEvaluatedUser", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "MessageContainsDataClassifications", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MessageSizeOver", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MessageTypeMatches", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Mode", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ModerateMessageByManager", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ModerateMessageByUser", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "NotifySender", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PrependSubject", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "Priority", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Quarantine", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RecipientADAttributeContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RecipientADAttributeMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RecipientAddressContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RecipientAddressMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"RecipientAddressType", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RecipientDomainIs", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RecipientInSenderList", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RedirectMessageTo", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RejectMessageEnhancedStatusCode", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RejectMessageReasonText", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RemoveHeader", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RemoveOME", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RemoveOMEv2", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RemoveRMSAttachmentEncryption", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RouteMessageOutboundConnector", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RouteMessageOutboundRequireTls", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RuleErrorAction", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RuleSubType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SCLOver", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SenderADAttributeContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SenderADAttributeMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SenderAddressLocation", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SenderDomainIs", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SenderInRecipientList", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SenderIpRanges", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SenderManagementRelationship", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SentTo", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": 
"SentToMemberOf", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SentToScope", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SetAuditSeverity", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SetHeaderName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SetHeaderValue", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SetSCL", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "StopRuleProcessing", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SubjectContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SubjectMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SubjectOrBodyContainsWords", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SubjectOrBodyMatchesPatterns", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WithImportance", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "CertificatePassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificatePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_FabricDelegatedFrom", + "Parameters": [ + { + "CIMType": "String", + "Name": "Capacity", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Domain", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Tenant", + "Option": "Write" + } + ] + }, 
+ { + "ClassName": "MSFT_FabricTenantSettingProperty", + "Parameters": [ + { + "CIMType": "String", + "Name": "name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "type", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "value", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_FabricTenantSetting", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "canSpecifySecurityGroups", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "delegateToWorkspace", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricDelegatedFrom", + "Name": "delegatedFrom", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "settingName", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "enabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "tenantSettingGroup", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "title", "Option": "Write" }, { 
@@ -18619,672 +22785,2207 @@ }, { "CIMType": "String[]", - "Name": "excludedSecurityGroups", + "Name": "excludedSecurityGroups", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "enabledSecurityGroups", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_FabricAdminTenantSettings", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AADSSOForGateway", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AdminApisIncludeDetailedMetadata", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AdminApisIncludeExpressions", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AdminCustomDisclaimer", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AISkillArtifactTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowAccessOverPrivateLinks", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowCVAuthenticationTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowCVLocalStorageV2Tenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowCVToExportDataToFileTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowEndorsementMasterDataSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowExternalDataSharingReceiverSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowExternalDataSharingSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowFreeTrial", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowGuestLookup", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": 
"AllowGuestUserToAccessSharedContent", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowPowerBIASDQOnTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowSendAOAIDataToOtherRegions", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowSendNLToDaxDataToOtherRegions", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowServicePrincipalsCreateAndUseProfiles", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowServicePrincipalsUseReadAdminAPIs", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AppPush", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ArtifactSearchTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ASCollectQueryTextTelemetryTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ASShareableCloudConnectionBindingSecurityModeTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ASWritethruContinuousExportTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ASWritethruTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AutoInstallPowerBIAppInTeamsTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AutomatedInsightsEntryPoints", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AutomatedInsightsTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AzureMap", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "BingMap", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "BlockAccessFromPublicNetworks", + "Option": "Write" + }, + { + "CIMType": 
"MSFT_FabricTenantSetting", + "Name": "BlockAutoDiscoverAndPackageRefresh", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "BlockProtectedLabelSharingToEntireOrg", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "BlockResourceKeyAuthentication", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "CDSAManagement", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "CertifiedCustomVisualsTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "CertifyDatasets", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ConfigureFolderRetentionPeriod", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "CreateAppWorkspaces", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "CustomVisualsTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "DatamartTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "DatasetExecuteQueries", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "DevelopServiceApps", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "DiscoverDatasetsConsumption", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "DiscoverDatasetsSettingsCertified", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "DiscoverDatasetsSettingsPromoted", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "DremioSSO", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EimInformationProtectionDataSourceInheritanceSetting", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EimInformationProtectionDownstreamInheritanceSetting", + "Option": "Write" + }, + { + "CIMType": 
"MSFT_FabricTenantSetting", + "Name": "EimInformationProtectionEdit", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EimInformationProtectionLessElevated", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EimInformationProtectionWorkspaceAdminsOverrideAutomaticLabelsSetting", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ElevatedGuestsTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EmailSecurityGroupsOnOutage", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EmailSubscriptionsToB2BUsers", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EmailSubscriptionsToExternalUsers", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EmailSubscriptionTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "Embedding", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EnableAOAI", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EnableDatasetInPlaceSharing", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EnableExcelYellowIntegration", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EnableFabricAirflow", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EnableNLToDax", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EnableReassignDataDomainSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EsriVisual", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExpFlightingTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportReport", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": 
"ExportToCsv", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportToExcelSetting", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportToImage", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportToMHTML", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportToPowerPoint", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportToWord", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportToXML", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportVisualImageTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExternalDatasetSharingTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExternalSharingV2", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "FabricAddPartnerWorkload", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "FabricFeedbackTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "FabricGAWorkloads", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "FabricThirdPartyWorkloads", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "GitHubTenantSettings", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "GitIntegrationCrossGeoTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "GitIntegrationSensitivityLabelsTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "GitIntegrationTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "GoogleBigQuerySSO", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": 
"GraphQLTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "HealthcareSolutionsTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "InstallNonvalidatedTemplateApps", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "InstallServiceApps", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "KustoDashboardTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "LiveConnection", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "LogAnalyticsAttachForWorkspaceAdmins", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "M365DataSharing", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "Mirroring", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ODSPRefreshEnforcementTenantAllowAutomaticUpdate", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "OneDriveSharePointAllowSharingTenantSetting", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "OneDriveSharePointViewerIntegrationTenantSettingV2", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "OneLakeFileExplorer", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "OneLakeForThirdParty", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "OnPremAnalyzeInExcel", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "PowerBIGoalsTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "PowerPlatformSolutionsIntegrationTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "Printing", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "PromoteContent", + "Option": 
"Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "PublishContentPack", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "PublishToWeb", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "QnaFeedbackLoop", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "QnaLsdlSharing", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "QueryScaleOutTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "RedshiftSSO", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "RestrictMyFolderCapacity", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "RetailSolutionsTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "RScriptVisual", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ServicePrincipalAccess", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ShareLinkToEntireOrg", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ShareToTeamsTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "SnowflakeSSO", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "StorytellingTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "SustainabilitySolutionsTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "TemplatePublish", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "TenantSettingPublishGetHelpInfo", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "TridentPrivatePreview", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "UsageMetrics", + "Option": "Write" + }, + { + "CIMType": 
"MSFT_FabricTenantSetting", + "Name": "UsageMetricsTrackUserLevelInfo", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "UseDatasetsAcrossWorkspaces", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "VisualizeListInPowerBI", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "WebContentTilesTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "WebModelingTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments", + "Parameters": [ + { + "CIMType": "String", + "Name": "dataType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "deviceAndAppManagementAssignmentFilterType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "deviceAndAppManagementAssignmentFilterId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "groupId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "groupDisplayName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "collectionId", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": 
"MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "BackupDirectory", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PasswordAgeDays_AAD", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PasswordAgeDays", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "PasswordExpirationProtectionEnabled", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "AdEncryptedPasswordHistorySize", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AdPasswordEncryptionEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AdPasswordEncryptionPrincipal", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AdministratorAccountName", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PasswordComplexity", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PasswordLength", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PostAuthenticationActions", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PostAuthenticationResetDelay", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicyAssignments", + "Parameters": [ + { + "CIMType": 
"String", + "Name": "dataType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "deviceAndAppManagementAssignmentFilterType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "deviceAndAppManagementAssignmentFilterId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "groupId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "groupDisplayName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "collectionId", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneAccountProtectionLocalUserGroupCollection", + "Parameters": [ + { + "CIMType": "String", + "Name": "Action", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "LocalGroups", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Members", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "UserSelectionType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "MSFT_IntuneAccountProtectionLocalUserGroupCollection[]", + "Name": "LocalUserGroupCollection", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + 
"Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneAccountProtectionPolicyAssignments", + "Parameters": [ + { + "CIMType": "String", + "Name": "dataType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "deviceAndAppManagementAssignmentFilterType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "deviceAndAppManagementAssignmentFilterId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "groupId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "groupDisplayName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "collectionId", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneAccountProtectionPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "MSFT_IntuneAccountProtectionPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WindowsHelloForBusinessBlocked", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PinMinimumLength", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PinMaximumLength", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PinLowercaseCharactersUsage", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PinUppercaseCharactersUsage", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PinSpecialCharactersUsage", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PinExpirationInDays", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PinPreviousBlockCount", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "PinRecoveryEnabled", + 
"Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SecurityDeviceRequired", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "UnlockWithBiometricsEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnhancedAntiSpoofingForFacialFeaturesEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "UseCertificatesForOnPremisesAuthEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "UseSecurityKeyForSignin", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceGuardLocalSystemAuthorityCredentialGuardSettings", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_DeviceManagementConfigurationPolicyAssignments", + "Parameters": [ + { + "CIMType": "String", + "Name": "dataType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "deviceAndAppManagementAssignmentFilterType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "deviceAndAppManagementAssignmentFilterId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "groupId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "groupDisplayName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "collectionId", + "Option": "Write" + } + ] + }, + { + "ClassName": 
"MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10", + "Parameters": [ + { + "CIMType": "String", + "Name": "LsaCfgFlags", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FacialFeaturesUseEnhancedAntiSpoofing", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EnablePinRecovery", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "Expiration", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "History", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "LowercaseLetters", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "MaximumPINLength", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "MinimumPINLength", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SpecialCharacters", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "UppercaseLetters", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RequireSecurityDevice", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "UseCertificateForOnPremAuth", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "UsePassportForWork", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10", + "Parameters": [ + { + "CIMType": "String", + "Name": "EnablePinRecovery", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "Expiration", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "History", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "LowercaseLetters", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "MaximumPINLength", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "MinimumPINLength", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SpecialCharacters", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "UppercaseLetters", + "Option": "Write" + }, + { + 
"CIMType": "String", + "Name": "RequireSecurityDevice", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "UsePassportForWork", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneAccountProtectionPolicyWindows10", + "Parameters": [ + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10", + "Name": "DeviceSettings", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10", + "Name": "UserSettings", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "enabledSecurityGroups", + "Name": "AccessTokens", "Option": "Write" } ] }, { - "ClassName": "MSFT_FabricAdminTenantSettings", + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", + "Name": "exclusions_item_type", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"exclusions_item_extension", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "exclusions_item_name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "exclusions_item_path", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "exclusions_item_isDirectory", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogthreatTypeSettings", + "Parameters": [ + { + "CIMType": "String", + "Name": "threatTypeSettings_item_key", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "threatTypeSettings_item_value", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneAntivirusPolicyLinux", + "Parameters": [ + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", "Option": "Key" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AADSSOForGateway", + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AdminApisIncludeDetailedMetadata", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AdminApisIncludeExpressions", + "CIMType": "String", + "Name": "enabled", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AdminCustomDisclaimer", + "CIMType": "String", + "Name": "automaticSampleSubmissionConsent", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AISkillArtifactTenantSwitch", + "CIMType": "String", + "Name": "diagnosticLevel", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AllowAccessOverPrivateLinks", + "CIMType": "String", + "Name": "automaticDefinitionUpdateEnabled", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AllowCVAuthenticationTenant", + "CIMType": "String", + "Name": "enableRealTimeProtection", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - 
"Name": "AllowCVLocalStorageV2Tenant", + "CIMType": "String", + "Name": "passiveMode", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AllowCVToExportDataToFileTenant", + "CIMType": "SInt32", + "Name": "scanHistoryMaximumItems", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AllowEndorsementMasterDataSwitch", + "CIMType": "SInt32", + "Name": "scanResultsRetentionDays", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AllowExternalDataSharingReceiverSwitch", + "CIMType": "String", + "Name": "exclusionsMergePolicy", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AllowExternalDataSharingSwitch", + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions[]", + "Name": "exclusions", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AllowFreeTrial", + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogthreatTypeSettings[]", + "Name": "threatTypeSettings", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AllowGuestLookup", + "CIMType": "String", + "Name": "threatTypeSettingsMergePolicy", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AllowGuestUserToAccessSharedContent", + "CIMType": "String[]", + "Name": "allowedThreats", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AllowPowerBIASDQOnTenant", + "CIMType": "String[]", + "Name": "disallowedThreatActions", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AllowSendAOAIDataToOtherRegions", + "CIMType": "String", + "Name": "scanArchives", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AllowSendNLToDaxDataToOtherRegions", + "CIMType": "String", + "Name": "scanAfterDefinitionUpdate", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AllowServicePrincipalsCreateAndUseProfiles", + "CIMType": "String", + "Name": 
"enableFileHashComputation", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AllowServicePrincipalsUseReadAdminAPIs", + "CIMType": "String", + "Name": "behaviorMonitoring", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AppPush", + "CIMType": "String", + "Name": "cloudBlockLevel", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ArtifactSearchTenant", + "CIMType": "SInt32", + "Name": "maximumOnDemandScanThreads", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ASCollectQueryTextTelemetryTenantSwitch", + "CIMType": "String", + "Name": "networkprotection_enforcementLevel", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ASShareableCloudConnectionBindingSecurityModeTenant", + "CIMType": "String[]", + "Name": "unmonitoredFilesystems", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ASWritethruContinuousExportTenantSwitch", + "CIMType": "String", + "Name": "nonExecMountPolicy", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ASWritethruTenantSwitch", + "CIMType": "String", + "Name": "antivirusengine_enforcementLevel", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AutoInstallPowerBIAppInTeamsTenant", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AutomatedInsightsEntryPoints", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AutomatedInsightsTenant", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "AzureMap", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "BingMap", + "CIMType": "String", + "Name": "TenantId", 
"Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "BlockAccessFromPublicNetworks", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "BlockAutoDiscoverAndPackageRefresh", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "BlockProtectedLabelSharingToEntireOrg", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "BlockResourceKeyAuthentication", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneAntivirusPolicyWindows10SettingCatalog", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "CDSAManagement", + "CIMType": "String", + "Name": "Identity", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "CertifiedCustomVisualsTenant", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "CertifyDatasets", + "CIMType": "String", + "Name": "tamperprotection", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ConfigureFolderRetentionPeriod", + "CIMType": "String", + "Name": "disableaccountprotectionui", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "CreateAppWorkspaces", + "CIMType": "String", + "Name": "disableappbrowserui", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "CustomVisualsTenant", + "CIMType": "String", + "Name": "disablecleartpmbutton", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "DatamartTenant", + "CIMType": "String", + "Name": "disabledevicesecurityui", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": 
"DatasetExecuteQueries", + "CIMType": "String", + "Name": "disablefamilyui", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "DevelopServiceApps", + "CIMType": "String", + "Name": "disablehealthui", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "DiscoverDatasetsConsumption", + "CIMType": "String", + "Name": "disablenetworkui", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "DiscoverDatasetsSettingsCertified", + "CIMType": "String", + "Name": "disableenhancednotifications", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "DiscoverDatasetsSettingsPromoted", + "CIMType": "String", + "Name": "disabletpmfirmwareupdatewarning", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "DremioSSO", + "CIMType": "String", + "Name": "disablevirusui", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "EimInformationProtectionDataSourceInheritanceSetting", + "CIMType": "String", + "Name": "hideransomwaredatarecovery", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "EimInformationProtectionDownstreamInheritanceSetting", + "CIMType": "String", + "Name": "hidewindowssecuritynotificationareacontrol", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "EimInformationProtectionEdit", + "CIMType": "String", + "Name": "enablecustomizedtoasts", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "EimInformationProtectionLessElevated", + "CIMType": "String", + "Name": "enableinappcustomization", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "EimInformationProtectionWorkspaceAdminsOverrideAutomaticLabelsSetting", + "CIMType": "String", + "Name": "companyname", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ElevatedGuestsTenant", + "CIMType": "String", + "Name": "email", "Option": "Write" }, { - "CIMType": 
"MSFT_FabricTenantSetting", - "Name": "EmailSecurityGroupsOnOutage", + "CIMType": "String", + "Name": "phone", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "EmailSubscriptionsToB2BUsers", + "CIMType": "String", + "Name": "url", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "EmailSubscriptionsToExternalUsers", + "CIMType": "String", + "Name": "allowarchivescanning", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "EmailSubscriptionTenant", + "CIMType": "String", + "Name": "allowbehaviormonitoring", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "Embedding", + "CIMType": "String", + "Name": "allowcloudprotection", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "EnableAOAI", + "CIMType": "String", + "Name": "allowdatagramprocessingonwinserver", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "EnableDatasetInPlaceSharing", + "CIMType": "String", + "Name": "allowemailscanning", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "EnableExcelYellowIntegration", + "CIMType": "String", + "Name": "allowfullscanonmappednetworkdrives", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "EnableFabricAirflow", + "CIMType": "String", + "Name": "allowfullscanremovabledrivescanning", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "EnableNLToDax", + "CIMType": "String", + "Name": "allowintrusionpreventionsystem", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "EnableReassignDataDomainSwitch", + "CIMType": "String", + "Name": "allowioavprotection", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "EsriVisual", + "CIMType": "String", + "Name": "allownetworkprotectiondownlevel", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ExpFlightingTenant", + "CIMType": "String", + 
"Name": "allowrealtimemonitoring", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ExportReport", + "CIMType": "String", + "Name": "allowscanningnetworkfiles", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ExportToCsv", + "CIMType": "String", + "Name": "allowscriptscanning", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ExportToExcelSetting", + "CIMType": "String", + "Name": "allowuseruiaccess", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ExportToImage", + "CIMType": "sInt32", + "Name": "avgcpuloadfactor", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ExportToMHTML", + "CIMType": "sInt32", + "Name": "archivemaxdepth", + "Option": "Write" + }, + { + "CIMType": "sInt32", + "Name": "archivemaxsize", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "checkforsignaturesbeforerunningscan", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "cloudblocklevel", + "Option": "Write" + }, + { + "CIMType": "sInt32", + "Name": "cloudextendedtimeout", + "Option": "Write" + }, + { + "CIMType": "sInt32", + "Name": "daystoretaincleanedmalware", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "disablecatchupfullscan", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "disablecatchupquickscan", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "disablednsovertcpparsing", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "disablehttpparsing", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisableSshParsing", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "enablelowcpupriority", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "enablenetworkprotection", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "excludedextensions", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "excludedpaths", + "Option": 
"Write" + }, + { + "CIMType": "String[]", + "Name": "excludedprocesses", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "puaprotection", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ExportToPowerPoint", + "CIMType": "String", + "Name": "engineupdateschannel", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ExportToWord", + "CIMType": "String", + "Name": "meteredconnectionupdates", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ExportToXML", + "CIMType": "String", + "Name": "platformupdateschannel", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ExportVisualImageTenant", + "CIMType": "String", + "Name": "securityintelligenceupdateschannel", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ExternalDatasetSharingTenant", + "CIMType": "String", + "Name": "realtimescandirection", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ExternalSharingV2", + "CIMType": "String", + "Name": "scanparameter", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "FabricAddPartnerWorkload", + "CIMType": "sInt32", + "Name": "schedulequickscantime", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "FabricFeedbackTenantSwitch", + "CIMType": "String", + "Name": "schedulescanday", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "FabricGAWorkloads", + "CIMType": "sInt32", + "Name": "schedulescantime", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "FabricThirdPartyWorkloads", + "CIMType": "String", + "Name": "disabletlsparsing", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "GitHubTenantSettings", + "CIMType": "String", + "Name": "randomizescheduletasktimes", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "GitIntegrationCrossGeoTenantSwitch", + "CIMType": 
"sInt32", + "Name": "schedulerrandomizationtime", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "GitIntegrationSensitivityLabelsTenantSwitch", + "CIMType": "String[]", + "Name": "signatureupdatefallbackorder", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "GitIntegrationTenantSwitch", + "CIMType": "String[]", + "Name": "signatureupdatefilesharessources", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "GoogleBigQuerySSO", + "CIMType": "sInt32", + "Name": "signatureupdateinterval", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "GraphQLTenant", + "CIMType": "String", + "Name": "submitsamplesconsent", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "HealthcareSolutionsTenantSwitch", + "CIMType": "String", + "Name": "disablelocaladminmerge", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "InstallNonvalidatedTemplateApps", + "CIMType": "String", + "Name": "allowonaccessprotection", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "InstallServiceApps", + "CIMType": "String", + "Name": "lowseveritythreats", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "KustoDashboardTenantSwitch", + "CIMType": "String", + "Name": "moderateseveritythreats", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "LiveConnection", + "CIMType": "String", + "Name": "severethreats", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "LogAnalyticsAttachForWorkspaceAdmins", + "CIMType": "String", + "Name": "highseveritythreats", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "M365DataSharing", + "CIMType": "String", + "Name": "templateId", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "Mirroring", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": 
"Assignments", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ODSPRefreshEnforcementTenantAllowAutomaticUpdate", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "OneDriveSharePointAllowSharingTenantSetting", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "OneDriveSharePointViewerIntegrationTenantSettingV2", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "OneLakeFileExplorer", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "OneLakeForThirdParty", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "OnPremAnalyzeInExcel", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "PowerBIGoalsTenant", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "PowerPlatformSolutionsIntegrationTenant", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneAppAndBrowserIsolationPolicyWindows10", + "Parameters": [ { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "Printing", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "PromoteContent", - "Option": "Write" + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "PublishContentPack", + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "PublishToWeb", + "CIMType": "String", + "Name": "Id", 
"Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "QnaFeedbackLoop", + "CIMType": "String", + "Name": "AllowWindowsDefenderApplicationGuard", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "QnaLsdlSharing", + "CIMType": "String", + "Name": "ClipboardSettings", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "QueryScaleOutTenant", + "CIMType": "String", + "Name": "SaveFilesToHost", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "RedshiftSSO", + "CIMType": "String", + "Name": "InstallWindowsDefenderApplicationGuard", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "RestrictMyFolderCapacity", + "CIMType": "String", + "Name": "ClipboardFileType", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "RetailSolutionsTenantSwitch", + "CIMType": "String", + "Name": "AllowPersistence", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "RScriptVisual", + "CIMType": "String", + "Name": "AllowVirtualGPU", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ServicePrincipalAccess", + "CIMType": "SInt32[]", + "Name": "PrintingSettings", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ShareLinkToEntireOrg", + "CIMType": "String", + "Name": "AllowCameraMicrophoneRedirection", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "ShareToTeamsTenant", + "CIMType": "String", + "Name": "AuditApplicationGuard", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "SnowflakeSSO", + "CIMType": "String[]", + "Name": "CertificateThumbprints", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "StorytellingTenant", + "CIMType": "String[]", + "Name": "EnterpriseIPRange", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "SustainabilitySolutionsTenantSwitch", + "CIMType": "String[]", 
+ "Name": "EnterpriseCloudResources", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "TemplatePublish", + "CIMType": "String[]", + "Name": "EnterpriseNetworkDomainNames", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "TenantSettingPublishGetHelpInfo", + "CIMType": "String[]", + "Name": "EnterpriseProxyServers", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "TridentPrivatePreview", + "CIMType": "String[]", + "Name": "EnterpriseInternalProxyServers", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "UsageMetrics", + "CIMType": "String[]", + "Name": "NeutralResources", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "UsageMetricsTrackUserLevelInfo", + "CIMType": "String", + "Name": "EnterpriseProxyServersAreAuthoritative", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "UseDatasetsAcrossWorkspaces", + "CIMType": "String", + "Name": "EnterpriseIPRangesAreAuthoritative", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "VisualizeListInPowerBI", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "WebContentTilesTenant", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "MSFT_FabricTenantSetting", - "Name": "WebModelingTenantSwitch", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { @@ -19292,6 +24993,11 @@ "Name": "ApplicationId", "Option": "Write" }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, { "CIMType": "MSFT_Credential", "Name": "ApplicationSecret", 
@@ -19299,12 +25005,12 @@ }, { "CIMType": "String", - "Name": "TenantId", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { 
@@ -19315,121 +25021,126 @@ ] }, { - "ClassName": "MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments", + "ClassName": "MSFT_IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr", "Parameters": [ { "CIMType": "String", - "Name": "dataType", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "deviceAndAppManagementAssignmentFilterType", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": "Write" }, { "CIMType": "String", - "Name": "deviceAndAppManagementAssignmentFilterId", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "groupId", + "Name": "AllowWindowsDefenderApplicationGuard", "Option": "Write" }, { "CIMType": "String", - "Name": "groupDisplayName", + "Name": "ClipboardSettings", "Option": "Write" }, { "CIMType": "String", - "Name": "collectionId", + "Name": "SaveFilesToHost", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Identity", + "Name": "InstallWindowsDefenderApplicationGuard", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "ClipboardFileType", + "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "AllowPersistence", "Option": "Write" }, { - "CIMType": "MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "AllowVirtualGPU", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "BackupDirectory", + "CIMType": "SInt32[]", + "Name": "PrintingSettings", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordAgeDays_AAD", + "CIMType": "String", + "Name": "AllowCameraMicrophoneRedirection", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordAgeDays", + "CIMType": "String", + "Name": 
"AuditApplicationGuard", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasswordExpirationProtectionEnabled", + "CIMType": "String[]", + "Name": "CertificateThumbprints", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "AdEncryptedPasswordHistorySize", + "CIMType": "String[]", + "Name": "EnterpriseIPRange", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AdPasswordEncryptionEnabled", + "CIMType": "String[]", + "Name": "EnterpriseCloudResources", "Option": "Write" }, { - "CIMType": "String", - "Name": "AdPasswordEncryptionPrincipal", + "CIMType": "String[]", + "Name": "EnterpriseNetworkDomainNames", "Option": "Write" }, { - "CIMType": "String", - "Name": "AdministratorAccountName", + "CIMType": "String[]", + "Name": "EnterpriseProxyServers", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordComplexity", + "CIMType": "String[]", + "Name": "EnterpriseInternalProxyServers", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordLength", + "CIMType": "String[]", + "Name": "NeutralResources", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PostAuthenticationActions", + "CIMType": "String", + "Name": "EnterpriseProxyServersAreAuthoritative", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PostAuthenticationResetDelay", + "CIMType": "String", + "Name": "EnterpriseIPRangesAreAuthoritative", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { 
@@ -19475,42 +25186,62 @@ ] }, { - "ClassName": "MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicyAssignments", + "ClassName": "MSFT_IntuneAppCategory", "Parameters": [ { "CIMType": "String", - "Name": "dataType", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "deviceAndAppManagementAssignmentFilterType", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String", - "Name": "deviceAndAppManagementAssignmentFilterId", + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "groupId", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "groupDisplayName", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "collectionId", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneAccountProtectionLocalUserGroupCollection", + "ClassName": "MSFT_MicrosoftGraphAndroidPermissionAction", "Parameters": [ { "CIMType": "String", 
@@ -19518,34 +25249,69 @@ "Option": "Write" }, { - "CIMType": "String[]", - "Name": "LocalGroups", + "CIMType": "String", + "Name": "Permission", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphAppConfigurationSettingItem", + "Parameters": [ + { + "CIMType": "String", + "Name": "AppConfigKey", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Members", + "CIMType": "String", + "Name": "AppConfigKeyType", "Option": "Write" }, { "CIMType": "String", - "Name": "UserSelectionType", + "Name": "AppConfigKeyValue", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy", + "ClassName": "MSFT_IntuneAppConfigurationDevicePolicy", "Parameters": [ + { + "CIMType": "Boolean", + "Name": "ConnectedAppsEnabled", + "Option": "Write" + }, { "CIMType": "String", - "Name": "Identity", + "Name": "PackageId", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "PayloadJson", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphandroidPermissionAction[]", + "Name": "PermissionActions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ProfileApplicability", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EncodedSettingXml", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphappConfigurationSettingItem[]", + "Name": "Settings", + "Option": "Write" }, { "CIMType": "String", 
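Review bot: Two `CIMType` references added in this hunk, `MSFT_MicrosoftGraphandroidPermissionAction[]` and `MSFT_MicrosoftGraphappConfigurationSettingItem[]`, differ in letter case from the `ClassName` entries they point to. Those are `MSFT_MicrosoftGraphAndroidPermissionAction`, declared just before this hunk, and `MSFT_MicrosoftGraphAppConfigurationSettingItem`, declared in it. CIM class names are case-insensitive, so DSC itself should still resolve them, but a tool that looks up embedded types in this JSON by exact string match would not find the definitions. This file looks machine-generated, so the casing is probably best aligned in the resource schemas it is derived from, for example `"CIMType": "MSFT_MicrosoftGraphAndroidPermissionAction[]"`.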
@@ -19553,13 +25319,28 @@ "Option": "Write" }, { - "CIMType": "MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "DisplayName", + "Option": "Required" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": "Write" }, { - "CIMType": "MSFT_IntuneAccountProtectionLocalUserGroupCollection[]", - "Name": "LocalUserGroupCollection", + "CIMType": "String[]", + "Name": "TargetedMobileApps", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { 
@@ -19601,140 +25382,190 @@ "CIMType": "String[]", "Name": "AccessTokens", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneAccountProtectionPolicyAssignments", - "Parameters": [ + } + ] + }, + { + "ClassName": "MSFT_IntuneAppConfigurationPolicyCustomSetting", + "Parameters": [ + { + "CIMType": "String", + "Name": "name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "value", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneAppConfigurationPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "MSFT_IntuneAppConfigurationPolicyCustomSetting[]", + "Name": "CustomSettings", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, { "CIMType": "String", - "Name": "dataType", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "deviceAndAppManagementAssignmentFilterType", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "deviceAndAppManagementAssignmentFilterId", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "groupId", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "groupDisplayName", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "collectionId", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneAccountProtectionPolicy", + "ClassName": "MSFT_IntuneAppleMDMPushNotificationCertificate", 
"Parameters": [ { "CIMType": "String", - "Name": "Identity", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "DisplayName", + "Name": "AppleIdentifier", "Option": "Key" }, { "CIMType": "String", - "Name": "Description", - "Option": "Write" - }, - { - "CIMType": "MSFT_IntuneAccountProtectionPolicyAssignments[]", - "Name": "Assignments", + "Name": "Certificate", "Option": "Write" }, { "CIMType": "String", - "Name": "WindowsHelloForBusinessBlocked", + "Name": "Id", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PinMinimumLength", + "CIMType": "Boolean", + "Name": "DataSharingConsetGranted", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PinMaximumLength", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "PinLowercaseCharactersUsage", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "PinUppercaseCharactersUsage", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "PinSpecialCharactersUsage", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PinExpirationInDays", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PinPreviousBlockCount", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PinRecoveryEnabled", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityDeviceRequired", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneApplicationControlPolicyWindows10", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "UnlockWithBiometricsEnabled", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": 
"EnhancedAntiSpoofingForFacialFeaturesEnabled", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "UseCertificatesForOnPremisesAuthEnabled", + "CIMType": "String", + "Name": "AppLockerApplicationControl", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "UseSecurityKeyForSignin", + "Name": "SmartScreenBlockOverrideForFiles", "Option": "Write" }, { - "CIMType": "String", - "Name": "DeviceGuardLocalSystemAuthorityCredentialGuardSettings", + "CIMType": "Boolean", + "Name": "SmartScreenEnableInshell", "Option": "Write" }, { 
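Review bot: The parameter name `DataSharingConsetGranted` under `MSFT_IntuneAppleMDMPushNotificationCertificate` looks like a misspelling of `DataSharingConsentGranted`. Parameter names in this schema are what configuration authors type, so the typo becomes part of the public interface once shipped, and renaming it later is a breaking change. If this file is generated, as it appears to be, the fix belongs in the resource's own schema and parameter block so that the entry comes out as `"Name": "DataSharingConsentGranted"`.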
@@ -19780,236 +25611,261 @@ ] }, { - "ClassName": "MSFT_DeviceManagementConfigurationPolicyAssignments", + "ClassName": "MSFT_IntuneAppProtectionPolicyAndroid", "Parameters": [ { "CIMType": "String", - "Name": "dataType", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "deviceAndAppManagementAssignmentFilterType", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "deviceAndAppManagementAssignmentFilterId", + "Name": "PeriodOfflineBeforeAccessCheck", "Option": "Write" }, { "CIMType": "String", - "Name": "groupId", + "Name": "PeriodOnlineBeforeAccessCheck", "Option": "Write" }, { "CIMType": "String", - "Name": "groupDisplayName", + "Name": "AllowedInboundDataTransferSources", "Option": "Write" }, { "CIMType": "String", - "Name": "collectionId", + "Name": "AllowedOutboundDataTransferDestinations", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "LsaCfgFlags", + "CIMType": "Boolean", + "Name": "OrganizationalCredentialsRequired", "Option": "Write" }, { "CIMType": "String", - "Name": "FacialFeaturesUseEnhancedAntiSpoofing", + "Name": "AllowedOutboundClipboardSharingLevel", "Option": "Write" }, { - "CIMType": "String", - "Name": "EnablePinRecovery", + "CIMType": "Boolean", + "Name": "DataBackupBlocked", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "Expiration", + "CIMType": "Boolean", + "Name": "DeviceComplianceRequired", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "History", + "CIMType": "Boolean", + "Name": "ManagedBrowserToOpenLinksRequired", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SaveAsBlocked", "Option": "Write" }, { "CIMType": "String", - "Name": "LowercaseLetters", + "Name": "PeriodOfflineBeforeWipeIsEnforced", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": 
"MaximumPINLength", + "CIMType": "Boolean", + "Name": "PinRequired", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "MinimumPINLength", + "CIMType": "Boolean", + "Name": "DisableAppPinIfDevicePinIsSet", + "Option": "write" + }, + { + "CIMType": "UInt32", + "Name": "MaximumPinRetries", "Option": "Write" }, { - "CIMType": "String", - "Name": "SpecialCharacters", + "CIMType": "Boolean", + "Name": "SimplePinBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "UppercaseLetters", + "CIMType": "UInt32", + "Name": "MinimumPinLength", "Option": "Write" }, { "CIMType": "String", - "Name": "RequireSecurityDevice", + "Name": "PinCharacterSet", "Option": "Write" }, { - "CIMType": "String", - "Name": "UseCertificateForOnPremAuth", + "CIMType": "String[]", + "Name": "AllowedDataStorageLocations", "Option": "Write" }, { - "CIMType": "String", - "Name": "UsePassportForWork", + "CIMType": "Boolean", + "Name": "ContactSyncBlocked", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10", - "Parameters": [ + }, { "CIMType": "String", - "Name": "EnablePinRecovery", + "Name": "PeriodBeforePinReset", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "Expiration", + "CIMType": "Boolean", + "Name": "PrintBlocked", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "History", + "CIMType": "Boolean", + "Name": "RequireClass3Biometrics", "Option": "Write" }, { - "CIMType": "String", - "Name": "LowercaseLetters", + "CIMType": "Boolean", + "Name": "RequirePinAfterBiometricChange", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "MaximumPINLength", + "CIMType": "Boolean", + "Name": "FingerprintBlocked", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "MinimumPINLength", + "CIMType": "String[]", + "Name": "Apps", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": 
"ExcludedGroups", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "SpecialCharacters", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "UppercaseLetters", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "RequireSecurityDevice", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String", - "Name": "UsePassportForWork", + "Name": "ManagedBrowser", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneAccountProtectionPolicyWindows10", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Description", + "Name": "MinimumRequiredAppVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "MinimumRequiredOSVersion", + "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "CIMType": "String", + "Name": "MinimumRequiredPatchVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "MinimumWarningAppVersion", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10", - "Name": "DeviceSettings", + "CIMType": "String", + "Name": "MinimumWarningOSVersion", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10", - "Name": "UserSettings", + "CIMType": "String", + "Name": "MinimumWarningPatchVersion", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "AppGroupType", "Option": "Write" }, { - "CIMType": "string", - 
"Name": "Ensure", + "CIMType": "Boolean", + "Name": "IsAssigned", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "ScreenCaptureBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "EncryptAppData", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "DisableAppEncryptionIfDeviceEncryptionIsEnabled", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "CustomBrowserDisplayName", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "CustomBrowserPackageId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { @@ -20020,7 +25876,7 @@ ] }, { - "ClassName": "MSFT_IntuneAntivirusPolicyWindows10SettingCatalog", + "ClassName": "MSFT_IntuneAppProtectionPolicyiOS", "Parameters": [ { "CIMType": "String", 
@@ -20039,377 +25895,407 @@ }, { "CIMType": "String", - "Name": "tamperprotection", + "Name": "PeriodOfflineBeforeAccessCheck", "Option": "Write" }, { "CIMType": "String", - "Name": "disableaccountprotectionui", + "Name": "PeriodOnlineBeforeAccessCheck", "Option": "Write" }, { "CIMType": "String", - "Name": "disableappbrowserui", + "Name": "AllowedInboundDataTransferSources", "Option": "Write" }, { "CIMType": "String", - "Name": "disablecleartpmbutton", + "Name": "AllowedOutboundDataTransferDestinations", "Option": "Write" }, { - "CIMType": "String", - "Name": "disabledevicesecurityui", + "CIMType": "Boolean", + "Name": "OrganizationalCredentialsRequired", "Option": "Write" }, { "CIMType": "String", - "Name": "disablefamilyui", + "Name": "AllowedOutboundClipboardSharingLevel", "Option": "Write" }, { - "CIMType": "String", - "Name": "disablehealthui", + "CIMType": "Boolean", + "Name": "DataBackupBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "disablenetworkui", + "CIMType": "Boolean", + "Name": "DeviceComplianceRequired", "Option": "Write" }, { - "CIMType": "String", - "Name": "disableenhancednotifications", + "CIMType": "Boolean", + "Name": "ManagedBrowserToOpenLinksRequired", "Option": "Write" }, { - "CIMType": "String", - "Name": "disabletpmfirmwareupdatewarning", + "CIMType": "Boolean", + "Name": "SaveAsBlocked", "Option": "Write" }, { "CIMType": "String", - "Name": "disablevirusui", + "Name": "PeriodOfflineBeforeWipeIsEnforced", "Option": "Write" }, { - "CIMType": "String", - "Name": "hideransomwaredatarecovery", + "CIMType": "Boolean", + "Name": "PinRequired", "Option": "Write" }, { - "CIMType": "String", - "Name": "hidewindowssecuritynotificationareacontrol", + "CIMType": "Boolean", + "Name": "DisableAppPinIfDevicePinIsSet", "Option": "Write" }, { - "CIMType": "String", - "Name": "enablecustomizedtoasts", + "CIMType": "UInt32", + "Name": "MaximumPinRetries", "Option": "Write" }, { - "CIMType": "String", - "Name": "enableinappcustomization", 
+ "CIMType": "Boolean", + "Name": "SimplePinBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "companyname", + "CIMType": "UInt32", + "Name": "MinimumPinLength", "Option": "Write" }, { "CIMType": "String", - "Name": "email", + "Name": "PinCharacterSet", "Option": "Write" }, { - "CIMType": "String", - "Name": "phone", + "CIMType": "String[]", + "Name": "AllowedDataStorageLocations", "Option": "Write" }, { - "CIMType": "String", - "Name": "url", + "CIMType": "Boolean", + "Name": "ContactSyncBlocked", "Option": "Write" }, { "CIMType": "String", - "Name": "allowarchivescanning", + "Name": "PeriodBeforePinReset", "Option": "Write" }, { - "CIMType": "String", - "Name": "allowbehaviormonitoring", + "CIMType": "Boolean", + "Name": "PrintBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "allowcloudprotection", + "CIMType": "Boolean", + "Name": "FingerprintBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "allowdatagramprocessingonwinserver", + "CIMType": "Boolean", + "Name": "FaceIdBlocked", "Option": "Write" }, { "CIMType": "String", - "Name": "allowemailscanning", + "Name": "ManagedBrowser", "Option": "Write" }, { "CIMType": "String", - "Name": "allowfullscanonmappednetworkdrives", + "Name": "MinimumRequiredAppVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "allowfullscanremovabledrivescanning", + "Name": "MinimumWarningAppVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "allowintrusionpreventionsystem", + "Name": "MinimumRequiredOSVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "allowioavprotection", + "Name": "MinimumWarningOSVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "allownetworkprotectiondownlevel", + "Name": "MinimumRequiredSdkVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "allowrealtimemonitoring", + "Name": "MinimumWipeOSVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "allowscanningnetworkfiles", + "Name": 
"MinimumWipeAppVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "allowscriptscanning", + "Name": "AppActionIfDeviceComplianceRequired", "Option": "Write" }, { "CIMType": "String", - "Name": "allowuseruiaccess", + "Name": "AppActionIfMaximumPinRetriesExceeded", "Option": "Write" }, { - "CIMType": "sInt32", - "Name": "avgcpuloadfactor", + "CIMType": "String", + "Name": "PinRequiredInsteadOfBiometricTimeout", "Option": "Write" }, { - "CIMType": "sInt32", - "Name": "archivemaxdepth", + "CIMType": "Uint32", + "Name": "AllowedOutboundClipboardSharingExceptionLength", "Option": "Write" }, { - "CIMType": "sInt32", - "Name": "archivemaxsize", + "CIMType": "String", + "Name": "NotificationRestriction", "Option": "Write" }, { - "CIMType": "String", - "Name": "checkforsignaturesbeforerunningscan", + "CIMType": "String[]", + "Name": "TargetedAppManagementLevels", "Option": "Write" }, { "CIMType": "String", - "Name": "cloudblocklevel", + "Name": "AppDataEncryptionType", "Option": "Write" }, { - "CIMType": "sInt32", - "Name": "cloudextendedtimeout", + "CIMType": "String[]", + "Name": "ExemptedAppProtocols", "Option": "Write" }, { - "CIMType": "sInt32", - "Name": "daystoretaincleanedmalware", + "CIMType": "String", + "Name": "MinimumWipeSdkVersion", "Option": "Write" }, { - "CIMType": "String", - "Name": "disablecatchupfullscan", + "CIMType": "String[]", + "Name": "AllowedIosDeviceModels", "Option": "Write" }, { "CIMType": "String", - "Name": "disablecatchupquickscan", + "Name": "AppActionIfIosDeviceModelNotAllowed", "Option": "Write" }, { - "CIMType": "String", - "Name": "disablednsovertcpparsing", + "CIMType": "Boolean", + "Name": "FilterOpenInToOnlyManagedApps", "Option": "Write" }, { - "CIMType": "String", - "Name": "disablehttpparsing", + "CIMType": "Boolean", + "Name": "DisableProtectionOfManagedOutboundOpenInData", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisableSshParsing", + "CIMType": "Boolean", + "Name": 
"ProtectInboundDataFromUnknownSources", "Option": "Write" }, { "CIMType": "String", - "Name": "enablelowcpupriority", + "Name": "CustomBrowserProtocol", "Option": "Write" }, { - "CIMType": "String", - "Name": "enablenetworkprotection", + "CIMType": "String[]", + "Name": "Apps", "Option": "Write" }, { "CIMType": "String[]", - "Name": "excludedextensions", + "Name": "Assignments", "Option": "Write" }, { "CIMType": "String[]", - "Name": "excludedpaths", + "Name": "ExcludedGroups", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "excludedprocesses", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "puaprotection", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "engineupdateschannel", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "meteredconnectionupdates", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "platformupdateschannel", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneASRRulesPolicyWindows10", + "Parameters": [ { "CIMType": "String", - "Name": "securityintelligenceupdateschannel", + "Name": "Identity", "Option": "Write" }, { "CIMType": "String", - "Name": "realtimescandirection", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { "CIMType": "String", - "Name": "scanparameter", + "Name": "ProcessCreationType", "Option": "Write" }, { - "CIMType": "sInt32", - "Name": "schedulequickscantime", + 
"CIMType": "String", + "Name": "AdvancedRansomewareProtectionType", "Option": "Write" }, { "CIMType": "String", - "Name": "schedulescanday", + "Name": "BlockPersistenceThroughWmiType", "Option": "Write" }, { - "CIMType": "sInt32", - "Name": "schedulescantime", + "CIMType": "String", + "Name": "ScriptObfuscatedMacroCodeType", "Option": "Write" }, { "CIMType": "String", - "Name": "disabletlsparsing", + "Name": "OfficeMacroCodeAllowWin32ImportsType", "Option": "Write" }, { "CIMType": "String", - "Name": "randomizescheduletasktimes", + "Name": "OfficeAppsLaunchChildProcessType", "Option": "Write" }, { - "CIMType": "sInt32", - "Name": "schedulerrandomizationtime", + "CIMType": "String", + "Name": "GuardMyFoldersType", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "signatureupdatefallbackorder", + "CIMType": "String", + "Name": "UntrustedUSBProcessType", "Option": "Write" }, { "CIMType": "String[]", - "Name": "signatureupdatefilesharessources", + "Name": "AttackSurfaceReductionExcludedPaths", "Option": "Write" }, { - "CIMType": "sInt32", - "Name": "signatureupdateinterval", + "CIMType": "String", + "Name": "UntrustedExecutableType", "Option": "Write" }, { "CIMType": "String", - "Name": "submitsamplesconsent", + "Name": "OfficeCommunicationAppsLaunchChildProcess", "Option": "Write" }, { "CIMType": "String", - "Name": "disablelocaladminmerge", + "Name": "EmailContentExecutionType", "Option": "Write" }, { "CIMType": "String", - "Name": "allowonaccessprotection", + "Name": "ScriptDownloadedPayloadExecutionType", "Option": "Write" }, { - "CIMType": "String", - "Name": "lowseveritythreats", + "CIMType": "String[]", + "Name": "AdditionalGuardedFolders", "Option": "Write" }, { "CIMType": "String", - "Name": "moderateseveritythreats", + "Name": "AdobeReaderLaunchChildProcess", "Option": "Write" }, { "CIMType": "String", - "Name": "severethreats", + "Name": "OfficeAppsExecutableContentCreationOrLaunchType", "Option": "Write" }, { "CIMType": "String", - "Name": 
"highseveritythreats", + "Name": "PreventCredentialStealingType", "Option": "Write" }, { "CIMType": "String", - "Name": "templateId", + "Name": "OfficeAppsOtherProcessInjectionType", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String[]", + "Name": "GuardedFoldersAllowedAppPaths", "Option": "Write" }, { @@ -20455,11 +26341,11 @@ ] }, { - "ClassName": "MSFT_IntuneAppAndBrowserIsolationPolicyWindows10", + "ClassName": "MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager", "Parameters": [ { "CIMType": "String", - "Name": "Description", + "Name": "Identity", "Option": "Write" }, { 
@@ -20468,113 +26354,113 @@ "Option": "Key" }, { - "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String", - "Name": "AllowWindowsDefenderApplicationGuard", + "CIMType": "String[]", + "Name": "AttackSurfaceReductionOnlyExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "ClipboardSettings", + "Name": "BlockAbuseOfExploitedVulnerableSignedDrivers", "Option": "Write" }, { "CIMType": "String", - "Name": "SaveFilesToHost", + "Name": "BlockAdobeReaderFromCreatingChildProcesses", "Option": "Write" }, { "CIMType": "String", - "Name": "InstallWindowsDefenderApplicationGuard", + "Name": "BlockAllOfficeApplicationsFromCreatingChildProcesses", "Option": "Write" }, { "CIMType": "String", - "Name": "ClipboardFileType", + "Name": "BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowPersistence", + "Name": "BlockExecutableContentFromEmailClientAndWebmail", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowVirtualGPU", + "Name": "BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion", "Option": "Write" }, { - "CIMType": "SInt32[]", - "Name": "PrintingSettings", + "CIMType": "String", + "Name": "BlockExecutionOfPotentiallyObfuscatedScripts", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowCameraMicrophoneRedirection", + "Name": "BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", "Option": "Write" }, { "CIMType": "String", - "Name": "AuditApplicationGuard", + "Name": "BlockOfficeApplicationsFromCreatingExecutableContent", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "CertificateThumbprints", + "CIMType": "String", + "Name": 
"BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EnterpriseIPRange", + "CIMType": "String", + "Name": "BlockOfficeCommunicationAppFromCreatingChildProcesses", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EnterpriseCloudResources", + "CIMType": "String", + "Name": "BlockPersistenceThroughWMIEventSubscription", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EnterpriseNetworkDomainNames", + "CIMType": "String", + "Name": "BlockProcessCreationsFromPSExecAndWMICommands", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EnterpriseProxyServers", + "CIMType": "String", + "Name": "BlockUntrustedUnsignedProcessesThatRunFromUSB", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EnterpriseInternalProxyServers", + "CIMType": "String", + "Name": "BlockWin32APICallsFromOfficeMacros", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "NeutralResources", + "CIMType": "String", + "Name": "UseAdvancedProtectionAgainstRansomware", "Option": "Write" }, { - "CIMType": "String", - "Name": "EnterpriseProxyServersAreAuthoritative", + "CIMType": "String[]", + "Name": "ControlledFolderAccessProtectedFolders", "Option": "Write" }, { - "CIMType": "String", - "Name": "EnterpriseIPRangesAreAuthoritative", + "CIMType": "String[]", + "Name": "ControlledFolderAccessAllowedApplications", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "EnableControlledFolderAccess", "Option": "Write" }, { @@ -20620,7 +26506,7 @@ ] }, { - "ClassName": "MSFT_IntuneAppCategory", + "ClassName": "MSFT_IntuneDerivedCredential", "Parameters": [ { "CIMType": "String", 
@@ -20633,148 +26519,143 @@ "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "HelpUrl", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Uint32", + "Name": "RenewalThresholdPercentage", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "Issuer", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "NotificationType", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "Ensure", "Option": "Write" }, { "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, - { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphAndroidPermissionAction", - "Parameters": [ { "CIMType": "String", - "Name": "Action", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "Permission", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphAppConfigurationSettingItem", - "Parameters": [ + }, { "CIMType": "String", - "Name": "AppConfigKey", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "AppConfigKeyType", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "AppConfigKeyValue", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneAppConfigurationDevicePolicy", + "ClassName": "MSFT_IntuneDeviceAndAppManagementAssignmentFilter", "Parameters": [ { - "CIMType": "Boolean", - "Name": "ConnectedAppsEnabled", + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": 
"Identity", "Option": "Write" }, { "CIMType": "String", - "Name": "PackageId", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "PayloadJson", + "Name": "Rule", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphandroidPermissionAction[]", - "Name": "PermissionActions", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "ProfileApplicability", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "EncodedSettingXml", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphappConfigurationSettingItem[]", - "Name": "Settings", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Required" + "Name": "CertificateThumbprint", + "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "TargetedMobileApps", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceCategory", + "Parameters": [ { "CIMType": "String", - "Name": "Id", + "Name": "DisplayName", "Option": "Key" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { 
@@ -20820,46 +26701,21 @@ ] }, { - "ClassName": "MSFT_IntuneAppConfigurationPolicyCustomSetting", - "Parameters": [ - { - "CIMType": "String", - "Name": "name", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "value", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneAppConfigurationPolicy", + "ClassName": "MSFT_IntuneDeviceCleanupRule", "Parameters": [ { "CIMType": "String", - "Name": "Id", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "DisplayName", + "Name": "IsSingleInstance", "Option": "Key" }, { - "CIMType": "String", - "Name": "Description", - "Option": "Write" - }, - { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", - "Option": "Write" + "CIMType": "Boolean", + "Name": "Enabled", + "Option": "Key" }, { - "CIMType": "MSFT_IntuneAppConfigurationPolicyCustomSetting[]", - "Name": "CustomSettings", + "CIMType": "UInt32", + "Name": "DeviceInactivityBeforeRetirementInDays", "Option": "Write" }, { @@ -20905,7 +26761,7 @@ ] }, { - "ClassName": "MSFT_IntuneApplicationControlPolicyWindows10", + "ClassName": "MSFT_IntuneDeviceCompliancePolicyAndroid", "Parameters": [ { "CIMType": "String", 
@@ -20923,588 +26779,648 @@ "Option": "Write" }, { - "CIMType": "String", - "Name": "AppLockerApplicationControl", + "CIMType": "Boolean", + "Name": "PasswordRequired", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SmartScreenBlockOverrideForFiles", + "CIMType": "Uint32", + "Name": "PasswordMinimumLength", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SmartScreenEnableInshell", + "CIMType": "String", + "Name": "PasswordRequiredType", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "RequiredPasswordComplexity", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Uint32", + "Name": "PasswordMinutesOfInactivityBeforeLock", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Uint32", + "Name": "PasswordExpirationDays", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Uint32", + "Name": "PasswordPreviousPasswordBlockCount", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Uint32", + "Name": "PasswordSignInFailureCountBeforeFactoryReset", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "SecurityPreventInstallAppsFromUnknownSources", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "SecurityDisableUsbDebugging", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "SecurityRequireVerifyApps", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneAppProtectionPolicyAndroid", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "Boolean", + "Name": "DeviceThreatProtectionEnabled", + "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "DeviceThreatProtectionRequiredSecurityLevel", "Option": "Write" }, { 
"CIMType": "String", - "Name": "PeriodOfflineBeforeAccessCheck", + "Name": "AdvancedThreatProtectionRequiredSecurityLevel", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SecurityBlockJailbrokenDevices", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SecurityBlockDeviceAdministratorManagedDevices", "Option": "Write" }, { "CIMType": "String", - "Name": "PeriodOnlineBeforeAccessCheck", + "Name": "OsMinimumVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowedInboundDataTransferSources", + "Name": "OsMaximumVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowedOutboundDataTransferDestinations", + "Name": "MinAndroidSecurityPatchLevel", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "OrganizationalCredentialsRequired", + "Name": "StorageRequireEncryption", "Option": "Write" }, { - "CIMType": "String", - "Name": "AllowedOutboundClipboardSharingLevel", + "CIMType": "Boolean", + "Name": "SecurityRequireSafetyNetAttestationBasicIntegrity", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DataBackupBlocked", + "Name": "SecurityRequireSafetyNetAttestationCertifiedDevice", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DeviceComplianceRequired", + "Name": "SecurityRequireGooglePlayServices", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedBrowserToOpenLinksRequired", + "Name": "SecurityRequireUpToDateSecurityProviders", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SaveAsBlocked", + "Name": "SecurityRequireCompanyPortalAppIntegrity", "Option": "Write" }, { "CIMType": "String", - "Name": "PeriodOfflineBeforeWipeIsEnforced", + "Name": "ConditionStatementId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PinRequired", + "CIMType": "String", + "Name": "RestrictedApps", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisableAppPinIfDevicePinIsSet", - "Option": "write" + "CIMType": "String", + "Name": "RoleScopeTagIds", + "Option": "Write" }, 
{ - "CIMType": "UInt32", - "Name": "MaximumPinRetries", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SimplePinBlocked", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MinimumPinLength", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "PinCharacterSet", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AllowedDataStorageLocations", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ContactSyncBlocked", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "PeriodBeforePinReset", + "Name": "Description", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PrintBlocked", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RequireClass3Biometrics", + "Name": "DeviceThreatProtectionEnabled", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "RequirePinAfterBiometricChange", + "CIMType": "String", + "Name": "DeviceThreatProtectionRequiredSecurityLevel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AdvancedThreatProtectionRequiredSecurityLevel", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FingerprintBlocked", + "Name": "SecurityRequireSafetyNetAttestationBasicIntegrity", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Apps", + "CIMType": "Boolean", + "Name": 
"SecurityRequireSafetyNetAttestationCertifiedDevice", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "osMinimumVersion", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExcludedGroups", + "CIMType": "String", + "Name": "osMaximumVersion", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "passwordRequired", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Uint32", + "Name": "passwordMinimumLength", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "PasswordRequiredType", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Uint32", + "Name": "PasswordMinutesOfInactivityBeforeLock", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Uint32", + "Name": "PasswordExpirationDays", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Uint32", + "Name": "PasswordPreviousPasswordCountToBlock", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "StorageRequireEncryption", "Option": "Write" }, { - "CIMType": "String", - "Name": "ManagedBrowser", + "CIMType": "Boolean", + "Name": "SecurityRequireIntuneAppIntegrity", "Option": "Write" }, { - "CIMType": "String", - "Name": "MinimumRequiredAppVersion", + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": "Write" }, { "CIMType": "String", - "Name": "MinimumRequiredOSVersion", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "MinimumRequiredPatchVersion", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "MinimumWarningAppVersion", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "MinimumWarningOSVersion", + "Name": "TenantId", "Option": "Write" }, { - 
"CIMType": "String", - "Name": "MinimumWarningPatchVersion", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "AppGroupType", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsAssigned", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ScreenCaptureBlocked", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EncryptAppData", + "Name": "PasswordRequired", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisableAppEncryptionIfDeviceEncryptionIsEnabled", + "CIMType": "Uint32", + "Name": "PasswordMinimumLength", "Option": "Write" }, { "CIMType": "String", - "Name": "CustomBrowserDisplayName", + "Name": "PasswordRequiredType", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomBrowserPackageId", + "CIMType": "Uint32", + "Name": "PasswordMinutesOfInactivityBeforeLock", "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "Uint32", + "Name": "PasswordExpirationDays", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Uint32", + "Name": "PasswordPreviousPasswordBlockCount", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneAppProtectionPolicyiOS", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "Uint32", + "Name": "PasswordSignInFailureCountBeforeFactoryReset", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Identity", + "CIMType": "Boolean", + 
"Name": "SecurityPreventInstallAppsFromUnknownSources", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "SecurityDisableUsbDebugging", "Option": "Write" }, { - "CIMType": "String", - "Name": "PeriodOfflineBeforeAccessCheck", + "CIMType": "Boolean", + "Name": "SecurityRequireVerifyApps", "Option": "Write" }, { - "CIMType": "String", - "Name": "PeriodOnlineBeforeAccessCheck", + "CIMType": "Boolean", + "Name": "DeviceThreatProtectionEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowedInboundDataTransferSources", + "Name": "DeviceThreatProtectionRequiredSecurityLevel", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowedOutboundDataTransferDestinations", + "Name": "AdvancedThreatProtectionRequiredSecurityLevel", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "OrganizationalCredentialsRequired", + "Name": "SecurityBlockJailbrokenDevices", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowedOutboundClipboardSharingLevel", + "Name": "OsMinimumVersion", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DataBackupBlocked", + "CIMType": "String", + "Name": "OsMaximumVersion", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DeviceComplianceRequired", + "CIMType": "String", + "Name": "MinAndroidSecurityPatchLevel", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedBrowserToOpenLinksRequired", + "Name": "StorageRequireEncryption", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SaveAsBlocked", + "Name": "SecurityRequireSafetyNetAttestationBasicIntegrity", "Option": "Write" }, { - "CIMType": "String", - "Name": "PeriodOfflineBeforeWipeIsEnforced", + "CIMType": "Boolean", + "Name": "SecurityRequireSafetyNetAttestationCertifiedDevice", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PinRequired", + "Name": "SecurityRequireGooglePlayServices", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DisableAppPinIfDevicePinIsSet", + 
"Name": "SecurityRequireUpToDateSecurityProviders", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MaximumPinRetries", + "CIMType": "Boolean", + "Name": "SecurityRequireCompanyPortalAppIntegrity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SimplePinBlocked", + "CIMType": "String", + "Name": "SecurityRequiredAndroidSafetyNetEvaluationType", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MinimumPinLength", + "CIMType": "String", + "Name": "RoleScopeTagIds", "Option": "Write" }, { - "CIMType": "String", - "Name": "PinCharacterSet", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AllowedDataStorageLocations", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ContactSyncBlocked", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "PeriodBeforePinReset", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PrintBlocked", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FingerprintBlocked", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FaceIdBlocked", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "ManagedBrowser", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_appListItem", + "Parameters": [ { "CIMType": "String", - "Name": "MinimumRequiredAppVersion", + "Name": "name", "Option": "Write" }, { "CIMType": "String", - "Name": "MinimumWarningAppVersion", + "Name": "publisher", "Option": "Write" }, { "CIMType": "String", - "Name": "MinimumRequiredOSVersion", + "Name": "appStoreUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "MinimumWarningOSVersion", + "Name": "appId", "Option": "Write" + } + ] + 
}, + { + "ClassName": "MSFT_IntuneDeviceCompliancePolicyiOs", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "MinimumRequiredSdkVersion", + "Name": "Description", "Option": "Write" }, { - "CIMType": "String", - "Name": "MinimumWipeOSVersion", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String", - "Name": "MinimumWipeAppVersion", + "CIMType": "Boolean", + "Name": "PasscodeBlockSimple", "Option": "Write" }, { - "CIMType": "String", - "Name": "AppActionIfDeviceComplianceRequired", + "CIMType": "Uint32", + "Name": "PasscodeExpirationDays", "Option": "Write" }, { - "CIMType": "String", - "Name": "AppActionIfMaximumPinRetriesExceeded", + "CIMType": "Uint32", + "Name": "PasscodeMinimumLength", "Option": "Write" }, { - "CIMType": "String", - "Name": "PinRequiredInsteadOfBiometricTimeout", + "CIMType": "Uint32", + "Name": "PasscodeMinutesOfInactivityBeforeLock", "Option": "Write" }, { "CIMType": "Uint32", - "Name": "AllowedOutboundClipboardSharingExceptionLength", + "Name": "PasscodeMinutesOfInactivityBeforeScreenTimeout", "Option": "Write" }, { - "CIMType": "String", - "Name": "NotificationRestriction", + "CIMType": "Uint32", + "Name": "PasscodePreviousPasscodeBlockCount", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "TargetedAppManagementLevels", + "CIMType": "Uint32", + "Name": "PasscodeMinimumCharacterSetCount", "Option": "Write" }, { "CIMType": "String", - "Name": "AppDataEncryptionType", + "Name": "PasscodeRequiredType", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExemptedAppProtocols", + "CIMType": "Boolean", + "Name": "PasscodeRequired", "Option": "Write" }, { "CIMType": "String", - "Name": "MinimumWipeSdkVersion", + "Name": "OsMinimumVersion", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AllowedIosDeviceModels", + "CIMType": "String", + "Name": 
"OsMaximumVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "AppActionIfIosDeviceModelNotAllowed", + "Name": "OsMinimumBuildVersion", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FilterOpenInToOnlyManagedApps", + "CIMType": "String", + "Name": "OsMaximumBuildVersion", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DisableProtectionOfManagedOutboundOpenInData", + "Name": "SecurityBlockJailbrokenDevices", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ProtectInboundDataFromUnknownSources", + "Name": "DeviceThreatProtectionEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "CustomBrowserProtocol", + "Name": "DeviceThreatProtectionRequiredSecurityLevel", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Apps", + "CIMType": "String", + "Name": "AdvancedThreatProtectionRequiredSecurityLevel", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "ManagedEmailProfileRequired", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExcludedGroups", + "CIMType": "MSFT_appListItem[]", + "Name": "RestrictedApps", "Option": "Write" }, { @@ -21550,13 +27466,8 @@ ] }, { - "ClassName": "MSFT_IntuneASRRulesPolicyWindows10", + "ClassName": "MSFT_IntuneDeviceCompliancePolicyMacOS", "Parameters": [ - { - "CIMType": "String", - "Name": "Identity", - "Option": "Write" - }, { "CIMType": "String", "Name": "DisplayName", 
@@ -21573,98 +27484,108 @@ "Option": "Write" }, { - "CIMType": "String", - "Name": "ProcessCreationType", + "CIMType": "Boolean", + "Name": "PasswordRequired", "Option": "Write" }, { - "CIMType": "String", - "Name": "AdvancedRansomewareProtectionType", + "CIMType": "Boolean", + "Name": "PasswordBlockSimple", "Option": "Write" }, { - "CIMType": "String", - "Name": "BlockPersistenceThroughWmiType", + "CIMType": "Uint32", + "Name": "PasswordExpirationDays", "Option": "Write" }, { - "CIMType": "String", - "Name": "ScriptObfuscatedMacroCodeType", + "CIMType": "Uint32", + "Name": "PasswordMinimumLength", "Option": "Write" }, { - "CIMType": "String", - "Name": "OfficeMacroCodeAllowWin32ImportsType", + "CIMType": "Uint32", + "Name": "PasswordMinutesOfInactivityBeforeLock", "Option": "Write" }, { - "CIMType": "String", - "Name": "OfficeAppsLaunchChildProcessType", + "CIMType": "Uint32", + "Name": "PasswordPreviousPasswordBlockCount", "Option": "Write" }, { - "CIMType": "String", - "Name": "GuardMyFoldersType", + "CIMType": "Uint32", + "Name": "PasswordMinimumCharacterSetCount", "Option": "Write" }, { "CIMType": "String", - "Name": "UntrustedUSBProcessType", + "Name": "PasswordRequiredType", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AttackSurfaceReductionExcludedPaths", + "CIMType": "String", + "Name": "OsMinimumVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "UntrustedExecutableType", + "Name": "OsMaximumVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "OfficeCommunicationAppsLaunchChildProcess", + "Name": "OsMinimumBuildVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "EmailContentExecutionType", + "Name": "OsMaximumBuildVersion", "Option": "Write" }, { - "CIMType": "String", - "Name": "ScriptDownloadedPayloadExecutionType", + "CIMType": "Boolean", + "Name": "SystemIntegrityProtectionEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AdditionalGuardedFolders", + "CIMType": "Boolean", + "Name": 
"DeviceThreatProtectionEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "AdobeReaderLaunchChildProcess", + "Name": "DeviceThreatProtectionRequiredSecurityLevel", "Option": "Write" }, { "CIMType": "String", - "Name": "OfficeAppsExecutableContentCreationOrLaunchType", + "Name": "AdvancedThreatProtectionRequiredSecurityLevel", "Option": "Write" }, { - "CIMType": "String", - "Name": "PreventCredentialStealingType", + "CIMType": "Boolean", + "Name": "StorageRequireEncryption", "Option": "Write" }, { "CIMType": "String", - "Name": "OfficeAppsOtherProcessInjectionType", + "Name": "GatekeeperAllowedAppSource", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "GuardedFoldersAllowedAppPaths", + "CIMType": "Boolean", + "Name": "FirewallEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "FirewallBlockAllIncoming", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "FirewallEnableStealthMode", "Option": "Write" }, { @@ -21710,13 +27631,28 @@ ] }, { - "ClassName": "MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager", + "ClassName": "MSFT_MicrosoftGraphOperatingSystemVersionRange", "Parameters": [ { "CIMType": "String", - "Name": "Identity", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "LowestVersion", "Option": "Write" }, + { + "CIMType": "String", + "Name": "HighestVersion", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceCompliancePolicyWindows10", + "Parameters": [ { "CIMType": "String", "Name": "DisplayName", 
@@ -21733,103 +27669,163 @@ "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AttackSurfaceReductionOnlyExclusions", + "CIMType": "Boolean", + "Name": "PasswordRequired", "Option": "Write" }, { - "CIMType": "String", - "Name": "BlockAbuseOfExploitedVulnerableSignedDrivers", + "CIMType": "Boolean", + "Name": "PasswordBlockSimple", "Option": "Write" }, { - "CIMType": "String", - "Name": "BlockAdobeReaderFromCreatingChildProcesses", + "CIMType": "Boolean", + "Name": "PasswordRequiredToUnlockFromIdle", "Option": "Write" }, { - "CIMType": "String", - "Name": "BlockAllOfficeApplicationsFromCreatingChildProcesses", + "CIMType": "Uint32", + "Name": "PasswordMinutesOfInactivityBeforeLock", "Option": "Write" }, { - "CIMType": "String", - "Name": "BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", + "CIMType": "Uint32", + "Name": "PasswordExpirationDays", "Option": "Write" }, { - "CIMType": "String", - "Name": "BlockExecutableContentFromEmailClientAndWebmail", + "CIMType": "Uint32", + "Name": "PasswordMinimumLength", "Option": "Write" }, { - "CIMType": "String", - "Name": "BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion", + "CIMType": "Uint32", + "Name": "PasswordMinimumCharacterSetCount", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockExecutionOfPotentiallyObfuscatedScripts", + "Name": "PasswordRequiredType", "Option": "Write" }, { - "CIMType": "String", - "Name": "BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", + "CIMType": "Uint32", + "Name": "PasswordPreviousPasswordBlockCount", "Option": "Write" }, { - "CIMType": "String", - "Name": "BlockOfficeApplicationsFromCreatingExecutableContent", + "CIMType": "Boolean", + "Name": "RequireHealthyDeviceReport", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses", + "Name": "OsMinimumVersion", "Option": "Write" }, { "CIMType": "String", - "Name": 
"BlockOfficeCommunicationAppFromCreatingChildProcesses", + "Name": "OsMaximumVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockPersistenceThroughWMIEventSubscription", + "Name": "MobileOsMinimumVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockProcessCreationsFromPSExecAndWMICommands", + "Name": "MobileOsMaximumVersion", "Option": "Write" }, { - "CIMType": "String", - "Name": "BlockUntrustedUnsignedProcessesThatRunFromUSB", + "CIMType": "Boolean", + "Name": "EarlyLaunchAntiMalwareDriverEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "BitLockerEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SecureBootEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "CodeIntegrityEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "StorageRequireEncryption", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ActiveFirewallRequired", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DefenderEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockWin32APICallsFromOfficeMacros", + "Name": "DefenderVersion", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SignatureOutOfDate", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RTPEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AntivirusRequired", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AntiSpywareRequired", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DeviceThreatProtectionEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "UseAdvancedProtectionAgainstRansomware", + "Name": "DeviceThreatProtectionRequiredSecurityLevel", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ControlledFolderAccessProtectedFolders", + "CIMType": "Boolean", + "Name": "ConfigurationManagerComplianceRequired", "Option": "Write" }, { - "CIMType": "String[]", - "Name": 
"ControlledFolderAccessAllowedApplications", + "CIMType": "Boolean", + "Name": "TpmRequired", "Option": "Write" }, { "CIMType": "String", - "Name": "EnableControlledFolderAccess", + "Name": "DeviceCompliancePolicyScript", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphOperatingSystemVersionRange[]", + "Name": "ValidOperatingSystemBuildRanges", "Option": "Write" }, { 
@@ -21875,148 +27871,168 @@ ] }, { - "ClassName": "MSFT_IntuneDerivedCredential", + "ClassName": "MSFT_IntuneGroupPolicyDefinitionValueDefinition", "Parameters": [ { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "CategoryPath", + "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "ClassType", "Option": "Write" }, { "CIMType": "String", - "Name": "HelpUrl", + "Name": "DisplayName", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "RenewalThresholdPercentage", + "CIMType": "String", + "Name": "ExplainText", "Option": "Write" }, { "CIMType": "String", - "Name": "Issuer", + "Name": "GroupPolicyCategoryId", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "HasRelatedDefinitions", "Option": "Write" }, { "CIMType": "String", - "Name": "NotificationType", + "Name": "MinDeviceCspVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "MinUserCspVersion", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "PolicyType", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "SupportedOn", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "Id", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneGroupPolicyDefinitionValue", + "Parameters": [ + { + "CIMType": "String", + "Name": "ConfigurationType", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "Enabled", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "MSFT_IntuneGroupPolicyDefinitionValueDefinition", + "Name": "Definition", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "MSFT_IntuneGroupPolicyDefinitionValuePresentationValue[]", + "Name": "PresentationValues", 
"Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneDeviceAndAppManagementAssignmentFilter", + "ClassName": "MSFT_IntuneGroupPolicyDefinitionValuePresentationValue", "Parameters": [ { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "Identity", + "CIMType": "Boolean", + "Name": "BooleanValue", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Uint64", + "Name": "DecimalValue", "Option": "Write" }, { "CIMType": "String", - "Name": "Rule", + "Name": "StringValue", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "MSFT_IntuneGroupPolicyDefinitionValuePresentationValueKeyValuePair[]", + "Name": "KeyValuePairValues", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String[]", + "Name": "StringValues", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "PresentationDefinitionId", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "PresentationDefinitionLabel", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "odataType", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneGroupPolicyDefinitionValuePresentationValueKeyValuePair", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "Value", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "Name", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneDeviceCategory", + "ClassName": "MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10", "Parameters": [ + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, { "CIMType": "String", "Name": "DisplayName", 
@@ -22024,7 +28040,22 @@ }, { "CIMType": "String", - "Name": "Description", + "Name": "PolicyConfigurationIngestionType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "MSFT_IntuneGroupPolicyDefinitionValue[]", + "Name": "DefinitionValues", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { @@ -22070,67 +28101,57 @@ ] }, { - "ClassName": "MSFT_IntuneDeviceCleanupRule", + "ClassName": "MSFT_MicrosoftGraphOmaSetting", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", - "Option": "Key" - }, - { - "CIMType": "Boolean", - "Name": "Enabled", - "Option": "Key" - }, - { - "CIMType": "UInt32", - "Name": "DeviceInactivityBeforeRetirementInDays", + "Name": "Description", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "DisplayName", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "IsEncrypted", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "OmaUri", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "SecretReferenceValueId", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "FileName", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "Value", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "IsReadOnly", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "odataType", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneDeviceCompliancePolicyAndroid", + "ClassName": "MSFT_IntuneDeviceConfigurationCustomPolicyWindows10", "Parameters": [ { "CIMType": "String", 
@@ -22138,153 +28159,128 @@ "Option": "Key" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "MSFT_MicrosoftGraphomaSetting[]", + "Name": "OmaSettings", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasswordRequired", - "Option": "Write" - }, - { - "CIMType": "Uint32", - "Name": "PasswordMinimumLength", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "PasswordRequiredType", + "Name": "SupportsScopeTags", "Option": "Write" }, { "CIMType": "String", - "Name": "RequiredPasswordComplexity", - "Option": "Write" - }, - { - "CIMType": "Uint32", - "Name": "PasswordMinutesOfInactivityBeforeLock", - "Option": "Write" - }, - { - "CIMType": "Uint32", - "Name": "PasswordExpirationDays", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordPreviousPasswordBlockCount", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordSignInFailureCountBeforeFactoryReset", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityPreventInstallAppsFromUnknownSources", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityDisableUsbDebugging", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityRequireVerifyApps", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DeviceThreatProtectionEnabled", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "DeviceThreatProtectionRequiredSecurityLevel", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": 
"String", - "Name": "AdvancedThreatProtectionRequiredSecurityLevel", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityBlockJailbrokenDevices", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10", + "Parameters": [ { "CIMType": "Boolean", - "Name": "SecurityBlockDeviceAdministratorManagedDevices", + "Name": "AdvancedThreatProtectionAutoPopulateOnboardingBlob", "Option": "Write" }, { "CIMType": "String", - "Name": "OsMinimumVersion", + "Name": "AdvancedThreatProtectionOffboardingBlob", "Option": "Write" }, { "CIMType": "String", - "Name": "OsMaximumVersion", + "Name": "AdvancedThreatProtectionOffboardingFilename", "Option": "Write" }, { "CIMType": "String", - "Name": "MinAndroidSecurityPatchLevel", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "StorageRequireEncryption", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "SecurityRequireSafetyNetAttestationBasicIntegrity", + "Name": "AdvancedThreatProtectionOnboardingBlob", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityRequireSafetyNetAttestationCertifiedDevice", + "CIMType": "String", + "Name": "AdvancedThreatProtectionOnboardingFilename", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SecurityRequireGooglePlayServices", + "Name": "AllowSampleSharing", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SecurityRequireUpToDateSecurityProviders", + "Name": "EnableExpeditedTelemetryReporting", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityRequireCompanyPortalAppIntegrity", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "ConditionStatementId", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "RestrictedApps", + "Name": "Id", "Option": 
"Write" }, { - "CIMType": "String", - "Name": "RoleScopeTagIds", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { 
@@ -22330,286 +28326,311 @@ ] }, { - "ClassName": "MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner", + "ClassName": "MSFT_MicrosoftGraphDeliveryOptimizationBandwidth", "Parameters": [ { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "UInt64", + "Name": "MaximumDownloadBandwidthInKilobytesPerSecond", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "UInt64", + "Name": "MaximumUploadBandwidthInKilobytesPerSecond", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "MSFT_MicrosoftGraphDeliveryOptimizationBandwidthBusinessHoursLimit", + "Name": "BandwidthBackgroundPercentageHours", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DeviceThreatProtectionEnabled", + "CIMType": "MSFT_MicrosoftGraphDeliveryOptimizationBandwidthBusinessHoursLimit", + "Name": "BandwidthForegroundPercentageHours", "Option": "Write" }, { - "CIMType": "String", - "Name": "DeviceThreatProtectionRequiredSecurityLevel", + "CIMType": "UInt32", + "Name": "MaximumBackgroundBandwidthPercentage", "Option": "Write" }, { - "CIMType": "String", - "Name": "AdvancedThreatProtectionRequiredSecurityLevel", + "CIMType": "UInt32", + "Name": "MaximumForegroundBandwidthPercentage", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityRequireSafetyNetAttestationBasicIntegrity", + "CIMType": "String", + "Name": "odataType", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphDeliveryOptimizationBandwidthBusinessHoursLimit", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "SecurityRequireSafetyNetAttestationCertifiedDevice", + "CIMType": "UInt32", + "Name": "BandwidthBeginBusinessHours", "Option": "Write" }, { - "CIMType": "String", - "Name": "osMinimumVersion", + "CIMType": "UInt32", + "Name": "BandwidthEndBusinessHours", "Option": "Write" }, { - "CIMType": "String", - "Name": "osMaximumVersion", + "CIMType": 
"UInt32", + "Name": "BandwidthPercentageDuringBusinessHours", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "passwordRequired", + "CIMType": "UInt32", + "Name": "BandwidthPercentageOutsideBusinessHours", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphDeliveryOptimizationGroupIdSource", + "Parameters": [ { - "CIMType": "Uint32", - "Name": "passwordMinimumLength", + "CIMType": "String", + "Name": "GroupIdCustom", "Option": "Write" }, { "CIMType": "String", - "Name": "PasswordRequiredType", + "Name": "GroupIdSourceOption", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordMinutesOfInactivityBeforeLock", + "CIMType": "String", + "Name": "odataType", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphDeliveryOptimizationMaxCacheSize", + "Parameters": [ { - "CIMType": "Uint32", - "Name": "PasswordExpirationDays", + "CIMType": "UInt64", + "Name": "MaximumCacheSizeInGigabytes", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordPreviousPasswordCountToBlock", + "CIMType": "UInt32", + "Name": "MaximumCacheSizePercentage", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StorageRequireEncryption", + "CIMType": "String", + "Name": "odataType", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "SecurityRequireIntuneAppIntegrity", + "CIMType": "UInt64", + "Name": "BackgroundDownloadFromHttpDelayInSeconds", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "CIMType": "MSFT_MicrosoftGraphdeliveryOptimizationBandwidth", + "Name": "BandwidthMode", "Option": "Write" }, { - "CIMType": "String", - "Name": "Ensure", + "CIMType": "UInt32", + "Name": "CacheServerBackgroundDownloadFallbackToHttpDelayInSeconds", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "UInt32", + "Name": 
"CacheServerForegroundDownloadFallbackToHttpDelayInSeconds", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "String[]", + "Name": "CacheServerHostNames", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "DeliveryOptimizationMode", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "UInt64", + "Name": "ForegroundDownloadFromHttpDelayInSeconds", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "MSFT_MicrosoftGraphdeliveryOptimizationGroupIdSource", + "Name": "GroupIdSource", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "UInt32", + "Name": "MaximumCacheAgeInDays", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "MSFT_MicrosoftGraphdeliveryOptimizationMaxCacheSize", + "Name": "MaximumCacheSize", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile", - "Parameters": [ - { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "UInt32", + "Name": "MinimumBatteryPercentageAllowedToUpload", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "UInt32", + "Name": "MinimumDiskSizeAllowedToPeerInGigabytes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasswordRequired", + "CIMType": "UInt32", + "Name": "MinimumFileSizeToCacheInMegabytes", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordMinimumLength", + "CIMType": "UInt32", + "Name": "MinimumRamAllowedToPeerInGigabytes", "Option": "Write" }, { "CIMType": "String", - "Name": "PasswordRequiredType", + "Name": "ModifyCacheLocation", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordMinutesOfInactivityBeforeLock", + "CIMType": "String", + "Name": 
"RestrictPeerSelectionBy", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordExpirationDays", + "CIMType": "String", + "Name": "VpnPeerCaching", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordPreviousPasswordBlockCount", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordSignInFailureCountBeforeFactoryReset", - "Option": "Write" + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "Boolean", - "Name": "SecurityPreventInstallAppsFromUnknownSources", + "Name": "SupportsScopeTags", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityDisableUsbDebugging", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityRequireVerifyApps", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DeviceThreatProtectionEnabled", + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "DeviceThreatProtectionRequiredSecurityLevel", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "AdvancedThreatProtectionRequiredSecurityLevel", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityBlockJailbrokenDevices", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "OsMinimumVersion", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "OsMaximumVersion", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10", + "Parameters": [ { "CIMType": 
"String", - "Name": "MinAndroidSecurityPatchLevel", + "Name": "ActiveDirectoryDomainName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StorageRequireEncryption", + "CIMType": "String", + "Name": "ComputerNameStaticPrefix", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityRequireSafetyNetAttestationBasicIntegrity", + "CIMType": "UInt32", + "Name": "ComputerNameSuffixRandomCharCount", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityRequireSafetyNetAttestationCertifiedDevice", + "CIMType": "String", + "Name": "OrganizationalUnit", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityRequireGooglePlayServices", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityRequireUpToDateSecurityProviders", - "Option": "Write" + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "Boolean", - "Name": "SecurityRequireCompanyPortalAppIntegrity", + "Name": "SupportsScopeTags", "Option": "Write" }, { "CIMType": "String", - "Name": "SecurityRequiredAndroidSafetyNetEvaluationType", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String", - "Name": "RoleScopeTagIds", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { 
@@ -22655,141 +28676,91 @@ ] }, { - "ClassName": "MSFT_appListItem", - "Parameters": [ - { - "CIMType": "String", - "Name": "name", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "publisher", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "appStoreUrl", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "appId", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceCompliancePolicyiOs", + "ClassName": "MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10", "Parameters": [ { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "Description", - "Option": "Write" - }, - { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "PasscodeBlockSimple", - "Option": "Write" - }, - { - "CIMType": "Uint32", - "Name": "PasscodeExpirationDays", + "CIMType": "String", + "Name": "AccountName", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasscodeMinimumLength", + "CIMType": "String", + "Name": "DurationOfEmailToSync", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasscodeMinutesOfInactivityBeforeLock", + "CIMType": "String", + "Name": "EmailAddressSource", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasscodeMinutesOfInactivityBeforeScreenTimeout", + "CIMType": "String", + "Name": "EmailSyncSchedule", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasscodePreviousPasscodeBlockCount", + "CIMType": "String", + "Name": "HostName", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasscodeMinimumCharacterSetCount", + "CIMType": "Boolean", + "Name": "RequireSsl", "Option": "Write" }, { - "CIMType": "String", - "Name": "PasscodeRequiredType", + "CIMType": "Boolean", + "Name": "SyncCalendar", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasscodeRequired", + "Name": "SyncContacts", "Option": "Write" }, { - 
"CIMType": "String", - "Name": "OsMinimumVersion", + "CIMType": "Boolean", + "Name": "SyncTasks", "Option": "Write" }, { "CIMType": "String", - "Name": "OsMaximumVersion", + "Name": "CustomDomainName", "Option": "Write" }, { "CIMType": "String", - "Name": "OsMinimumBuildVersion", + "Name": "UserDomainNameSource", "Option": "Write" }, { "CIMType": "String", - "Name": "OsMaximumBuildVersion", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "SecurityBlockJailbrokenDevices", + "Name": "UsernameAADSource", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DeviceThreatProtectionEnabled", + "CIMType": "String", + "Name": "UsernameSource", "Option": "Write" }, { "CIMType": "String", - "Name": "DeviceThreatProtectionRequiredSecurityLevel", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "AdvancedThreatProtectionRequiredSecurityLevel", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "ManagedEmailProfileRequired", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "MSFT_appListItem[]", - "Name": "RestrictedApps", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { 
@@ -22835,2886 +28806,2886 @@ ] }, { - "ClassName": "MSFT_IntuneDeviceCompliancePolicyMacOS", + "ClassName": "MSFT_MicrosoftGraphBitLockerFixedDrivePolicy", "Parameters": [ { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "Description", + "Name": "EncryptionMethod", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "MSFT_MicrosoftGraphBitLockerRecoveryOptions", + "Name": "RecoveryOptions", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasswordRequired", + "Name": "RequireEncryptionForWriteAccess", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphBitLockerRecoveryOptions", + "Parameters": [ { "CIMType": "Boolean", - "Name": "PasswordBlockSimple", - "Option": "Write" - }, - { - "CIMType": "Uint32", - "Name": "PasswordExpirationDays", - "Option": "Write" - }, - { - "CIMType": "Uint32", - "Name": "PasswordMinimumLength", + "Name": "BlockDataRecoveryAgent", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordMinutesOfInactivityBeforeLock", + "CIMType": "Boolean", + "Name": "EnableBitLockerAfterRecoveryInformationToStore", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordPreviousPasswordBlockCount", + "CIMType": "Boolean", + "Name": "EnableRecoveryInformationSaveToStore", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordMinimumCharacterSetCount", + "CIMType": "Boolean", + "Name": "HideRecoveryOptions", "Option": "Write" }, { "CIMType": "String", - "Name": "PasswordRequiredType", + "Name": "RecoveryInformationToStore", "Option": "Write" }, { "CIMType": "String", - "Name": "OsMinimumVersion", + "Name": "RecoveryKeyUsage", "Option": "Write" }, { "CIMType": "String", - "Name": "OsMaximumVersion", + "Name": "RecoveryPasswordUsage", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphBitLockerRemovableDrivePolicy", + "Parameters": [ { - 
"CIMType": "String", - "Name": "OsMinimumBuildVersion", + "CIMType": "Boolean", + "Name": "BlockCrossOrganizationWriteAccess", "Option": "Write" }, { "CIMType": "String", - "Name": "OsMaximumBuildVersion", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "SystemIntegrityProtectionEnabled", + "Name": "EncryptionMethod", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DeviceThreatProtectionEnabled", + "Name": "RequireEncryptionForWriteAccess", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphBitLockerSystemDrivePolicy", + "Parameters": [ { "CIMType": "String", - "Name": "DeviceThreatProtectionRequiredSecurityLevel", + "Name": "EncryptionMethod", "Option": "Write" }, { - "CIMType": "String", - "Name": "AdvancedThreatProtectionRequiredSecurityLevel", + "CIMType": "UInt32", + "Name": "MinimumPinLength", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StorageRequireEncryption", + "Name": "PrebootRecoveryEnableMessageAndUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "GatekeeperAllowedAppSource", + "Name": "PrebootRecoveryMessage", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FirewallEnabled", + "CIMType": "String", + "Name": "PrebootRecoveryUrl", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FirewallBlockAllIncoming", + "CIMType": "MSFT_MicrosoftGraphBitLockerRecoveryOptions", + "Name": "RecoveryOptions", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FirewallEnableStealthMode", - "Option": "Write" - }, - { - "CIMType": "string", - "Name": "Ensure", + "Name": "StartupAuthenticationBlockWithoutTpmChip", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "StartupAuthenticationRequired", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "StartupAuthenticationTpmKeyUsage", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", - "Option": "Write" - }, - { - "CIMType": 
"MSFT_Credential", - "Name": "ApplicationSecret", + "Name": "StartupAuthenticationTpmPinAndKeyUsage", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "StartupAuthenticationTpmPinUsage", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "StartupAuthenticationTpmUsage", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphOperatingSystemVersionRange", + "ClassName": "MSFT_MicrosoftGraphDefenderDetectedMalwareActions", "Parameters": [ { "CIMType": "String", - "Name": "Description", + "Name": "HighSeverity", "Option": "Write" }, { "CIMType": "String", - "Name": "LowestVersion", + "Name": "LowSeverity", "Option": "Write" }, { "CIMType": "String", - "Name": "HighestVersion", + "Name": "ModerateSeverity", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SevereSeverity", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneDeviceCompliancePolicyWindows10", + "ClassName": "MSFT_MicrosoftGraphWindowsFirewallNetworkProfile", "Parameters": [ { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "AuthorizedApplicationRulesFromGroupPolicyMerged", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "AuthorizedApplicationRulesFromGroupPolicyNotMerged", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasswordRequired", + "Name": "ConnectionSecurityRulesFromGroupPolicyMerged", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasswordBlockSimple", + "Name": "ConnectionSecurityRulesFromGroupPolicyNotMerged", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasswordRequiredToUnlockFromIdle", + "CIMType": "String", + "Name": "FirewallEnabled", "Option": "Write" 
}, { - "CIMType": "Uint32", - "Name": "PasswordMinutesOfInactivityBeforeLock", + "CIMType": "Boolean", + "Name": "GlobalPortRulesFromGroupPolicyMerged", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordExpirationDays", + "CIMType": "Boolean", + "Name": "GlobalPortRulesFromGroupPolicyNotMerged", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordMinimumLength", + "CIMType": "Boolean", + "Name": "InboundConnectionsBlocked", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordMinimumCharacterSetCount", + "CIMType": "Boolean", + "Name": "InboundConnectionsRequired", "Option": "Write" }, { - "CIMType": "String", - "Name": "PasswordRequiredType", + "CIMType": "Boolean", + "Name": "InboundNotificationsBlocked", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordPreviousPasswordBlockCount", + "CIMType": "Boolean", + "Name": "InboundNotificationsRequired", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RequireHealthyDeviceReport", + "Name": "IncomingTrafficBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "OsMinimumVersion", + "CIMType": "Boolean", + "Name": "IncomingTrafficRequired", "Option": "Write" }, { - "CIMType": "String", - "Name": "OsMaximumVersion", + "CIMType": "Boolean", + "Name": "OutboundConnectionsBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "MobileOsMinimumVersion", + "CIMType": "Boolean", + "Name": "OutboundConnectionsRequired", "Option": "Write" }, { - "CIMType": "String", - "Name": "MobileOsMaximumVersion", + "CIMType": "Boolean", + "Name": "PolicyRulesFromGroupPolicyMerged", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EarlyLaunchAntiMalwareDriverEnabled", + "Name": "PolicyRulesFromGroupPolicyNotMerged", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "BitLockerEnabled", + "Name": "SecuredPacketExemptionAllowed", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SecureBootEnabled", + "Name": "SecuredPacketExemptionBlocked", 
"Option": "Write" }, { "CIMType": "Boolean", - "Name": "CodeIntegrityEnabled", + "Name": "StealthModeBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StorageRequireEncryption", + "Name": "StealthModeRequired", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ActiveFirewallRequired", + "Name": "UnicastResponsesToMulticastBroadcastsBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderEnabled", + "Name": "UnicastResponsesToMulticastBroadcastsRequired", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindowsFirewallRule", + "Parameters": [ { "CIMType": "String", - "Name": "DefenderVersion", + "Name": "Action", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SignatureOutOfDate", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "RTPEnabled", + "CIMType": "String", + "Name": "DisplayName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AntivirusRequired", + "CIMType": "String", + "Name": "EdgeTraversal", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AntiSpywareRequired", + "CIMType": "String", + "Name": "FilePath", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DeviceThreatProtectionEnabled", + "CIMType": "String[]", + "Name": "InterfaceTypes", "Option": "Write" }, { - "CIMType": "String", - "Name": "DeviceThreatProtectionRequiredSecurityLevel", + "CIMType": "String[]", + "Name": "LocalAddressRanges", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConfigurationManagerComplianceRequired", + "CIMType": "String[]", + "Name": "LocalPortRanges", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "TpmRequired", + "CIMType": "String", + "Name": "LocalUserAuthorizations", "Option": "Write" }, { "CIMType": "String", - "Name": "DeviceCompliancePolicyScript", + "Name": "PackageFamilyName", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphOperatingSystemVersionRange[]", - "Name": 
"ValidOperatingSystemBuildRanges", + "CIMType": "String", + "Name": "ProfileTypes", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "UInt32", + "Name": "Protocol", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String[]", + "Name": "RemoteAddressRanges", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "String[]", + "Name": "RemotePortRanges", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", - "Option": "Write" - }, - { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "Name": "ServiceName", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "TrafficDirection", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphDeviceManagementUserRightsSetting", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "MSFT_MicrosoftGraphDeviceManagementUserRightsLocalUserOrGroup[]", + "Name": "LocalUsersOrGroups", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "State", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneGroupPolicyDefinitionValueDefinition", + "ClassName": "MSFT_MicrosoftGraphDeviceManagementUserRightsLocalUserOrGroup", "Parameters": [ { "CIMType": "String", - "Name": "CategoryPath", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "ClassType", + "Name": "Name", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", + "Name": "SecurityIdentifier", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "ApplicationGuardAllowCameraMicrophoneRedirection", "Option": "Write" }, { - "CIMType": "String", - "Name": "ExplainText", + "CIMType": "Boolean", + "Name": "ApplicationGuardAllowFileSaveOnHost", "Option": 
"Write" }, { - "CIMType": "String", - "Name": "GroupPolicyCategoryId", + "CIMType": "Boolean", + "Name": "ApplicationGuardAllowPersistence", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "HasRelatedDefinitions", + "Name": "ApplicationGuardAllowPrintToLocalPrinters", "Option": "Write" }, { - "CIMType": "String", - "Name": "MinDeviceCspVersion", + "CIMType": "Boolean", + "Name": "ApplicationGuardAllowPrintToNetworkPrinters", "Option": "Write" }, { - "CIMType": "String", - "Name": "MinUserCspVersion", + "CIMType": "Boolean", + "Name": "ApplicationGuardAllowPrintToPDF", "Option": "Write" }, { - "CIMType": "String", - "Name": "PolicyType", + "CIMType": "Boolean", + "Name": "ApplicationGuardAllowPrintToXPS", "Option": "Write" }, { - "CIMType": "String", - "Name": "SupportedOn", + "CIMType": "Boolean", + "Name": "ApplicationGuardAllowVirtualGPU", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "ApplicationGuardBlockClipboardSharing", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneGroupPolicyDefinitionValue", - "Parameters": [ + }, { "CIMType": "String", - "Name": "ConfigurationType", + "Name": "ApplicationGuardBlockFileTransfer", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "Enabled", + "Name": "ApplicationGuardBlockNonEnterpriseContent", "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "String[]", + "Name": "ApplicationGuardCertificateThumbprints", "Option": "Write" }, { - "CIMType": "MSFT_IntuneGroupPolicyDefinitionValueDefinition", - "Name": "Definition", + "CIMType": "Boolean", + "Name": "ApplicationGuardEnabled", "Option": "Write" }, { - "CIMType": "MSFT_IntuneGroupPolicyDefinitionValuePresentationValue[]", - "Name": "PresentationValues", + "CIMType": "String", + "Name": "ApplicationGuardEnabledOptions", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneGroupPolicyDefinitionValuePresentationValue", - "Parameters": [ + }, { "CIMType": "Boolean", - "Name": "BooleanValue", + 
"Name": "ApplicationGuardForceAuditing", "Option": "Write" }, { - "CIMType": "Uint64", - "Name": "DecimalValue", + "CIMType": "String", + "Name": "AppLockerApplicationControl", "Option": "Write" }, { - "CIMType": "String", - "Name": "StringValue", + "CIMType": "Boolean", + "Name": "BitLockerAllowStandardUserEncryption", "Option": "Write" }, { - "CIMType": "MSFT_IntuneGroupPolicyDefinitionValuePresentationValueKeyValuePair[]", - "Name": "KeyValuePairValues", + "CIMType": "Boolean", + "Name": "BitLockerDisableWarningForOtherDiskEncryption", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "StringValues", + "CIMType": "Boolean", + "Name": "BitLockerEnableStorageCardEncryptionOnMobile", "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "Boolean", + "Name": "BitLockerEncryptDevice", "Option": "Write" }, { - "CIMType": "String", - "Name": "PresentationDefinitionId", + "CIMType": "MSFT_MicrosoftGraphbitLockerFixedDrivePolicy", + "Name": "BitLockerFixedDrivePolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "PresentationDefinitionLabel", + "Name": "BitLockerRecoveryPasswordRotation", "Option": "Write" }, { - "CIMType": "String", - "Name": "odataType", + "CIMType": "MSFT_MicrosoftGraphbitLockerRemovableDrivePolicy", + "Name": "BitLockerRemovableDrivePolicy", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneGroupPolicyDefinitionValuePresentationValueKeyValuePair", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "Value", + "CIMType": "MSFT_MicrosoftGraphbitLockerSystemDrivePolicy", + "Name": "BitLockerSystemDrivePolicy", "Option": "Write" }, { - "CIMType": "String", - "Name": "Name", + "CIMType": "String[]", + "Name": "DefenderAdditionalGuardedFolders", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Description", + "Name": "DefenderAdobeReaderLaunchChildProcess", "Option": 
"Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "DefenderAdvancedRansomewareProtectionType", + "Option": "Write" }, { - "CIMType": "String", - "Name": "PolicyConfigurationIngestionType", + "CIMType": "Boolean", + "Name": "DefenderAllowBehaviorMonitoring", "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "Boolean", + "Name": "DefenderAllowCloudProtection", "Option": "Write" }, { - "CIMType": "MSFT_IntuneGroupPolicyDefinitionValue[]", - "Name": "DefinitionValues", + "CIMType": "Boolean", + "Name": "DefenderAllowEndUserAccess", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "DefenderAllowIntrusionPreventionSystem", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "DefenderAllowOnAccessProtection", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "DefenderAllowRealTimeMonitoring", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "DefenderAllowScanArchiveFiles", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "DefenderAllowScanDownloads", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "DefenderAllowScanNetworkFiles", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "DefenderAllowScanRemovableDrivesDuringFullScan", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "DefenderAllowScanScriptsLoadedInInternetExplorer", "Option": "Write" }, { "CIMType": "String[]", - "Name": "AccessTokens", + "Name": "DefenderAttackSurfaceReductionExcludedPaths", "Option": "Write" - } - ] - }, - { - "ClassName": 
"MSFT_MicrosoftGraphOmaSetting", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "DefenderBlockEndUserAccess", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", + "Name": "DefenderBlockPersistenceThroughWmiType", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsEncrypted", + "Name": "DefenderCheckForSignaturesBeforeRunningScan", "Option": "Write" }, { "CIMType": "String", - "Name": "OmaUri", + "Name": "DefenderCloudBlockLevel", "Option": "Write" }, { - "CIMType": "String", - "Name": "SecretReferenceValueId", + "CIMType": "UInt32", + "Name": "DefenderCloudExtendedTimeoutInSeconds", "Option": "Write" }, { - "CIMType": "String", - "Name": "FileName", + "CIMType": "UInt32", + "Name": "DefenderDaysBeforeDeletingQuarantinedMalware", "Option": "Write" }, { - "CIMType": "String", - "Name": "Value", + "CIMType": "MSFT_MicrosoftGraphdefenderDetectedMalwareActions", + "Name": "DefenderDetectedMalwareActions", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "IsReadOnly", + "Name": "DefenderDisableBehaviorMonitoring", "Option": "Write" }, { - "CIMType": "String", - "Name": "odataType", + "CIMType": "Boolean", + "Name": "DefenderDisableCatchupFullScan", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationCustomPolicyWindows10", - "Parameters": [ - { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" }, { - "CIMType": "MSFT_MicrosoftGraphomaSetting[]", - "Name": "OmaSettings", + "CIMType": "Boolean", + "Name": "DefenderDisableCatchupQuickScan", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "DefenderDisableCloudProtection", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SupportsScopeTags", + "Name": "DefenderDisableIntrusionPreventionSystem", "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "Boolean", + "Name": "DefenderDisableOnAccessProtection", 
"Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "DefenderDisableRealTimeMonitoring", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "DefenderDisableScanArchiveFiles", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "DefenderDisableScanDownloads", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "DefenderDisableScanNetworkFiles", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "DefenderDisableScanRemovableDrivesDuringFullScan", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "DefenderDisableScanScriptsLoadedInInternetExplorer", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "DefenderEmailContentExecution", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "DefenderEmailContentExecutionType", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "DefenderEnableLowCpuPriority", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10", - "Parameters": [ + }, { "CIMType": "Boolean", - "Name": "AdvancedThreatProtectionAutoPopulateOnboardingBlob", + "Name": "DefenderEnableScanIncomingMail", "Option": "Write" }, { - "CIMType": "String", - "Name": "AdvancedThreatProtectionOffboardingBlob", + "CIMType": "Boolean", + "Name": "DefenderEnableScanMappedNetworkDrivesDuringFullScan", "Option": "Write" }, { "CIMType": "String", - "Name": "AdvancedThreatProtectionOffboardingFilename", + "Name": "DefenderExploitProtectionXml", "Option": "Write" }, { "CIMType": 
"String", - "Name": "AdvancedThreatProtectionOnboardingBlob", + "Name": "DefenderExploitProtectionXmlFileName", "Option": "Write" }, { - "CIMType": "String", - "Name": "AdvancedThreatProtectionOnboardingFilename", + "CIMType": "String[]", + "Name": "DefenderFileExtensionsToExclude", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowSampleSharing", + "CIMType": "String[]", + "Name": "DefenderFilesAndFoldersToExclude", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableExpeditedTelemetryReporting", + "CIMType": "String[]", + "Name": "DefenderGuardedFoldersAllowedAppPaths", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "DefenderGuardMyFoldersType", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "DefenderNetworkProtectionType", + "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "DefenderOfficeAppsExecutableContentCreationOrLaunch", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "DefenderOfficeAppsExecutableContentCreationOrLaunchType", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "DefenderOfficeAppsLaunchChildProcess", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "DefenderOfficeAppsLaunchChildProcessType", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "DefenderOfficeAppsOtherProcessInjection", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "DefenderOfficeAppsOtherProcessInjectionType", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "DefenderOfficeCommunicationAppsLaunchChildProcess", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": 
"DefenderOfficeMacroCodeAllowWin32Imports", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "DefenderOfficeMacroCodeAllowWin32ImportsType", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "DefenderPotentiallyUnwantedAppAction", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphDeliveryOptimizationBandwidth", - "Parameters": [ + }, { - "CIMType": "UInt64", - "Name": "MaximumDownloadBandwidthInKilobytesPerSecond", + "CIMType": "String", + "Name": "DefenderPreventCredentialStealingType", "Option": "Write" }, { - "CIMType": "UInt64", - "Name": "MaximumUploadBandwidthInKilobytesPerSecond", + "CIMType": "String", + "Name": "DefenderProcessCreation", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphDeliveryOptimizationBandwidthBusinessHoursLimit", - "Name": "BandwidthBackgroundPercentageHours", + "CIMType": "String", + "Name": "DefenderProcessCreationType", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphDeliveryOptimizationBandwidthBusinessHoursLimit", - "Name": "BandwidthForegroundPercentageHours", + "CIMType": "String[]", + "Name": "DefenderProcessesToExclude", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MaximumBackgroundBandwidthPercentage", + "CIMType": "String", + "Name": "DefenderScanDirection", "Option": "Write" }, { "CIMType": "UInt32", - "Name": "MaximumForegroundBandwidthPercentage", + "Name": "DefenderScanMaxCpuPercentage", "Option": "Write" }, { "CIMType": "String", - "Name": "odataType", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphDeliveryOptimizationBandwidthBusinessHoursLimit", - "Parameters": [ - { - "CIMType": "UInt32", - "Name": "BandwidthBeginBusinessHours", + "Name": "DefenderScanType", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "BandwidthEndBusinessHours", + "CIMType": "String", + "Name": "DefenderScheduledQuickScanTime", "Option": "Write" }, { 
- "CIMType": "UInt32", - "Name": "BandwidthPercentageDuringBusinessHours", + "CIMType": "String", + "Name": "DefenderScheduledScanDay", "Option": "Write" }, - { - "CIMType": "UInt32", - "Name": "BandwidthPercentageOutsideBusinessHours", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphDeliveryOptimizationGroupIdSource", - "Parameters": [ { "CIMType": "String", - "Name": "GroupIdCustom", + "Name": "DefenderScheduledScanTime", "Option": "Write" }, { "CIMType": "String", - "Name": "GroupIdSourceOption", + "Name": "DefenderScriptDownloadedPayloadExecution", "Option": "Write" }, { "CIMType": "String", - "Name": "odataType", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphDeliveryOptimizationMaxCacheSize", - "Parameters": [ - { - "CIMType": "UInt64", - "Name": "MaximumCacheSizeInGigabytes", + "Name": "DefenderScriptDownloadedPayloadExecutionType", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MaximumCacheSizePercentage", + "CIMType": "String", + "Name": "DefenderScriptObfuscatedMacroCode", "Option": "Write" }, { "CIMType": "String", - "Name": "odataType", + "Name": "DefenderScriptObfuscatedMacroCodeType", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10", - "Parameters": [ + }, { - "CIMType": "UInt64", - "Name": "BackgroundDownloadFromHttpDelayInSeconds", + "CIMType": "Boolean", + "Name": "DefenderSecurityCenterBlockExploitProtectionOverride", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeliveryOptimizationBandwidth", - "Name": "BandwidthMode", + "CIMType": "Boolean", + "Name": "DefenderSecurityCenterDisableAccountUI", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "CacheServerBackgroundDownloadFallbackToHttpDelayInSeconds", + "CIMType": "Boolean", + "Name": "DefenderSecurityCenterDisableAppBrowserUI", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "CacheServerForegroundDownloadFallbackToHttpDelayInSeconds", + 
"CIMType": "Boolean", + "Name": "DefenderSecurityCenterDisableClearTpmUI", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "CacheServerHostNames", + "CIMType": "Boolean", + "Name": "DefenderSecurityCenterDisableFamilyUI", "Option": "Write" }, { - "CIMType": "String", - "Name": "DeliveryOptimizationMode", + "CIMType": "Boolean", + "Name": "DefenderSecurityCenterDisableHardwareUI", "Option": "Write" }, { - "CIMType": "UInt64", - "Name": "ForegroundDownloadFromHttpDelayInSeconds", + "CIMType": "Boolean", + "Name": "DefenderSecurityCenterDisableHealthUI", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeliveryOptimizationGroupIdSource", - "Name": "GroupIdSource", + "CIMType": "Boolean", + "Name": "DefenderSecurityCenterDisableNetworkUI", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MaximumCacheAgeInDays", + "CIMType": "Boolean", + "Name": "DefenderSecurityCenterDisableNotificationAreaUI", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeliveryOptimizationMaxCacheSize", - "Name": "MaximumCacheSize", + "CIMType": "Boolean", + "Name": "DefenderSecurityCenterDisableRansomwareUI", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MinimumBatteryPercentageAllowedToUpload", + "CIMType": "Boolean", + "Name": "DefenderSecurityCenterDisableSecureBootUI", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MinimumDiskSizeAllowedToPeerInGigabytes", + "CIMType": "Boolean", + "Name": "DefenderSecurityCenterDisableTroubleshootingUI", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MinimumFileSizeToCacheInMegabytes", + "CIMType": "Boolean", + "Name": "DefenderSecurityCenterDisableVirusUI", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MinimumRamAllowedToPeerInGigabytes", + "CIMType": "Boolean", + "Name": "DefenderSecurityCenterDisableVulnerableTpmFirmwareUpdateUI", "Option": "Write" }, { "CIMType": "String", - "Name": "ModifyCacheLocation", + "Name": "DefenderSecurityCenterHelpEmail", "Option": "Write" }, { 
"CIMType": "String", - "Name": "RestrictPeerSelectionBy", + "Name": "DefenderSecurityCenterHelpPhone", "Option": "Write" }, { "CIMType": "String", - "Name": "VpnPeerCaching", + "Name": "DefenderSecurityCenterHelpURL", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "DefenderSecurityCenterITContactDisplay", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" - }, - { - "CIMType": "Boolean", - "Name": "SupportsScopeTags", + "Name": "DefenderSecurityCenterNotificationsFromApp", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "DefenderSecurityCenterOrganizationDisplayName", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "UInt32", + "Name": "DefenderSignatureUpdateIntervalInHours", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "DefenderSubmitSamplesConsentType", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "DefenderUntrustedExecutable", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "DefenderUntrustedExecutableType", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "DefenderUntrustedUSBProcess", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "DefenderUntrustedUSBProcessType", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "DeviceGuardEnableSecureBootWithDMA", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "DeviceGuardEnableVirtualizationBasedSecurity", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "DeviceGuardLaunchSystemGuard", "Option": "Write" - } - ] - }, - { - "ClassName": 
"MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10", - "Parameters": [ + }, { "CIMType": "String", - "Name": "ActiveDirectoryDomainName", + "Name": "DeviceGuardLocalSystemAuthorityCredentialGuardSettings", "Option": "Write" }, { "CIMType": "String", - "Name": "ComputerNameStaticPrefix", + "Name": "DeviceGuardSecureBootWithDMA", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "ComputerNameSuffixRandomCharCount", + "CIMType": "String", + "Name": "DmaGuardDeviceEnumerationPolicy", "Option": "Write" }, { - "CIMType": "String", - "Name": "OrganizationalUnit", + "CIMType": "Boolean", + "Name": "FirewallBlockStatefulFTP", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "FirewallCertificateRevocationListCheckMethod", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "UInt32", + "Name": "FirewallIdleTimeoutForSecurityAssociationInSeconds", + "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SupportsScopeTags", + "Name": "FirewallIPSecExemptionsAllowDHCP", "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "Boolean", + "Name": "FirewallIPSecExemptionsAllowICMP", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "FirewallIPSecExemptionsAllowNeighborDiscovery", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "FirewallIPSecExemptionsAllowRouterDiscovery", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "FirewallIPSecExemptionsNone", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "FirewallMergeKeyingModuleSettings", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "FirewallPacketQueueingMethod", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - 
"Name": "ApplicationSecret", + "CIMType": "String", + "Name": "FirewallPreSharedKeyEncodingMethod", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "MSFT_MicrosoftGraphwindowsFirewallNetworkProfile", + "Name": "FirewallProfileDomain", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "MSFT_MicrosoftGraphwindowsFirewallNetworkProfile", + "Name": "FirewallProfilePrivate", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "MSFT_MicrosoftGraphwindowsFirewallNetworkProfile", + "Name": "FirewallProfilePublic", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "AccountName", + "CIMType": "MSFT_MicrosoftGraphwindowsFirewallRule[]", + "Name": "FirewallRules", "Option": "Write" }, { "CIMType": "String", - "Name": "DurationOfEmailToSync", + "Name": "LanManagerAuthenticationLevel", "Option": "Write" }, { - "CIMType": "String", - "Name": "EmailAddressSource", + "CIMType": "Boolean", + "Name": "LanManagerWorkstationDisableInsecureGuestLogons", "Option": "Write" }, { "CIMType": "String", - "Name": "EmailSyncSchedule", + "Name": "LocalSecurityOptionsAdministratorAccountName", "Option": "Write" }, { "CIMType": "String", - "Name": "HostName", + "Name": "LocalSecurityOptionsAdministratorElevationPromptBehavior", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RequireSsl", + "Name": "LocalSecurityOptionsAllowAnonymousEnumerationOfSAMAccountsAndShares", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SyncCalendar", + "Name": "LocalSecurityOptionsAllowPKU2UAuthenticationRequests", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "LocalSecurityOptionsAllowRemoteCallsToSecurityAccountsManager", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SyncContacts", + "Name": 
"LocalSecurityOptionsAllowRemoteCallsToSecurityAccountsManagerHelperBool", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SyncTasks", + "Name": "LocalSecurityOptionsAllowSystemToBeShutDownWithoutHavingToLogOn", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomDomainName", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsAllowUIAccessApplicationElevation", "Option": "Write" }, { - "CIMType": "String", - "Name": "UserDomainNameSource", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsAllowUIAccessApplicationsForSecureLocations", "Option": "Write" }, { - "CIMType": "String", - "Name": "UsernameAADSource", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsAllowUndockWithoutHavingToLogon", "Option": "Write" }, { - "CIMType": "String", - "Name": "UsernameSource", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsBlockMicrosoftAccounts", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsBlockRemoteLogonWithBlankPassword", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsBlockRemoteOpticalDriveAccess", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsBlockUsersInstallingPrinterDrivers", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsClearVirtualMemoryPageFile", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsClientDigitallySignCommunicationsAlways", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsClientSendUnencryptedPasswordToThirdPartySMBServers", "Option": "Write" }, { - "CIMType": "String", - "Name": 
"ApplicationId", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsDetectApplicationInstallationsAndPromptForElevation", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsDisableAdministratorAccount", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsDisableClientDigitallySignCommunicationsIfServerAgrees", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsDisableGuestAccount", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "LocalSecurityOptionsDisableServerDigitallySignCommunicationsAlways", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsDisableServerDigitallySignCommunicationsIfClientAgrees", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphBitLockerFixedDrivePolicy", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "EncryptionMethod", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsDoNotAllowAnonymousEnumerationOfSAMAccounts", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphBitLockerRecoveryOptions", - "Name": "RecoveryOptions", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsDoNotRequireCtrlAltDel", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RequireEncryptionForWriteAccess", + "Name": "LocalSecurityOptionsDoNotStoreLANManagerHashValueOnNextPasswordChange", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphBitLockerRecoveryOptions", - "Parameters": [ + }, { - "CIMType": "Boolean", - "Name": "BlockDataRecoveryAgent", + "CIMType": "String", + "Name": "LocalSecurityOptionsFormatAndEjectOfRemovableMediaAllowedUser", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": 
"EnableBitLockerAfterRecoveryInformationToStore", + "CIMType": "String", + "Name": "LocalSecurityOptionsGuestAccountName", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnableRecoveryInformationSaveToStore", + "Name": "LocalSecurityOptionsHideLastSignedInUser", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "HideRecoveryOptions", + "Name": "LocalSecurityOptionsHideUsernameAtSignIn", "Option": "Write" }, { "CIMType": "String", - "Name": "RecoveryInformationToStore", + "Name": "LocalSecurityOptionsInformationDisplayedOnLockScreen", "Option": "Write" }, { "CIMType": "String", - "Name": "RecoveryKeyUsage", + "Name": "LocalSecurityOptionsInformationShownOnLockScreen", "Option": "Write" }, { "CIMType": "String", - "Name": "RecoveryPasswordUsage", + "Name": "LocalSecurityOptionsLogOnMessageText", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphBitLockerRemovableDrivePolicy", - "Parameters": [ + }, { - "CIMType": "Boolean", - "Name": "BlockCrossOrganizationWriteAccess", + "CIMType": "String", + "Name": "LocalSecurityOptionsLogOnMessageTitle", "Option": "Write" }, { - "CIMType": "String", - "Name": "EncryptionMethod", + "CIMType": "UInt32", + "Name": "LocalSecurityOptionsMachineInactivityLimit", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "RequireEncryptionForWriteAccess", + "CIMType": "UInt32", + "Name": "LocalSecurityOptionsMachineInactivityLimitInMinutes", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphBitLockerSystemDrivePolicy", - "Parameters": [ + }, { "CIMType": "String", - "Name": "EncryptionMethod", + "Name": "LocalSecurityOptionsMinimumSessionSecurityForNtlmSspBasedClients", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MinimumPinLength", + "CIMType": "String", + "Name": "LocalSecurityOptionsMinimumSessionSecurityForNtlmSspBasedServers", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PrebootRecoveryEnableMessageAndUrl", + "Name": 
"LocalSecurityOptionsOnlyElevateSignedExecutables", "Option": "Write" }, { - "CIMType": "String", - "Name": "PrebootRecoveryMessage", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsRestrictAnonymousAccessToNamedPipesAndShares", "Option": "Write" }, { "CIMType": "String", - "Name": "PrebootRecoveryUrl", + "Name": "LocalSecurityOptionsSmartCardRemovalBehavior", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphBitLockerRecoveryOptions", - "Name": "RecoveryOptions", + "CIMType": "String", + "Name": "LocalSecurityOptionsStandardUserElevationPromptBehavior", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StartupAuthenticationBlockWithoutTpmChip", + "Name": "LocalSecurityOptionsSwitchToSecureDesktopWhenPromptingForElevation", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StartupAuthenticationRequired", + "Name": "LocalSecurityOptionsUseAdminApprovalMode", "Option": "Write" }, { - "CIMType": "String", - "Name": "StartupAuthenticationTpmKeyUsage", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsUseAdminApprovalModeForAdministrators", "Option": "Write" }, { - "CIMType": "String", - "Name": "StartupAuthenticationTpmPinAndKeyUsage", + "CIMType": "Boolean", + "Name": "LocalSecurityOptionsVirtualizeFileAndRegistryWriteFailuresToPerUserLocations", "Option": "Write" }, { - "CIMType": "String", - "Name": "StartupAuthenticationTpmPinUsage", + "CIMType": "Boolean", + "Name": "SmartScreenBlockOverrideForFiles", "Option": "Write" }, { - "CIMType": "String", - "Name": "StartupAuthenticationTpmUsage", + "CIMType": "Boolean", + "Name": "SmartScreenEnableInShell", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphDefenderDetectedMalwareActions", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "HighSeverity", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsAccessCredentialManagerAsTrustedCaller", "Option": "Write" }, { - "CIMType": "String", - "Name": "LowSeverity", + "CIMType": 
"MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsActAsPartOfTheOperatingSystem", "Option": "Write" }, { - "CIMType": "String", - "Name": "ModerateSeverity", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsAllowAccessFromNetwork", "Option": "Write" }, { - "CIMType": "String", - "Name": "SevereSeverity", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsBackupData", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphWindowsFirewallNetworkProfile", - "Parameters": [ + }, { - "CIMType": "Boolean", - "Name": "AuthorizedApplicationRulesFromGroupPolicyMerged", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsBlockAccessFromNetwork", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AuthorizedApplicationRulesFromGroupPolicyNotMerged", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsChangeSystemTime", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConnectionSecurityRulesFromGroupPolicyMerged", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsCreateGlobalObjects", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConnectionSecurityRulesFromGroupPolicyNotMerged", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsCreatePageFile", "Option": "Write" }, { - "CIMType": "String", - "Name": "FirewallEnabled", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsCreatePermanentSharedObjects", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "GlobalPortRulesFromGroupPolicyMerged", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsCreateSymbolicLinks", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "GlobalPortRulesFromGroupPolicyNotMerged", + "CIMType": 
"MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsCreateToken", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "InboundConnectionsBlocked", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsDebugPrograms", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "InboundConnectionsRequired", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsDelegation", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "InboundNotificationsBlocked", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsDenyLocalLogOn", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "InboundNotificationsRequired", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsGenerateSecurityAudits", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IncomingTrafficBlocked", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsImpersonateClient", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IncomingTrafficRequired", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsIncreaseSchedulingPriority", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OutboundConnectionsBlocked", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsLoadUnloadDrivers", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OutboundConnectionsRequired", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsLocalLogOn", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PolicyRulesFromGroupPolicyMerged", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsLockMemory", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PolicyRulesFromGroupPolicyNotMerged", + "CIMType": 
"MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsManageAuditingAndSecurityLogs", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecuredPacketExemptionAllowed", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsManageVolumes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecuredPacketExemptionBlocked", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsModifyFirmwareEnvironment", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StealthModeBlocked", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsModifyObjectLabels", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StealthModeRequired", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsProfileSingleProcess", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "UnicastResponsesToMulticastBroadcastsBlocked", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsRemoteDesktopServicesLogOn", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "UnicastResponsesToMulticastBroadcastsRequired", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsRemoteShutdown", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphWindowsFirewallRule", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "Action", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsRestoreData", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", + "Name": "UserRightsTakeOwnership", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", + "Name": "WindowsDefenderTamperProtection", "Option": "Write" }, { "CIMType": "String", - "Name": "EdgeTraversal", + "Name": 
"XboxServicesAccessoryManagementServiceStartupMode", "Option": "Write" }, { - "CIMType": "String", - "Name": "FilePath", + "CIMType": "Boolean", + "Name": "XboxServicesEnableXboxGameSaveTask", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "InterfaceTypes", + "CIMType": "String", + "Name": "XboxServicesLiveAuthManagerServiceStartupMode", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "LocalAddressRanges", + "CIMType": "String", + "Name": "XboxServicesLiveGameSaveServiceStartupMode", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "LocalPortRanges", + "CIMType": "String", + "Name": "XboxServicesLiveNetworkingServiceStartupMode", "Option": "Write" }, { "CIMType": "String", - "Name": "LocalUserAuthorizations", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "PackageFamilyName", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "SupportsScopeTags", "Option": "Write" }, { "CIMType": "String", - "Name": "ProfileTypes", + "Name": "Id", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "Protocol", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RemoteAddressRanges", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RemotePortRanges", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "ServiceName", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "TrafficDirection", + "Name": "TenantId", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphDeviceManagementUserRightsSetting", - "Parameters": [ + }, { - "CIMType": "MSFT_MicrosoftGraphDeviceManagementUserRightsLocalUserOrGroup[]", - "Name": "LocalUsersOrGroups", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": 
"String", - "Name": "State", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphDeviceManagementUserRightsLocalUserOrGroup", + "ClassName": "MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10", "Parameters": [ { "CIMType": "String", - "Name": "Description", + "Name": "Bluetooth", "Option": "Write" }, { "CIMType": "String", - "Name": "Name", + "Name": "BootFromBuiltInNetworkAdapters", "Option": "Write" }, { "CIMType": "String", - "Name": "SecurityIdentifier", + "Name": "BootFromExternalMedia", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10", - "Parameters": [ + }, { - "CIMType": "Boolean", - "Name": "ApplicationGuardAllowCameraMicrophoneRedirection", + "CIMType": "String", + "Name": "Cameras", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ApplicationGuardAllowFileSaveOnHost", + "CIMType": "String", + "Name": "ChangeUefiSettingsPermission", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ApplicationGuardAllowPersistence", + "CIMType": "String", + "Name": "FrontCamera", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ApplicationGuardAllowPrintToLocalPrinters", + "CIMType": "String", + "Name": "InfraredCamera", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ApplicationGuardAllowPrintToNetworkPrinters", + "CIMType": "String", + "Name": "Microphone", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ApplicationGuardAllowPrintToPDF", + "CIMType": "String", + "Name": "MicrophonesAndSpeakers", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ApplicationGuardAllowPrintToXPS", + "CIMType": "String", + "Name": "NearFieldCommunication", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ApplicationGuardAllowVirtualGPU", + 
"CIMType": "String", + "Name": "Radios", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationGuardBlockClipboardSharing", + "Name": "RearCamera", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationGuardBlockFileTransfer", + "Name": "SdCard", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ApplicationGuardBlockNonEnterpriseContent", + "CIMType": "String", + "Name": "SimultaneousMultiThreading", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ApplicationGuardCertificateThumbprints", + "CIMType": "String", + "Name": "UsbTypeAPort", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ApplicationGuardEnabled", + "CIMType": "String", + "Name": "VirtualizationOfCpuAndIO", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationGuardEnabledOptions", + "Name": "WakeOnLAN", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ApplicationGuardForceAuditing", + "CIMType": "String", + "Name": "WakeOnPower", "Option": "Write" }, { "CIMType": "String", - "Name": "AppLockerApplicationControl", + "Name": "WiFi", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BitLockerAllowStandardUserEncryption", + "CIMType": "String", + "Name": "WindowsPlatformBinaryTable", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BitLockerDisableWarningForOtherDiskEncryption", + "CIMType": "String", + "Name": "WirelessWideAreaNetwork", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BitLockerEnableStorageCardEncryptionOnMobile", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BitLockerEncryptDevice", - "Option": "Write" + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "MSFT_MicrosoftGraphbitLockerFixedDrivePolicy", - "Name": "BitLockerFixedDrivePolicy", + "CIMType": "Boolean", + "Name": "SupportsScopeTags", "Option": "Write" }, { "CIMType": "String", - "Name": "BitLockerRecoveryPasswordRotation", + "Name": "Id", 
"Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphbitLockerRemovableDrivePolicy", - "Name": "BitLockerRemovableDrivePolicy", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphbitLockerSystemDrivePolicy", - "Name": "BitLockerSystemDrivePolicy", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DefenderAdditionalGuardedFolders", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderAdobeReaderLaunchChildProcess", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderAdvancedRansomewareProtectionType", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "DefenderAllowBehaviorMonitoring", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderAllowCloudProtection", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderAllowEndUserAccess", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderAllowIntrusionPreventionSystem", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderAllowOnAccessProtection", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "DefenderAllowRealTimeMonitoring", + "CIMType": "String", + "Name": "AllowDeviceHealthMonitoring", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderAllowScanArchiveFiles", + "CIMType": "String", + "Name": "ConfigDeviceHealthMonitoringCustomScope", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderAllowScanDownloads", + 
"CIMType": "String[]", + "Name": "ConfigDeviceHealthMonitoringScope", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderAllowScanNetworkFiles", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderAllowScanRemovableDrivesDuringFullScan", - "Option": "Write" + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "Boolean", - "Name": "DefenderAllowScanScriptsLoadedInInternetExplorer", + "Name": "SupportsScopeTags", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DefenderAttackSurfaceReductionExcludedPaths", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderBlockEndUserAccess", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderBlockPersistenceThroughWmiType", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderCheckForSignaturesBeforeRunningScan", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderCloudBlockLevel", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "DefenderCloudExtendedTimeoutInSeconds", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "DefenderDaysBeforeDeletingQuarantinedMalware", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdefenderDetectedMalwareActions", - "Name": "DefenderDetectedMalwareActions", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderDisableBehaviorMonitoring", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderDisableCatchupFullScan", + "CIMType": "String[]", + 
"Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10", + "Parameters": [ { "CIMType": "Boolean", - "Name": "DefenderDisableCatchupQuickScan", + "Name": "EnhancedAntiSpoofingForFacialFeaturesEnabled", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderDisableCloudProtection", + "CIMType": "UInt32", + "Name": "PinExpirationInDays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderDisableIntrusionPreventionSystem", + "CIMType": "String", + "Name": "PinLowercaseCharactersUsage", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderDisableOnAccessProtection", + "CIMType": "UInt32", + "Name": "PinMaximumLength", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderDisableRealTimeMonitoring", + "CIMType": "UInt32", + "Name": "PinMinimumLength", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderDisableScanArchiveFiles", + "CIMType": "UInt32", + "Name": "PinPreviousBlockCount", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderDisableScanDownloads", + "Name": "PinRecoveryEnabled", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderDisableScanNetworkFiles", + "CIMType": "String", + "Name": "PinSpecialCharactersUsage", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderDisableScanRemovableDrivesDuringFullScan", + "CIMType": "String", + "Name": "PinUppercaseCharactersUsage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderDisableScanScriptsLoadedInInternetExplorer", + "Name": "SecurityDeviceRequired", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderEmailContentExecution", + "CIMType": "Boolean", + "Name": "UnlockWithBiometricsEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderEmailContentExecutionType", + "CIMType": "Boolean", + "Name": "UseCertificatesForOnPremisesAuthEnabled", "Option": "Write" }, { "CIMType": 
"Boolean", - "Name": "DefenderEnableLowCpuPriority", + "Name": "UseSecurityKeyForSignin", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderEnableScanIncomingMail", + "Name": "WindowsHelloForBusinessBlocked", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderEnableScanMappedNetworkDrivesDuringFullScan", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderExploitProtectionXml", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "SupportsScopeTags", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderExploitProtectionXmlFileName", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DefenderFileExtensionsToExclude", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DefenderFilesAndFoldersToExclude", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DefenderGuardedFoldersAllowedAppPaths", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderGuardMyFoldersType", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderNetworkProtectionType", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderOfficeAppsExecutableContentCreationOrLaunch", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderOfficeAppsExecutableContentCreationOrLaunchType", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderOfficeAppsLaunchChildProcess", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": 
"MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10", + "Parameters": [ { "CIMType": "String", - "Name": "DefenderOfficeAppsLaunchChildProcessType", + "Name": "IntendedPurpose", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderOfficeAppsOtherProcessInjection", + "Name": "CertificateValidityPeriodScale", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderOfficeAppsOtherProcessInjectionType", + "CIMType": "UInt32", + "Name": "CertificateValidityPeriodValue", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderOfficeCommunicationAppsLaunchChildProcess", + "Name": "KeyStorageProvider", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderOfficeMacroCodeAllowWin32Imports", + "CIMType": "UInt32", + "Name": "RenewalThresholdPercentage", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderOfficeMacroCodeAllowWin32ImportsType", + "Name": "SubjectAlternativeNameType", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderPotentiallyUnwantedAppAction", + "Name": "SubjectNameFormat", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderPreventCredentialStealingType", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderProcessCreation", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "DefenderProcessCreationType", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DefenderProcessesToExclude", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderScanDirection", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "DefenderScanMaxCpuPercentage", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderScanType", + "Name": "ApplicationId", "Option": "Write" }, { 
"CIMType": "String", - "Name": "DefenderScheduledQuickScanTime", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderScheduledScanDay", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderScheduledScanTime", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderScriptDownloadedPayloadExecution", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderScriptDownloadedPayloadExecutionType", + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindowsKioskProfile", + "Parameters": [ + { + "CIMType": "MSFT_MicrosoftGraphWindowsKioskAppConfiguration", + "Name": "AppConfiguration", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderScriptObfuscatedMacroCode", + "Name": "ProfileId", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderScriptObfuscatedMacroCodeType", + "Name": "ProfileName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderSecurityCenterBlockExploitProtectionOverride", + "CIMType": "MSFT_MicrosoftGraphWindowsKioskUser[]", + "Name": "UserAccountsConfiguration", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindowsKioskAppConfiguration", + "Parameters": [ { "CIMType": "Boolean", - "Name": "DefenderSecurityCenterDisableAccountUI", + "Name": "AllowAccessToDownloadsFolder", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderSecurityCenterDisableAppBrowserUI", + "CIMType": "MSFT_MicrosoftGraphWindowsKioskAppBase[]", + "Name": "Apps", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderSecurityCenterDisableClearTpmUI", + "Name": "DisallowDesktopApps", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderSecurityCenterDisableFamilyUI", + "Name": "ShowTaskBar", "Option": "Write" 
}, { - "CIMType": "Boolean", - "Name": "DefenderSecurityCenterDisableHardwareUI", + "CIMType": "String", + "Name": "StartMenuLayoutXml", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderSecurityCenterDisableHealthUI", + "CIMType": "MSFT_MicrosoftGraphWindowsKioskUWPApp", + "Name": "UwpApp", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderSecurityCenterDisableNetworkUI", + "CIMType": "MSFT_MicrosoftGraphWindowsKioskWin32App", + "Name": "Win32App", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderSecurityCenterDisableNotificationAreaUI", + "CIMType": "String", + "Name": "odataType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindowsKioskAppBase", + "Parameters": [ + { + "CIMType": "String", + "Name": "AppType", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderSecurityCenterDisableRansomwareUI", + "Name": "AutoLaunch", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderSecurityCenterDisableSecureBootUI", + "CIMType": "String", + "Name": "Name", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderSecurityCenterDisableTroubleshootingUI", + "CIMType": "String", + "Name": "StartLayoutTileSize", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderSecurityCenterDisableVirusUI", + "CIMType": "String", + "Name": "DesktopApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderSecurityCenterDisableVulnerableTpmFirmwareUpdateUI", + "CIMType": "String", + "Name": "DesktopApplicationLinkPath", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderSecurityCenterHelpEmail", + "Name": "Path", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderSecurityCenterHelpPhone", + "Name": "AppId", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderSecurityCenterHelpURL", + "Name": "AppUserModelId", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderSecurityCenterITContactDisplay", + 
"Name": "ContainedAppId", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderSecurityCenterNotificationsFromApp", + "Name": "ClassicAppPath", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderSecurityCenterOrganizationDisplayName", + "Name": "EdgeKiosk", "Option": "Write" }, { "CIMType": "UInt32", - "Name": "DefenderSignatureUpdateIntervalInHours", + "Name": "EdgeKioskIdleTimeoutMinutes", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderSubmitSamplesConsentType", + "Name": "EdgeKioskType", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderUntrustedExecutable", + "CIMType": "Boolean", + "Name": "EdgeNoFirstRun", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderUntrustedExecutableType", + "Name": "odataType", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindowsKioskUWPApp", + "Parameters": [ { "CIMType": "String", - "Name": "DefenderUntrustedUSBProcess", + "Name": "AppId", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderUntrustedUSBProcessType", + "Name": "AppUserModelId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DeviceGuardEnableSecureBootWithDMA", + "CIMType": "String", + "Name": "ContainedAppId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DeviceGuardEnableVirtualizationBasedSecurity", + "CIMType": "String", + "Name": "AppType", "Option": "Write" }, { - "CIMType": "String", - "Name": "DeviceGuardLaunchSystemGuard", + "CIMType": "Boolean", + "Name": "AutoLaunch", "Option": "Write" }, { "CIMType": "String", - "Name": "DeviceGuardLocalSystemAuthorityCredentialGuardSettings", + "Name": "Name", "Option": "Write" }, { "CIMType": "String", - "Name": "DeviceGuardSecureBootWithDMA", + "Name": "StartLayoutTileSize", "Option": "Write" }, { "CIMType": "String", - "Name": "DmaGuardDeviceEnumerationPolicy", + "Name": "DesktopApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FirewallBlockStatefulFTP", + "CIMType": 
"String", + "Name": "DesktopApplicationLinkPath", "Option": "Write" }, { "CIMType": "String", - "Name": "FirewallCertificateRevocationListCheckMethod", + "Name": "Path", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "FirewallIdleTimeoutForSecurityAssociationInSeconds", + "CIMType": "String", + "Name": "ClassicAppPath", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FirewallIPSecExemptionsAllowDHCP", + "CIMType": "String", + "Name": "EdgeKiosk", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FirewallIPSecExemptionsAllowICMP", + "CIMType": "UInt32", + "Name": "EdgeKioskIdleTimeoutMinutes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FirewallIPSecExemptionsAllowNeighborDiscovery", + "CIMType": "String", + "Name": "EdgeKioskType", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FirewallIPSecExemptionsAllowRouterDiscovery", + "Name": "EdgeNoFirstRun", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "FirewallIPSecExemptionsNone", + "CIMType": "String", + "Name": "odataType", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindowsKioskWin32App", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "FirewallMergeKeyingModuleSettings", + "CIMType": "String", + "Name": "ClassicAppPath", "Option": "Write" }, { "CIMType": "String", - "Name": "FirewallPacketQueueingMethod", + "Name": "EdgeKiosk", "Option": "Write" }, { - "CIMType": "String", - "Name": "FirewallPreSharedKeyEncodingMethod", + "CIMType": "UInt32", + "Name": "EdgeKioskIdleTimeoutMinutes", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsFirewallNetworkProfile", - "Name": "FirewallProfileDomain", + "CIMType": "String", + "Name": "EdgeKioskType", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsFirewallNetworkProfile", - "Name": "FirewallProfilePrivate", + "CIMType": "Boolean", + "Name": "EdgeNoFirstRun", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsFirewallNetworkProfile", - 
"Name": "FirewallProfilePublic", + "CIMType": "String", + "Name": "AppType", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsFirewallRule[]", - "Name": "FirewallRules", + "CIMType": "Boolean", + "Name": "AutoLaunch", "Option": "Write" }, { "CIMType": "String", - "Name": "LanManagerAuthenticationLevel", + "Name": "Name", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LanManagerWorkstationDisableInsecureGuestLogons", + "CIMType": "String", + "Name": "StartLayoutTileSize", "Option": "Write" }, { "CIMType": "String", - "Name": "LocalSecurityOptionsAdministratorAccountName", + "Name": "DesktopApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "LocalSecurityOptionsAdministratorElevationPromptBehavior", + "Name": "DesktopApplicationLinkPath", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsAllowAnonymousEnumerationOfSAMAccountsAndShares", + "CIMType": "String", + "Name": "Path", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsAllowPKU2UAuthenticationRequests", + "CIMType": "String", + "Name": "AppId", "Option": "Write" }, { "CIMType": "String", - "Name": "LocalSecurityOptionsAllowRemoteCallsToSecurityAccountsManager", + "Name": "AppUserModelId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsAllowRemoteCallsToSecurityAccountsManagerHelperBool", + "CIMType": "String", + "Name": "ContainedAppId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsAllowSystemToBeShutDownWithoutHavingToLogOn", + "CIMType": "String", + "Name": "odataType", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindowsKioskUser", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsAllowUIAccessApplicationElevation", + "CIMType": "String", + "Name": "GroupName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsAllowUIAccessApplicationsForSecureLocations", + 
"CIMType": "String", + "Name": "DisplayName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsAllowUndockWithoutHavingToLogon", + "CIMType": "String", + "Name": "GroupId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsBlockMicrosoftAccounts", + "CIMType": "String", + "Name": "UserId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsBlockRemoteLogonWithBlankPassword", + "CIMType": "String", + "Name": "UserPrincipalName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsBlockRemoteOpticalDriveAccess", + "CIMType": "String", + "Name": "UserName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsBlockUsersInstallingPrinterDrivers", + "CIMType": "String", + "Name": "odataType", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindowsKioskForceUpdateSchedule", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsClearVirtualMemoryPageFile", + "CIMType": "UInt32", + "Name": "DayofMonth", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsClientDigitallySignCommunicationsAlways", + "CIMType": "String", + "Name": "DayofWeek", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsClientSendUnencryptedPasswordToThirdPartySMBServers", + "CIMType": "String", + "Name": "Recurrence", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "LocalSecurityOptionsDetectApplicationInstallationsAndPromptForElevation", + "Name": "RunImmediatelyIfAfterStartDateTime", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsDisableAdministratorAccount", + "CIMType": "String", + "Name": "StartDateTime", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationKioskPolicyWindows10", + "Parameters": [ { "CIMType": "Boolean", - "Name": 
"LocalSecurityOptionsDisableClientDigitallySignCommunicationsIfServerAgrees", + "Name": "EdgeKioskEnablePublicBrowsing", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsDisableGuestAccount", + "CIMType": "String[]", + "Name": "KioskBrowserBlockedUrlExceptions", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsDisableServerDigitallySignCommunicationsAlways", + "CIMType": "String[]", + "Name": "KioskBrowserBlockedURLs", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsDisableServerDigitallySignCommunicationsIfClientAgrees", + "CIMType": "String", + "Name": "KioskBrowserDefaultUrl", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "LocalSecurityOptionsDoNotAllowAnonymousEnumerationOfSAMAccounts", + "Name": "KioskBrowserEnableEndSessionButton", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "LocalSecurityOptionsDoNotRequireCtrlAltDel", + "Name": "KioskBrowserEnableHomeButton", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "LocalSecurityOptionsDoNotStoreLANManagerHashValueOnNextPasswordChange", + "Name": "KioskBrowserEnableNavigationButtons", "Option": "Write" }, { - "CIMType": "String", - "Name": "LocalSecurityOptionsFormatAndEjectOfRemovableMediaAllowedUser", + "CIMType": "UInt32", + "Name": "KioskBrowserRestartOnIdleTimeInMinutes", "Option": "Write" }, { - "CIMType": "String", - "Name": "LocalSecurityOptionsGuestAccountName", + "CIMType": "MSFT_MicrosoftGraphwindowsKioskProfile[]", + "Name": "KioskProfiles", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsHideLastSignedInUser", + "CIMType": "MSFT_MicrosoftGraphwindowsKioskForceUpdateSchedule", + "Name": "WindowsKioskForceUpdateSchedule", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsHideUsernameAtSignIn", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": 
"LocalSecurityOptionsInformationDisplayedOnLockScreen", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "LocalSecurityOptionsInformationShownOnLockScreen", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String", - "Name": "LocalSecurityOptionsLogOnMessageText", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String", - "Name": "LocalSecurityOptionsLogOnMessageTitle", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "LocalSecurityOptionsMachineInactivityLimit", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "LocalSecurityOptionsMachineInactivityLimitInMinutes", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "LocalSecurityOptionsMinimumSessionSecurityForNtlmSspBasedClients", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "LocalSecurityOptionsMinimumSessionSecurityForNtlmSspBasedServers", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsOnlyElevateSignedExecutables", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "LocalSecurityOptionsRestrictAnonymousAccessToNamedPipesAndShares", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "LocalSecurityOptionsSmartCardRemovalBehavior", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindowsNetworkIsolationPolicy", + "Parameters": [ { - "CIMType": "String", - "Name": "LocalSecurityOptionsStandardUserElevationPromptBehavior", + "CIMType": "MSFT_MicrosoftGraphProxiedDomain1[]", + "Name": "EnterpriseCloudResources", "Option": 
"Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsSwitchToSecureDesktopWhenPromptingForElevation", + "CIMType": "String[]", + "Name": "EnterpriseInternalProxyServers", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsUseAdminApprovalMode", + "CIMType": "MSFT_MicrosoftGraphIpRange1[]", + "Name": "EnterpriseIPRanges", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "LocalSecurityOptionsUseAdminApprovalModeForAdministrators", + "Name": "EnterpriseIPRangesAreAuthoritative", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocalSecurityOptionsVirtualizeFileAndRegistryWriteFailuresToPerUserLocations", + "CIMType": "String[]", + "Name": "EnterpriseNetworkDomainNames", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SmartScreenBlockOverrideForFiles", + "CIMType": "String[]", + "Name": "EnterpriseProxyServers", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SmartScreenEnableInShell", + "Name": "EnterpriseProxyServersAreAuthoritative", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsAccessCredentialManagerAsTrustedCaller", + "CIMType": "String[]", + "Name": "NeutralDomainResources", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphProxiedDomain1", + "Parameters": [ { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsActAsPartOfTheOperatingSystem", + "CIMType": "String", + "Name": "IpAddressOrFQDN", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsAllowAccessFromNetwork", + "CIMType": "String", + "Name": "Proxy", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphIpRange1", + "Parameters": [ { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsBackupData", + "CIMType": "String", + "Name": "CidrAddress", "Option": "Write" }, { - "CIMType": 
"MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsBlockAccessFromNetwork", + "CIMType": "String", + "Name": "LowerAddress", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsChangeSystemTime", + "CIMType": "String", + "Name": "UpperAddress", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsCreateGlobalObjects", + "CIMType": "String", + "Name": "odataType", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10", + "Parameters": [ { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsCreatePageFile", + "CIMType": "MSFT_MicrosoftGraphwindowsNetworkIsolationPolicy", + "Name": "WindowsNetworkIsolationPolicy", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsCreatePermanentSharedObjects", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsCreateSymbolicLinks", - "Option": "Write" + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsCreateToken", + "CIMType": "Boolean", + "Name": "SupportsScopeTags", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsDebugPrograms", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsDelegation", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsDenyLocalLogOn", + "CIMType": "string", + "Name": 
"Ensure", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsGenerateSecurityAudits", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsImpersonateClient", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsIncreaseSchedulingPriority", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsLoadUnloadDrivers", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsLocalLogOn", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsLockMemory", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsManageAuditingAndSecurityLogs", + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphCustomSubjectAlternativeName", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsManageVolumes", + "CIMType": "String", + "Name": "SanType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphExtendedKeyUsage", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsModifyFirmwareEnvironment", + "CIMType": "String", + "Name": 
"ObjectIdentifier", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10", + "Parameters": [ + { + "CIMType": "String", + "Name": "CertificateStore", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsModifyObjectLabels", + "CIMType": "String", + "Name": "CertificateTemplateName", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsProfileSingleProcess", + "CIMType": "String", + "Name": "CertificationAuthority", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsRemoteDesktopServicesLogOn", + "CIMType": "String", + "Name": "CertificationAuthorityName", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsRemoteShutdown", + "CIMType": "MSFT_MicrosoftGraphcustomSubjectAlternativeName[]", + "Name": "CustomSubjectAlternativeNames", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsRestoreData", + "CIMType": "MSFT_MicrosoftGraphextendedKeyUsage[]", + "Name": "ExtendedKeyUsages", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceManagementUserRightsSetting", - "Name": "UserRightsTakeOwnership", + "CIMType": "String", + "Name": "SubjectAlternativeNameFormatString", "Option": "Write" }, { "CIMType": "String", - "Name": "WindowsDefenderTamperProtection", + "Name": "SubjectNameFormatString", "Option": "Write" }, { "CIMType": "String", - "Name": "XboxServicesAccessoryManagementServiceStartupMode", + "Name": "CertificateValidityPeriodScale", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "XboxServicesEnableXboxGameSaveTask", + "CIMType": "UInt32", + "Name": "CertificateValidityPeriodValue", "Option": "Write" }, { "CIMType": "String", - "Name": "XboxServicesLiveAuthManagerServiceStartupMode", + 
"Name": "KeyStorageProvider", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "RenewalThresholdPercentage", "Option": "Write" }, { "CIMType": "String", - "Name": "XboxServicesLiveGameSaveServiceStartupMode", + "Name": "SubjectAlternativeNameType", "Option": "Write" }, { "CIMType": "String", - "Name": "XboxServicesLiveNetworkingServiceStartupMode", + "Name": "SubjectNameFormat", "Option": "Write" }, { @@ -25727,11 +31698,6 @@ "Name": "DisplayName", "Option": "Key" }, - { - "CIMType": "Boolean", - "Name": "SupportsScopeTags", - "Option": "Write" - }, { "CIMType": "String", "Name": "Id", 
@@ -25785,132 +31751,152 @@ ] }, { - "ClassName": "MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10", + "ClassName": "MSFT_IntuneDeviceConfigurationPlatformScriptMacOS", "Parameters": [ { - "CIMType": "String", - "Name": "Bluetooth", + "CIMType": "Boolean", + "Name": "BlockExecutionNotifications", "Option": "Write" }, { "CIMType": "String", - "Name": "BootFromBuiltInNetworkAdapters", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "BootFromExternalMedia", - "Option": "Write" + "Name": "DisplayName", + "Option": "Required" }, { "CIMType": "String", - "Name": "Cameras", + "Name": "FileName", "Option": "Write" }, { "CIMType": "String", - "Name": "ChangeUefiSettingsPermission", + "Name": "ExecutionFrequency", "Option": "Write" }, { - "CIMType": "String", - "Name": "FrontCamera", + "CIMType": "UInt32", + "Name": "RetryCount", "Option": "Write" }, { - "CIMType": "String", - "Name": "InfraredCamera", + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": "Write" }, { "CIMType": "String", - "Name": "Microphone", + "Name": "RunAsAccount", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrophonesAndSpeakers", + "Name": "ScriptContent", "Option": "Write" }, { "CIMType": "String", - "Name": "NearFieldCommunication", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String", - "Name": "Radios", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "RearCamera", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "SdCard", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "SimultaneousMultiThreading", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "UsbTypeAPort", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", 
"Option": "Write" }, { "CIMType": "String", - "Name": "VirtualizationOfCpuAndIO", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "WakeOnLAN", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationPlatformScriptWindows", + "Parameters": [ { "CIMType": "String", - "Name": "WakeOnPower", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "WiFi", + "Name": "DisplayName", + "Option": "Required" + }, + { + "CIMType": "Boolean", + "Name": "EnforceSignatureCheck", "Option": "Write" }, { "CIMType": "String", - "Name": "WindowsPlatformBinaryTable", + "Name": "FileName", "Option": "Write" }, { - "CIMType": "String", - "Name": "WirelessWideAreaNetwork", + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "RunAs32Bit", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "RunAsAccount", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SupportsScopeTags", + "CIMType": "String", + "Name": "ScriptContent", "Option": "Write" }, { "CIMType": "String", "Name": "Id", - "Option": "Write" + "Option": "Key" }, { "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", 
@@ -25960,26 +31946,41 @@ ] }, { - "ClassName": "MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10", + "ClassName": "MSFT_MicrosoftGraphapplistitem", "Parameters": [ { "CIMType": "String", - "Name": "AllowDeviceHealthMonitoring", + "Name": "odataType", "Option": "Write" }, { "CIMType": "String", - "Name": "ConfigDeviceHealthMonitoringCustomScope", + "Name": "appId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ConfigDeviceHealthMonitoringScope", + "CIMType": "String", + "Name": "appStoreUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "publisher", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { 
@@ -25988,253 +31989,258 @@ "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "SupportsScopeTags", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "Boolean", + "Name": "AppsBlockClipboardSharing", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "AppsBlockCopyPaste", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "AppsBlockYouTube", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "MSFT_MicrosoftGraphapplistitem[]", + "Name": "AppsHideList", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "MSFT_MicrosoftGraphapplistitem[]", + "Name": "AppsInstallAllowList", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "MSFT_MicrosoftGraphapplistitem[]", + "Name": "AppsLaunchBlockList", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "BluetoothBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "CameraBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "CellularBlockDataRoaming", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "CellularBlockMessaging", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10", - "Parameters": [ + }, { "CIMType": "Boolean", - "Name": "EnhancedAntiSpoofingForFacialFeaturesEnabled", + "Name": "CellularBlockVoiceRoaming", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PinExpirationInDays", + "CIMType": "Boolean", + "Name": "CellularBlockWiFiTethering", "Option": "Write" }, { "CIMType": "String", - 
"Name": "PinLowercaseCharactersUsage", + "Name": "CompliantAppListType", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PinMaximumLength", + "CIMType": "MSFT_MicrosoftGraphapplistitem[]", + "Name": "CompliantAppsList", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PinMinimumLength", + "CIMType": "Boolean", + "Name": "DateAndTimeBlockChanges", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PinPreviousBlockCount", + "CIMType": "Boolean", + "Name": "DeviceSharingAllowed", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PinRecoveryEnabled", + "Name": "DiagnosticDataBlockSubmission", "Option": "Write" }, { - "CIMType": "String", - "Name": "PinSpecialCharactersUsage", + "CIMType": "Boolean", + "Name": "FactoryResetBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "PinUppercaseCharactersUsage", + "CIMType": "Boolean", + "Name": "GoogleAccountBlockAutoSync", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SecurityDeviceRequired", + "Name": "GooglePlayStoreBlocked", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "UnlockWithBiometricsEnabled", + "CIMType": "MSFT_MicrosoftGraphapplistitem[]", + "Name": "KioskModeApps", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "UseCertificatesForOnPremisesAuthEnabled", + "Name": "KioskModeBlockSleepButton", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "UseSecurityKeyForSignin", + "Name": "KioskModeBlockVolumeButtons", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WindowsHelloForBusinessBlocked", + "Name": "LocationServicesBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "NfcBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "Boolean", + "Name": "PasswordBlockFingerprintUnlock", + "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SupportsScopeTags", + "Name": "PasswordBlockTrustAgents", + "Option": "Write" + 
}, + { + "CIMType": "UInt32", + "Name": "PasswordExpirationDays", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PasswordMinimumLength", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PasswordMinutesOfInactivityBeforeScreenTimeout", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PasswordPreviousPasswordBlockCount", "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "Boolean", + "Name": "PasswordRequired", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "PasswordRequiredType", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "UInt32", + "Name": "PasswordSignInFailureCountBeforeFactoryReset", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "PowerOffBlocked", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "RequiredPasswordComplexity", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "ScreenCaptureBlocked", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "SecurityRequireVerifyApps", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "StorageBlockGoogleBackup", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "StorageBlockRemovableStorage", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10", - "Parameters": [ - { - "CIMType": "String", - "Name": "IntendedPurpose", + "CIMType": "Boolean", + "Name": "StorageRequireDeviceEncryption", "Option": "Write" }, { - "CIMType": "String", - "Name": 
"CertificateValidityPeriodScale", + "CIMType": "Boolean", + "Name": "StorageRequireRemovableStorageEncryption", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "CertificateValidityPeriodValue", + "CIMType": "Boolean", + "Name": "VoiceAssistantBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "KeyStorageProvider", + "CIMType": "Boolean", + "Name": "VoiceDialingBlocked", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "RenewalThresholdPercentage", + "CIMType": "Boolean", + "Name": "WebBrowserBlockAutofill", "Option": "Write" }, { - "CIMType": "String", - "Name": "SubjectAlternativeNameType", + "CIMType": "Boolean", + "Name": "WebBrowserBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "SubjectNameFormat", + "CIMType": "Boolean", + "Name": "WebBrowserBlockJavaScript", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "WebBrowserBlockPopups", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "WebBrowserCookieSettings", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "Boolean", + "Name": "WiFiBlocked", "Option": "Write" }, { 
@@ -26285,892 +32291,887 @@ ] }, { - "ClassName": "MSFT_MicrosoftGraphWindowsKioskProfile", + "ClassName": "MSFT_MicrosoftGraphandroiddeviceowneruserfacingmessage", "Parameters": [ { - "CIMType": "MSFT_MicrosoftGraphWindowsKioskAppConfiguration", - "Name": "AppConfiguration", + "CIMType": "String", + "Name": "defaultMessage", "Option": "Write" }, { - "CIMType": "String", - "Name": "ProfileId", + "CIMType": "MSFT_MicrosoftGraphkeyvaluepair[]", + "Name": "localizedMessages", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphkeyvaluepair", + "Parameters": [ { "CIMType": "String", - "Name": "ProfileName", + "Name": "Name", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphWindowsKioskUser[]", - "Name": "UserAccountsConfiguration", + "CIMType": "String", + "Name": "Value", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphWindowsKioskAppConfiguration", + "ClassName": "MSFT_MicrosoftGraphandroiddeviceownerglobalproxy", "Parameters": [ { - "CIMType": "Boolean", - "Name": "AllowAccessToDownloadsFolder", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphWindowsKioskAppBase[]", - "Name": "Apps", + "CIMType": "String", + "Name": "odataType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisallowDesktopApps", + "CIMType": "String", + "Name": "proxyAutoConfigURL", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ShowTaskBar", + "CIMType": "String[]", + "Name": "excludedHosts", "Option": "Write" }, { "CIMType": "String", - "Name": "StartMenuLayoutXml", + "Name": "host", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphWindowsKioskUWPApp", - "Name": "UwpApp", + "CIMType": "UInt32", + "Name": "port", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodeapppositionitem", + "Parameters": [ { - "CIMType": "MSFT_MicrosoftGraphWindowsKioskWin32App", - "Name": "Win32App", + "CIMType": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodehomescreenitem", + "Name": 
"item", "Option": "Write" }, { - "CIMType": "String", - "Name": "odataType", + "CIMType": "UInt32", + "Name": "position", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphWindowsKioskAppBase", + "ClassName": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodehomescreenitem", "Parameters": [ { "CIMType": "String", - "Name": "AppType", + "Name": "odataType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AutoLaunch", + "CIMType": "String", + "Name": "folderIdentifier", "Option": "Write" }, { "CIMType": "String", - "Name": "Name", + "Name": "folderName", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodefolderitem[]", + "Name": "items", "Option": "Write" }, { "CIMType": "String", - "Name": "StartLayoutTileSize", + "Name": "className", "Option": "Write" }, { "CIMType": "String", - "Name": "DesktopApplicationId", + "Name": "package", "Option": "Write" }, { "CIMType": "String", - "Name": "DesktopApplicationLinkPath", + "Name": "label", "Option": "Write" }, { "CIMType": "String", - "Name": "Path", + "Name": "link", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodemanagedfolder", + "Parameters": [ + { + "CIMType": "String", + "Name": "folderIdentifier", "Option": "Write" }, { "CIMType": "String", - "Name": "AppId", + "Name": "folderName", "Option": "Write" }, + { + "CIMType": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodefolderitem[]", + "Name": "items", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodefolderitem", + "Parameters": [ { "CIMType": "String", - "Name": "AppUserModelId", + "Name": "odataType", "Option": "Write" }, { "CIMType": "String", - "Name": "ContainedAppId", + "Name": "className", "Option": "Write" }, { "CIMType": "String", - "Name": "ClassicAppPath", + "Name": "package", "Option": "Write" }, { "CIMType": "String", - "Name": "EdgeKiosk", + "Name": "label", "Option": "Write" }, + { + "CIMType": 
"String", + "Name": "link", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphandroiddeviceownersystemupdatefreezeperiod", + "Parameters": [ { "CIMType": "UInt32", - "Name": "EdgeKioskIdleTimeoutMinutes", + "Name": "endDay", "Option": "Write" }, { - "CIMType": "String", - "Name": "EdgeKioskType", + "CIMType": "UInt32", + "Name": "endMonth", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeNoFirstRun", + "CIMType": "UInt32", + "Name": "startDay", "Option": "Write" }, { - "CIMType": "String", - "Name": "odataType", + "CIMType": "UInt32", + "Name": "startMonth", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphWindowsKioskUWPApp", + "ClassName": "MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner", "Parameters": [ { "CIMType": "String", - "Name": "AppId", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "AppUserModelId", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "ContainedAppId", + "Name": "Description", "Option": "Write" }, { - "CIMType": "String", - "Name": "AppType", + "CIMType": "Boolean", + "Name": "AccountsBlockModification", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AutoLaunch", + "Name": "AppsAllowInstallFromUnknownSources", "Option": "Write" }, { "CIMType": "String", - "Name": "Name", + "Name": "AppsAutoUpdatePolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "StartLayoutTileSize", + "Name": "AppsDefaultPermissionPolicy", "Option": "Write" }, { - "CIMType": "String", - "Name": "DesktopApplicationId", + "CIMType": "Boolean", + "Name": "AppsRecommendSkippingFirstUseHints", "Option": "Write" }, { - "CIMType": "String", - "Name": "DesktopApplicationLinkPath", + "CIMType": "MSFT_MicrosoftGraphapplistitem[]", + "Name": "AzureAdSharedDeviceDataClearApps", "Option": "Write" }, { - "CIMType": "String", - "Name": "Path", + "CIMType": "Boolean", + "Name": "BluetoothBlockConfiguration", "Option": "Write" }, { - 
"CIMType": "String", - "Name": "ClassicAppPath", + "CIMType": "Boolean", + "Name": "BluetoothBlockContactSharing", "Option": "Write" }, { - "CIMType": "String", - "Name": "EdgeKiosk", + "CIMType": "Boolean", + "Name": "CameraBlocked", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "EdgeKioskIdleTimeoutMinutes", + "CIMType": "Boolean", + "Name": "CellularBlockWiFiTethering", "Option": "Write" }, { - "CIMType": "String", - "Name": "EdgeKioskType", + "CIMType": "Boolean", + "Name": "CertificateCredentialConfigurationDisabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EdgeNoFirstRun", + "Name": "CrossProfilePoliciesAllowCopyPaste", "Option": "Write" }, { "CIMType": "String", - "Name": "odataType", + "Name": "CrossProfilePoliciesAllowDataSharing", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphWindowsKioskWin32App", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "ClassicAppPath", + "CIMType": "Boolean", + "Name": "CrossProfilePoliciesShowWorkContactsInPersonalProfile", "Option": "Write" }, { - "CIMType": "String", - "Name": "EdgeKiosk", + "CIMType": "Boolean", + "Name": "DataRoamingBlocked", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "EdgeKioskIdleTimeoutMinutes", + "CIMType": "Boolean", + "Name": "DateTimeConfigurationBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "EdgeKioskType", + "CIMType": "MSFT_MicrosoftGraphandroiddeviceowneruserfacingmessage", + "Name": "DetailedHelpText", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeNoFirstRun", + "CIMType": "MSFT_MicrosoftGraphandroiddeviceowneruserfacingmessage", + "Name": "DeviceOwnerLockScreenMessage", "Option": "Write" }, { "CIMType": "String", - "Name": "AppType", + "Name": "EnrollmentProfile", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AutoLaunch", + "Name": "FactoryResetBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "Name", + "CIMType": "String[]", + "Name": 
"FactoryResetDeviceAdministratorEmails", "Option": "Write" }, { - "CIMType": "String", - "Name": "StartLayoutTileSize", + "CIMType": "MSFT_MicrosoftGraphandroiddeviceownerglobalproxy", + "Name": "GlobalProxy", "Option": "Write" }, { - "CIMType": "String", - "Name": "DesktopApplicationId", + "CIMType": "Boolean", + "Name": "GoogleAccountsBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "DesktopApplicationLinkPath", + "CIMType": "Boolean", + "Name": "KioskCustomizationDeviceSettingsBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "Path", + "CIMType": "Boolean", + "Name": "KioskCustomizationPowerButtonActionsBlocked", "Option": "Write" }, { "CIMType": "String", - "Name": "AppId", + "Name": "KioskCustomizationStatusBar", "Option": "Write" }, { - "CIMType": "String", - "Name": "AppUserModelId", + "CIMType": "Boolean", + "Name": "KioskCustomizationSystemErrorWarnings", "Option": "Write" }, { "CIMType": "String", - "Name": "ContainedAppId", + "Name": "KioskCustomizationSystemNavigation", "Option": "Write" }, { - "CIMType": "String", - "Name": "odataType", + "CIMType": "Boolean", + "Name": "KioskModeAppOrderEnabled", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphWindowsKioskUser", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "GroupName", + "CIMType": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodeapppositionitem[]", + "Name": "KioskModeAppPositions", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", + "CIMType": "MSFT_MicrosoftGraphapplistitem[]", + "Name": "KioskModeApps", "Option": "Write" }, { - "CIMType": "String", - "Name": "GroupId", + "CIMType": "Boolean", + "Name": "KioskModeAppsInFolderOrderedByName", "Option": "Write" }, { - "CIMType": "String", - "Name": "UserId", + "CIMType": "Boolean", + "Name": "KioskModeBluetoothConfigurationEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "UserPrincipalName", + "CIMType": "Boolean", + "Name": 
"KioskModeDebugMenuEasyAccessEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "UserName", + "Name": "KioskModeExitCode", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "KioskModeFlashlightConfigurationEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "odataType", + "Name": "KioskModeFolderIcon", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphWindowsKioskForceUpdateSchedule", - "Parameters": [ + }, { "CIMType": "UInt32", - "Name": "DayofMonth", + "Name": "KioskModeGridHeight", "Option": "Write" }, { - "CIMType": "String", - "Name": "DayofWeek", + "CIMType": "UInt32", + "Name": "KioskModeGridWidth", "Option": "Write" }, { "CIMType": "String", - "Name": "Recurrence", + "Name": "KioskModeIconSize", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RunImmediatelyIfAfterStartDateTime", + "Name": "KioskModeLockHomeScreen", "Option": "Write" }, { - "CIMType": "String", - "Name": "StartDateTime", + "CIMType": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodemanagedfolder[]", + "Name": "KioskModeManagedFolders", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationKioskPolicyWindows10", - "Parameters": [ + }, { "CIMType": "Boolean", - "Name": "EdgeKioskEnablePublicBrowsing", + "Name": "KioskModeManagedHomeScreenAutoSignout", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "KioskBrowserBlockedUrlExceptions", + "CIMType": "UInt32", + "Name": "KioskModeManagedHomeScreenInactiveSignOutDelayInSeconds", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "KioskBrowserBlockedURLs", + "CIMType": "UInt32", + "Name": "KioskModeManagedHomeScreenInactiveSignOutNoticeInSeconds", "Option": "Write" }, { "CIMType": "String", - "Name": "KioskBrowserDefaultUrl", + "Name": "KioskModeManagedHomeScreenPinComplexity", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskBrowserEnableEndSessionButton", + "Name": "KioskModeManagedHomeScreenPinRequired", "Option": "Write" }, { 
"CIMType": "Boolean", - "Name": "KioskBrowserEnableHomeButton", + "Name": "KioskModeManagedHomeScreenPinRequiredToResume", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskBrowserEnableNavigationButtons", + "CIMType": "String", + "Name": "KioskModeManagedHomeScreenSignInBackground", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "KioskBrowserRestartOnIdleTimeInMinutes", + "CIMType": "String", + "Name": "KioskModeManagedHomeScreenSignInBrandingLogo", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsKioskProfile[]", - "Name": "KioskProfiles", + "CIMType": "Boolean", + "Name": "KioskModeManagedHomeScreenSignInEnabled", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindowsKioskForceUpdateSchedule", - "Name": "WindowsKioskForceUpdateSchedule", + "CIMType": "Boolean", + "Name": "KioskModeManagedSettingsEntryDisabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "KioskModeMediaVolumeConfigurationEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "KioskModeScreenOrientation", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "Boolean", + "Name": "KioskModeScreenSaverConfigurationEnabled", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "KioskModeScreenSaverDetectMediaDisabled", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "UInt32", + "Name": "KioskModeScreenSaverDisplayTimeInSeconds", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "KioskModeScreenSaverImageUrl", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "UInt32", + "Name": "KioskModeScreenSaverStartDelayInSeconds", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + 
"CIMType": "Boolean", + "Name": "KioskModeShowAppNotificationBadge", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "KioskModeShowDeviceInfo", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "KioskModeUseManagedHomeScreenApp", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "KioskModeVirtualHomeButtonEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "KioskModeVirtualHomeButtonType", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphWindowsNetworkIsolationPolicy", - "Parameters": [ + }, { - "CIMType": "MSFT_MicrosoftGraphProxiedDomain1[]", - "Name": "EnterpriseCloudResources", + "CIMType": "String", + "Name": "KioskModeWallpaperUrl", "Option": "Write" }, { "CIMType": "String[]", - "Name": "EnterpriseInternalProxyServers", + "Name": "KioskModeWifiAllowedSsids", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphIpRange1[]", - "Name": "EnterpriseIPRanges", + "CIMType": "Boolean", + "Name": "KioskModeWiFiConfigurationEnabled", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnterpriseIPRangesAreAuthoritative", + "Name": "MicrophoneForceMute", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EnterpriseNetworkDomainNames", + "CIMType": "Boolean", + "Name": "MicrosoftLauncherConfigurationEnabled", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EnterpriseProxyServers", + "CIMType": "Boolean", + "Name": "MicrosoftLauncherCustomWallpaperAllowUserModification", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "MicrosoftLauncherCustomWallpaperEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftLauncherCustomWallpaperImageUrl", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnterpriseProxyServersAreAuthoritative", + "Name": 
"MicrosoftLauncherDockPresenceAllowUserModification", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "NeutralDomainResources", + "CIMType": "String", + "Name": "MicrosoftLauncherDockPresenceConfiguration", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphProxiedDomain1", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "IpAddressOrFQDN", + "CIMType": "Boolean", + "Name": "MicrosoftLauncherFeedAllowUserModification", "Option": "Write" }, { - "CIMType": "String", - "Name": "Proxy", + "CIMType": "Boolean", + "Name": "MicrosoftLauncherFeedEnabled", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphIpRange1", - "Parameters": [ + }, { "CIMType": "String", - "Name": "CidrAddress", + "Name": "MicrosoftLauncherSearchBarPlacementConfiguration", "Option": "Write" }, { - "CIMType": "String", - "Name": "LowerAddress", + "CIMType": "Boolean", + "Name": "NetworkEscapeHatchAllowed", "Option": "Write" }, { - "CIMType": "String", - "Name": "UpperAddress", + "CIMType": "Boolean", + "Name": "NfcBlockOutgoingBeam", "Option": "Write" }, { - "CIMType": "String", - "Name": "odataType", + "CIMType": "Boolean", + "Name": "PasswordBlockKeyguard", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10", - "Parameters": [ + }, { - "CIMType": "MSFT_MicrosoftGraphwindowsNetworkIsolationPolicy", - "Name": "WindowsNetworkIsolationPolicy", + "CIMType": "String[]", + "Name": "PasswordBlockKeyguardFeatures", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "UInt32", + "Name": "PasswordExpirationDays", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "UInt32", + "Name": "PasswordMinimumLength", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SupportsScopeTags", + "CIMType": "UInt32", + "Name": "PasswordMinimumLetterCharacters", "Option": "Write" }, { - "CIMType": "String", - "Name": 
"Id", + "CIMType": "UInt32", + "Name": "PasswordMinimumLowerCaseCharacters", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "UInt32", + "Name": "PasswordMinimumNonLetterCharacters", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "UInt32", + "Name": "PasswordMinimumNumericCharacters", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "UInt32", + "Name": "PasswordMinimumSymbolCharacters", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "UInt32", + "Name": "PasswordMinimumUpperCaseCharacters", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "UInt32", + "Name": "PasswordMinutesOfInactivityBeforeScreenTimeout", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "UInt32", + "Name": "PasswordPreviousPasswordCountToBlock", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "PasswordRequiredType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "PasswordRequireUnlock", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "UInt32", + "Name": "PasswordSignInFailureCountBeforeFactoryReset", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphCustomSubjectAlternativeName", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "Name", + "CIMType": "Boolean", + "Name": "PersonalProfileAppsAllowInstallFromUnknownSources", "Option": "Write" }, { - "CIMType": "String", - "Name": "SanType", + "CIMType": "Boolean", + "Name": "PersonalProfileCameraBlocked", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphExtendedKeyUsage", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "Name", + "CIMType": "MSFT_MicrosoftGraphapplistitem[]", + 
"Name": "PersonalProfilePersonalApplications", "Option": "Write" }, { "CIMType": "String", - "Name": "ObjectIdentifier", + "Name": "PersonalProfilePlayStoreMode", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "CertificateStore", + "CIMType": "Boolean", + "Name": "PersonalProfileScreenCaptureBlocked", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateTemplateName", + "Name": "PlayStoreMode", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificationAuthority", + "CIMType": "Boolean", + "Name": "ScreenCaptureBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificationAuthorityName", + "CIMType": "Boolean", + "Name": "SecurityCommonCriteriaModeEnabled", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphcustomSubjectAlternativeName[]", - "Name": "CustomSubjectAlternativeNames", + "CIMType": "Boolean", + "Name": "SecurityDeveloperSettingsEnabled", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphextendedKeyUsage[]", - "Name": "ExtendedKeyUsages", + "CIMType": "Boolean", + "Name": "SecurityRequireVerifyApps", "Option": "Write" }, { - "CIMType": "String", - "Name": "SubjectAlternativeNameFormatString", + "CIMType": "MSFT_MicrosoftGraphandroiddeviceowneruserfacingmessage", + "Name": "ShortHelpText", "Option": "Write" }, { - "CIMType": "String", - "Name": "SubjectNameFormatString", + "CIMType": "Boolean", + "Name": "StatusBarBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateValidityPeriodScale", + "CIMType": "String[]", + "Name": "StayOnModes", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "CertificateValidityPeriodValue", + "CIMType": "Boolean", + "Name": "StorageAllowUsb", "Option": "Write" }, { - "CIMType": "String", - "Name": "KeyStorageProvider", + "CIMType": "Boolean", + "Name": "StorageBlockExternalMedia", "Option": "Write" }, { - "CIMType": 
"UInt32", - "Name": "RenewalThresholdPercentage", + "CIMType": "Boolean", + "Name": "StorageBlockUsbFileTransfer", "Option": "Write" }, { - "CIMType": "String", - "Name": "SubjectAlternativeNameType", + "CIMType": "MSFT_MicrosoftGraphandroiddeviceownersystemupdatefreezeperiod[]", + "Name": "SystemUpdateFreezePeriods", "Option": "Write" }, { "CIMType": "String", - "Name": "SubjectNameFormat", + "Name": "SystemUpdateInstallType", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "UInt32", + "Name": "SystemUpdateWindowEndMinutesAfterMidnight", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "UInt32", + "Name": "SystemUpdateWindowStartMinutesAfterMidnight", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "Boolean", + "Name": "SystemWindowsBlocked", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "UsersBlockAdd", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "UsersBlockRemove", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "VolumeBlockAdjustment", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "VpnAlwaysOnLockdownMode", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "VpnAlwaysOnPackageIdentifier", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "WifiBlockEditConfigurations", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "WifiBlockEditPolicyDefinedConfigurations", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "UInt32", + "Name": "WorkProfilePasswordExpirationDays", 
"Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "UInt32", + "Name": "WorkProfilePasswordMinimumLength", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationPlatformScriptMacOS", - "Parameters": [ + }, { - "CIMType": "Boolean", - "Name": "BlockExecutionNotifications", + "CIMType": "UInt32", + "Name": "WorkProfilePasswordMinimumLetterCharacters", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "UInt32", + "Name": "WorkProfilePasswordMinimumLowerCaseCharacters", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Required" + "CIMType": "UInt32", + "Name": "WorkProfilePasswordMinimumNonLetterCharacters", + "Option": "Write" }, { - "CIMType": "String", - "Name": "FileName", + "CIMType": "UInt32", + "Name": "WorkProfilePasswordMinimumNumericCharacters", "Option": "Write" }, { - "CIMType": "String", - "Name": "ExecutionFrequency", + "CIMType": "UInt32", + "Name": "WorkProfilePasswordMinimumSymbolCharacters", "Option": "Write" }, { "CIMType": "UInt32", - "Name": "RetryCount", + "Name": "WorkProfilePasswordMinimumUpperCaseCharacters", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "CIMType": "UInt32", + "Name": "WorkProfilePasswordPreviousPasswordCountToBlock", "Option": "Write" }, { "CIMType": "String", - "Name": "RunAsAccount", + "Name": "WorkProfilePasswordRequiredType", "Option": "Write" }, { "CIMType": "String", - "Name": "ScriptContent", + "Name": "WorkProfilePasswordRequireUnlock", "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", - "Option": "Key" + "CIMType": "UInt32", + "Name": "WorkProfilePasswordSignInFailureCountBeforeFactoryReset", + "Option": "Write" }, { "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", 
@@ -27220,52 +33221,92 @@ ] }, { - "ClassName": "MSFT_IntuneDeviceConfigurationPlatformScriptWindows", + "ClassName": "MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject", "Parameters": [ { "CIMType": "String", - "Name": "Description", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", "Name": "DisplayName", - "Option": "Required" + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnforceSignatureCheck", + "Name": "AppsBlockInstallFromUnknownSources", "Option": "Write" }, { - "CIMType": "String", - "Name": "FileName", + "CIMType": "Boolean", + "Name": "BluetoothBlockConfiguration", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "CIMType": "Boolean", + "Name": "BluetoothBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RunAs32Bit", + "Name": "CameraBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "RunAsAccount", + "CIMType": "Boolean", + "Name": "FactoryResetBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "ScriptContent", + "CIMType": "UInt32", + "Name": "PasswordMinimumLength", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PasswordMinutesOfInactivityBeforeScreenTimeout", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", - "Option": "Key" + "Name": "PasswordRequiredType", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "PasswordSignInFailureCountBeforeFactoryReset", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ScreenCaptureBlocked", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SecurityAllowDebuggingFeatures", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "StorageBlockExternalMedia", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "StorageBlockUsbFileTransfer", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "WifiBlockEditConfigurations", + "Option": "Write" }, { 
"CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", @@ -27315,43 +33356,8 @@ ] }, { - "ClassName": "MSFT_MicrosoftGraphapplistitem", - "Parameters": [ - { - "CIMType": "String", - "Name": "odataType", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "appId", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "appStoreUrl", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "name", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "publisher", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator", + "ClassName": "MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile", "Parameters": [ - { - "CIMType": "String", - "Name": "Id", - "Option": "Write" - }, { "CIMType": "String", "Name": "DisplayName", 
@@ -27363,258 +33369,233 @@ "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AppsBlockClipboardSharing", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AppsBlockCopyPaste", + "Name": "PasswordBlockFaceUnlock", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AppsBlockYouTube", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphapplistitem[]", - "Name": "AppsHideList", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphapplistitem[]", - "Name": "AppsInstallAllowList", + "Name": "PasswordBlockFingerprintUnlock", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphapplistitem[]", - "Name": "AppsLaunchBlockList", + "CIMType": "Boolean", + "Name": "PasswordBlockIrisUnlock", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "BluetoothBlocked", + "Name": "passwordBlockTrustAgents", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "CameraBlocked", + "CIMType": "Uint32", + "Name": "PasswordExpirationDays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "CellularBlockDataRoaming", + "CIMType": "Uint32", + "Name": "PasswordMinimumLength", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "CellularBlockMessaging", + "CIMType": "Uint32", + "Name": "PasswordMinutesOfInactivityBeforeScreenTimeout", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "CellularBlockVoiceRoaming", + "CIMType": "Uint32", + "Name": "PasswordPreviousPasswordBlockCount", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "CellularBlockWiFiTethering", + "CIMType": "Uint32", + "Name": "PasswordSignInFailureCountBeforeFactoryReset", "Option": "Write" }, { "CIMType": "String", - "Name": "CompliantAppListType", + "Name": "PasswordRequiredType", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphapplistitem[]", - "Name": "CompliantAppsList", + "CIMType": "String", + "Name": "RequiredPasswordComplexity", "Option": "Write" 
}, { "CIMType": "Boolean", - "Name": "DateAndTimeBlockChanges", + "Name": "WorkProfileAllowAppInstallsFromUnknownSources", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DeviceSharingAllowed", + "CIMType": "String", + "Name": "WorkProfileDataSharingType", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DiagnosticDataBlockSubmission", + "Name": "WorkProfileBlockNotificationsWhileDeviceLocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FactoryResetBlocked", + "Name": "WorkProfileBlockAddingAccounts", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "GoogleAccountBlockAutoSync", + "Name": "WorkProfileBluetoothEnableContactSharing", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "GooglePlayStoreBlocked", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphapplistitem[]", - "Name": "KioskModeApps", + "Name": "WorkProfileBlockScreenCapture", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeBlockSleepButton", + "Name": "WorkProfileBlockCrossProfileCallerId", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeBlockVolumeButtons", + "Name": "WorkProfileBlockCamera", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "LocationServicesBlocked", + "Name": "WorkProfileBlockCrossProfileContactsSearch", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "NfcBlocked", + "Name": "WorkProfileBlockCrossProfileCopyPaste", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasswordBlockFingerprintUnlock", + "CIMType": "String", + "Name": "WorkProfileDefaultAppPermissionPolicy", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasswordBlockTrustAgents", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "PasswordExpirationDays", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "PasswordMinimumLength", + "Name": "WorkProfilePasswordBlockFaceUnlock", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordMinutesOfInactivityBeforeScreenTimeout", + 
"CIMType": "Boolean", + "Name": "WorkProfilePasswordBlockFingerprintUnlock", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordPreviousPasswordBlockCount", + "CIMType": "Boolean", + "Name": "WorkProfilePasswordBlockIrisUnlock", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasswordRequired", + "Name": "WorkProfilePasswordBlockTrustAgents", "Option": "Write" }, { - "CIMType": "String", - "Name": "PasswordRequiredType", + "CIMType": "Uint32", + "Name": "WorkProfilePasswordExpirationDays", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordSignInFailureCountBeforeFactoryReset", + "CIMType": "Uint32", + "Name": "WorkProfilePasswordMinimumLength", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PowerOffBlocked", + "CIMType": "Uint32", + "Name": "WorkProfilePasswordMinNumericCharacters", "Option": "Write" }, { - "CIMType": "String", - "Name": "RequiredPasswordComplexity", + "CIMType": "Uint32", + "Name": "WorkProfilePasswordMinNonLetterCharacters", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ScreenCaptureBlocked", + "CIMType": "Uint32", + "Name": "WorkProfilePasswordMinLetterCharacters", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityRequireVerifyApps", + "CIMType": "Uint32", + "Name": "WorkProfilePasswordMinLowerCaseCharacters", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StorageBlockGoogleBackup", + "CIMType": "Uint32", + "Name": "WorkProfilePasswordMinUpperCaseCharacters", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StorageBlockRemovableStorage", + "CIMType": "Uint32", + "Name": "WorkProfilePasswordMinSymbolCharacters", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StorageRequireDeviceEncryption", + "CIMType": "Uint32", + "Name": "WorkProfilePasswordMinutesOfInactivityBeforeScreenTimeout", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StorageRequireRemovableStorageEncryption", + "CIMType": "Uint32", + "Name": 
"WorkProfilePasswordPreviousPasswordBlockCount", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "VoiceAssistantBlocked", + "CIMType": "Uint32", + "Name": "WorkProfilePasswordSignInFailureCountBeforeFactoryReset", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "VoiceDialingBlocked", + "CIMType": "String", + "Name": "WorkProfilePasswordRequiredType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WebBrowserBlockAutofill", + "CIMType": "String", + "Name": "WorkProfileRequiredPasswordComplexity", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WebBrowserBlocked", + "Name": "WorkProfileRequirePassword", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WebBrowserBlockJavaScript", + "Name": "SecurityRequireVerifyApps", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WebBrowserBlockPopups", + "CIMType": "String", + "Name": "VpnAlwaysOnPackageIdentifier", "Option": "Write" }, { - "CIMType": "String", - "Name": "WebBrowserCookieSettings", + "CIMType": "Boolean", + "Name": "VpnEnableAlwaysOnLockdownMode", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WiFiBlocked", + "Name": "WorkProfileAllowWidgets", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "WorkProfileBlockPersonalAppInstallsFromUnknownSources", "Option": "Write" }, { 
@@ -27660,202 +33641,162 @@ ] }, { - "ClassName": "MSFT_MicrosoftGraphandroiddeviceowneruserfacingmessage", + "ClassName": "MSFT_MicrosoftGraphmediacontentratingaustralia", "Parameters": [ { "CIMType": "String", - "Name": "defaultMessage", + "Name": "movieRating", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphkeyvaluepair[]", - "Name": "localizedMessages", + "CIMType": "String", + "Name": "tvRating", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphkeyvaluepair", + "ClassName": "MSFT_MicrosoftGraphmediacontentratingcanada", "Parameters": [ { "CIMType": "String", - "Name": "Name", + "Name": "movieRating", "Option": "Write" }, { "CIMType": "String", - "Name": "Value", + "Name": "tvRating", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphandroiddeviceownerglobalproxy", + "ClassName": "MSFT_MicrosoftGraphmediacontentratingfrance", "Parameters": [ { "CIMType": "String", - "Name": "odataType", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "proxyAutoConfigURL", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "excludedHosts", + "Name": "movieRating", "Option": "Write" }, { "CIMType": "String", - "Name": "host", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "port", + "Name": "tvRating", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodeapppositionitem", + "ClassName": "MSFT_MicrosoftGraphmediacontentratinggermany", "Parameters": [ { - "CIMType": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodehomescreenitem", - "Name": "item", + "CIMType": "String", + "Name": "movieRating", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "position", + "CIMType": "String", + "Name": "tvRating", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodehomescreenitem", + "ClassName": "MSFT_MicrosoftGraphmediacontentratingireland", "Parameters": [ { "CIMType": "String", - "Name": "odataType", - "Option": "Write" - }, - { - "CIMType": 
"String", - "Name": "folderIdentifier", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "folderName", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodefolderitem[]", - "Name": "items", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "className", + "Name": "movieRating", "Option": "Write" }, { "CIMType": "String", - "Name": "package", + "Name": "tvRating", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphmediacontentratingjapan", + "Parameters": [ { "CIMType": "String", - "Name": "label", + "Name": "movieRating", "Option": "Write" }, { "CIMType": "String", - "Name": "link", + "Name": "tvRating", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodemanagedfolder", + "ClassName": "MSFT_MicrosoftGraphmediacontentratingnewzealand", "Parameters": [ { "CIMType": "String", - "Name": "folderIdentifier", + "Name": "movieRating", "Option": "Write" }, { "CIMType": "String", - "Name": "folderName", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodefolderitem[]", - "Name": "items", + "Name": "tvRating", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodefolderitem", + "ClassName": "MSFT_MicrosoftGraphmediacontentratingunitedkingdom", "Parameters": [ { "CIMType": "String", - "Name": "odataType", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "className", + "Name": "movieRating", "Option": "Write" }, { "CIMType": "String", - "Name": "package", + "Name": "tvRating", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphmediacontentratingunitedstates", + "Parameters": [ { "CIMType": "String", - "Name": "label", + "Name": "movieRating", "Option": "Write" }, { "CIMType": "String", - "Name": "link", + "Name": "tvRating", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphandroiddeviceownersystemupdatefreezeperiod", + "ClassName": 
"MSFT_MicrosoftGraphiosnetworkusagerule", "Parameters": [ { - "CIMType": "UInt32", - "Name": "endDay", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "endMonth", + "CIMType": "Boolean", + "Name": "cellularDataBlocked", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "startDay", + "CIMType": "Boolean", + "Name": "cellularDataBlockWhenRoaming", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "startMonth", + "CIMType": "MSFT_MicrosoftGraphapplistitem[]", + "Name": "managedApps", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner", + "ClassName": "MSFT_IntuneDeviceConfigurationPolicyIOS", "Parameters": [ { "CIMType": "String", 
@@ -27874,1492 +33815,1212 @@ }, { "CIMType": "Boolean", - "Name": "AccountsBlockModification", + "Name": "AccountBlockModification", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AppsAllowInstallFromUnknownSources", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "AppsAutoUpdatePolicy", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "AppsDefaultPermissionPolicy", + "Name": "ActivationLockAllowWhenSupervised", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AppsRecommendSkippingFirstUseHints", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphapplistitem[]", - "Name": "AzureAdSharedDeviceDataClearApps", + "Name": "AirDropBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "BluetoothBlockConfiguration", + "Name": "AirDropForceUnmanagedDropTarget", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "BluetoothBlockContactSharing", + "Name": "AirPlayForcePairingPasswordForOutgoingRequests", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CameraBlocked", + "Name": "AirPrintBlockCredentialsStorage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CellularBlockWiFiTethering", + "Name": "AirPrintBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CertificateCredentialConfigurationDisabled", + "Name": "AirPrintBlockiBeaconDiscovery", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CrossProfilePoliciesAllowCopyPaste", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CrossProfilePoliciesAllowDataSharing", + "Name": "AirPrintForceTrustedTLS", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CrossProfilePoliciesShowWorkContactsInPersonalProfile", + "Name": "AppClipsBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DataRoamingBlocked", + "Name": "AppleNewsBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DateTimeConfigurationBlocked", - "Option": "Write" - }, - { - "CIMType": 
"MSFT_MicrosoftGraphandroiddeviceowneruserfacingmessage", - "Name": "DetailedHelpText", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphandroiddeviceowneruserfacingmessage", - "Name": "DeviceOwnerLockScreenMessage", + "Name": "ApplePersonalizedAdsBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "EnrollmentProfile", + "CIMType": "Boolean", + "Name": "AppleWatchBlockPairing", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FactoryResetBlocked", + "Name": "AppleWatchForceWristDetection", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "FactoryResetDeviceAdministratorEmails", + "CIMType": "Boolean", + "Name": "AppRemovalBlocked", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphandroiddeviceownerglobalproxy", - "Name": "GlobalProxy", + "CIMType": "MSFT_MicrosoftGraphapplistitem[]", + "Name": "AppsSingleAppModeList", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "GoogleAccountsBlocked", + "Name": "AppStoreBlockAutomaticDownloads", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskCustomizationDeviceSettingsBlocked", + "Name": "AppStoreBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskCustomizationPowerButtonActionsBlocked", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "KioskCustomizationStatusBar", + "Name": "AppStoreBlockInAppPurchases", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskCustomizationSystemErrorWarnings", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "KioskCustomizationSystemNavigation", + "Name": "AppStoreBlockUIAppInstallation", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeAppOrderEnabled", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodeapppositionitem[]", - "Name": "KioskModeAppPositions", + "Name": "AppStoreRequirePassword", "Option": "Write" }, { "CIMType": "MSFT_MicrosoftGraphapplistitem[]", - "Name": "KioskModeApps", + "Name": 
"AppsVisibilityList", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskModeAppsInFolderOrderedByName", + "CIMType": "String", + "Name": "AppsVisibilityListType", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeBluetoothConfigurationEnabled", + "Name": "AutoFillForceAuthentication", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeDebugMenuEasyAccessEnabled", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "KioskModeExitCode", + "Name": "AutoUnlockBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeFlashlightConfigurationEnabled", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "KioskModeFolderIcon", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "KioskModeGridHeight", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "KioskModeGridWidth", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "KioskModeIconSize", + "Name": "BlockSystemAppRemoval", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeLockHomeScreen", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphandroiddeviceownerkioskmodemanagedfolder[]", - "Name": "KioskModeManagedFolders", + "Name": "BluetoothBlockModification", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeManagedHomeScreenAutoSignout", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "KioskModeManagedHomeScreenInactiveSignOutDelayInSeconds", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "KioskModeManagedHomeScreenInactiveSignOutNoticeInSeconds", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "KioskModeManagedHomeScreenPinComplexity", + "Name": "CameraBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeManagedHomeScreenPinRequired", + "Name": "CellularBlockDataRoaming", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeManagedHomeScreenPinRequiredToResume", - "Option": "Write" - }, - { - 
"CIMType": "String", - "Name": "KioskModeManagedHomeScreenSignInBackground", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "KioskModeManagedHomeScreenSignInBrandingLogo", + "Name": "CellularBlockGlobalBackgroundFetchWhileRoaming", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeManagedHomeScreenSignInEnabled", + "Name": "CellularBlockPerAppDataModification", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeManagedSettingsEntryDisabled", + "Name": "CellularBlockPersonalHotspot", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeMediaVolumeConfigurationEnabled", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "KioskModeScreenOrientation", + "Name": "CellularBlockPersonalHotspotModification", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeScreenSaverConfigurationEnabled", + "Name": "CellularBlockPlanModification", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeScreenSaverDetectMediaDisabled", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "KioskModeScreenSaverDisplayTimeInSeconds", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "KioskModeScreenSaverImageUrl", + "Name": "CellularBlockVoiceRoaming", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "KioskModeScreenSaverStartDelayInSeconds", + "CIMType": "Boolean", + "Name": "CertificatesBlockUntrustedTlsCertificates", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeShowAppNotificationBadge", + "Name": "ClassroomAppBlockRemoteScreenObservation", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeShowDeviceInfo", + "Name": "ClassroomAppForceUnpromptedScreenObservation", "Option": "Write" }, { - "CIMType": "String", - "Name": "KioskModeUseManagedHomeScreenApp", + "CIMType": "Boolean", + "Name": "ClassroomForceAutomaticallyJoinClasses", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeVirtualHomeButtonEnabled", + "Name": 
"ClassroomForceRequestPermissionToLeaveClasses", "Option": "Write" }, { - "CIMType": "String", - "Name": "KioskModeVirtualHomeButtonType", + "CIMType": "Boolean", + "Name": "ClassroomForceUnpromptedAppAndDeviceLock", "Option": "Write" }, { "CIMType": "String", - "Name": "KioskModeWallpaperUrl", + "Name": "CompliantAppListType", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "KioskModeWifiAllowedSsids", + "CIMType": "MSFT_MicrosoftGraphapplistitem[]", + "Name": "CompliantAppsList", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeWiFiConfigurationEnabled", + "Name": "ConfigurationProfileBlockChanges", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "MicrophoneForceMute", + "Name": "ContactsAllowManagedToUnmanagedWrite", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "MicrosoftLauncherConfigurationEnabled", + "Name": "ContactsAllowUnmanagedToManagedRead", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "MicrosoftLauncherCustomWallpaperAllowUserModification", + "Name": "ContinuousPathKeyboardBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "MicrosoftLauncherCustomWallpaperEnabled", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "MicrosoftLauncherCustomWallpaperImageUrl", + "Name": "DateAndTimeForceSetAutomatically", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "MicrosoftLauncherDockPresenceAllowUserModification", + "Name": "DefinitionLookupBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "MicrosoftLauncherDockPresenceConfiguration", + "CIMType": "Boolean", + "Name": "DeviceBlockEnableRestrictions", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "MicrosoftLauncherFeedAllowUserModification", + "Name": "DeviceBlockEraseContentAndSettings", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "MicrosoftLauncherFeedEnabled", + "Name": "DeviceBlockNameModification", "Option": "Write" }, { - "CIMType": "String", - "Name": 
"MicrosoftLauncherSearchBarPlacementConfiguration", + "CIMType": "Boolean", + "Name": "DiagnosticDataBlockSubmission", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "NetworkEscapeHatchAllowed", + "Name": "DiagnosticDataBlockSubmissionModification", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "NfcBlockOutgoingBeam", + "Name": "DocumentsBlockManagedDocumentsInUnmanagedApps", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasswordBlockKeyguard", + "Name": "DocumentsBlockUnmanagedDocumentsInManagedApps", "Option": "Write" }, { "CIMType": "String[]", - "Name": "PasswordBlockKeyguardFeatures", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "PasswordExpirationDays", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "PasswordMinimumLength", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "PasswordMinimumLetterCharacters", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "PasswordMinimumLowerCaseCharacters", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "PasswordMinimumNonLetterCharacters", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "PasswordMinimumNumericCharacters", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "PasswordMinimumSymbolCharacters", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "PasswordMinimumUpperCaseCharacters", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "PasswordMinutesOfInactivityBeforeScreenTimeout", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "PasswordPreviousPasswordCountToBlock", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "PasswordRequiredType", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "PasswordRequireUnlock", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "PasswordSignInFailureCountBeforeFactoryReset", + "Name": "EmailInDomainSuffixes", "Option": "Write" }, { "CIMType": "Boolean", - "Name": 
"PersonalProfileAppsAllowInstallFromUnknownSources", + "Name": "EnterpriseAppBlockTrust", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PersonalProfileCameraBlocked", + "Name": "EnterpriseAppBlockTrustModification", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphapplistitem[]", - "Name": "PersonalProfilePersonalApplications", + "CIMType": "Boolean", + "Name": "EnterpriseBookBlockBackup", "Option": "Write" }, { - "CIMType": "String", - "Name": "PersonalProfilePlayStoreMode", + "CIMType": "Boolean", + "Name": "EnterpriseBookBlockMetadataSync", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PersonalProfileScreenCaptureBlocked", + "Name": "EsimBlockModification", "Option": "Write" }, { - "CIMType": "String", - "Name": "PlayStoreMode", + "CIMType": "Boolean", + "Name": "FaceTimeBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ScreenCaptureBlocked", + "Name": "FilesNetworkDriveAccessBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SecurityCommonCriteriaModeEnabled", + "Name": "FilesUsbDriveAccessBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SecurityDeveloperSettingsEnabled", + "Name": "FindMyDeviceInFindMyAppBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SecurityRequireVerifyApps", + "Name": "FindMyFriendsBlocked", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphandroiddeviceowneruserfacingmessage", - "Name": "ShortHelpText", + "CIMType": "Boolean", + "Name": "FindMyFriendsInFindMyAppBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StatusBarBlocked", + "Name": "GameCenterBlocked", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "StayOnModes", + "CIMType": "Boolean", + "Name": "GamingBlockGameCenterFriends", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StorageAllowUsb", + "Name": "GamingBlockMultiplayer", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StorageBlockExternalMedia", + "Name": "HostPairingBlocked", 
"Option": "Write" }, { "CIMType": "Boolean", - "Name": "StorageBlockUsbFileTransfer", + "Name": "IBooksStoreBlocked", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphandroiddeviceownersystemupdatefreezeperiod[]", - "Name": "SystemUpdateFreezePeriods", + "CIMType": "Boolean", + "Name": "IBooksStoreBlockErotica", "Option": "Write" }, { - "CIMType": "String", - "Name": "SystemUpdateInstallType", + "CIMType": "Boolean", + "Name": "ICloudBlockActivityContinuation", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "SystemUpdateWindowEndMinutesAfterMidnight", + "CIMType": "Boolean", + "Name": "ICloudBlockBackup", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "SystemUpdateWindowStartMinutesAfterMidnight", + "CIMType": "Boolean", + "Name": "ICloudBlockDocumentSync", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SystemWindowsBlocked", + "Name": "ICloudBlockManagedAppsSync", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "UsersBlockAdd", + "Name": "ICloudBlockPhotoLibrary", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "UsersBlockRemove", + "Name": "ICloudBlockPhotoStreamSync", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "VolumeBlockAdjustment", + "Name": "ICloudBlockSharedPhotoStream", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "VpnAlwaysOnLockdownMode", + "Name": "ICloudPrivateRelayBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "VpnAlwaysOnPackageIdentifier", + "CIMType": "Boolean", + "Name": "ICloudRequireEncryptedBackup", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WifiBlockEditConfigurations", + "Name": "ITunesBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WifiBlockEditPolicyDefinedConfigurations", + "Name": "ITunesBlockExplicitContent", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "WorkProfilePasswordExpirationDays", + "CIMType": "Boolean", + "Name": "ITunesBlockMusicService", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": 
"WorkProfilePasswordMinimumLength", + "CIMType": "Boolean", + "Name": "ITunesBlockRadio", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "WorkProfilePasswordMinimumLetterCharacters", + "CIMType": "Boolean", + "Name": "KeyboardBlockAutoCorrect", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "WorkProfilePasswordMinimumLowerCaseCharacters", + "CIMType": "Boolean", + "Name": "KeyboardBlockDictation", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "WorkProfilePasswordMinimumNonLetterCharacters", + "CIMType": "Boolean", + "Name": "KeyboardBlockPredictive", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "WorkProfilePasswordMinimumNumericCharacters", + "CIMType": "Boolean", + "Name": "KeyboardBlockShortcuts", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "WorkProfilePasswordMinimumSymbolCharacters", + "CIMType": "Boolean", + "Name": "KeyboardBlockSpellCheck", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "WorkProfilePasswordMinimumUpperCaseCharacters", + "CIMType": "Boolean", + "Name": "KeychainBlockCloudSync", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "WorkProfilePasswordPreviousPasswordCountToBlock", + "CIMType": "Boolean", + "Name": "KioskModeAllowAssistiveSpeak", "Option": "Write" }, { - "CIMType": "String", - "Name": "WorkProfilePasswordRequiredType", + "CIMType": "Boolean", + "Name": "KioskModeAllowAssistiveTouchSettings", "Option": "Write" }, { - "CIMType": "String", - "Name": "WorkProfilePasswordRequireUnlock", + "CIMType": "Boolean", + "Name": "KioskModeAllowAutoLock", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "WorkProfilePasswordSignInFailureCountBeforeFactoryReset", + "CIMType": "Boolean", + "Name": "KioskModeAllowColorInversionSettings", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "KioskModeAllowRingerSwitch", "Option": "Write" }, { - "CIMType": "string", - "Name": 
"Ensure", + "CIMType": "Boolean", + "Name": "KioskModeAllowScreenRotation", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "KioskModeAllowSleepButton", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "KioskModeAllowTouchscreen", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "KioskModeAllowVoiceControlModification", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "KioskModeAllowVoiceOverSettings", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "KioskModeAllowVolumeButtons", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "KioskModeAllowZoomSettings", "Option": "Write" }, - { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject", - "Parameters": [ { "CIMType": "String", - "Name": "Id", + "Name": "KioskModeAppStoreUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "KioskModeAppType", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "KioskModeBlockAutoLock", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AppsBlockInstallFromUnknownSources", + "Name": "KioskModeBlockRingerSwitch", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "BluetoothBlockConfiguration", + "Name": "KioskModeBlockScreenRotation", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "BluetoothBlocked", + "Name": "KioskModeBlockSleepButton", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CameraBlocked", + "Name": "KioskModeBlockTouchscreen", "Option": "Write" }, { "CIMType": "Boolean", - "Name": 
"FactoryResetBlocked", + "Name": "KioskModeBlockVolumeButtons", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordMinimumLength", + "CIMType": "String", + "Name": "KioskModeBuiltInAppId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordMinutesOfInactivityBeforeScreenTimeout", + "CIMType": "Boolean", + "Name": "KioskModeEnableVoiceControl", "Option": "Write" }, { "CIMType": "String", - "Name": "PasswordRequiredType", + "Name": "KioskModeManagedAppId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordSignInFailureCountBeforeFactoryReset", + "CIMType": "Boolean", + "Name": "KioskModeRequireAssistiveTouch", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ScreenCaptureBlocked", + "Name": "KioskModeRequireColorInversion", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SecurityAllowDebuggingFeatures", + "Name": "KioskModeRequireMonoAudio", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StorageBlockExternalMedia", + "Name": "KioskModeRequireVoiceOver", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StorageBlockUsbFileTransfer", + "Name": "KioskModeRequireZoom", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WifiBlockEditConfigurations", + "Name": "LockScreenBlockControlCenter", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "LockScreenBlockNotificationView", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "LockScreenBlockPassbook", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "LockScreenBlockTodayView", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "ManagedPasteboardRequired", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "MediaContentRatingApps", "Option": "Write" }, { - 
"CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "MSFT_MicrosoftGraphmediacontentratingaustralia", + "Name": "MediaContentRatingAustralia", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "MSFT_MicrosoftGraphmediacontentratingcanada", + "Name": "MediaContentRatingCanada", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "MSFT_MicrosoftGraphmediacontentratingfrance", + "Name": "MediaContentRatingFrance", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "MSFT_MicrosoftGraphmediacontentratinggermany", + "Name": "MediaContentRatingGermany", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile", - "Parameters": [ - { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "MSFT_MicrosoftGraphmediacontentratingireland", + "Name": "MediaContentRatingIreland", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "MSFT_MicrosoftGraphmediacontentratingjapan", + "Name": "MediaContentRatingJapan", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasswordBlockFaceUnlock", + "CIMType": "MSFT_MicrosoftGraphmediacontentratingnewzealand", + "Name": "MediaContentRatingNewZealand", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasswordBlockFingerprintUnlock", + "CIMType": "MSFT_MicrosoftGraphmediacontentratingunitedkingdom", + "Name": "MediaContentRatingUnitedKingdom", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasswordBlockIrisUnlock", + "CIMType": "MSFT_MicrosoftGraphmediacontentratingunitedstates", + "Name": "MediaContentRatingUnitedStates", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "passwordBlockTrustAgents", - "Option": "Write" - }, - { - "CIMType": "Uint32", - "Name": 
"PasswordExpirationDays", + "Name": "MessagesBlocked", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordMinimumLength", + "CIMType": "MSFT_MicrosoftGraphiosnetworkusagerule[]", + "Name": "NetworkUsageRules", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordMinutesOfInactivityBeforeScreenTimeout", + "CIMType": "Boolean", + "Name": "NfcBlocked", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordPreviousPasswordBlockCount", + "CIMType": "Boolean", + "Name": "NotificationsBlockSettingsModification", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "PasswordSignInFailureCountBeforeFactoryReset", + "CIMType": "Boolean", + "Name": "OnDeviceOnlyDictationForced", "Option": "Write" }, { - "CIMType": "String", - "Name": "PasswordRequiredType", + "CIMType": "Boolean", + "Name": "OnDeviceOnlyTranslationForced", "Option": "Write" }, { - "CIMType": "String", - "Name": "RequiredPasswordComplexity", + "CIMType": "Boolean", + "Name": "PasscodeBlockFingerprintModification", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WorkProfileAllowAppInstallsFromUnknownSources", + "Name": "PasscodeBlockFingerprintUnlock", "Option": "Write" }, { - "CIMType": "String", - "Name": "WorkProfileDataSharingType", + "CIMType": "Boolean", + "Name": "PasscodeBlockModification", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WorkProfileBlockNotificationsWhileDeviceLocked", + "Name": "PasscodeBlockSimple", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WorkProfileBlockAddingAccounts", + "CIMType": "UInt32", + "Name": "PasscodeExpirationDays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WorkProfileBluetoothEnableContactSharing", + "CIMType": "UInt32", + "Name": "PasscodeMinimumCharacterSetCount", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WorkProfileBlockScreenCapture", + "CIMType": "UInt32", + "Name": "PasscodeMinimumLength", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": 
"WorkProfileBlockCrossProfileCallerId", + "CIMType": "UInt32", + "Name": "PasscodeMinutesOfInactivityBeforeLock", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WorkProfileBlockCamera", + "CIMType": "UInt32", + "Name": "PasscodeMinutesOfInactivityBeforeScreenTimeout", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WorkProfileBlockCrossProfileContactsSearch", + "CIMType": "UInt32", + "Name": "PasscodePreviousPasscodeBlockCount", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WorkProfileBlockCrossProfileCopyPaste", + "Name": "PasscodeRequired", "Option": "Write" }, { "CIMType": "String", - "Name": "WorkProfileDefaultAppPermissionPolicy", + "Name": "PasscodeRequiredType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WorkProfilePasswordBlockFaceUnlock", + "CIMType": "UInt32", + "Name": "PasscodeSignInFailureCountBeforeWipe", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WorkProfilePasswordBlockFingerprintUnlock", + "Name": "PasswordBlockAirDropSharing", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WorkProfilePasswordBlockIrisUnlock", + "Name": "PasswordBlockAutoFill", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WorkProfilePasswordBlockTrustAgents", - "Option": "Write" - }, - { - "CIMType": "Uint32", - "Name": "WorkProfilePasswordExpirationDays", + "Name": "PasswordBlockProximityRequests", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "WorkProfilePasswordMinimumLength", + "CIMType": "Boolean", + "Name": "PkiBlockOTAUpdates", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "WorkProfilePasswordMinNumericCharacters", + "CIMType": "Boolean", + "Name": "PodcastsBlocked", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "WorkProfilePasswordMinNonLetterCharacters", + "CIMType": "Boolean", + "Name": "PrivacyForceLimitAdTracking", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "WorkProfilePasswordMinLetterCharacters", + "CIMType": "Boolean", + "Name": 
"ProximityBlockSetupToNewDevice", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "WorkProfilePasswordMinLowerCaseCharacters", + "CIMType": "Boolean", + "Name": "SafariBlockAutofill", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "WorkProfilePasswordMinUpperCaseCharacters", + "CIMType": "Boolean", + "Name": "SafariBlocked", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "WorkProfilePasswordMinSymbolCharacters", + "CIMType": "Boolean", + "Name": "SafariBlockJavaScript", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "WorkProfilePasswordMinutesOfInactivityBeforeScreenTimeout", + "CIMType": "Boolean", + "Name": "SafariBlockPopups", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "WorkProfilePasswordPreviousPasswordBlockCount", + "CIMType": "String", + "Name": "SafariCookieSettings", "Option": "Write" }, { - "CIMType": "Uint32", - "Name": "WorkProfilePasswordSignInFailureCountBeforeFactoryReset", + "CIMType": "String[]", + "Name": "SafariManagedDomains", "Option": "Write" }, { - "CIMType": "String", - "Name": "WorkProfilePasswordRequiredType", + "CIMType": "String[]", + "Name": "SafariPasswordAutoFillDomains", "Option": "Write" }, { - "CIMType": "String", - "Name": "WorkProfileRequiredPasswordComplexity", + "CIMType": "Boolean", + "Name": "SafariRequireFraudWarning", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WorkProfileRequirePassword", + "Name": "ScreenCaptureBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SecurityRequireVerifyApps", + "Name": "SharedDeviceBlockTemporarySessions", "Option": "Write" }, { - "CIMType": "String", - "Name": "VpnAlwaysOnPackageIdentifier", + "CIMType": "Boolean", + "Name": "SiriBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "VpnEnableAlwaysOnLockdownMode", + "Name": "SiriBlockedWhenLocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WorkProfileAllowWidgets", + "Name": "SiriBlockUserGeneratedContent", "Option": "Write" }, { "CIMType": 
"Boolean", - "Name": "WorkProfileBlockPersonalAppInstallsFromUnknownSources", + "Name": "SiriRequireProfanityFilter", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "UInt32", + "Name": "SoftwareUpdatesEnforcedDelayInDays", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "SoftwareUpdatesForceDelayed", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "SpotlightBlockInternetResults", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "UnpairedExternalBootToRecoveryAllowed", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "UsbRestrictedModeBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "VoiceDialingBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "VpnBlockCreation", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphmediacontentratingaustralia", - "Parameters": [ - { - "CIMType": "String", - "Name": "movieRating", + "CIMType": "Boolean", + "Name": "WallpaperBlockModification", "Option": "Write" }, { - "CIMType": "String", - "Name": "tvRating", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphmediacontentratingcanada", - "Parameters": [ - { - "CIMType": "String", - "Name": "movieRating", + "CIMType": "Boolean", + "Name": "WiFiConnectOnlyToConfiguredNetworks", "Option": "Write" }, { - "CIMType": "String", - "Name": "tvRating", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphmediacontentratingfrance", - "Parameters": [ - { - "CIMType": "String", - "Name": "movieRating", + "CIMType": "Boolean", + "Name": 
"WiFiConnectToAllowedNetworksOnlyForced", "Option": "Write" }, { - "CIMType": "String", - "Name": "tvRating", + "CIMType": "Boolean", + "Name": "WifiPowerOnForced", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphmediacontentratinggermany", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "movieRating", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String", - "Name": "tvRating", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphmediacontentratingireland", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "movieRating", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "tvRating", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphmediacontentratingjapan", - "Parameters": [ - { - "CIMType": "String", - "Name": "movieRating", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "tvRating", + "Name": "TenantId", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphmediacontentratingnewzealand", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "movieRating", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "tvRating", + "Name": "CertificateThumbprint", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphmediacontentratingunitedkingdom", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "movieRating", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "tvRating", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphmediacontentratingunitedstates", + "ClassName": "MSFT_MicrosoftGraphapplistitemMacOS", "Parameters": [ { "CIMType": "String", - 
"Name": "movieRating", + "Name": "odataType", "Option": "Write" }, { "CIMType": "String", - "Name": "tvRating", + "Name": "appId", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphiosnetworkusagerule", - "Parameters": [ + }, { - "CIMType": "Boolean", - "Name": "cellularDataBlocked", + "CIMType": "String", + "Name": "appStoreUrl", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "cellularDataBlockWhenRoaming", + "CIMType": "String", + "Name": "name", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphapplistitem[]", - "Name": "managedApps", + "CIMType": "String", + "Name": "publisher", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneDeviceConfigurationPolicyIOS", + "ClassName": "MSFT_MicrosoftGraphmacosprivacyaccesscontrolitem", "Parameters": [ { "CIMType": "String", - "Name": "Id", + "Name": "accessibility", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "Description", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "AccountBlockModification", + "Name": "addressBook", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ActivationLockAllowWhenSupervised", + "CIMType": "MSFT_MicrosoftGraphmacosappleeventreceiver[]", + "Name": "appleEventsAllowedReceivers", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AirDropBlocked", + "Name": "blockCamera", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AirDropForceUnmanagedDropTarget", + "Name": "blockListenEvent", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AirPlayForcePairingPasswordForOutgoingRequests", + "Name": "blockMicrophone", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AirPrintBlockCredentialsStorage", + "Name": "blockScreenCapture", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AirPrintBlocked", + "CIMType": "String", + "Name": "calendar", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": 
"AirPrintBlockiBeaconDiscovery", + "CIMType": "String", + "Name": "codeRequirement", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AirPrintForceTrustedTLS", + "CIMType": "String", + "Name": "displayName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AppClipsBlocked", + "CIMType": "String", + "Name": "fileProviderPresence", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AppleNewsBlocked", + "CIMType": "String", + "Name": "identifier", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ApplePersonalizedAdsBlocked", + "CIMType": "String", + "Name": "identifierType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AppleWatchBlockPairing", + "CIMType": "String", + "Name": "mediaLibrary", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AppleWatchForceWristDetection", + "CIMType": "String", + "Name": "photos", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AppRemovalBlocked", + "CIMType": "String", + "Name": "postEvent", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphapplistitem[]", - "Name": "AppsSingleAppModeList", + "CIMType": "String", + "Name": "reminders", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AppStoreBlockAutomaticDownloads", + "CIMType": "String", + "Name": "speechRecognition", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AppStoreBlocked", + "Name": "staticCodeValidation", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AppStoreBlockInAppPurchases", + "CIMType": "String", + "Name": "systemPolicyAllFiles", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AppStoreBlockUIAppInstallation", + "CIMType": "String", + "Name": "systemPolicyDesktopFolder", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AppStoreRequirePassword", + "CIMType": "String", + "Name": "systemPolicyDocumentsFolder", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphapplistitem[]", - "Name": "AppsVisibilityList", + "CIMType": "String", + "Name": 
"systemPolicyDownloadsFolder", "Option": "Write" }, { "CIMType": "String", - "Name": "AppsVisibilityListType", + "Name": "systemPolicyNetworkVolumes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AutoFillForceAuthentication", + "CIMType": "String", + "Name": "systemPolicyRemovableVolumes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AutoUnlockBlocked", + "CIMType": "String", + "Name": "systemPolicySystemAdminFiles", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphmacosappleeventreceiver", + "Parameters": [ { "CIMType": "Boolean", - "Name": "BlockSystemAppRemoval", + "Name": "allowed", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "BluetoothBlockModification", + "CIMType": "String", + "Name": "codeRequirement", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "CameraBlocked", + "CIMType": "String", + "Name": "identifier", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "CellularBlockDataRoaming", + "CIMType": "String", + "Name": "identifierType", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationPolicyMacOS", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "CellularBlockGlobalBackgroundFetchWhileRoaming", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "CellularBlockPerAppDataModification", - "Option": "Write" + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "CellularBlockPersonalHotspot", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CellularBlockPersonalHotspotModification", + "Name": "AddingGameCenterFriendsBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CellularBlockPlanModification", + "Name": "AirDropBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CellularBlockVoiceRoaming", + "Name": "AppleWatchBlockAutoUnlock", "Option": "Write" }, { 
"CIMType": "Boolean", - "Name": "CertificatesBlockUntrustedTlsCertificates", + "Name": "CameraBlocked", "Option": "Write" }, { 
@@ -29393,2838 +35054,2943 @@ "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphapplistitem[]", + "CIMType": "MSFT_MicrosoftGraphapplistitemMacOS[]", "Name": "CompliantAppsList", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ConfigurationProfileBlockChanges", + "Name": "ContentCachingBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ContactsAllowManagedToUnmanagedWrite", + "Name": "DefinitionLookupBlocked", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ContactsAllowUnmanagedToManagedRead", + "CIMType": "String[]", + "Name": "EmailInDomainSuffixes", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ContinuousPathKeyboardBlocked", + "Name": "EraseContentAndSettingsBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DateAndTimeForceSetAutomatically", + "Name": "GameCenterBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefinitionLookupBlocked", + "Name": "ICloudBlockActivityContinuation", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DeviceBlockEnableRestrictions", + "Name": "ICloudBlockAddressBook", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DeviceBlockEraseContentAndSettings", + "Name": "ICloudBlockBookmarks", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DeviceBlockNameModification", + "Name": "ICloudBlockCalendar", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DiagnosticDataBlockSubmission", + "Name": "ICloudBlockDocumentSync", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DiagnosticDataBlockSubmissionModification", + "Name": "ICloudBlockMail", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DocumentsBlockManagedDocumentsInUnmanagedApps", + "Name": "ICloudBlockNotes", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DocumentsBlockUnmanagedDocumentsInManagedApps", + "Name": "ICloudBlockPhotoLibrary", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EmailInDomainSuffixes", + "CIMType": "Boolean", + "Name": 
"ICloudBlockReminders", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnterpriseAppBlockTrust", + "Name": "ICloudDesktopAndDocumentsBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnterpriseAppBlockTrustModification", + "Name": "ICloudPrivateRelayBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnterpriseBookBlockBackup", + "Name": "ITunesBlockFileSharing", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnterpriseBookBlockMetadataSync", + "Name": "ITunesBlockMusicService", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EsimBlockModification", + "Name": "KeyboardBlockDictation", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FaceTimeBlocked", + "Name": "KeychainBlockCloudSync", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FilesNetworkDriveAccessBlocked", + "Name": "MultiplayerGamingBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FilesUsbDriveAccessBlocked", + "Name": "PasswordBlockAirDropSharing", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FindMyDeviceInFindMyAppBlocked", + "Name": "PasswordBlockAutoFill", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FindMyFriendsBlocked", + "Name": "PasswordBlockFingerprintUnlock", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "FindMyFriendsInFindMyAppBlocked", + "Name": "PasswordBlockModification", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "GameCenterBlocked", + "Name": "PasswordBlockProximityRequests", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "GamingBlockGameCenterFriends", + "Name": "PasswordBlockSimple", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "GamingBlockMultiplayer", + "CIMType": "UInt32", + "Name": "PasswordExpirationDays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "HostPairingBlocked", + "CIMType": "UInt32", + "Name": "PasswordMaximumAttemptCount", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IBooksStoreBlocked", + 
"CIMType": "UInt32", + "Name": "PasswordMinimumCharacterSetCount", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IBooksStoreBlockErotica", + "CIMType": "UInt32", + "Name": "PasswordMinimumLength", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ICloudBlockActivityContinuation", + "CIMType": "UInt32", + "Name": "PasswordMinutesOfInactivityBeforeLock", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ICloudBlockBackup", + "CIMType": "UInt32", + "Name": "PasswordMinutesOfInactivityBeforeScreenTimeout", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ICloudBlockDocumentSync", + "CIMType": "UInt32", + "Name": "PasswordMinutesUntilFailedLoginReset", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ICloudBlockManagedAppsSync", + "CIMType": "UInt32", + "Name": "PasswordPreviousPasswordBlockCount", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ICloudBlockPhotoLibrary", + "Name": "PasswordRequired", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ICloudBlockPhotoStreamSync", + "CIMType": "String", + "Name": "PasswordRequiredType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ICloudBlockSharedPhotoStream", + "CIMType": "MSFT_MicrosoftGraphmacosprivacyaccesscontrolitem[]", + "Name": "PrivacyAccessControls", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ICloudPrivateRelayBlocked", + "Name": "SafariBlockAutofill", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ICloudRequireEncryptedBackup", + "Name": "ScreenCaptureBlocked", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ITunesBlocked", + "CIMType": "UInt32", + "Name": "SoftwareUpdateMajorOSDeferredInstallDelayInDays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ITunesBlockExplicitContent", + "CIMType": "UInt32", + "Name": "SoftwareUpdateMinorOSDeferredInstallDelayInDays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ITunesBlockMusicService", + "CIMType": "UInt32", + "Name": 
"SoftwareUpdateNonOSDeferredInstallDelayInDays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ITunesBlockRadio", + "CIMType": "UInt32", + "Name": "SoftwareUpdatesEnforcedDelayInDays", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KeyboardBlockAutoCorrect", + "Name": "SpotlightBlockInternetResults", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KeyboardBlockDictation", + "CIMType": "UInt32", + "Name": "TouchIdTimeoutInHours", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KeyboardBlockPredictive", + "CIMType": "String[]", + "Name": "UpdateDelayPolicy", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KeyboardBlockShortcuts", + "Name": "WallpaperModificationBlocked", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KeyboardBlockSpellCheck", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KeychainBlockCloudSync", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskModeAllowAssistiveSpeak", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskModeAllowAssistiveTouchSettings", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskModeAllowAutoLock", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskModeAllowColorInversionSettings", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskModeAllowRingerSwitch", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeAllowScreenRotation", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskModeAllowSleepButton", + "CIMType": "String[]", + "Name": 
"AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphDefenderDetectedMalwareActions1", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "KioskModeAllowTouchscreen", + "CIMType": "String", + "Name": "HighSeverity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskModeAllowVoiceControlModification", + "CIMType": "String", + "Name": "LowSeverity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskModeAllowVoiceOverSettings", + "CIMType": "String", + "Name": "ModerateSeverity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskModeAllowVolumeButtons", + "CIMType": "String", + "Name": "SevereSeverity", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphEdgeHomeButtonConfiguration", + "Parameters": [ + { + "CIMType": "String", + "Name": "HomeButtonCustomURL", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskModeAllowZoomSettings", + "CIMType": "String", + "Name": "odataType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphEdgeSearchEngineBase", + "Parameters": [ + { + "CIMType": "String", + "Name": "EdgeSearchEngineType", "Option": "Write" }, { "CIMType": "String", - "Name": "KioskModeAppStoreUrl", + "Name": "EdgeSearchEngineOpenSearchXmlUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "KioskModeAppType", + "Name": "odataType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindows10NetworkProxyServer", + "Parameters": [ + { + "CIMType": "String", + "Name": "Address", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskModeBlockAutoLock", + "CIMType": "String[]", + "Name": "Exceptions", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeBlockRingerSwitch", + "Name": "UseForLocalAddresses", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindows10AppsForceUpdateSchedule", + "Parameters": [ + { + "CIMType": "String", + "Name": "Recurrence", 
"Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeBlockScreenRotation", + "Name": "RunImmediatelyIfAfterStartDateTime", "Option": "Write" }, + { + "CIMType": "String", + "Name": "StartDateTime", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationPolicyWindows10", + "Parameters": [ { "CIMType": "Boolean", - "Name": "KioskModeBlockSleepButton", + "Name": "AccountsBlockAddingNonMicrosoftAccountEmail", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskModeBlockTouchscreen", + "CIMType": "String", + "Name": "ActivateAppsWithVoice", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeBlockVolumeButtons", + "Name": "AntiTheftModeBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "KioskModeBuiltInAppId", + "CIMType": "Boolean", + "Name": "AppManagementMSIAllowUserControlOverInstall", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeEnableVoiceControl", + "Name": "AppManagementMSIAlwaysInstallWithElevatedPrivileges", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AppManagementPackageFamilyNamesToLaunchAfterLogOn", "Option": "Write" }, { "CIMType": "String", - "Name": "KioskModeManagedAppId", + "Name": "AppsAllowTrustedAppsSideloading", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeRequireAssistiveTouch", + "Name": "AppsBlockWindowsStoreOriginatedApps", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KioskModeRequireColorInversion", + "Name": "AuthenticationAllowSecondaryDevice", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskModeRequireMonoAudio", + "CIMType": "String", + "Name": "AuthenticationPreferredAzureADTenantDomainName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KioskModeRequireVoiceOver", + "CIMType": "String", + "Name": "AuthenticationWebSignIn", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BluetoothAllowedServices", "Option": "Write" }, { "CIMType": "Boolean", - 
"Name": "KioskModeRequireZoom", + "Name": "BluetoothBlockAdvertising", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "LockScreenBlockControlCenter", + "Name": "BluetoothBlockDiscoverableMode", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "LockScreenBlockNotificationView", + "Name": "BluetoothBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "LockScreenBlockPassbook", + "Name": "BluetoothBlockPrePairing", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "LockScreenBlockTodayView", + "Name": "BluetoothBlockPromptedProximalConnections", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedPasteboardRequired", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "MediaContentRatingApps", + "Name": "CameraBlocked", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphmediacontentratingaustralia", - "Name": "MediaContentRatingAustralia", + "CIMType": "Boolean", + "Name": "CellularBlockDataWhenRoaming", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphmediacontentratingcanada", - "Name": "MediaContentRatingCanada", + "CIMType": "Boolean", + "Name": "CellularBlockVpn", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphmediacontentratingfrance", - "Name": "MediaContentRatingFrance", + "CIMType": "Boolean", + "Name": "CellularBlockVpnWhenRoaming", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphmediacontentratinggermany", - "Name": "MediaContentRatingGermany", + "CIMType": "String", + "Name": "CellularData", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphmediacontentratingireland", - "Name": "MediaContentRatingIreland", + "CIMType": "Boolean", + "Name": "CertificatesBlockManualRootCertificateInstallation", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphmediacontentratingjapan", - "Name": "MediaContentRatingJapan", + "CIMType": "String", + "Name": "ConfigureTimeZone", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphmediacontentratingnewzealand", - "Name": 
"MediaContentRatingNewZealand", + "CIMType": "Boolean", + "Name": "ConnectedDevicesServiceBlocked", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphmediacontentratingunitedkingdom", - "Name": "MediaContentRatingUnitedKingdom", + "CIMType": "Boolean", + "Name": "CopyPasteBlocked", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphmediacontentratingunitedstates", - "Name": "MediaContentRatingUnitedStates", + "CIMType": "Boolean", + "Name": "CortanaBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "MessagesBlocked", + "Name": "CryptographyAllowFipsAlgorithmPolicy", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphiosnetworkusagerule[]", - "Name": "NetworkUsageRules", + "CIMType": "Boolean", + "Name": "DataProtectionBlockDirectMemoryAccess", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "NfcBlocked", + "Name": "DefenderBlockEndUserAccess", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "NotificationsBlockSettingsModification", + "Name": "DefenderBlockOnAccessProtection", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OnDeviceOnlyDictationForced", + "CIMType": "String", + "Name": "DefenderCloudBlockLevel", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OnDeviceOnlyTranslationForced", + "CIMType": "UInt32", + "Name": "DefenderCloudExtendedTimeout", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasscodeBlockFingerprintModification", + "CIMType": "UInt32", + "Name": "DefenderCloudExtendedTimeoutInSeconds", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasscodeBlockFingerprintUnlock", + "CIMType": "UInt32", + "Name": "DefenderDaysBeforeDeletingQuarantinedMalware", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasscodeBlockModification", + "CIMType": "MSFT_MicrosoftGraphdefenderDetectedMalwareActions1", + "Name": "DefenderDetectedMalwareActions", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasscodeBlockSimple", + "Name": "DefenderDisableCatchupFullScan", 
"Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasscodeExpirationDays", + "CIMType": "Boolean", + "Name": "DefenderDisableCatchupQuickScan", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasscodeMinimumCharacterSetCount", + "CIMType": "String[]", + "Name": "DefenderFileExtensionsToExclude", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasscodeMinimumLength", + "CIMType": "String[]", + "Name": "DefenderFilesAndFoldersToExclude", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasscodeMinutesOfInactivityBeforeLock", + "CIMType": "String", + "Name": "DefenderMonitorFileActivity", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasscodeMinutesOfInactivityBeforeScreenTimeout", + "CIMType": "String", + "Name": "DefenderPotentiallyUnwantedAppAction", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasscodePreviousPasscodeBlockCount", + "CIMType": "String", + "Name": "DefenderPotentiallyUnwantedAppActionSetting", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasscodeRequired", + "CIMType": "String[]", + "Name": "DefenderProcessesToExclude", "Option": "Write" }, { "CIMType": "String", - "Name": "PasscodeRequiredType", + "Name": "DefenderPromptForSampleSubmission", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasscodeSignInFailureCountBeforeWipe", + "CIMType": "Boolean", + "Name": "DefenderRequireBehaviorMonitoring", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasswordBlockAirDropSharing", + "Name": "DefenderRequireCloudProtection", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasswordBlockAutoFill", + "Name": "DefenderRequireNetworkInspectionSystem", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasswordBlockProximityRequests", + "Name": "DefenderRequireRealTimeMonitoring", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PkiBlockOTAUpdates", + "Name": "DefenderScanArchiveFiles", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PodcastsBlocked", 
+ "Name": "DefenderScanDownloads", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PrivacyForceLimitAdTracking", + "Name": "DefenderScanIncomingMail", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ProximityBlockSetupToNewDevice", + "Name": "DefenderScanMappedNetworkDrivesDuringFullScan", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SafariBlockAutofill", + "CIMType": "UInt32", + "Name": "DefenderScanMaxCpu", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SafariBlocked", + "Name": "DefenderScanNetworkFiles", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SafariBlockJavaScript", + "Name": "DefenderScanRemovableDrivesDuringFullScan", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SafariBlockPopups", + "Name": "DefenderScanScriptsLoadedInInternetExplorer", "Option": "Write" }, { "CIMType": "String", - "Name": "SafariCookieSettings", + "Name": "DefenderScanType", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SafariManagedDomains", + "CIMType": "String", + "Name": "DefenderScheduledQuickScanTime", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SafariPasswordAutoFillDomains", + "CIMType": "String", + "Name": "DefenderScheduledScanTime", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SafariRequireFraudWarning", + "Name": "DefenderScheduleScanEnableLowCpuPriority", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ScreenCaptureBlocked", + "CIMType": "UInt32", + "Name": "DefenderSignatureUpdateIntervalInHours", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SharedDeviceBlockTemporarySessions", + "CIMType": "String", + "Name": "DefenderSubmitSamplesConsentType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SiriBlocked", + "CIMType": "String", + "Name": "DefenderSystemScanSchedule", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SiriBlockedWhenLocked", + "CIMType": "String", + "Name": "DeveloperUnlockSetting", "Option": "Write" }, { "CIMType": 
"Boolean", - "Name": "SiriBlockUserGeneratedContent", + "Name": "DeviceManagementBlockFactoryResetOnMobile", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SiriRequireProfanityFilter", + "Name": "DeviceManagementBlockManualUnenroll", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "SoftwareUpdatesEnforcedDelayInDays", + "CIMType": "String", + "Name": "DiagnosticsDataSubmissionMode", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SoftwareUpdatesForceDelayed", + "CIMType": "String[]", + "Name": "DisplayAppListWithGdiDPIScalingTurnedOff", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SpotlightBlockInternetResults", + "CIMType": "String[]", + "Name": "DisplayAppListWithGdiDPIScalingTurnedOn", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "UnpairedExternalBootToRecoveryAllowed", + "Name": "EdgeAllowStartPagesModification", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "UsbRestrictedModeBlocked", + "Name": "EdgeBlockAccessToAboutFlags", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "VoiceDialingBlocked", + "Name": "EdgeBlockAddressBarDropdown", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "VpnBlockCreation", + "Name": "EdgeBlockAutofill", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WallpaperBlockModification", + "Name": "EdgeBlockCompatibilityList", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WiFiConnectOnlyToConfiguredNetworks", + "Name": "EdgeBlockDeveloperTools", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WiFiConnectToAllowedNetworksOnlyForced", + "Name": "EdgeBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WifiPowerOnForced", + "Name": "EdgeBlockEditFavorites", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "EdgeBlockExtensions", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": 
"EdgeBlockFullScreenMode", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "EdgeBlockInPrivateBrowsing", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "EdgeBlockJavaScript", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "EdgeBlockLiveTileDataCollection", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "EdgeBlockPasswordManager", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "EdgeBlockPopups", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "EdgeBlockPrelaunch", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphapplistitemMacOS", - "Parameters": [ - { - "CIMType": "String", - "Name": "odataType", + "CIMType": "Boolean", + "Name": "EdgeBlockPrinting", "Option": "Write" }, { - "CIMType": "String", - "Name": "appId", + "CIMType": "Boolean", + "Name": "EdgeBlockSavingHistory", "Option": "Write" }, { - "CIMType": "String", - "Name": "appStoreUrl", + "CIMType": "Boolean", + "Name": "EdgeBlockSearchEngineCustomization", "Option": "Write" }, { - "CIMType": "String", - "Name": "name", + "CIMType": "Boolean", + "Name": "EdgeBlockSearchSuggestions", "Option": "Write" }, { - "CIMType": "String", - "Name": "publisher", + "CIMType": "Boolean", + "Name": "EdgeBlockSendingDoNotTrackHeader", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphmacosprivacyaccesscontrolitem", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "accessibility", + "CIMType": "Boolean", + "Name": "EdgeBlockSendingIntranetTrafficToInternetExplorer", "Option": "Write" }, { - "CIMType": "String", - "Name": "addressBook", + "CIMType": 
"Boolean", + "Name": "EdgeBlockSideloadingExtensions", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphmacosappleeventreceiver[]", - "Name": "appleEventsAllowedReceivers", + "CIMType": "Boolean", + "Name": "EdgeBlockTabPreloading", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "blockCamera", + "Name": "EdgeBlockWebContentOnNewTabPage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "blockListenEvent", + "Name": "EdgeClearBrowsingDataOnExit", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "blockMicrophone", + "CIMType": "String", + "Name": "EdgeCookiePolicy", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "blockScreenCapture", + "Name": "EdgeDisableFirstRunPage", "Option": "Write" }, { "CIMType": "String", - "Name": "calendar", + "Name": "EdgeEnterpriseModeSiteListLocation", "Option": "Write" }, { "CIMType": "String", - "Name": "codeRequirement", + "Name": "EdgeFavoritesBarVisibility", "Option": "Write" }, { "CIMType": "String", - "Name": "displayName", + "Name": "EdgeFavoritesListLocation", "Option": "Write" }, { "CIMType": "String", - "Name": "fileProviderPresence", + "Name": "EdgeFirstRunUrl", "Option": "Write" }, { - "CIMType": "String", - "Name": "identifier", + "CIMType": "MSFT_MicrosoftGraphedgeHomeButtonConfiguration", + "Name": "EdgeHomeButtonConfiguration", "Option": "Write" }, { - "CIMType": "String", - "Name": "identifierType", + "CIMType": "Boolean", + "Name": "EdgeHomeButtonConfigurationEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "mediaLibrary", + "CIMType": "String[]", + "Name": "EdgeHomepageUrls", "Option": "Write" }, { "CIMType": "String", - "Name": "photos", + "Name": "EdgeKioskModeRestriction", "Option": "Write" }, { - "CIMType": "String", - "Name": "postEvent", + "CIMType": "UInt32", + "Name": "EdgeKioskResetAfterIdleTimeInMinutes", "Option": "Write" }, { "CIMType": "String", - "Name": "reminders", + "Name": "EdgeNewTabPageURL", "Option": "Write" }, { "CIMType": "String", - "Name": 
"speechRecognition", + "Name": "EdgeOpensWith", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "staticCodeValidation", + "Name": "EdgePreventCertificateErrorOverride", "Option": "Write" }, { - "CIMType": "String", - "Name": "systemPolicyAllFiles", + "CIMType": "String[]", + "Name": "EdgeRequiredExtensionPackageFamilyNames", "Option": "Write" }, { - "CIMType": "String", - "Name": "systemPolicyDesktopFolder", + "CIMType": "Boolean", + "Name": "EdgeRequireSmartScreen", "Option": "Write" }, { - "CIMType": "String", - "Name": "systemPolicyDocumentsFolder", + "CIMType": "MSFT_MicrosoftGraphedgeSearchEngineBase", + "Name": "EdgeSearchEngine", "Option": "Write" }, { - "CIMType": "String", - "Name": "systemPolicyDownloadsFolder", + "CIMType": "Boolean", + "Name": "EdgeSendIntranetTrafficToInternetExplorer", "Option": "Write" }, { "CIMType": "String", - "Name": "systemPolicyNetworkVolumes", + "Name": "EdgeShowMessageWhenOpeningInternetExplorerSites", "Option": "Write" }, { - "CIMType": "String", - "Name": "systemPolicyRemovableVolumes", + "CIMType": "Boolean", + "Name": "EdgeSyncFavoritesWithInternetExplorer", "Option": "Write" }, { "CIMType": "String", - "Name": "systemPolicySystemAdminFiles", + "Name": "EdgeTelemetryForMicrosoft365Analytics", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphmacosappleeventreceiver", - "Parameters": [ + }, { "CIMType": "Boolean", - "Name": "allowed", + "Name": "EnableAutomaticRedeployment", "Option": "Write" }, { - "CIMType": "String", - "Name": "codeRequirement", + "CIMType": "UInt32", + "Name": "EnergySaverOnBatteryThresholdPercentage", "Option": "Write" }, { - "CIMType": "String", - "Name": "identifier", + "CIMType": "UInt32", + "Name": "EnergySaverPluggedInThresholdPercentage", "Option": "Write" }, { "CIMType": "String", - "Name": "identifierType", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationPolicyMacOS", - "Parameters": [ - { - "CIMType": "String", - "Name": "Id", + 
"Name": "EnterpriseCloudPrintDiscoveryEndPoint", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "UInt32", + "Name": "EnterpriseCloudPrintDiscoveryMaxLimit", + "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "EnterpriseCloudPrintMopriaDiscoveryResourceIdentifier", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AddingGameCenterFriendsBlocked", + "CIMType": "String", + "Name": "EnterpriseCloudPrintOAuthAuthority", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AirDropBlocked", + "CIMType": "String", + "Name": "EnterpriseCloudPrintOAuthClientIdentifier", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AppleWatchBlockAutoUnlock", + "CIMType": "String", + "Name": "EnterpriseCloudPrintResourceIdentifier", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CameraBlocked", + "Name": "ExperienceBlockDeviceDiscovery", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ClassroomAppBlockRemoteScreenObservation", + "Name": "ExperienceBlockErrorDialogWhenNoSIM", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ClassroomAppForceUnpromptedScreenObservation", + "Name": "ExperienceBlockTaskSwitcher", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ClassroomForceAutomaticallyJoinClasses", + "CIMType": "String", + "Name": "ExperienceDoNotSyncBrowserSettings", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ClassroomForceRequestPermissionToLeaveClasses", + "CIMType": "String", + "Name": "FindMyFiles", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ClassroomForceUnpromptedAppAndDeviceLock", + "Name": "GameDvrBlocked", "Option": "Write" }, { "CIMType": "String", - "Name": "CompliantAppListType", + "Name": "InkWorkspaceAccess", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphapplistitemMacOS[]", - "Name": "CompliantAppsList", + "CIMType": "String", + "Name": "InkWorkspaceAccessState", "Option": "Write" }, { "CIMType": 
"Boolean", - "Name": "ContentCachingBlocked", + "Name": "InkWorkspaceBlockSuggestedApps", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefinitionLookupBlocked", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "EmailInDomainSuffixes", + "Name": "InternetSharingBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EraseContentAndSettingsBlocked", + "Name": "LocationServicesBlocked", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "GameCenterBlocked", + "CIMType": "String", + "Name": "LockScreenActivateAppsWithVoice", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ICloudBlockActivityContinuation", + "Name": "LockScreenAllowTimeoutConfiguration", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ICloudBlockAddressBook", + "Name": "LockScreenBlockActionCenterNotifications", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ICloudBlockBookmarks", + "Name": "LockScreenBlockCortana", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ICloudBlockCalendar", + "Name": "LockScreenBlockToastNotifications", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ICloudBlockDocumentSync", + "CIMType": "UInt32", + "Name": "LockScreenTimeoutInSeconds", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ICloudBlockMail", + "Name": "LogonBlockFastUserSwitching", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ICloudBlockNotes", + "Name": "MessagingBlockMMS", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ICloudBlockPhotoLibrary", + "Name": "MessagingBlockRichCommunicationServices", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ICloudBlockReminders", + "Name": "MessagingBlockSync", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ICloudDesktopAndDocumentsBlocked", + "Name": "MicrosoftAccountBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ICloudPrivateRelayBlocked", + "Name": "MicrosoftAccountBlockSettingsSync", "Option": "Write" }, { - "CIMType": 
"Boolean", - "Name": "ITunesBlockFileSharing", + "CIMType": "String", + "Name": "MicrosoftAccountSignInAssistantSettings", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ITunesBlockMusicService", + "Name": "NetworkProxyApplySettingsDeviceWide", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "KeyboardBlockDictation", + "CIMType": "String", + "Name": "NetworkProxyAutomaticConfigurationUrl", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "KeychainBlockCloudSync", + "Name": "NetworkProxyDisableAutoDetect", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MultiplayerGamingBlocked", + "CIMType": "MSFT_MicrosoftGraphwindows10NetworkProxyServer", + "Name": "NetworkProxyServer", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasswordBlockAirDropSharing", + "Name": "NfcBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasswordBlockAutoFill", + "Name": "OneDriveDisableFileSync", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasswordBlockFingerprintUnlock", + "Name": "PasswordBlockSimple", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasswordBlockModification", + "CIMType": "UInt32", + "Name": "PasswordExpirationDays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasswordBlockProximityRequests", + "CIMType": "UInt32", + "Name": "PasswordMinimumAgeInDays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasswordBlockSimple", + "CIMType": "UInt32", + "Name": "PasswordMinimumCharacterSetCount", "Option": "Write" }, { "CIMType": "UInt32", - "Name": "PasswordExpirationDays", + "Name": "PasswordMinimumLength", "Option": "Write" }, { "CIMType": "UInt32", - "Name": "PasswordMaximumAttemptCount", + "Name": "PasswordMinutesOfInactivityBeforeScreenTimeout", "Option": "Write" }, { "CIMType": "UInt32", - "Name": "PasswordMinimumCharacterSetCount", + "Name": "PasswordPreviousPasswordBlockCount", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordMinimumLength", + 
"CIMType": "Boolean", + "Name": "PasswordRequired", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordMinutesOfInactivityBeforeLock", + "CIMType": "String", + "Name": "PasswordRequiredType", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordMinutesOfInactivityBeforeScreenTimeout", + "CIMType": "Boolean", + "Name": "PasswordRequireWhenResumeFromIdleState", "Option": "Write" }, { "CIMType": "UInt32", - "Name": "PasswordMinutesUntilFailedLoginReset", + "Name": "PasswordSignInFailureCountBeforeFactoryReset", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordPreviousPasswordBlockCount", + "CIMType": "String", + "Name": "PersonalizationDesktopImageUrl", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasswordRequired", + "CIMType": "String", + "Name": "PersonalizationLockScreenImageUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "PasswordRequiredType", + "Name": "PowerButtonActionOnBattery", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphmacosprivacyaccesscontrolitem[]", - "Name": "PrivacyAccessControls", + "CIMType": "String", + "Name": "PowerButtonActionPluggedIn", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SafariBlockAutofill", + "CIMType": "String", + "Name": "PowerHybridSleepOnBattery", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ScreenCaptureBlocked", + "CIMType": "String", + "Name": "PowerHybridSleepPluggedIn", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "SoftwareUpdateMajorOSDeferredInstallDelayInDays", + "CIMType": "String", + "Name": "PowerLidCloseActionOnBattery", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "SoftwareUpdateMinorOSDeferredInstallDelayInDays", + "CIMType": "String", + "Name": "PowerLidCloseActionPluggedIn", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "SoftwareUpdateNonOSDeferredInstallDelayInDays", + "CIMType": "String", + "Name": "PowerSleepButtonActionOnBattery", "Option": "Write" }, { - "CIMType": 
"UInt32", - "Name": "SoftwareUpdatesEnforcedDelayInDays", + "CIMType": "String", + "Name": "PowerSleepButtonActionPluggedIn", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SpotlightBlockInternetResults", + "Name": "PrinterBlockAddition", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "TouchIdTimeoutInHours", + "CIMType": "String", + "Name": "PrinterDefaultName", "Option": "Write" }, { "CIMType": "String[]", - "Name": "UpdateDelayPolicy", + "Name": "PrinterNames", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WallpaperModificationBlocked", + "CIMType": "String", + "Name": "PrivacyAdvertisingId", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "PrivacyAutoAcceptPairingAndConsentPrompts", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "PrivacyBlockActivityFeed", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "PrivacyBlockInputPersonalization", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "PrivacyBlockPublishUserActivities", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "PrivacyDisableLaunchExperience", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "ResetProtectionModeBlocked", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "SafeSearchFilter", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "ScreenCaptureBlocked", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "SearchBlockDiacritics", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphDefenderDetectedMalwareActions1", - 
"Parameters": [ + }, { - "CIMType": "String", - "Name": "HighSeverity", + "CIMType": "Boolean", + "Name": "SearchBlockWebResults", "Option": "Write" }, { - "CIMType": "String", - "Name": "LowSeverity", + "CIMType": "Boolean", + "Name": "SearchDisableAutoLanguageDetection", "Option": "Write" }, { - "CIMType": "String", - "Name": "ModerateSeverity", + "CIMType": "Boolean", + "Name": "SearchDisableIndexerBackoff", "Option": "Write" }, { - "CIMType": "String", - "Name": "SevereSeverity", + "CIMType": "Boolean", + "Name": "SearchDisableIndexingEncryptedItems", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphEdgeHomeButtonConfiguration", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "HomeButtonCustomURL", + "CIMType": "Boolean", + "Name": "SearchDisableIndexingRemovableDrive", "Option": "Write" }, { - "CIMType": "String", - "Name": "odataType", + "CIMType": "Boolean", + "Name": "SearchDisableLocation", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphEdgeSearchEngineBase", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "EdgeSearchEngineType", + "CIMType": "Boolean", + "Name": "SearchDisableUseLocation", "Option": "Write" }, { - "CIMType": "String", - "Name": "EdgeSearchEngineOpenSearchXmlUrl", + "CIMType": "Boolean", + "Name": "SearchEnableAutomaticIndexSizeManangement", "Option": "Write" }, { - "CIMType": "String", - "Name": "odataType", + "CIMType": "Boolean", + "Name": "SearchEnableRemoteQueries", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphWindows10NetworkProxyServer", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "Address", + "CIMType": "Boolean", + "Name": "SecurityBlockAzureADJoinedDevicesAutoEncryption", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Exceptions", + "CIMType": "Boolean", + "Name": "SettingsBlockAccountsPage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "UseForLocalAddresses", + "Name": 
"SettingsBlockAddProvisioningPackage", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphWindows10AppsForceUpdateSchedule", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "Recurrence", + "CIMType": "Boolean", + "Name": "SettingsBlockAppsPage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RunImmediatelyIfAfterStartDateTime", + "Name": "SettingsBlockChangeLanguage", "Option": "Write" }, { - "CIMType": "String", - "Name": "StartDateTime", + "CIMType": "Boolean", + "Name": "SettingsBlockChangePowerSleep", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationPolicyWindows10", - "Parameters": [ + }, { "CIMType": "Boolean", - "Name": "AccountsBlockAddingNonMicrosoftAccountEmail", + "Name": "SettingsBlockChangeRegion", "Option": "Write" }, { - "CIMType": "String", - "Name": "ActivateAppsWithVoice", + "CIMType": "Boolean", + "Name": "SettingsBlockChangeSystemTime", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AntiTheftModeBlocked", + "Name": "SettingsBlockDevicesPage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AppManagementMSIAllowUserControlOverInstall", + "Name": "SettingsBlockEaseOfAccessPage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AppManagementMSIAlwaysInstallWithElevatedPrivileges", + "Name": "SettingsBlockEditDeviceName", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AppManagementPackageFamilyNamesToLaunchAfterLogOn", + "CIMType": "Boolean", + "Name": "SettingsBlockGamingPage", "Option": "Write" }, { - "CIMType": "String", - "Name": "AppsAllowTrustedAppsSideloading", + "CIMType": "Boolean", + "Name": "SettingsBlockNetworkInternetPage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AppsBlockWindowsStoreOriginatedApps", + "Name": "SettingsBlockPersonalizationPage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AuthenticationAllowSecondaryDevice", + "Name": "SettingsBlockPrivacyPage", "Option": "Write" }, { - "CIMType": 
"String", - "Name": "AuthenticationPreferredAzureADTenantDomainName", + "CIMType": "Boolean", + "Name": "SettingsBlockRemoveProvisioningPackage", "Option": "Write" }, { - "CIMType": "String", - "Name": "AuthenticationWebSignIn", + "CIMType": "Boolean", + "Name": "SettingsBlockSettingsApp", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BluetoothAllowedServices", + "CIMType": "Boolean", + "Name": "SettingsBlockSystemPage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "BluetoothBlockAdvertising", + "Name": "SettingsBlockTimeLanguagePage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "BluetoothBlockDiscoverableMode", + "Name": "SettingsBlockUpdateSecurityPage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "BluetoothBlocked", + "Name": "SharedUserAppDataAllowed", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SmartScreenAppInstallControl", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "BluetoothBlockPrePairing", + "Name": "SmartScreenBlockPromptOverride", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "BluetoothBlockPromptedProximalConnections", + "Name": "SmartScreenBlockPromptOverrideForFiles", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CameraBlocked", + "Name": "SmartScreenEnableAppInstallControl", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CellularBlockDataWhenRoaming", + "Name": "StartBlockUnpinningAppsFromTaskbar", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "StartMenuAppListVisibility", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CellularBlockVpn", + "Name": "StartMenuHideChangeAccountSettings", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CellularBlockVpnWhenRoaming", + "Name": "StartMenuHideFrequentlyUsedApps", "Option": "Write" }, { - "CIMType": "String", - "Name": "CellularData", + "CIMType": "Boolean", + "Name": "StartMenuHideHibernate", "Option": "Write" }, { "CIMType": "Boolean", - "Name": 
"CertificatesBlockManualRootCertificateInstallation", + "Name": "StartMenuHideLock", "Option": "Write" }, { - "CIMType": "String", - "Name": "ConfigureTimeZone", + "CIMType": "Boolean", + "Name": "StartMenuHidePowerButton", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ConnectedDevicesServiceBlocked", + "Name": "StartMenuHideRecentJumpLists", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CopyPasteBlocked", + "Name": "StartMenuHideRecentlyAddedApps", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CortanaBlocked", + "Name": "StartMenuHideRestartOptions", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CryptographyAllowFipsAlgorithmPolicy", + "Name": "StartMenuHideShutDown", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DataProtectionBlockDirectMemoryAccess", + "Name": "StartMenuHideSignOut", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderBlockEndUserAccess", + "Name": "StartMenuHideSleep", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderBlockOnAccessProtection", + "Name": "StartMenuHideSwitchAccount", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderCloudBlockLevel", + "CIMType": "Boolean", + "Name": "StartMenuHideUserTile", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "DefenderCloudExtendedTimeout", + "CIMType": "String", + "Name": "StartMenuLayoutEdgeAssetsXml", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "DefenderCloudExtendedTimeoutInSeconds", + "CIMType": "String", + "Name": "StartMenuLayoutXml", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "DefenderDaysBeforeDeletingQuarantinedMalware", + "CIMType": "String", + "Name": "StartMenuMode", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdefenderDetectedMalwareActions1", - "Name": "DefenderDetectedMalwareActions", + "CIMType": "String", + "Name": "StartMenuPinnedFolderDocuments", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderDisableCatchupFullScan", + 
"CIMType": "String", + "Name": "StartMenuPinnedFolderDownloads", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefenderDisableCatchupQuickScan", + "CIMType": "String", + "Name": "StartMenuPinnedFolderFileExplorer", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DefenderFileExtensionsToExclude", + "CIMType": "String", + "Name": "StartMenuPinnedFolderHomeGroup", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DefenderFilesAndFoldersToExclude", + "CIMType": "String", + "Name": "StartMenuPinnedFolderMusic", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderMonitorFileActivity", + "Name": "StartMenuPinnedFolderNetwork", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderPotentiallyUnwantedAppAction", + "Name": "StartMenuPinnedFolderPersonalFolder", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderPotentiallyUnwantedAppActionSetting", + "Name": "StartMenuPinnedFolderPictures", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DefenderProcessesToExclude", + "CIMType": "String", + "Name": "StartMenuPinnedFolderSettings", "Option": "Write" }, { "CIMType": "String", - "Name": "DefenderPromptForSampleSubmission", + "Name": "StartMenuPinnedFolderVideos", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderRequireBehaviorMonitoring", + "Name": "StorageBlockRemovableStorage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderRequireCloudProtection", + "Name": "StorageRequireMobileDeviceEncryption", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderRequireNetworkInspectionSystem", + "Name": "StorageRestrictAppDataToSystemVolume", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderRequireRealTimeMonitoring", + "Name": "StorageRestrictAppInstallToSystemVolume", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SystemTelemetryProxyServer", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderScanArchiveFiles", + "Name": 
"TaskManagerBlockEndTask", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderScanDownloads", + "Name": "TenantLockdownRequireNetworkDuringOutOfBoxExperience", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderScanIncomingMail", + "Name": "UninstallBuiltInApps", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderScanMappedNetworkDrivesDuringFullScan", + "Name": "UsbBlocked", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "DefenderScanMaxCpu", + "CIMType": "Boolean", + "Name": "VoiceRecordingBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderScanNetworkFiles", + "Name": "WebRtcBlockLocalhostIpAddress", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderScanRemovableDrivesDuringFullScan", + "Name": "WiFiBlockAutomaticConnectHotspots", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderScanScriptsLoadedInInternetExplorer", + "Name": "WiFiBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderScanType", + "CIMType": "Boolean", + "Name": "WiFiBlockManualConfiguration", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderScheduledQuickScanTime", + "CIMType": "UInt32", + "Name": "WiFiScanInterval", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderScheduledScanTime", + "CIMType": "MSFT_MicrosoftGraphwindows10AppsForceUpdateSchedule", + "Name": "Windows10AppsForceUpdateSchedule", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DefenderScheduleScanEnableLowCpuPriority", + "Name": "WindowsSpotlightBlockConsumerSpecificFeatures", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "DefenderSignatureUpdateIntervalInHours", + "CIMType": "Boolean", + "Name": "WindowsSpotlightBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "DefenderSubmitSamplesConsentType", + "CIMType": "Boolean", + "Name": "WindowsSpotlightBlockOnActionCenter", "Option": "Write" }, { - "CIMType": "String", - "Name": 
"DefenderSystemScanSchedule", + "CIMType": "Boolean", + "Name": "WindowsSpotlightBlockTailoredExperiences", "Option": "Write" }, { - "CIMType": "String", - "Name": "DeveloperUnlockSetting", + "CIMType": "Boolean", + "Name": "WindowsSpotlightBlockThirdPartyNotifications", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DeviceManagementBlockFactoryResetOnMobile", + "Name": "WindowsSpotlightBlockWelcomeExperience", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "DeviceManagementBlockManualUnenroll", + "Name": "WindowsSpotlightBlockWindowsTips", "Option": "Write" }, { "CIMType": "String", - "Name": "DiagnosticsDataSubmissionMode", + "Name": "WindowsSpotlightConfigureOnLockScreen", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DisplayAppListWithGdiDPIScalingTurnedOff", + "CIMType": "Boolean", + "Name": "WindowsStoreBlockAutoUpdate", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DisplayAppListWithGdiDPIScalingTurnedOn", + "CIMType": "Boolean", + "Name": "WindowsStoreBlocked", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EdgeAllowStartPagesModification", + "Name": "WindowsStoreEnablePrivateStoreOnly", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EdgeBlockAccessToAboutFlags", + "Name": "WirelessDisplayBlockProjectionToThisDevice", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EdgeBlockAddressBarDropdown", + "Name": "WirelessDisplayBlockUserInputFromReceiver", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EdgeBlockAutofill", + "Name": "WirelessDisplayRequirePinForPairing", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockCompatibilityList", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, { "CIMType": "Boolean", - "Name": "EdgeBlockDeveloperTools", + "Name": "SupportsScopeTags", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlocked", + "CIMType": "String", + 
"Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockEditFavorites", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockExtensions", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockFullScreenMode", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockInPrivateBrowsing", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockJavaScript", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockLiveTileDataCollection", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockPasswordManager", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EdgeBlockPopups", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockPrelaunch", + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationScepCertificatePolicyWindows10", + "Parameters": [ + { + "CIMType": "String", + "Name": "CertificateStore", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockPrinting", + "CIMType": "String", + "Name": "HashAlgorithm", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockSavingHistory", + "CIMType": "String", + "Name": "KeySize", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockSearchEngineCustomization", + "CIMType": "String[]", + "Name": "KeyUsage", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockSearchSuggestions", + "CIMType": "String[]", + "Name": "ScepServerUrls", "Option": "Write" }, { 
- "CIMType": "Boolean", - "Name": "EdgeBlockSendingDoNotTrackHeader", + "CIMType": "String", + "Name": "SubjectAlternativeNameFormatString", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockSendingIntranetTrafficToInternetExplorer", + "CIMType": "String", + "Name": "SubjectNameFormatString", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockSideloadingExtensions", + "CIMType": "MSFT_MicrosoftGraphcustomSubjectAlternativeName[]", + "Name": "CustomSubjectAlternativeNames", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockTabPreloading", + "CIMType": "MSFT_MicrosoftGraphextendedKeyUsage[]", + "Name": "ExtendedKeyUsages", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeBlockWebContentOnNewTabPage", + "CIMType": "String", + "Name": "CertificateValidityPeriodScale", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeClearBrowsingDataOnExit", + "CIMType": "UInt32", + "Name": "CertificateValidityPeriodValue", "Option": "Write" }, { "CIMType": "String", - "Name": "EdgeCookiePolicy", + "Name": "KeyStorageProvider", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgeDisableFirstRunPage", + "CIMType": "UInt32", + "Name": "RenewalThresholdPercentage", "Option": "Write" }, { "CIMType": "String", - "Name": "EdgeEnterpriseModeSiteListLocation", + "Name": "SubjectAlternativeNameType", "Option": "Write" }, { "CIMType": "String", - "Name": "EdgeFavoritesBarVisibility", + "Name": "SubjectNameFormat", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RootCertificateDisplayName", "Option": "Write" }, { "CIMType": "String", - "Name": "EdgeFavoritesListLocation", + "Name": "RootCertificateId", "Option": "Write" }, { "CIMType": "String", - "Name": "EdgeFirstRunUrl", + "Name": "Description", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphedgeHomeButtonConfiguration", - "Name": "EdgeHomeButtonConfiguration", - "Option": "Write" + "CIMType": "String", + "Name": "DisplayName", + 
"Option": "Key" }, { - "CIMType": "Boolean", - "Name": "EdgeHomeButtonConfigurationEnabled", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EdgeHomepageUrls", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String", - "Name": "EdgeKioskModeRestriction", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "EdgeKioskResetAfterIdleTimeInMinutes", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "EdgeNewTabPageURL", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "EdgeOpensWith", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EdgePreventCertificateErrorOverride", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "EdgeRequiredExtensionPackageFamilyNames", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EdgeRequireSmartScreen", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphedgeSearchEngineBase", - "Name": "EdgeSearchEngine", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10", + "Parameters": [ { "CIMType": "Boolean", - "Name": "EdgeSendIntranetTrafficToInternetExplorer", + "Name": "AllowPrinting", "Option": "Write" }, { - "CIMType": "String", - "Name": "EdgeShowMessageWhenOpeningInternetExplorerSites", + "CIMType": "Boolean", + "Name": "AllowScreenCapture", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EdgeSyncFavoritesWithInternetExplorer", + "Name": "AllowTextSuggestion", "Option": "Write" }, { "CIMType": "String", - "Name": "EdgeTelemetryForMicrosoft365Analytics", + 
"Name": "AssessmentAppUserModelId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableAutomaticRedeployment", + "CIMType": "String", + "Name": "ConfigurationAccount", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "EnergySaverOnBatteryThresholdPercentage", + "CIMType": "String", + "Name": "ConfigurationAccountType", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "EnergySaverPluggedInThresholdPercentage", + "CIMType": "String", + "Name": "LaunchUri", "Option": "Write" }, { "CIMType": "String", - "Name": "EnterpriseCloudPrintDiscoveryEndPoint", + "Name": "LocalGuestAccountName", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "EnterpriseCloudPrintDiscoveryMaxLimit", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "EnterpriseCloudPrintMopriaDiscoveryResourceIdentifier", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "EnterpriseCloudPrintOAuthAuthority", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String", - "Name": "EnterpriseCloudPrintOAuthClientIdentifier", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String", - "Name": "EnterpriseCloudPrintResourceIdentifier", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ExperienceBlockDeviceDiscovery", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ExperienceBlockErrorDialogWhenNoSIM", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ExperienceBlockTaskSwitcher", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "ExperienceDoNotSyncBrowserSettings", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": 
"FindMyFiles", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "GameDvrBlocked", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "InkWorkspaceAccess", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphSharedPCAccountManagerPolicy", + "Parameters": [ { "CIMType": "String", - "Name": "InkWorkspaceAccessState", + "Name": "AccountDeletionPolicy", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "InkWorkspaceBlockSuggestedApps", + "CIMType": "UInt32", + "Name": "CacheAccountsAboveDiskFreePercentage", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "InternetSharingBlocked", + "CIMType": "UInt32", + "Name": "InactiveThresholdDays", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LocationServicesBlocked", + "CIMType": "UInt32", + "Name": "RemoveAccountsBelowDiskFreePercentage", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10", + "Parameters": [ { - "CIMType": "String", - "Name": "LockScreenActivateAppsWithVoice", + "CIMType": "MSFT_MicrosoftGraphsharedPCAccountManagerPolicy", + "Name": "AccountManagerPolicy", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "LockScreenAllowTimeoutConfiguration", + "CIMType": "String[]", + "Name": "AllowedAccounts", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "LockScreenBlockActionCenterNotifications", + "Name": "AllowLocalStorage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "LockScreenBlockCortana", + "Name": "DisableAccountManager", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "LockScreenBlockToastNotifications", + "Name": "DisableEduPolicies", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "LockScreenTimeoutInSeconds", + "CIMType": "Boolean", + "Name": "DisablePowerPolicies", "Option": "Write" }, { "CIMType": "Boolean", - "Name": 
"LogonBlockFastUserSwitching", + "Name": "DisableSignInOnResume", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "MessagingBlockMMS", + "Name": "Enabled", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MessagingBlockRichCommunicationServices", + "CIMType": "String", + "Name": "FastFirstSignIn", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MessagingBlockSync", + "CIMType": "UInt32", + "Name": "IdleTimeBeforeSleepInSeconds", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MicrosoftAccountBlocked", + "CIMType": "String", + "Name": "KioskAppDisplayName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MicrosoftAccountBlockSettingsSync", + "CIMType": "String", + "Name": "KioskAppUserModelId", "Option": "Write" }, { "CIMType": "String", - "Name": "MicrosoftAccountSignInAssistantSettings", + "Name": "LocalStorage", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "NetworkProxyApplySettingsDeviceWide", + "CIMType": "String", + "Name": "MaintenanceStartTime", "Option": "Write" }, { "CIMType": "String", - "Name": "NetworkProxyAutomaticConfigurationUrl", + "Name": "SetAccountManager", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "NetworkProxyDisableAutoDetect", + "CIMType": "String", + "Name": "SetEduPolicies", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindows10NetworkProxyServer", - "Name": "NetworkProxyServer", + "CIMType": "String", + "Name": "SetPowerPolicies", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "NfcBlocked", + "CIMType": "String", + "Name": "SignInOnResume", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OneDriveDisableFileSync", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasswordBlockSimple", - "Option": "Write" + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "UInt32", - "Name": "PasswordExpirationDays", + "CIMType": "String", + "Name": "Id", "Option": 
"Write" }, { - "CIMType": "UInt32", - "Name": "PasswordMinimumAgeInDays", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordMinimumCharacterSetCount", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordMinimumLength", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordMinutesOfInactivityBeforeScreenTimeout", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordPreviousPasswordBlockCount", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PasswordRequired", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "PasswordRequiredType", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PasswordRequireWhenResumeFromIdleState", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PasswordSignInFailureCountBeforeFactoryReset", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10", + "Parameters": [ { "CIMType": "String", - "Name": "PersonalizationDesktopImageUrl", + "Name": "CertFileName", "Option": "Write" }, { "CIMType": "String", - "Name": "PersonalizationLockScreenImageUrl", + "Name": "DestinationStore", "Option": "Write" }, { "CIMType": "String", - "Name": "PowerButtonActionOnBattery", + "Name": "TrustedRootCertificate", "Option": "Write" }, { "CIMType": "String", - "Name": "PowerButtonActionPluggedIn", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "PowerHybridSleepOnBattery", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" 
}, { "CIMType": "String", - "Name": "PowerHybridSleepPluggedIn", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String", - "Name": "PowerLidCloseActionOnBattery", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String", - "Name": "PowerLidCloseActionPluggedIn", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "PowerSleepButtonActionOnBattery", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "PowerSleepButtonActionPluggedIn", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "PrinterBlockAddition", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "PrinterDefaultName", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "PrinterNames", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "PrivacyAdvertisingId", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "PrivacyAutoAcceptPairingAndConsentPrompts", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PrivacyBlockActivityFeed", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindows10AssociatedApps", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "PrivacyBlockInputPersonalization", + "CIMType": "String", + "Name": "AppType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PrivacyBlockPublishUserActivities", + "CIMType": "String", + "Name": "Identifier", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphCryptographySuite", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "PrivacyDisableLaunchExperience", + "CIMType": "String", + "Name": "AuthenticationTransformConstants", "Option": 
"Write" }, { - "CIMType": "Boolean", - "Name": "ResetProtectionModeBlocked", + "CIMType": "String", + "Name": "CipherTransformConstants", "Option": "Write" }, { "CIMType": "String", - "Name": "SafeSearchFilter", + "Name": "DhGroup", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ScreenCaptureBlocked", + "CIMType": "String", + "Name": "EncryptionMethod", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SearchBlockDiacritics", + "CIMType": "String", + "Name": "IntegrityCheckMethod", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SearchBlockWebResults", + "CIMType": "String", + "Name": "PfsGroup", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphVpnDnsRule", + "Parameters": [ { "CIMType": "Boolean", - "Name": "SearchDisableAutoLanguageDetection", + "Name": "AutoTrigger", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SearchDisableIndexerBackoff", + "CIMType": "String", + "Name": "Name", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SearchDisableIndexingEncryptedItems", + "Name": "Persistent", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SearchDisableIndexingRemovableDrive", + "CIMType": "String", + "Name": "ProxyServerUri", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SearchDisableLocation", + "CIMType": "String[]", + "Name": "Servers", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphWindows10VpnProxyServer", + "Parameters": [ { "CIMType": "Boolean", - "Name": "SearchDisableUseLocation", + "Name": "BypassProxyServerForLocalAddress", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SearchEnableAutomaticIndexSizeManangement", + "CIMType": "String", + "Name": "Address", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SearchEnableRemoteQueries", + "CIMType": "String", + "Name": "AutomaticConfigurationScriptUrl", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SecurityBlockAzureADJoinedDevicesAutoEncryption", + 
"CIMType": "UInt32", + "Name": "Port", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SettingsBlockAccountsPage", + "Name": "AutomaticallyDetectProxySettings", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockAddProvisioningPackage", + "CIMType": "String", + "Name": "odataType", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphVpnRoute", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "SettingsBlockAppsPage", + "CIMType": "String", + "Name": "DestinationPrefix", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockChangeLanguage", + "CIMType": "UInt32", + "Name": "PrefixSize", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphVpnTrafficRule", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "SettingsBlockChangePowerSleep", + "CIMType": "String", + "Name": "AppId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockChangeRegion", + "CIMType": "String", + "Name": "AppType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockChangeSystemTime", + "CIMType": "String", + "Name": "Claims", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockDevicesPage", + "CIMType": "MSFT_MicrosoftGraphIPv4Range[]", + "Name": "LocalAddressRanges", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockEaseOfAccessPage", + "CIMType": "MSFT_MicrosoftGraphNumberRange[]", + "Name": "LocalPortRanges", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockEditDeviceName", + "CIMType": "String", + "Name": "Name", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockGamingPage", + "CIMType": "UInt32", + "Name": "Protocols", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockNetworkInternetPage", + "CIMType": "MSFT_MicrosoftGraphIPv4Range[]", + "Name": "RemoteAddressRanges", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": 
"SettingsBlockPersonalizationPage", + "CIMType": "MSFT_MicrosoftGraphNumberRange[]", + "Name": "RemotePortRanges", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockPrivacyPage", + "CIMType": "String", + "Name": "RoutingPolicyType", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockRemoveProvisioningPackage", + "CIMType": "String", + "Name": "VpnTrafficDirection", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphIPv4Range", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "SettingsBlockSettingsApp", + "CIMType": "String", + "Name": "LowerAddress", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockSystemPage", + "CIMType": "String", + "Name": "UpperAddress", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockTimeLanguagePage", + "CIMType": "String", + "Name": "CidrAddress", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockUpdateSecurityPage", + "CIMType": "String", + "Name": "odataType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphNumberRange", + "Parameters": [ + { + "CIMType": "UInt32", + "Name": "LowerNumber", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SharedUserAppDataAllowed", + "CIMType": "UInt32", + "Name": "UpperNumber", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphVpnServer", + "Parameters": [ + { + "CIMType": "String", + "Name": "Address", "Option": "Write" }, { "CIMType": "String", - "Name": "SmartScreenAppInstallControl", + "Name": "Description", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SmartScreenBlockPromptOverride", + "Name": "IsDefaultServer", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationVpnPolicyWindows10", + "Parameters": [ { - "CIMType": "Boolean", - "Name": "SmartScreenBlockPromptOverrideForFiles", + "CIMType": "MSFT_MicrosoftGraphwindows10AssociatedApps[]", + "Name": "AssociatedApps", 
"Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SmartScreenEnableAppInstallControl", + "CIMType": "String", + "Name": "AuthenticationMethod", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StartBlockUnpinningAppsFromTaskbar", + "CIMType": "String", + "Name": "ConnectionType", "Option": "Write" }, { - "CIMType": "String", - "Name": "StartMenuAppListVisibility", + "CIMType": "MSFT_MicrosoftGraphcryptographySuite", + "Name": "CryptographySuite", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StartMenuHideChangeAccountSettings", + "CIMType": "MSFT_MicrosoftGraphvpnDnsRule[]", + "Name": "DnsRules", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StartMenuHideFrequentlyUsedApps", + "CIMType": "String[]", + "Name": "DnsSuffixes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StartMenuHideHibernate", + "CIMType": "String", + "Name": "EapXml", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StartMenuHideLock", + "Name": "EnableAlwaysOn", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StartMenuHidePowerButton", + "Name": "EnableConditionalAccess", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StartMenuHideRecentJumpLists", + "Name": "EnableDeviceTunnel", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StartMenuHideRecentlyAddedApps", + "Name": "EnableDnsRegistration", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StartMenuHideRestartOptions", + "Name": "EnableSingleSignOnWithAlternateCertificate", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StartMenuHideShutDown", + "Name": "EnableSplitTunneling", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StartMenuHideSignOut", + "CIMType": "String", + "Name": "MicrosoftTunnelSiteId", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "StartMenuHideSleep", + "Name": "OnlyAssociatedAppsCanUseConnection", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StartMenuHideSwitchAccount", + "CIMType": "String", + 
"Name": "ProfileTarget", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StartMenuHideUserTile", + "CIMType": "MSFT_MicrosoftGraphwindows10VpnProxyServer", + "Name": "ProxyServer", "Option": "Write" }, { - "CIMType": "String", - "Name": "StartMenuLayoutEdgeAssetsXml", + "CIMType": "Boolean", + "Name": "RememberUserCredentials", "Option": "Write" }, { - "CIMType": "String", - "Name": "StartMenuLayoutXml", + "CIMType": "MSFT_MicrosoftGraphvpnRoute[]", + "Name": "Routes", "Option": "Write" }, { - "CIMType": "String", - "Name": "StartMenuMode", + "CIMType": "MSFT_MicrosoftGraphextendedKeyUsage", + "Name": "SingleSignOnEku", "Option": "Write" }, { "CIMType": "String", - "Name": "StartMenuPinnedFolderDocuments", + "Name": "SingleSignOnIssuerHash", "Option": "Write" }, { - "CIMType": "String", - "Name": "StartMenuPinnedFolderDownloads", + "CIMType": "MSFT_MicrosoftGraphvpnTrafficRule[]", + "Name": "TrafficRules", "Option": "Write" }, { - "CIMType": "String", - "Name": "StartMenuPinnedFolderFileExplorer", + "CIMType": "String[]", + "Name": "TrustedNetworkDomains", "Option": "Write" }, { "CIMType": "String", - "Name": "StartMenuPinnedFolderHomeGroup", + "Name": "WindowsInformationProtectionDomain", "Option": "Write" }, { "CIMType": "String", - "Name": "StartMenuPinnedFolderMusic", + "Name": "ConnectionName", "Option": "Write" }, { "CIMType": "String", - "Name": "StartMenuPinnedFolderNetwork", + "Name": "CustomXml", "Option": "Write" }, { - "CIMType": "String", - "Name": "StartMenuPinnedFolderPersonalFolder", + "CIMType": "MSFT_MicrosoftGraphvpnServer[]", + "Name": "ServerCollection", "Option": "Write" }, { "CIMType": "String", - "Name": "StartMenuPinnedFolderPictures", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "StartMenuPinnedFolderSettings", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "StartMenuPinnedFolderVideos", + "Name": "Id", "Option": "Write" }, { - "CIMType": 
"Boolean", - "Name": "StorageBlockRemovableStorage", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StorageRequireMobileDeviceEncryption", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StorageRestrictAppDataToSystemVolume", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "StorageRestrictAppInstallToSystemVolume", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "SystemTelemetryProxyServer", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "TaskManagerBlockEndTask", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "TenantLockdownRequireNetworkDuringOutOfBoxExperience", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "UninstallBuiltInApps", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "UsbBlocked", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10", + "Parameters": [ { "CIMType": "Boolean", - "Name": "VoiceRecordingBlocked", + "Name": "AzureOperationalInsightsBlockTelemetry", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WebRtcBlockLocalhostIpAddress", + "CIMType": "String", + "Name": "AzureOperationalInsightsWorkspaceId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WiFiBlockAutomaticConnectHotspots", + "CIMType": "String", + "Name": "AzureOperationalInsightsWorkspaceKey", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WiFiBlocked", + "Name": "ConnectAppBlockAutoLaunch", "Option": "Write" }, { "CIMType": "Boolean", - "Name": 
"WiFiBlockManualConfiguration", + "Name": "MaintenanceWindowBlocked", "Option": "Write" }, { "CIMType": "UInt32", - "Name": "WiFiScanInterval", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphwindows10AppsForceUpdateSchedule", - "Name": "Windows10AppsForceUpdateSchedule", + "Name": "MaintenanceWindowDurationInHours", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WindowsSpotlightBlockConsumerSpecificFeatures", + "CIMType": "String", + "Name": "MaintenanceWindowStartTime", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WindowsSpotlightBlocked", + "Name": "MiracastBlocked", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WindowsSpotlightBlockOnActionCenter", + "CIMType": "String", + "Name": "MiracastChannel", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WindowsSpotlightBlockTailoredExperiences", + "Name": "MiracastRequirePin", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WindowsSpotlightBlockThirdPartyNotifications", + "Name": "SettingsBlockMyMeetingsAndFiles", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WindowsSpotlightBlockWelcomeExperience", + "Name": "SettingsBlockSessionResume", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WindowsSpotlightBlockWindowsTips", + "Name": "SettingsBlockSigninSuggestions", "Option": "Write" }, { - "CIMType": "String", - "Name": "WindowsSpotlightConfigureOnLockScreen", + "CIMType": "UInt32", + "Name": "SettingsDefaultVolume", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WindowsStoreBlockAutoUpdate", + "CIMType": "UInt32", + "Name": "SettingsScreenTimeoutInMinutes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WindowsStoreBlocked", + "CIMType": "UInt32", + "Name": "SettingsSessionTimeoutInMinutes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WindowsStoreEnablePrivateStoreOnly", + "CIMType": "UInt32", + "Name": "SettingsSleepTimeoutInMinutes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": 
"WirelessDisplayBlockProjectionToThisDevice", + "CIMType": "String", + "Name": "WelcomeScreenBackgroundImageUrl", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "WirelessDisplayBlockUserInputFromReceiver", + "Name": "WelcomeScreenBlockAutomaticWakeUp", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WirelessDisplayRequirePinForPairing", + "CIMType": "String", + "Name": "WelcomeScreenMeetingInformation", "Option": "Write" }, { 
@@ -32295,196 +38061,151 @@ ] }, { - "ClassName": "MSFT_IntuneDeviceConfigurationScepCertificatePolicyWindows10", + "ClassName": "MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10", "Parameters": [ { - "CIMType": "String", - "Name": "CertificateStore", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "HashAlgorithm", + "CIMType": "UInt32", + "Name": "AuthenticationBlockPeriodInMinutes", "Option": "Write" }, { "CIMType": "String", - "Name": "KeySize", + "Name": "AuthenticationMethod", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "KeyUsage", + "CIMType": "UInt32", + "Name": "AuthenticationPeriodInSeconds", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ScepServerUrls", + "CIMType": "UInt32", + "Name": "AuthenticationRetryDelayPeriodInSeconds", "Option": "Write" }, { "CIMType": "String", - "Name": "SubjectAlternativeNameFormatString", + "Name": "AuthenticationType", "Option": "Write" }, { - "CIMType": "String", - "Name": "SubjectNameFormatString", + "CIMType": "Boolean", + "Name": "CacheCredentials", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphcustomSubjectAlternativeName[]", - "Name": "CustomSubjectAlternativeNames", + "CIMType": "Boolean", + "Name": "DisableUserPromptForServerValidation", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphextendedKeyUsage[]", - "Name": "ExtendedKeyUsages", + "CIMType": "UInt32", + "Name": "EapolStartPeriodInSeconds", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateValidityPeriodScale", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "CertificateValidityPeriodValue", + "Name": "EapType", "Option": "Write" }, { - "CIMType": "String", - "Name": "KeyStorageProvider", + "CIMType": "Boolean", + "Name": "Enforce8021X", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "RenewalThresholdPercentage", + "CIMType": "Boolean", + "Name": "ForceFIPSCompliance", "Option": "Write" }, { "CIMType": "String", - "Name": "SubjectAlternativeNameType", + 
"Name": "InnerAuthenticationProtocolForEAPTTLS", "Option": "Write" }, { - "CIMType": "String", - "Name": "SubjectNameFormat", + "CIMType": "UInt32", + "Name": "MaximumAuthenticationFailures", "Option": "Write" }, { - "CIMType": "String", - "Name": "RootCertificateDisplayName", + "CIMType": "UInt32", + "Name": "MaximumEAPOLStartMessages", "Option": "Write" }, { "CIMType": "String", - "Name": "RootCertificateId", + "Name": "OuterIdentityPrivacyTemporaryValue", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "PerformServerValidation", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "Boolean", + "Name": "RequireCryptographicBinding", + "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "SecondaryAuthenticationMethod", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String[]", + "Name": "TrustedServerCertificateNames", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String[]", + "Name": "RootCertificatesForServerValidationIds", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String[]", + "Name": "RootCertificatesForServerValidationDisplayNames", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "IdentityCertificateForClientAuthenticationId", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", - "Option": "Write" - }, - { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "Name": "IdentityCertificateForClientAuthenticationDisplayName", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ManagedIdentity", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": 
"MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10", - "Parameters": [ - { - "CIMType": "Boolean", - "Name": "AllowPrinting", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "AllowScreenCapture", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "AllowTextSuggestion", + "Name": "SecondaryIdentityCertificateForClientAuthenticationId", "Option": "Write" }, { "CIMType": "String", - "Name": "AssessmentAppUserModelId", + "Name": "SecondaryIdentityCertificateForClientAuthenticationDisplayName", "Option": "Write" }, { "CIMType": "String", - "Name": "ConfigurationAccount", + "Name": "RootCertificateForClientValidationId", "Option": "Write" }, { "CIMType": "String", - "Name": "ConfigurationAccountType", + "Name": "RootCertificateForClientValidationDisplayName", "Option": "Write" }, { "CIMType": "String", - "Name": "LaunchUri", + "Name": "SecondaryRootCertificateForClientValidationId", "Option": "Write" }, { "CIMType": "String", - "Name": "LocalGuestAccountName", + "Name": "SecondaryRootCertificateForClientValidationDisplayName", "Option": "Write" }, { 
@@ -32550,216 +38271,256 @@ ] }, { - "ClassName": "MSFT_MicrosoftGraphSharedPCAccountManagerPolicy", + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule", "Parameters": [ { - "CIMType": "String", - "Name": "AccountDeletionPolicy", + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry[]", + "Name": "Entry", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "CacheAccountsAboveDiskFreePercentage", + "CIMType": "String", + "Name": "Name", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "InactiveThresholdDays", + "CIMType": "String[]", + "Name": "ExcludedIdList_GroupId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "RemoveAccountsBelowDiskFreePercentage", + "CIMType": "String[]", + "Name": "IncludedIdList_GroupId", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10", + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry", "Parameters": [ { - "CIMType": "MSFT_MicrosoftGraphsharedPCAccountManagerPolicy", - "Name": "AccountManagerPolicy", + "CIMType": "String", + "Name": "Type", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AllowedAccounts", + "CIMType": "String", + "Name": "Options", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowLocalStorage", + "CIMType": "String", + "Name": "Sid", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisableAccountManager", + "CIMType": "SInt32[]", + "Name": "AccessMask", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisableEduPolicies", + "CIMType": "String", + "Name": "ComputerSid", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceControlPolicyWindows10", + "Parameters": [ + { + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisablePowerPolicies", + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": 
"Write" }, { - "CIMType": "Boolean", - "Name": "DisableSignInOnResume", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Enabled", + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule[]", + "Name": "PolicyRule", "Option": "Write" }, { "CIMType": "String", - "Name": "FastFirstSignIn", + "Name": "DeviceInstall_Allow_Deny_Layered", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "IdleTimeBeforeSleepInSeconds", + "CIMType": "String", + "Name": "DeviceInstall_IDs_Allow", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DeviceInstall_IDs_Allow_List", "Option": "Write" }, { "CIMType": "String", - "Name": "KioskAppDisplayName", + "Name": "DeviceInstall_Instance_IDs_Allow", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DeviceInstall_Instance_IDs_Allow_List", "Option": "Write" }, { "CIMType": "String", - "Name": "KioskAppUserModelId", + "Name": "DeviceInstall_Classes_Allow", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DeviceInstall_Classes_Allow_List", "Option": "Write" }, { "CIMType": "String", - "Name": "LocalStorage", + "Name": "DeviceInstall_Unspecified_Deny", "Option": "Write" }, { "CIMType": "String", - "Name": "MaintenanceStartTime", + "Name": "DeviceInstall_IDs_Deny", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DeviceInstall_IDs_Deny_List", "Option": "Write" }, { "CIMType": "String", - "Name": "SetAccountManager", + "Name": "DeviceInstall_IDs_Deny_Retroactive", "Option": "Write" }, { "CIMType": "String", - "Name": "SetEduPolicies", + "Name": "DeviceInstall_Instance_IDs_Deny", "Option": "Write" }, { "CIMType": "String", - "Name": "SetPowerPolicies", + "Name": "DeviceInstall_Instance_IDs_Deny_Retroactive", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DeviceInstall_Instance_IDs_Deny_List", "Option": "Write" }, { "CIMType": "String", - "Name": "SignInOnResume", + "Name": "DeviceInstall_Classes_Deny", + 
"Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DeviceInstall_Classes_Deny_List", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "DeviceInstall_Classes_Deny_Retroactive", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "DeviceInstall_Removable_Deny", + "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "WPDDevices_DenyRead_Access_2", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "WPDDevices_DenyRead_Access_1", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "WPDDevices_DenyWrite_Access_2", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "WPDDevices_DenyWrite_Access_1", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "AllowFullScanRemovableDriveScanning", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "AllowDirectMemoryAccess", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "DeviceEnumerationPolicy", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "RemovableDiskDenyWriteAccess", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "AllowUSBConnection", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "AllowBluetooth", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10", - "Parameters": [ + }, { "CIMType": "String", - "Name": "CertFileName", + "Name": "AllowAdvertising", "Option": "Write" }, { "CIMType": "String", - "Name": "DestinationStore", + "Name": "AllowDiscoverableMode", "Option": 
"Write" }, { "CIMType": "String", - "Name": "TrustedRootCertificate", + "Name": "AllowPrepairing", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "AllowPromptedProximalConnections", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "String[]", + "Name": "ServicesAllowedList", + "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "AllowStorageCard", "Option": "Write" }, { 
@@ -32810,416 +38571,366 @@ ] }, { - "ClassName": "MSFT_MicrosoftGraphWindows10AssociatedApps", + "ClassName": "MSFT_IntuneDeviceEnrollmentLimitRestriction", "Parameters": [ { "CIMType": "String", - "Name": "AppType", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "Identifier", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphCryptographySuite", - "Parameters": [ - { - "CIMType": "String", - "Name": "AuthenticationTransformConstants", + "Name": "Description", "Option": "Write" }, { - "CIMType": "String", - "Name": "CipherTransformConstants", + "CIMType": "UInt32", + "Name": "Limit", "Option": "Write" }, { - "CIMType": "String", - "Name": "DhGroup", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "EncryptionMethod", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "IntegrityCheckMethod", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "PfsGroup", + "Name": "TenantId", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphVpnDnsRule", - "Parameters": [ + }, { - "CIMType": "Boolean", - "Name": "AutoTrigger", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "Name", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "Persistent", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "ProxyServerUri", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "Servers", + "Name": "AccessTokens", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphWindows10VpnProxyServer", + "ClassName": "MSFT_DeviceEnrollmentPlatformRestriction", "Parameters": [ { "CIMType": "Boolean", - "Name": "BypassProxyServerForLocalAddress", + "Name": "PlatformBlocked", "Option": "Write" }, { - "CIMType": "String", - 
"Name": "Address", + "CIMType": "Boolean", + "Name": "PersonalDeviceEnrollmentBlocked", "Option": "Write" }, { "CIMType": "String", - "Name": "AutomaticConfigurationScriptUrl", + "Name": "OsMinimumVersion", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "Port", + "CIMType": "String", + "Name": "OsMaximumVersion", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AutomaticallyDetectProxySettings", + "CIMType": "String[]", + "Name": "BlockedManufacturers", "Option": "Write" }, { - "CIMType": "String", - "Name": "odataType", + "CIMType": "String[]", + "Name": "BlockedSkus", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphVpnRoute", + "ClassName": "MSFT_IntuneDeviceEnrollmentPlatformRestriction", "Parameters": [ { "CIMType": "String", - "Name": "DestinationPrefix", - "Option": "Write" + "Name": "Identity", + "Option": "Key" }, { - "CIMType": "UInt32", - "Name": "PrefixSize", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphVpnTrafficRule", - "Parameters": [ + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, { "CIMType": "String", - "Name": "AppId", + "Name": "Description", "Option": "Write" }, { - "CIMType": "String", - "Name": "AppType", + "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", + "Name": "AndroidForWorkRestriction", "Option": "Write" }, { - "CIMType": "String", - "Name": "Claims", + "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", + "Name": "AndroidRestriction", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphIPv4Range[]", - "Name": "LocalAddressRanges", + "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", + "Name": "IosRestriction", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphNumberRange[]", - "Name": "LocalPortRanges", + "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", + "Name": "MacOSRestriction", "Option": "Write" }, { - "CIMType": "String", - "Name": "Name", + "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", + "Name": 
"MacRestriction", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "Protocols", + "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", + "Name": "WindowsHomeSkuRestriction", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphIPv4Range[]", - "Name": "RemoteAddressRanges", + "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", + "Name": "WindowsMobileRestriction", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphNumberRange[]", - "Name": "RemotePortRanges", + "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", + "Name": "WindowsRestriction", "Option": "Write" }, { "CIMType": "String", - "Name": "RoutingPolicyType", + "Name": "DeviceEnrollmentConfigurationType", "Option": "Write" }, { - "CIMType": "String", - "Name": "VpnTrafficDirection", + "CIMType": "UInt32", + "Name": "Priority", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphIPv4Range", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "LowerAddress", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String", - "Name": "UpperAddress", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "CidrAddress", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "odataType", + "Name": "ApplicationId", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphNumberRange", - "Parameters": [ + }, { - "CIMType": "UInt32", - "Name": "LowerNumber", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "UpperNumber", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphVpnServer", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Address", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + 
"CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IsDefaultServer", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneDeviceConfigurationVpnPolicyWindows10", + "ClassName": "MSFT_IntuneDeviceEnrollmentStatusPageWindows10", "Parameters": [ - { - "CIMType": "MSFT_MicrosoftGraphwindows10AssociatedApps[]", - "Name": "AssociatedApps", - "Option": "Write" - }, { "CIMType": "String", - "Name": "AuthenticationMethod", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "ConnectionType", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphcryptographySuite", - "Name": "CryptographySuite", - "Option": "Write" - }, - { - "CIMType": "MSFT_MicrosoftGraphvpnDnsRule[]", - "Name": "DnsRules", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DnsSuffixes", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "String", - "Name": "EapXml", + "CIMType": "Boolean", + "Name": "AllowDeviceResetOnInstallFailure", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnableAlwaysOn", + "Name": "AllowDeviceUseOnInstallFailure", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnableConditionalAccess", + "Name": "AllowLogCollectionOnInstallFailure", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnableDeviceTunnel", + "Name": "AllowNonBlockingAppInstallation", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnableDnsRegistration", + "Name": "BlockDeviceSetupRetryByUser", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "EnableSingleSignOnWithAlternateCertificate", + "CIMType": "String", + "Name": "CustomErrorMessage", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "EnableSplitTunneling", + "Name": "DisableUserStatusTrackingAfterFirstUser", "Option": "Write" }, { - "CIMType": "String", - "Name": "MicrosoftTunnelSiteId", + 
"CIMType": "UInt32", + "Name": "InstallProgressTimeoutInMinutes", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "OnlyAssociatedAppsCanUseConnection", + "Name": "InstallQualityUpdates", "Option": "Write" }, { - "CIMType": "String", - "Name": "ProfileTarget", + "CIMType": "String[]", + "Name": "SelectedMobileAppIds", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphwindows10VpnProxyServer", - "Name": "ProxyServer", + "CIMType": "String[]", + "Name": "SelectedMobileAppNames", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RememberUserCredentials", + "Name": "ShowInstallationProgress", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphvpnRoute[]", - "Name": "Routes", + "CIMType": "Boolean", + "Name": "TrackInstallProgressForAutopilotOnly", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphextendedKeyUsage", - "Name": "SingleSignOnEku", + "CIMType": "UInt32", + "Name": "Priority", "Option": "Write" }, { - "CIMType": "String", - "Name": "SingleSignOnIssuerHash", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphvpnTrafficRule[]", - "Name": "TrafficRules", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "TrustedNetworkDomains", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "WindowsInformationProtectionDomain", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "ConnectionName", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "CustomXml", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphvpnServer[]", - "Name": "ServerCollection", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": 
"ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" - }, + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceManagementComplianceSettings", + "Parameters": [ { "CIMType": "String", - "Name": "Id", - "Option": "Write" + "Name": "IsSingleInstance", + "Option": "Key" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "SecureByDefault", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "UInt32", + "Name": "DeviceComplianceCheckinThresholdDays", "Option": "Write" }, { 
@@ -33260,131 +38971,186 @@ ] }, { - "ClassName": "MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10", + "ClassName": "MSFT_IntuneDeviceManagementEnrollmentAndroidGooglePlay", "Parameters": [ { - "CIMType": "Boolean", - "Name": "AzureOperationalInsightsBlockTelemetry", + "CIMType": "String", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "BindStatus", "Option": "Write" }, { "CIMType": "String", - "Name": "AzureOperationalInsightsWorkspaceId", + "Name": "OwnerUserPrincipalName", "Option": "Write" }, { "CIMType": "String", - "Name": "AzureOperationalInsightsWorkspaceKey", + "Name": "OwnerOrganizationName", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ConnectAppBlockAutoLaunch", + "CIMType": "String", + "Name": "EnrollmentTarget", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "MaintenanceWindowBlocked", + "Name": "DeviceOwnerManagementEnabled", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MaintenanceWindowDurationInHours", + "CIMType": "Boolean", + "Name": "AndroidDeviceOwnerFullyManagedEnrollmentEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "MaintenanceWindowStartTime", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MiracastBlocked", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "MiracastChannel", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "MiracastRequirePin", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockMyMeetingsAndFiles", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SettingsBlockSessionResume", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SettingsBlockSigninSuggestions", + "Name": "ManagedIdentity", "Option": "Write" }, { - 
"CIMType": "UInt32", - "Name": "SettingsDefaultVolume", + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfileQRImage", + "Parameters": [ + { + "CIMType": "String", + "Name": "type", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "SettingsScreenTimeoutInMinutes", + "CIMType": "String", + "Name": "value", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "SettingsSessionTimeoutInMinutes", + "CIMType": "String", + "Name": "AccountId", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "SettingsSleepTimeoutInMinutes", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "WelcomeScreenBackgroundImageUrl", + "Name": "TokenValue", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "WelcomeScreenBlockAutomaticWakeUp", + "CIMType": "String", + "Name": "TokenCreationDateTime", "Option": "Write" }, { "CIMType": "String", - "Name": "WelcomeScreenMeetingInformation", + "Name": "TokenExpirationDateTime", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "EnrolledDeviceCount", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "EnrollmentTokenUsageCount", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "QrCodeContent", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "QrCodeImage", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" }, { "CIMType": "Boolean", - "Name": "SupportsScopeTags", + "Name": "ConfigureWifi", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "WifiSsid", 
"Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "MSFT_Credential", + "Name": "WifiPassword", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "WifiHidden", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsTeamsDeviceProfile", "Option": "Write" }, { @@ -33407,11 +39173,6 @@ "Name": "TenantId", "Option": "Write" }, - { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", - "Option": "Write" - }, { "CIMType": "String", "Name": "CertificateThumbprint", 
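Review bot: In the new `MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile` class, `TokenValue` and `QrCodeContent` are declared as `String`, while `WifiPassword` in the same class is `MSFT_Credential`. If those two properties carry the live enrollment token (inferred from their names; the hunk does not show how they are populated), the token would sit in clear text in any exported or compiled configuration and stay usable by whoever can read that output until `TokenExpirationDateTime`. Consider declaring them the way the password is, `"CIMType": "MSFT_Credential", "Name": "TokenValue"`, or dropping them from exported output. This file looks like a schema dump, so the change probably belongs in the resource's own schema definition rather than in this JSON.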
@@ -33430,170 +39191,165 @@ ] }, { - "ClassName": "MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10", + "ClassName": "MSFT_IntuneDeviceRemediationRunSchedule", "Parameters": [ - { - "CIMType": "UInt32", - "Name": "AuthenticationBlockPeriodInMinutes", - "Option": "Write" - }, { "CIMType": "String", - "Name": "AuthenticationMethod", + "Name": "dataType", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "AuthenticationPeriodInSeconds", + "CIMType": "String", + "Name": "Date", "Option": "Write" }, { "CIMType": "UInt32", - "Name": "AuthenticationRetryDelayPeriodInSeconds", + "Name": "Interval", "Option": "Write" }, { "CIMType": "String", - "Name": "AuthenticationType", + "Name": "Time", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "CacheCredentials", + "Name": "UseUtc", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceRemediationPolicyAssignments", + "Parameters": [ { "CIMType": "Boolean", - "Name": "DisableUserPromptForServerValidation", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "EapolStartPeriodInSeconds", + "Name": "RunRemediationScript", "Option": "Write" }, { - "CIMType": "String", - "Name": "EapType", + "CIMType": "MSFT_IntuneDeviceRemediationRunSchedule", + "Name": "RunSchedule", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Enforce8021X", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments", + "Name": "Assignment", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphDeviceHealthScriptParameter", + "Parameters": [ { "CIMType": "Boolean", - "Name": "ForceFIPSCompliance", + "Name": "ApplyDefaultValueWhenNotAssigned", "Option": "Write" }, { "CIMType": "String", - "Name": "InnerAuthenticationProtocolForEAPTTLS", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "MaximumAuthenticationFailures", + "Name": "Description", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MaximumEAPOLStartMessages", + "CIMType": "Boolean", + "Name": 
"IsRequired", "Option": "Write" }, { "CIMType": "String", - "Name": "OuterIdentityPrivacyTemporaryValue", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "PerformServerValidation", + "Name": "Name", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "RequireCryptographicBinding", + "Name": "DefaultValue", "Option": "Write" }, { "CIMType": "String", - "Name": "SecondaryAuthenticationMethod", + "Name": "odataType", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceRemediation", + "Parameters": [ { - "CIMType": "String[]", - "Name": "TrustedServerCertificateNames", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RootCertificatesForServerValidationIds", + "CIMType": "String", + "Name": "DetectionScriptContent", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RootCertificatesForServerValidationDisplayNames", + "CIMType": "MSFT_MicrosoftGraphdeviceHealthScriptParameter[]", + "Name": "DetectionScriptParameters", "Option": "Write" }, { "CIMType": "String", - "Name": "IdentityCertificateForClientAuthenticationId", + "Name": "DeviceHealthScriptType", "Option": "Write" }, { "CIMType": "String", - "Name": "IdentityCertificateForClientAuthenticationDisplayName", - "Option": "Write" + "Name": "DisplayName", + "Option": "Required" }, { - "CIMType": "String", - "Name": "SecondaryIdentityCertificateForClientAuthenticationId", + "CIMType": "Boolean", + "Name": "EnforceSignatureCheck", "Option": "Write" }, { - "CIMType": "String", - "Name": "SecondaryIdentityCertificateForClientAuthenticationDisplayName", + "CIMType": "Boolean", + "Name": "IsGlobalScript", "Option": "Write" }, { "CIMType": "String", - "Name": "RootCertificateForClientValidationId", + "Name": "Publisher", "Option": "Write" }, { "CIMType": "String", - "Name": "RootCertificateForClientValidationDisplayName", + "Name": "RemediationScriptContent", "Option": "Write" }, { - "CIMType": "String", - "Name": 
"SecondaryRootCertificateForClientValidationId", + "CIMType": "MSFT_MicrosoftGraphdeviceHealthScriptParameter[]", + "Name": "RemediationScriptParameters", "Option": "Write" }, { - "CIMType": "String", - "Name": "SecondaryRootCertificateForClientValidationDisplayName", + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "RunAs32Bit", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "RunAsAccount", + "Option": "Write" }, { "CIMType": "String", "Name": "Id", - "Option": "Write" + "Option": "Key" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "CIMType": "MSFT_IntuneDeviceRemediationPolicyAssignments[]", "Name": "Assignments", "Option": "Write" }, 
@@ -33640,466 +39396,411 @@ ] }, { - "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule", + "ClassName": "MSFT_IntuneDiskEncryptionMacOS", "Parameters": [ - { - "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry[]", - "Name": "Entry", - "Option": "Write" - }, { "CIMType": "String", - "Name": "Name", + "Name": "Description", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ExcludedIdList_GroupId", - "Option": "Write" + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String[]", - "Name": "IncludedIdList_GroupId", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry", - "Parameters": [ - { - "CIMType": "String", - "Name": "Type", + "Name": "RoleScopeTagIds", "Option": "Write" }, { "CIMType": "String", - "Name": "Options", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String", - "Name": "Sid", + "CIMType": "Boolean", + "Name": "Enabled", "Option": "Write" }, { - "CIMType": "SInt32[]", - "Name": "AccessMask", + "CIMType": "UInt32", + "Name": "PersonalRecoveryKeyRotationInMonths", "Option": "Write" }, { - "CIMType": "String", - "Name": "ComputerSid", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceControlPolicyWindows10", - "Parameters": [ - { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "DisablePromptAtSignOut", "Option": "Write" }, - { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" - }, { "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "Name": "SelectedRecoveryKeyTypes", "Option": "Write" }, { - "CIMType": "String", - "Name": "Id", + "CIMType": "Boolean", + "Name": "AllowDeferralUntilSignOut", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule[]", - "Name": "PolicyRule", + "CIMType": "sInt32", + "Name": "NumberOfTimesUserCanIgnore", "Option": "Write" }, { - "CIMType": "String", - "Name": 
"DeviceInstall_Allow_Deny_Layered", + "CIMType": "Boolean", + "Name": "HidePersonalRecoveryKey", "Option": "Write" }, { "CIMType": "String", - "Name": "DeviceInstall_IDs_Allow", + "Name": "PersonalRecoveryKeyHelpMessage", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DeviceInstall_IDs_Allow_List", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String", - "Name": "DeviceInstall_Instance_IDs_Allow", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DeviceInstall_Instance_IDs_Allow_List", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "DeviceInstall_Classes_Allow", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DeviceInstall_Classes_Allow_List", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "DeviceInstall_Unspecified_Deny", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "DeviceInstall_IDs_Deny", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DeviceInstall_IDs_Deny_List", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "DeviceInstall_IDs_Deny_Retroactive", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneDiskEncryptionWindows10", + "Parameters": [ { "CIMType": "String", - "Name": "DeviceInstall_Instance_IDs_Deny", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "DeviceInstall_Instance_IDs_Deny_Retroactive", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String[]", - "Name": "DeviceInstall_Instance_IDs_Deny_List", + "Name": "RoleScopeTagIds", "Option": "Write" }, 
{ "CIMType": "String", - "Name": "DeviceInstall_Classes_Deny", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "DeviceInstall_Classes_Deny_List", + "CIMType": "String", + "Name": "RequireDeviceEncryption", "Option": "Write" }, { "CIMType": "String", - "Name": "DeviceInstall_Classes_Deny_Retroactive", + "Name": "EncryptionMethodWithXts_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "DeviceInstall_Removable_Deny", + "Name": "EncryptionMethodWithXtsOsDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "WPDDevices_DenyRead_Access_2", + "Name": "EncryptionMethodWithXtsFdvDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "WPDDevices_DenyRead_Access_1", + "Name": "EncryptionMethodWithXtsRdvDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "WPDDevices_DenyWrite_Access_2", + "Name": "IdentificationField_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "WPDDevices_DenyWrite_Access_1", + "Name": "IdentificationField", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowFullScanRemovableDriveScanning", + "Name": "SecIdentificationField", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowDirectMemoryAccess", + "Name": "AllowWarningForOtherDiskEncryption", "Option": "Write" }, { "CIMType": "String", - "Name": "DeviceEnumerationPolicy", + "Name": "AllowStandardUserEncryption", "Option": "Write" }, { "CIMType": "String", - "Name": "RemovableDiskDenyWriteAccess", + "Name": "ConfigureRecoveryPasswordRotation", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowUSBConnection", + "Name": "OSEncryptionType_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowBluetooth", + "Name": "OSEncryptionTypeDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowAdvertising", + "Name": "ConfigureAdvancedStartup_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowDiscoverableMode", + "Name": 
"ConfigureTPMStartupKeyUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowPrepairing", + "Name": "ConfigureTPMPINKeyUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowPromptedProximalConnections", + "Name": "ConfigureTPMUsageDropDown_Name", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ServicesAllowedList", + "CIMType": "String", + "Name": "ConfigureNonTPMStartupKeyUsage_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowStorageCard", + "Name": "ConfigurePINUsageDropDown_Name", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "MinimumPINLength_Name", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "SInt32", + "Name": "MinPINLength", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "EnhancedPIN_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "DisallowStandardUsersCanChangePIN_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "EnablePreBootPinExceptionOnDECapableDevice_Name", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "EnablePrebootInputProtectorsOnSlates_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "OSRecoveryUsage_Name", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "OSRequireActiveDirectoryBackup_Name", "Option": "Write" }, - { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceEnrollmentLimitRestriction", - "Parameters": [ { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "OSActiveDirectoryBackup_Name", + "Option": "Write" }, { 
"CIMType": "String", - "Name": "Description", + "Name": "OSRecoveryPasswordUsageDropDown_Name", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "Limit", + "CIMType": "String", + "Name": "OSHideRecoveryPage_Name", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "OSAllowDRA_Name", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "OSRecoveryKeyUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "OSActiveDirectoryBackupDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "PrebootRecoveryInfo_Name", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "PrebootRecoveryInfoDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "RecoveryUrl_Input", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "RecoveryMessage_Input", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_DeviceEnrollmentPlatformRestriction", - "Parameters": [ - { - "CIMType": "Boolean", - "Name": "PlatformBlocked", + "CIMType": "String", + "Name": "FDVEncryptionType_Name", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PersonalDeviceEnrollmentBlocked", + "CIMType": "String", + "Name": "FDVEncryptionTypeDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "OsMinimumVersion", + "Name": "FDVRecoveryUsage_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "OsMaximumVersion", + "Name": "FDVActiveDirectoryBackup_Name", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "BlockedManufacturers", + "CIMType": "String", + "Name": "FDVHideRecoveryPage_Name", "Option": "Write" }, - { - "CIMType": "String[]", - 
"Name": "BlockedSkus", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceEnrollmentPlatformRestriction", - "Parameters": [ { "CIMType": "String", - "Name": "Identity", - "Option": "Key" + "Name": "FDVRecoveryPasswordUsageDropDown_Name", + "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "FDVRequireActiveDirectoryBackup_Name", + "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "FDVAllowDRA_Name", "Option": "Write" }, { - "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", - "Name": "AndroidForWorkRestriction", + "CIMType": "String", + "Name": "FDVActiveDirectoryBackupDropDown_Name", "Option": "Write" }, { - "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", - "Name": "AndroidRestriction", + "CIMType": "String", + "Name": "FDVRecoveryKeyUsageDropDown_Name", "Option": "Write" }, { - "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", - "Name": "IosRestriction", + "CIMType": "String", + "Name": "FDVDenyWriteAccess_Name", "Option": "Write" }, { - "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", - "Name": "MacOSRestriction", + "CIMType": "String", + "Name": "RDVConfigureBDE", "Option": "Write" }, { - "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", - "Name": "MacRestriction", + "CIMType": "String", + "Name": "RDVAllowBDE_Name", "Option": "Write" }, { - "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", - "Name": "WindowsHomeSkuRestriction", + "CIMType": "String", + "Name": "RDVEncryptionType_Name", "Option": "Write" }, { - "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", - "Name": "WindowsMobileRestriction", + "CIMType": "String", + "Name": "RDVEncryptionTypeDropDown_Name", "Option": "Write" }, { - "CIMType": "MSFT_DeviceEnrollmentPlatformRestriction", - "Name": "WindowsRestriction", + "CIMType": "String", + "Name": "RDVDisableBDE_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "DeviceEnrollmentConfigurationType", + "Name": 
"RDVDenyWriteAccess_Name", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "Priority", + "CIMType": "String", + "Name": "RDVCrossOrg", "Option": "Write" }, { 
@@ -34150,91 +39851,36 @@ ] }, { - "ClassName": "MSFT_IntuneDeviceEnrollmentStatusPageWindows10", + "ClassName": "MSFT_IntuneEndpointDetectionAndResponsePolicyLinux", "Parameters": [ { "CIMType": "String", "Name": "DisplayName", "Option": "Key" }, - { - "CIMType": "String", - "Name": "Id", - "Option": "Write" - }, { "CIMType": "String", "Name": "Description", "Option": "Write" }, - { - "CIMType": "Boolean", - "Name": "AllowDeviceResetOnInstallFailure", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "AllowDeviceUseOnInstallFailure", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "AllowLogCollectionOnInstallFailure", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "AllowNonBlockingAppInstallation", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "BlockDeviceSetupRetryByUser", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CustomErrorMessage", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "DisableUserStatusTrackingAfterFirstUser", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "InstallProgressTimeoutInMinutes", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "InstallQualityUpdates", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "SelectedMobileAppIds", - "Option": "Write" - }, { "CIMType": "String[]", - "Name": "SelectedMobileAppNames", + "Name": "RoleScopeTagIds", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ShowInstallationProgress", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "TrackInstallProgressForAutopilotOnly", + "CIMType": "String", + "Name": "tags_item_value", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "Priority", + "CIMType": "String", + "Name": "tags_item_key", "Option": "Write" }, { 
@@ -34285,220 +39931,200 @@ ] }, { - "ClassName": "MSFT_IntuneDeviceManagementComplianceSettings", + "ClassName": "MSFT_IntuneEndpointDetectionAndResponsePolicyMacOS", "Parameters": [ { "CIMType": "String", - "Name": "IsSingleInstance", + "Name": "DisplayName", "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "SecureByDefault", - "Option": "Write" - }, - { - "CIMType": "UInt32", - "Name": "DeviceComplianceCheckinThresholdDays", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", - "Option": "Write" - }, - { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "Name": "tags_item_value", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "tags_item_key", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceRemediationRunSchedule", - "Parameters": [ - { - "CIMType": "String", - "Name": "dataType", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "Date", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "Interval", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "Time", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "UseUtc", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceRemediationPolicyAssignments", - "Parameters": [ + "CIMType": "MSFT_Credential", + "Name": 
"ApplicationSecret", + "Option": "Write" + }, { - "CIMType": "Boolean", - "Name": "RunRemediationScript", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "MSFT_IntuneDeviceRemediationRunSchedule", - "Name": "RunSchedule", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments", - "Name": "Assignment", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" } ] }, { - "ClassName": "MSFT_MicrosoftGraphDeviceHealthScriptParameter", + "ClassName": "MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10", "Parameters": [ { - "CIMType": "Boolean", - "Name": "ApplyDefaultValueWhenNotAssigned", + "CIMType": "String", + "Name": "Identity", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "IsRequired", + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": "Write" }, { "CIMType": "String", - "Name": "Name", + "Name": "Description", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DefaultValue", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { "CIMType": "String", - "Name": "odataType", + "Name": "SampleSharing", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDeviceRemediation", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Description", + "Name": "ConfigurationType", "Option": "Write" }, { "CIMType": "String", - "Name": "DetectionScriptContent", + "Name": "ConfigurationBlob", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceHealthScriptParameter[]", - "Name": "DetectionScriptParameters", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "DeviceHealthScriptType", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { 
"CIMType": "String", - "Name": "DisplayName", - "Option": "Required" - }, - { - "CIMType": "Boolean", - "Name": "EnforceSignatureCheck", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IsGlobalScript", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "Publisher", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "RemediationScriptContent", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphdeviceHealthScriptParameter[]", - "Name": "RemediationScriptParameters", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "RunAs32Bit", + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "RunAsAccount", + "Name": "ExploitProtectionSettings", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", - "Option": "Key" + "Name": "DisallowExploitProtectionOverride", + "Option": "Write" }, { - "CIMType": "MSFT_IntuneDeviceRemediationPolicyAssignments[]", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", "Name": "Assignments", "Option": "Write" }, @@ -34545,7 +40171,7 @@ ] }, { - "ClassName": "MSFT_IntuneDiskEncryptionMacOS", + "ClassName": "MSFT_IntuneFirewallPolicyWindows10", "Parameters": [ { "CIMType": "String", 
@@ -34568,388 +40194,388 @@ "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Enabled", + "CIMType": "String", + "Name": "CRLcheck", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "PersonalRecoveryKeyRotationInMonths", + "CIMType": "String", + "Name": "DisableStatefulFtp", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "DisablePromptAtSignOut", + "CIMType": "SInt32[]", + "Name": "EnablePacketQueue", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "SelectedRecoveryKeyTypes", + "CIMType": "SInt32[]", + "Name": "IPsecExempt", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowDeferralUntilSignOut", + "CIMType": "String", + "Name": "OpportunisticallyMatchAuthSetPerKM", "Option": "Write" }, { - "CIMType": "sInt32", - "Name": "NumberOfTimesUserCanIgnore", + "CIMType": "String", + "Name": "PresharedKeyEncoding", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "HidePersonalRecoveryKey", + "CIMType": "SInt32", + "Name": "SaIdleTime", "Option": "Write" }, { "CIMType": "String", - "Name": "PersonalRecoveryKeyHelpMessage", + "Name": "DomainProfile_EnableFirewall", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "DomainProfile_DisableUnicastResponsesToMulticastBroadcast", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "DomainProfile_EnableLogIgnoredRules", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "DomainProfile_GlobalPortsAllowUserPrefMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "DomainProfile_DefaultInboundAction", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "DomainProfile_DisableStealthModeIpsecSecuredPacketExemption", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": 
"String", + "Name": "DomainProfile_AllowLocalPolicyMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "DomainProfile_EnableLogSuccessConnections", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "DomainProfile_AllowLocalIpsecPolicyMerge", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "DomainProfile_LogFilePath", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneDiskEncryptionWindows10", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Description", + "Name": "DomainProfile_DisableStealthMode", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "DomainProfile_AuthAppsAllowUserPrefMerge", + "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "CIMType": "String", + "Name": "DomainProfile_EnableLogDroppedPackets", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "DomainProfile_Shielded", "Option": "Write" }, { "CIMType": "String", - "Name": "RequireDeviceEncryption", + "Name": "DomainProfile_DefaultOutboundAction", "Option": "Write" }, { "CIMType": "String", - "Name": "EncryptionMethodWithXts_Name", + "Name": "DomainProfile_DisableInboundNotifications", "Option": "Write" }, { - "CIMType": "String", - "Name": "EncryptionMethodWithXtsOsDropDown_Name", + "CIMType": "SInt32", + "Name": "DomainProfile_LogMaxFileSize", "Option": "Write" }, { "CIMType": "String", - "Name": "EncryptionMethodWithXtsFdvDropDown_Name", + "Name": "PrivateProfile_EnableFirewall", "Option": "Write" }, { "CIMType": "String", - "Name": "EncryptionMethodWithXtsRdvDropDown_Name", + "Name": "PrivateProfile_AllowLocalIpsecPolicyMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "IdentificationField_Name", + "Name": "PrivateProfile_DisableStealthModeIpsecSecuredPacketExemption", "Option": "Write" }, { "CIMType": 
"String", - "Name": "IdentificationField", + "Name": "PrivateProfile_DisableInboundNotifications", "Option": "Write" }, { "CIMType": "String", - "Name": "SecIdentificationField", + "Name": "PrivateProfile_Shielded", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowWarningForOtherDiskEncryption", + "Name": "PrivateProfile_AllowLocalPolicyMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowStandardUserEncryption", + "Name": "PrivateProfile_DefaultOutboundAction", "Option": "Write" }, { "CIMType": "String", - "Name": "ConfigureRecoveryPasswordRotation", + "Name": "PrivateProfile_AuthAppsAllowUserPrefMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "OSEncryptionType_Name", + "Name": "PrivateProfile_EnableLogIgnoredRules", "Option": "Write" }, { - "CIMType": "String", - "Name": "OSEncryptionTypeDropDown_Name", + "CIMType": "SInt32", + "Name": "PrivateProfile_LogMaxFileSize", "Option": "Write" }, { "CIMType": "String", - "Name": "ConfigureAdvancedStartup_Name", + "Name": "PrivateProfile_DefaultInboundAction", "Option": "Write" }, { "CIMType": "String", - "Name": "ConfigureTPMStartupKeyUsageDropDown_Name", + "Name": "PrivateProfile_DisableUnicastResponsesToMulticastBroadcast", "Option": "Write" }, { "CIMType": "String", - "Name": "ConfigureTPMPINKeyUsageDropDown_Name", + "Name": "PrivateProfile_LogFilePath", "Option": "Write" }, { "CIMType": "String", - "Name": "ConfigureTPMUsageDropDown_Name", + "Name": "PrivateProfile_DisableStealthMode", "Option": "Write" }, { "CIMType": "String", - "Name": "ConfigureNonTPMStartupKeyUsage_Name", + "Name": "PrivateProfile_EnableLogSuccessConnections", "Option": "Write" }, { "CIMType": "String", - "Name": "ConfigurePINUsageDropDown_Name", + "Name": "PrivateProfile_GlobalPortsAllowUserPrefMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "MinimumPINLength_Name", + "Name": "PrivateProfile_EnableLogDroppedPackets", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "MinPINLength", + 
"CIMType": "String", + "Name": "PublicProfile_EnableFirewall", "Option": "Write" }, { "CIMType": "String", - "Name": "EnhancedPIN_Name", + "Name": "PublicProfile_DefaultOutboundAction", "Option": "Write" }, { "CIMType": "String", - "Name": "DisallowStandardUsersCanChangePIN_Name", + "Name": "PublicProfile_DisableInboundNotifications", "Option": "Write" }, { "CIMType": "String", - "Name": "EnablePreBootPinExceptionOnDECapableDevice_Name", + "Name": "PublicProfile_DisableStealthModeIpsecSecuredPacketExemption", "Option": "Write" }, { "CIMType": "String", - "Name": "EnablePrebootInputProtectorsOnSlates_Name", + "Name": "PublicProfile_Shielded", "Option": "Write" }, { "CIMType": "String", - "Name": "OSRecoveryUsage_Name", + "Name": "PublicProfile_AllowLocalPolicyMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "OSRequireActiveDirectoryBackup_Name", + "Name": "PublicProfile_AuthAppsAllowUserPrefMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "OSActiveDirectoryBackup_Name", + "Name": "PublicProfile_LogFilePath", "Option": "Write" }, { "CIMType": "String", - "Name": "OSRecoveryPasswordUsageDropDown_Name", + "Name": "PublicProfile_DefaultInboundAction", "Option": "Write" }, { "CIMType": "String", - "Name": "OSHideRecoveryPage_Name", + "Name": "PublicProfile_DisableUnicastResponsesToMulticastBroadcast", "Option": "Write" }, { "CIMType": "String", - "Name": "OSAllowDRA_Name", + "Name": "PublicProfile_GlobalPortsAllowUserPrefMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "OSRecoveryKeyUsageDropDown_Name", + "Name": "PublicProfile_EnableLogSuccessConnections", "Option": "Write" }, { "CIMType": "String", - "Name": "OSActiveDirectoryBackupDropDown_Name", + "Name": "PublicProfile_AllowLocalIpsecPolicyMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "PrebootRecoveryInfo_Name", + "Name": "PublicProfile_EnableLogDroppedPackets", "Option": "Write" }, { "CIMType": "String", - "Name": "PrebootRecoveryInfoDropDown_Name", + "Name": 
"PublicProfile_EnableLogIgnoredRules", "Option": "Write" }, { - "CIMType": "String", - "Name": "RecoveryUrl_Input", + "CIMType": "SInt32", + "Name": "PublicProfile_LogMaxFileSize", "Option": "Write" }, { "CIMType": "String", - "Name": "RecoveryMessage_Input", + "Name": "PublicProfile_DisableStealthMode", "Option": "Write" }, { "CIMType": "String", - "Name": "FDVEncryptionType_Name", + "Name": "ObjectAccess_AuditFilteringPlatformConnection", "Option": "Write" }, { "CIMType": "String", - "Name": "FDVEncryptionTypeDropDown_Name", + "Name": "ObjectAccess_AuditFilteringPlatformPacketDrop", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AllowedTlsAuthenticationEndpoints", "Option": "Write" }, { "CIMType": "String", - "Name": "FDVRecoveryUsage_Name", + "Name": "ConfiguredTlsAuthenticationNetworkName", "Option": "Write" }, { "CIMType": "String", - "Name": "FDVActiveDirectoryBackup_Name", + "Name": "Target", "Option": "Write" }, { "CIMType": "String", - "Name": "FDVHideRecoveryPage_Name", + "Name": "HyperVVMSettings_DomainProfile_EnableFirewall", "Option": "Write" }, { "CIMType": "String", - "Name": "FDVRecoveryPasswordUsageDropDown_Name", + "Name": "HyperVVMSettings_DomainProfile_AllowLocalPolicyMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "FDVRequireActiveDirectoryBackup_Name", + "Name": "HyperVVMSettings_DomainProfile_DefaultInboundAction", "Option": "Write" }, { "CIMType": "String", - "Name": "FDVAllowDRA_Name", + "Name": "HyperVVMSettings_DomainProfile_DefaultOutboundAction", "Option": "Write" }, { "CIMType": "String", - "Name": "FDVActiveDirectoryBackupDropDown_Name", + "Name": "EnableLoopback", "Option": "Write" }, { "CIMType": "String", - "Name": "FDVRecoveryKeyUsageDropDown_Name", + "Name": "HyperVVMSettings_PublicProfile_EnableFirewall", "Option": "Write" }, { "CIMType": "String", - "Name": "FDVDenyWriteAccess_Name", + "Name": "HyperVVMSettings_PublicProfile_DefaultInboundAction", "Option": "Write" }, { "CIMType": "String", - 
"Name": "RDVConfigureBDE", + "Name": "HyperVVMSettings_PublicProfile_DefaultOutboundAction", "Option": "Write" }, { "CIMType": "String", - "Name": "RDVAllowBDE_Name", + "Name": "HyperVVMSettings_PublicProfile_AllowLocalPolicyMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "RDVEncryptionType_Name", + "Name": "HyperVVMSettings_PrivateProfile_EnableFirewall", "Option": "Write" }, { "CIMType": "String", - "Name": "RDVEncryptionTypeDropDown_Name", + "Name": "HyperVVMSettings_PrivateProfile_DefaultOutboundAction", "Option": "Write" }, { "CIMType": "String", - "Name": "RDVDisableBDE_Name", + "Name": "HyperVVMSettings_PrivateProfile_DefaultInboundAction", "Option": "Write" }, { "CIMType": "String", - "Name": "RDVDenyWriteAccess_Name", + "Name": "HyperVVMSettings_PrivateProfile_AllowLocalPolicyMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "RDVCrossOrg", + "Name": "AllowHostPolicyMerge", "Option": "Write" }, { 
@@ -35000,87 +40626,127 @@ ] }, { - "ClassName": "MSFT_IntuneEndpointDetectionAndResponsePolicyLinux", + "ClassName": "MSFT_DeviceManagementMobileAppAssignment", "Parameters": [ { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "dataType", + "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "deviceAndAppManagementAssignmentFilterId", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "CIMType": "String", + "Name": "deviceAndAppManagementAssignmentFilterType", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "groupId", "Option": "Write" }, { "CIMType": "String", - "Name": "tags_item_value", + "Name": "groupDisplayName", "Option": "Write" }, { "CIMType": "String", - "Name": "tags_item_key", + "Name": "intent", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_DeviceManagementMinimumOperatingSystem", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "v10_7", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "v10_8", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "v10_9", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "v10_10", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "v10_11", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "v10_12", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "v10_13", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "v10_14", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "v10_15", "Option": "Write" }, { - "CIMType": 
"String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "v11_0", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "v12_0", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "v13_0", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "v14_0", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneEndpointDetectionAndResponsePolicyMacOS", + "ClassName": "MSFT_DeviceManagementMimeContent", + "Parameters": [ + { + "CIMType": "String", + "Name": "Type", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Value", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_DeviceManagementMobileAppCategory", "Parameters": [ { "CIMType": "String", 
@@ -35089,88 +40755,98 @@ }, { "CIMType": "String", - "Name": "Description", + "Name": "Id", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_DeviceManagementMobileAppChildApp", + "Parameters": [ { - "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "CIMType": "String", + "Name": "BundleId", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "BuildNumber", "Option": "Write" }, { "CIMType": "String", - "Name": "tags_item_value", + "Name": "VersionNumber", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneMobileAppsMacOSLobApp", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" }, { "CIMType": "String", - "Name": "tags_item_key", + "Name": "Id", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "Description", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "Developer", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "InformationUrl", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "IsFeatured", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "Notes", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "Owner", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "PrivacyInformationUrl", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "Publisher", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "BundleId", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10", - "Parameters": [ + }, { "CIMType": "String", - "Name": 
"Identity", + "Name": "BuildNumber", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "VersionNumber", + "Option": "Write" }, { "CIMType": "String[]", @@ -35178,32 +40854,42 @@ "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "IgnoreVersionDetection", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "InstallAsManaged", "Option": "Write" }, { - "CIMType": "String", - "Name": "SampleSharing", + "CIMType": "MSFT_DeviceManagementMimeContent", + "Name": "LargeIcon", "Option": "Write" }, { - "CIMType": "String", - "Name": "ConfigurationType", + "CIMType": "MSFT_DeviceManagementMinimumOperatingSystem", + "Name": "MinimumSupportedOperatingSystem", "Option": "Write" }, { - "CIMType": "String", - "Name": "ConfigurationBlob", + "CIMType": "MSFT_DeviceManagementMobileAppCategory[]", + "Name": "Categories", "Option": "Write" }, { - "CIMType": "string", + "CIMType": "MSFT_DeviceManagementMobileAppAssignment[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementMobileAppChildApp[]", + "Name": "ChildApps", + "Option": "Write" + }, + { + "CIMType": "String", "Name": "Ensure", "Option": "Write" }, 
@@ -35245,491 +40931,536 @@ ] }, { - "ClassName": "MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog", + "ClassName": "MSFT_DeviceManagementMobileAppExcludedApp", "Parameters": [ { - "CIMType": "String", - "Name": "Identity", + "CIMType": "Boolean", + "Name": "Access", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Bing", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "Boolean", + "Name": "Excel", + "Option": "Write" }, { - "CIMType": "String", - "Name": "Description", + "CIMType": "Boolean", + "Name": "Groove", "Option": "Write" }, { - "CIMType": "String", - "Name": "ExploitProtectionSettings", + "CIMType": "Boolean", + "Name": "InfoPath", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisallowExploitProtectionOverride", + "CIMType": "Boolean", + "Name": "Lync", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "Boolean", + "Name": "OneDrive", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "Boolean", + "Name": "OneNote", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "Boolean", + "Name": "Outlook", "Option": "Write" }, { - "CIMType": "String", - "Name": "ApplicationId", + "CIMType": "Boolean", + "Name": "PowerPoint", "Option": "Write" }, { - "CIMType": "String", - "Name": "TenantId", + "CIMType": "Boolean", + "Name": "Publisher", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "Boolean", + "Name": "SharePointDesigner", "Option": "Write" }, { - "CIMType": "String", - "Name": "CertificateThumbprint", + "CIMType": "Boolean", + "Name": "Teams", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "ManagedIdentity", + "Name": "Visio", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "Boolean", + "Name": "Word", "Option": "Write" } ] }, 
{ - "ClassName": "MSFT_IntuneFirewallPolicyWindows10", + "ClassName": "MSFT_IntuneMobileAppsWindowsOfficeSuiteApp", "Parameters": [ - { - "CIMType": "String", - "Name": "Description", - "Option": "Write" - }, { "CIMType": "String", "Name": "DisplayName", "Option": "Key" }, { - "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsFeatured", "Option": "Write" }, { "CIMType": "String", - "Name": "CRLcheck", + "Name": "PrivacyInformationUrl", "Option": "Write" }, { "CIMType": "String", - "Name": "DisableStatefulFtp", + "Name": "InformationUrl", "Option": "Write" }, { - "CIMType": "SInt32[]", - "Name": "EnablePacketQueue", + "CIMType": "String", + "Name": "Notes", "Option": "Write" }, { - "CIMType": "SInt32[]", - "Name": "IPsecExempt", + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": "Write" }, { - "CIMType": "String", - "Name": "OpportunisticallyMatchAuthSetPerKM", + "CIMType": "Boolean", + "Name": "AutoAcceptEula", "Option": "Write" }, { - "CIMType": "String", - "Name": "PresharedKeyEncoding", + "CIMType": "String[]", + "Name": "ProductIds", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "SaIdleTime", + "CIMType": "Boolean", + "Name": "UseSharedComputerActivation", "Option": "Write" }, { "CIMType": "String", - "Name": "DomainProfile_EnableFirewall", + "Name": "UpdateChannel", "Option": "Write" }, { "CIMType": "String", - "Name": "DomainProfile_DisableUnicastResponsesToMulticastBroadcast", + "Name": "OfficeSuiteAppDefaultFileFormat", "Option": "Write" }, { "CIMType": "String", - "Name": "DomainProfile_EnableLogIgnoredRules", + "Name": "OfficePlatformArchitecture", "Option": "Write" }, { - "CIMType": "String", - "Name": "DomainProfile_GlobalPortsAllowUserPrefMerge", + "CIMType": "String[]", + "Name": "LocalesToInstall", "Option": "Write" }, { "CIMType": 
"String", - "Name": "DomainProfile_DefaultInboundAction", + "Name": "InstallProgressDisplayLevel", "Option": "Write" }, { - "CIMType": "String", - "Name": "DomainProfile_DisableStealthModeIpsecSecuredPacketExemption", + "CIMType": "Boolean", + "Name": "ShouldUninstallOlderVersionsOfOffice", "Option": "Write" }, { "CIMType": "String", - "Name": "DomainProfile_AllowLocalPolicyMerge", + "Name": "TargetVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "DomainProfile_EnableLogSuccessConnections", + "Name": "UpdateVersion", "Option": "Write" }, { "CIMType": "String", - "Name": "DomainProfile_AllowLocalIpsecPolicyMerge", + "Name": "OfficeConfigurationXml", "Option": "Write" }, { - "CIMType": "String", - "Name": "DomainProfile_LogFilePath", + "CIMType": "MSFT_DeviceManagementMobileAppCategory[]", + "Name": "Categories", "Option": "Write" }, { - "CIMType": "String", - "Name": "DomainProfile_DisableStealthMode", + "CIMType": "MSFT_DeviceManagementMobileAppAssignment[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String", - "Name": "DomainProfile_AuthAppsAllowUserPrefMerge", + "CIMType": "MSFT_DeviceManagementMobileAppExcludedApp", + "Name": "ExcludedApps", "Option": "Write" }, { "CIMType": "String", - "Name": "DomainProfile_EnableLogDroppedPackets", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "DomainProfile_Shielded", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "DomainProfile_DefaultOutboundAction", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "DomainProfile_DisableInboundNotifications", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "DomainProfile_LogMaxFileSize", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "PrivateProfile_EnableFirewall", + "Name": "CertificateThumbprint", "Option": "Write" }, { - 
"CIMType": "String", - "Name": "PrivateProfile_AllowLocalIpsecPolicyMerge", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "PrivateProfile_DisableStealthModeIpsecSecuredPacketExemption", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneMobileThreatDefenseConnector", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Key" }, { "CIMType": "String", - "Name": "PrivateProfile_DisableInboundNotifications", + "Name": "DisplayName", "Option": "Write" }, { - "CIMType": "String", - "Name": "PrivateProfile_Shielded", + "CIMType": "Boolean", + "Name": "AllowPartnerToCollectIosApplicationMetadata", "Option": "Write" }, { - "CIMType": "String", - "Name": "PrivateProfile_AllowLocalPolicyMerge", + "CIMType": "Boolean", + "Name": "AllowPartnerToCollectIosPersonalApplicationMetadata", "Option": "Write" }, { - "CIMType": "String", - "Name": "PrivateProfile_DefaultOutboundAction", + "CIMType": "Boolean", + "Name": "AndroidDeviceBlockedOnMissingPartnerData", "Option": "Write" }, { - "CIMType": "String", - "Name": "PrivateProfile_AuthAppsAllowUserPrefMerge", + "CIMType": "Boolean", + "Name": "AndroidEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "PrivateProfile_EnableLogIgnoredRules", + "CIMType": "Boolean", + "Name": "AndroidMobileApplicationManagementEnabled", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "PrivateProfile_LogMaxFileSize", + "CIMType": "Boolean", + "Name": "IosDeviceBlockedOnMissingPartnerData", "Option": "Write" }, { - "CIMType": "String", - "Name": "PrivateProfile_DefaultInboundAction", + "CIMType": "Boolean", + "Name": "IosEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "PrivateProfile_DisableUnicastResponsesToMulticastBroadcast", + "CIMType": "Boolean", + "Name": "IosMobileApplicationManagementEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": 
"PrivateProfile_LogFilePath", + "CIMType": "DateTime", + "Name": "LastHeartbeatDateTime", "Option": "Write" }, { - "CIMType": "String", - "Name": "PrivateProfile_DisableStealthMode", + "CIMType": "Boolean", + "Name": "MicrosoftDefenderForEndpointAttachEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "PrivateProfile_EnableLogSuccessConnections", + "Name": "PartnerState", "Option": "Write" }, { - "CIMType": "String", - "Name": "PrivateProfile_GlobalPortsAllowUserPrefMerge", + "CIMType": "Uint32", + "Name": "PartnerUnresponsivenessThresholdInDays", "Option": "Write" }, { - "CIMType": "String", - "Name": "PrivateProfile_EnableLogDroppedPackets", + "CIMType": "Boolean", + "Name": "PartnerUnsupportedOSVersionBlocked", "Option": "Write" }, { - "CIMType": "String", - "Name": "PublicProfile_EnableFirewall", + "CIMType": "Boolean", + "Name": "WindowsDeviceBlockedOnMissingPartnerData", "Option": "Write" }, { - "CIMType": "String", - "Name": "PublicProfile_DefaultOutboundAction", + "CIMType": "Boolean", + "Name": "WindowsEnabled", "Option": "Write" }, { - "CIMType": "String", - "Name": "PublicProfile_DisableInboundNotifications", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "PublicProfile_DisableStealthModeIpsecSecuredPacketExemption", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "PublicProfile_Shielded", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "PublicProfile_AllowLocalPolicyMerge", + "Name": "TenantId", "Option": "Write" }, { "CIMType": "String", - "Name": "PublicProfile_AuthAppsAllowUserPrefMerge", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "PublicProfile_LogFilePath", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "String", - "Name": "PublicProfile_DefaultInboundAction", + "CIMType": "Boolean", + "Name": 
"ManagedIdentity", "Option": "Write" }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_DeviceManagementConfigurationPolicyItems", + "Parameters": [ { "CIMType": "String", - "Name": "PublicProfile_DisableUnicastResponsesToMulticastBroadcast", + "Name": "dataType", "Option": "Write" }, { "CIMType": "String", - "Name": "PublicProfile_GlobalPortsAllowUserPrefMerge", + "Name": "payloadId", "Option": "Write" }, { "CIMType": "String", - "Name": "PublicProfile_EnableLogSuccessConnections", + "Name": "displayName", "Option": "Write" }, { "CIMType": "String", - "Name": "PublicProfile_AllowLocalIpsecPolicyMerge", + "Name": "itemType", "Option": "Write" }, + { + "CIMType": "String[]", + "Name": "guidedDeploymentTags", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntunePolicySets", + "Parameters": [ { "CIMType": "String", - "Name": "PublicProfile_EnableLogDroppedPackets", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "PublicProfile_EnableLogIgnoredRules", - "Option": "Write" + "Name": "DisplayName", + "Option": "Key" }, { - "CIMType": "SInt32", - "Name": "PublicProfile_LogMaxFileSize", + "CIMType": "String[]", + "Name": "GuidedDeploymentTags", "Option": "Write" }, { - "CIMType": "String", - "Name": "PublicProfile_DisableStealthMode", + "CIMType": "String[]", + "Name": "RoleScopeTags", "Option": "Write" }, { "CIMType": "String", - "Name": "ObjectAccess_AuditFilteringPlatformConnection", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String", - "Name": "ObjectAccess_AuditFilteringPlatformPacketDrop", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AllowedTlsAuthenticationEndpoints", + "CIMType": "MSFT_DeviceManagementConfigurationPolicyItems[]", + "Name": "Items", "Option": "Write" }, { - "CIMType": "String", - "Name": "ConfiguredTlsAuthenticationNetworkName", 
+ "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "String", - "Name": "Target", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { "CIMType": "String", - "Name": "HyperVVMSettings_DomainProfile_EnableFirewall", + "Name": "ApplicationId", "Option": "Write" }, { "CIMType": "String", - "Name": "HyperVVMSettings_DomainProfile_AllowLocalPolicyMerge", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "String", - "Name": "HyperVVMSettings_DomainProfile_DefaultInboundAction", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { "CIMType": "String", - "Name": "HyperVVMSettings_DomainProfile_DefaultOutboundAction", + "Name": "CertificateThumbprint", "Option": "Write" }, { - "CIMType": "String", - "Name": "EnableLoopback", + "CIMType": "Boolean", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "String", - "Name": "HyperVVMSettings_PublicProfile_EnableFirewall", + "CIMType": "String[]", + "Name": "AccessTokens", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneRoleAssignment", + "Parameters": [ { "CIMType": "String", - "Name": "HyperVVMSettings_PublicProfile_DefaultInboundAction", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "HyperVVMSettings_PublicProfile_DefaultOutboundAction", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "HyperVVMSettings_PublicProfile_AllowLocalPolicyMerge", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "ResourceScopes", "Option": "Write" }, { - "CIMType": "String", - "Name": "HyperVVMSettings_PrivateProfile_EnableFirewall", + "CIMType": "String[]", + "Name": "ResourceScopesDisplayNames", "Option": "Write" }, { "CIMType": "String", - "Name": "HyperVVMSettings_PrivateProfile_DefaultOutboundAction", + "Name": "ScopeType", "Option": "Write" }, { - "CIMType": "String", - "Name": 
"HyperVVMSettings_PrivateProfile_DefaultInboundAction", + "CIMType": "String[]", + "Name": "Members", "Option": "Write" }, { - "CIMType": "String", - "Name": "HyperVVMSettings_PrivateProfile_AllowLocalPolicyMerge", + "CIMType": "String[]", + "Name": "MembersDisplayNames", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowHostPolicyMerge", + "Name": "RoleDefinition", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "RoleDefinitionDisplayName", "Option": "Write" }, { 
@@ -35775,763 +41506,733 @@ ] }, { - "ClassName": "MSFT_DeviceManagementMobileAppAssignment", + "ClassName": "MSFT_IntuneRoleDefinition", "Parameters": [ { "CIMType": "String", - "Name": "dataType", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "deviceAndAppManagementAssignmentFilterId", + "Name": "Description", "Option": "Write" }, { "CIMType": "String", - "Name": "deviceAndAppManagementAssignmentFilterType", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "IsBuiltIn", "Option": "Write" }, { - "CIMType": "String", - "Name": "groupId", + "CIMType": "String[]", + "Name": "allowedResourceActions", "Option": "Write" }, { - "CIMType": "String", - "Name": "groupDisplayName", + "CIMType": "String[]", + "Name": "notAllowedResourceActions", "Option": "Write" }, { - "CIMType": "String", - "Name": "intent", + "CIMType": "String[]", + "Name": "roleScopeTagIds", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_DeviceManagementMinimumOperatingSystem", - "Parameters": [ + }, { - "CIMType": "Boolean", - "Name": "v10_7", + "CIMType": "string", + "Name": "Ensure", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "v10_8", + "CIMType": "MSFT_Credential", + "Name": "Credential", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "v10_9", + "CIMType": "String", + "Name": "ApplicationId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "v10_10", + "CIMType": "String", + "Name": "TenantId", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "v10_11", + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "v10_12", + "CIMType": "String", + "Name": "CertificateThumbprint", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "v10_13", + "Name": "ManagedIdentity", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "v10_14", + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + 
"ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint", + "Parameters": [ + { + "CIMType": "String", + "Name": "DeviceInstall_Classes_Deny", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "v10_15", + "CIMType": "String[]", + "Name": "DeviceInstall_Classes_Deny_List", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "v11_0", + "CIMType": "String", + "Name": "DeviceInstall_Classes_Deny_Retroactive", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "v12_0", + "CIMType": "String", + "Name": "EncryptionMethodWithXts_Name", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "v13_0", + "CIMType": "String", + "Name": "EncryptionMethodWithXtsOsDropDown_Name", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "v14_0", + "CIMType": "String", + "Name": "EncryptionMethodWithXtsFdvDropDown_Name", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_DeviceManagementMimeContent", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Type", + "Name": "EncryptionMethodWithXtsRdvDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "Value", + "Name": "FDVRecoveryUsage_Name", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_DeviceManagementMobileAppCategory", - "Parameters": [ + }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "FDVActiveDirectoryBackup_Name", + "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "FDVHideRecoveryPage_Name", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_DeviceManagementMobileAppChildApp", - "Parameters": [ + }, { "CIMType": "String", - "Name": "BundleId", + "Name": "FDVRecoveryPasswordUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "BuildNumber", + "Name": "FDVRequireActiveDirectoryBackup_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "VersionNumber", + "Name": "FDVAllowDRA_Name", "Option": "Write" - } - ] - }, - { - "ClassName": 
"MSFT_IntuneMobileAppsMacOSLobApp", - "Parameters": [ + }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "FDVActiveDirectoryBackupDropDown_Name", + "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "FDVRecoveryKeyUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "FDVDenyWriteAccess_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "Developer", + "Name": "FDVEncryptionType_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "InformationUrl", + "Name": "FDVEncryptionTypeDropDown_Name", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IsFeatured", + "CIMType": "String", + "Name": "EnablePreBootPinExceptionOnDECapableDevice_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "Notes", + "Name": "EnhancedPIN_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "Owner", + "Name": "OSRecoveryUsage_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OSRequireActiveDirectoryBackup_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "PrivacyInformationUrl", + "Name": "OSActiveDirectoryBackup_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "Publisher", + "Name": "OSRecoveryPasswordUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "PublishingState", + "Name": "OSHideRecoveryPage_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "BundleId", + "Name": "OSAllowDRA_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "BuildNumber", + "Name": "OSRecoveryKeyUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "VersionNumber", + "Name": "OSActiveDirectoryBackupDropDown_Name", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "CIMType": "String", + "Name": "EnablePrebootInputProtectorsOnSlates_Name", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IgnoreVersionDetection", + "CIMType": "String", + 
"Name": "OSEncryptionType_Name", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementMimeContent", - "Name": "LargeIcon", + "CIMType": "String", + "Name": "OSEncryptionTypeDropDown_Name", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementMinimumOperatingSystem", - "Name": "MinimumSupportedOperatingSystem", + "CIMType": "String", + "Name": "ConfigureAdvancedStartup_Name", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementMobileAppCategory[]", - "Name": "Categories", + "CIMType": "String", + "Name": "ConfigureTPMStartupKeyUsageDropDown_Name", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementMobileAppAssignment[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "ConfigureTPMPINKeyUsageDropDown_Name", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementMobileAppChildApp[]", - "Name": "ChildApps", + "CIMType": "String", + "Name": "ConfigureTPMUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "ConfigureNonTPMStartupKeyUsage_Name", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "ConfigurePINUsageDropDown_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "RDVConfigureBDE", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "RDVAllowBDE_Name", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "RDVEncryptionType_Name", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "RDVEncryptionTypeDropDown_Name", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "RDVDisableBDE_Name", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "RDVDenyWriteAccess_Name", "Option": "Write" - } - ] - }, - { - "ClassName": 
"MSFT_DeviceManagementMobileAppExcludedApp", - "Parameters": [ + }, { - "CIMType": "Boolean", - "Name": "Access", + "CIMType": "String", + "Name": "RDVCrossOrg", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Bing", + "CIMType": "String", + "Name": "EnableSmartScreen", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Excel", + "CIMType": "String", + "Name": "EnableSmartScreenDropdown", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Groove", + "CIMType": "String", + "Name": "DisableSafetyFilterOverrideForAppRepUnknown", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "InfoPath", + "CIMType": "String", + "Name": "Disable_Managing_Safety_Filter_IE9", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Lync", + "CIMType": "String", + "Name": "IE9SafetyFilterOptions", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OneDrive", + "CIMType": "String", + "Name": "AllowWarningForOtherDiskEncryption", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "OneNote", + "CIMType": "String", + "Name": "AllowStandardUserEncryption", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Outlook", + "CIMType": "String", + "Name": "ConfigureRecoveryPasswordRotation", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "PowerPoint", + "CIMType": "String", + "Name": "RequireDeviceEncryption", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Publisher", + "CIMType": "String", + "Name": "AllowArchiveScanning", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "SharePointDesigner", + "CIMType": "String", + "Name": "AllowBehaviorMonitoring", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Teams", + "CIMType": "String", + "Name": "AllowCloudProtection", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Visio", + "CIMType": "String", + "Name": "AllowEmailScanning", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "Word", + "CIMType": "String", + "Name": 
"AllowFullScanRemovableDriveScanning", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneMobileAppsWindowsOfficeSuiteApp", - "Parameters": [ + }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "AllowOnAccessProtection", + "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "AllowRealtimeMonitoring", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "AllowScanningNetworkFiles", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IsFeatured", + "CIMType": "String", + "Name": "AllowIOAVProtection", "Option": "Write" }, { "CIMType": "String", - "Name": "PrivacyInformationUrl", + "Name": "AllowScriptScanning", "Option": "Write" }, { "CIMType": "String", - "Name": "InformationUrl", + "Name": "AllowUserUIAccess", "Option": "Write" }, { "CIMType": "String", - "Name": "Notes", + "Name": "BlockExecutionOfPotentiallyObfuscatedScripts", "Option": "Write" }, { "CIMType": "String[]", - "Name": "RoleScopeTagIds", + "Name": "BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AutoAcceptEula", + "CIMType": "String", + "Name": "BlockWin32APICallsFromOfficeMacros", "Option": "Write" }, { "CIMType": "String[]", - "Name": "ProductIds", + "Name": "BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "UseSharedComputerActivation", + "CIMType": "String", + "Name": "BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion", "Option": "Write" }, { - "CIMType": "String", - "Name": "UpdateChannel", + "CIMType": "String[]", + "Name": "BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "OfficeSuiteAppDefaultFileFormat", + "Name": "BlockOfficeCommunicationAppFromCreatingChildProcesses", + "Option": "Write" + }, + { + "CIMType": "String[]", + 
"Name": "BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "OfficePlatformArchitecture", + "Name": "BlockAllOfficeApplicationsFromCreatingChildProcesses", "Option": "Write" }, { "CIMType": "String[]", - "Name": "LocalesToInstall", + "Name": "BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "InstallProgressDisplayLevel", + "Name": "BlockAdobeReaderFromCreatingChildProcesses", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ShouldUninstallOlderVersionsOfOffice", + "CIMType": "String[]", + "Name": "BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "TargetVersion", + "Name": "BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", "Option": "Write" }, { - "CIMType": "String", - "Name": "UpdateVersion", + "CIMType": "String[]", + "Name": "BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "OfficeConfigurationXml", + "Name": "BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementMobileAppCategory[]", - "Name": "Categories", + "CIMType": "String[]", + "Name": "BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementMobileAppAssignment[]", - "Name": "Assignments", + "CIMType": "String", + "Name": "BlockWebshellCreationForServers", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementMobileAppExcludedApp", - "Name": "ExcludedApps", + "CIMType": "String[]", + "Name": "BlockWebshellCreationForServers_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "Ensure", + "Name": "BlockUntrustedUnsignedProcessesThatRunFromUSB", 
"Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String[]", + "Name": "BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "BlockPersistenceThroughWMIEventSubscription", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "BlockUseOfCopiedOrImpersonatedSystemTools", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String[]", + "Name": "BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "BlockAbuseOfExploitedVulnerableSignedDrivers", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String[]", + "Name": "BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "BlockProcessCreationsFromPSExecAndWMICommands", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_DeviceManagementConfigurationPolicyItems", - "Parameters": [ + }, { - "CIMType": "String", - "Name": "dataType", + "CIMType": "String[]", + "Name": "BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "payloadId", + "Name": "BlockOfficeApplicationsFromCreatingExecutableContent", "Option": "Write" }, { - "CIMType": "String", - "Name": "displayName", + "CIMType": "String[]", + "Name": "BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "itemType", + "Name": "BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses", "Option": "Write" }, { "CIMType": "String[]", - "Name": "guidedDeploymentTags", + "Name": 
"BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntunePolicySets", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Description", + "Name": "BlockRebootingMachineInSafeMode", "Option": "Write" }, { - "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "CIMType": "String[]", + "Name": "BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions", + "Option": "Write" }, { - "CIMType": "String[]", - "Name": "GuidedDeploymentTags", + "CIMType": "String", + "Name": "UseAdvancedProtectionAgainstRansomware", "Option": "Write" }, { "CIMType": "String[]", - "Name": "RoleScopeTags", + "Name": "UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions", "Option": "Write" }, { "CIMType": "String", - "Name": "Id", + "Name": "BlockExecutableContentFromEmailClientAndWebmail", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", - "Name": "Assignments", + "CIMType": "String[]", + "Name": "BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions", "Option": "Write" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyItems[]", - "Name": "Items", + "CIMType": "String", + "Name": "CheckForSignaturesBeforeRunningScan", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "CloudBlockLevel", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "SInt32", + "Name": "CloudExtendedTimeout", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "DisableLocalAdminMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "EnableNetworkProtection", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "HideExclusionsFromLocalAdmins", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + 
"Name": "HideExclusionsFromLocalUsers", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "OobeEnableRtpAndSigUpdate", "Option": "Write" }, - { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneRoleAssignment", - "Parameters": [ { "CIMType": "String", - "Name": "Id", + "Name": "PUAProtection", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "RealTimeScanDirection", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" - }, - { - "CIMType": "String[]", - "Name": "ResourceScopes", + "Name": "ScanParameter", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ResourceScopesDisplayNames", + "CIMType": "SInt32", + "Name": "ScheduleQuickScanTime", "Option": "Write" }, { "CIMType": "String", - "Name": "ScopeType", + "Name": "ScheduleScanDay", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Members", + "CIMType": "SInt32", + "Name": "ScheduleScanTime", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "MembersDisplayNames", + "CIMType": "SInt32", + "Name": "SignatureUpdateInterval", "Option": "Write" }, { "CIMType": "String", - "Name": "RoleDefinition", + "Name": "SubmitSamplesConsent", "Option": "Write" }, { "CIMType": "String", - "Name": "RoleDefinitionDisplayName", + "Name": "LsaCfgFlags", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "DeviceEnumerationPolicy", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "SmartScreenEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "SmartScreenPuaEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "SmartScreenDnsRequestsEnabled", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": 
"String", + "Name": "NewSmartScreenLibraryEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "SmartScreenForTrustedDownloadsEnabled", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "PreventSmartScreenPromptOverride", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": "PreventSmartScreenPromptOverrideForFiles", "Option": "Write" } ] }, { - "ClassName": "MSFT_IntuneRoleDefinition", + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint", "Parameters": [ { "CIMType": "String", - "Name": "Id", + "Name": "DisableSafetyFilterOverrideForAppRepUnknown", "Option": "Write" - }, + } + ] + }, + { + "ClassName": "MSFT_IntuneSecurityBaselineDefenderForEndpoint", + "Parameters": [ { "CIMType": "String", "Name": "Description", @@ -36543,23 +42244,28 @@ "Option": "Key" }, { - "CIMType": "Boolean", - "Name": "IsBuiltIn", + "CIMType": "String[]", + "Name": "RoleScopeTagIds", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "allowedResourceActions", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "notAllowedResourceActions", + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint", + "Name": "DeviceSettings", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "roleScopeTagIds", + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint", + "Name": "UserSettings", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { @@ -41744,7 +47450,7 @@ "Parameters": [ { "CIMType": "String", - "Name": "ResourceName", + "Name": "ResourceTypeName", "Option": "Key" }, { 
@@ -42867,6 +48573,21 @@ "Name": "EnvironmentSKU", "Option": "Required" }, + { + "CIMType": "Boolean", + "Name": "ProvisionDatabase", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "LanguageName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CurrencyName", + "Option": "Write" + }, { "CIMType": "String", "Name": "Ensure", 
@@ -42977,6 +48698,176 @@ "Name": "IsSingleInstance", "Option": "Key" }, + { + "CIMType": "Boolean", + "Name": "DisableCopilotFeedback", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableMakerMatch", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableUnusedLicenseAssignment", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableCreateFromImage", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableConnectionSharingWithEveryone", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowNewOrgChannelDefault", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableCopilot", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableCopilotWithBing", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableAdminDigest", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisablePreferredDataLocationForTeamsEnvironment", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableDeveloperEnvironmentCreationByNonAdminUsers", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnvironmentRoutingAllMakers", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableDefaultEnvironmentRouting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EnableDesktopFlowDataPolicyManagement", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableCanvasAppInsights", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableCreateFromFigma", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableBillingPolicyCreationByNonAdminUsers", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "StorageCapacityConsumptionWarningThreshold", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableTenantCapacityReportForEnvironmentAdmins", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": 
"EnableTenantLicensingReportForEnvironmentAdmins", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableUseOfUnassignedAIBuilderCredits", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EnableGenerativeAIFeaturesForSiteUsers", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EnableExternalAuthenticationProvidersInPowerPages", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableChampionsInvitationReachout", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableSkillsMatchInvitationReachout", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableOpenAiBotPublishing", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableAiPrompts", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableCopilotFeedbackMetadata", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableModelDataSharing", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableDataLogging", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PowerCatalogAudienceSetting", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableDeleteDisabledUserinAllEnvironments", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableHelpSupportCopilot", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DisableSurveyScreenshots", + "Option": "Write" + }, { "CIMType": "boolean", "Name": "WalkMeOptOut", @@ -46787,6 +52678,21 @@ "Name": "ProfileInScopeTimeSpan", "Option": "Write" }, + { + "CIMType": "UInt32", + "Name": "GPUUtilizationLimit", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "CPUUtilizationLimit", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MDATPTriageStatus", + "Option": "Write" + }, { "CIMType": "string", "Name": "Ensure", 
@@ -46974,6 +52880,556 @@ } ] }, + { + "ClassName": "MSFT_PolicyConfigApp", + "Parameters": [ + { + "CIMType": "String", + "Name": "Value", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Executable", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigStorageAccount", + "Parameters": [ + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BlobUri", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigSiteGroupAddress", + "Parameters": [ + { + "CIMType": "String", + "Name": "MatchType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Url", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AddressLower", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AddressUpper", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigDLPSiteGroups", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigSiteGroupAddress[]", + "Name": "addresses", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigRemovableMedia", + "Parameters": [ + { + "CIMType": "String", + "Name": "deviceId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "removableMediaVID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "alias", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "removableMediaPID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "instancePathId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "serialNumberId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "hardwareId", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigDLPRemovableMediaGroups", + "Parameters": [ + { + "CIMType": "String", + "Name": 
"groupName", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigRemovableMedia[]", + "Name": "removableMedia", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigIPRange", + "Parameters": [ + { + "CIMType": "String", + "Name": "fromAddress", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "toAddress", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigPrinter", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "universalPrinter", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "usbPrinter", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "usbPrinterId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "alias", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "usbPrinterVID", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigIPRange", + "Name": "ipRange", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "corporatePrinter", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "printToLocal", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "printToFile", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigDLPNetworkShareGroups", + "Parameters": [ + { + "CIMType": "String", + "Name": "groupName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "groupId", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "networkPaths", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigDLPApp", + "Parameters": [ + { + "CIMType": "String", + "Name": "ExecutableName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Quarantine", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigDLPAppGroups", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + 
"CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigDLPApp[]", + "Name": "Apps", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigEvidenceStoreSettings", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "FileEvidenceIsEnabled", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "NumberOfDaysToRetain", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigStorageAccount[]", + "Name": "StorageAccounts", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Store", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigBusinessJustificationList", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "justificationText", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Enable", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigDLPPrinterGroups", + "Parameters": [ + { + "CIMType": "String", + "Name": "groupName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "groupId", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigPrinter[]", + "Name": "printers", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PolicyConfigQuarantineParameters", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "EnableQuarantineForCloudSyncApps", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "QuarantinePath", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MacQuarantinePath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ShouldReplaceFile", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FileReplacementText", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SCPolicyConfig", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": 
"Boolean", + "Name": "AdvancedClassificationEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AuditFileActivity", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "BandwidthLimitEnabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigBusinessJustificationList[]", + "Name": "BusinessJustificationList", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CloudAppMode", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "CloudAppRestrictionList", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "CustomBusinessJustificationNotification", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "DailyBandwidthLimitInMB", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigDLPAppGroups[]", + "Name": "DLPAppGroups", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigDLPNetworkShareGroups[]", + "Name": "DLPNetworkShareGroups", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigDLPPrinterGroups[]", + "Name": "DLPPrinterGroups", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigDLPRemovableMediaGroups[]", + "Name": "DLPRemovableMediaGroups", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IncludePredefinedUnallowedBluetoothApps", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "MacDefaultPathExclusionsEnabled", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "MacPathExclusion", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "NetworkPathEnforcementEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "NetworkPathExclusion", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "PathExclusion", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "serverDlpEnabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigEvidenceStoreSettings", + "Name": "EvidenceStoreSettings", + "Option": "Write" + }, + { + "CIMType": 
"MSFT_PolicyConfigDLPSiteGroups[]", + "Name": "SiteGroups", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigApp[]", + "Name": "UnallowedApp", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigApp[]", + "Name": "UnallowedCloudSyncApp", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigApp[]", + "Name": "UnallowedBluetoothApp", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigApp[]", + "Name": "UnallowedBrowser", + "Option": "Write" + }, + { + "CIMType": "MSFT_PolicyConfigQuarantineParameters", + "Name": "QuarantineParameters", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "VPNSettings", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableLabelCoauth", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableSpoAipMigration", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_SCProtectionAlert", "Parameters": [ 
@@ -48264,6 +54720,361 @@ } ] }, + { + "ClassName": "MSFT_SentinelAlertRuleEventGroupingSettings", + "Parameters": [ + { + "CIMType": "String", + "Name": "aggregationKind", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleCustomDetails", + "Parameters": [ + { + "CIMType": "String", + "Name": "DetailKey", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DetailValue", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleEntityMapping", + "Parameters": [ + { + "CIMType": "String", + "Name": "entityType", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleEntityMappingFieldMapping[]", + "Name": "fieldMappings", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleEntityMappingFieldMapping", + "Parameters": [ + { + "CIMType": "String", + "Name": "columnName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "identifier", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleAlertDetailsOverride", + "Parameters": [ + { + "CIMType": "String", + "Name": "alertDescriptionFormat", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "alertDisplayNameFormat", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "alertSeverityColumnName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "alertTacticsColumnName", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty[]", + "Name": "alertDynamicProperties", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty", + "Parameters": [ + { + "CIMType": "String", + "Name": "alertProperty", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "alertPropertyValue", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleIncidentConfiguration", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "createIncident", + "Option": "Write" + 
}, + { + "CIMType": "MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration", + "Name": "groupingConfiguration", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "enabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail[]", + "Name": "groupByAlertDetails", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "groupByCustomDetails", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "groupByEntities", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "lookbackDuration", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "matchingMethod", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "reopenClosedIncident", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Severity", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_SentinelAlertRule", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "SubscriptionId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ResourceGroupName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WorkspaceName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ProductFilter", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Enabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Severity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Tactics", + 
"Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Techniques", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SubTechniques", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Query", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "QueryFrequency", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "QueryPeriod", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TriggerOperator", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "TriggerThreshold", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SuppressionDuration", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SuppressionEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AlertRuleTemplateName", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DisplayNamesExcludeFilter", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DisplayNamesFilter", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SeveritiesFilter", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleEventGroupingSettings", + "Name": "EventGroupingSettings", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleCustomDetails[]", + "Name": "CustomDetails", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleEntityMapping[]", + "Name": "EntityMappings", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleAlertDetailsOverride", + "Name": "AlertDetailsOverride", + "Option": "Write" + }, + { + "CIMType": "MSFT_SentinelAlertRuleIncidentConfiguration", + "Name": "IncidentConfiguration", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Kind", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + 
"CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_SentinelSetting", "Parameters": [ 
@@ -48334,6 +55145,131 @@ } ] }, + { + "ClassName": "MSFT_SentinelThreatIntelligenceIndicator", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "SubscriptionId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ResourceGroupName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WorkspaceName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PatternType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Pattern", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Revoked", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ValidFrom", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ValidUntil", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Source", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Labels", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ThreatIntelligenceTags", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ThreatTypes", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "KillChainPhases", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "Confidence", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { 
"ClassName": "MSFT_SentinelWatchlist", "Parameters": [ @@ -50307,6 +57243,31 @@ "Name": "EnableAIPIntegration", "Option": "Write" }, + { + "CIMType": "Boolean", + "Name": "ExemptNativeUsersFromTenantLevelRestricedAccessControl", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AllowSelectSGsInODBListInTenant", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DenySelectSGsInODBListInTenant", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DenySelectSecurityGroupsInSPSitesList", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AllowSelectSecurityGroupsInSPSitesList", + "Option": "Write" + }, { "CIMType": "String", "Name": "TenantDefaultTimezone", 
@@ -53069,102 +60030,107 @@ }, { "CIMType": "Boolean", - "Name": "AllowChannelMeetingScheduling", + "Name": "AllowAnnotations", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowMeetNow", + "Name": "AllowAnonymousUsersToDialOut", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowPrivateMeetNow", + "Name": "AllowAnonymousUsersToJoinMeeting", "Option": "Write" }, { - "CIMType": "String", - "Name": "MeetingChatEnabledType", + "CIMType": "Boolean", + "Name": "AllowAnonymousUsersToStartMeeting", "Option": "Write" }, { "CIMType": "String", - "Name": "LiveCaptionsEnabledType", + "Name": "AllowCartCaptionsScheduling", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowIPAudio", + "Name": "AllowChannelMeetingScheduling", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowIPVideo", + "Name": "AllowCloudRecording", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowEngagementReport", + "Name": "AllowDocumentCollaboration", "Option": "Write" }, { "CIMType": "String", - "Name": "IPAudioMode", + "Name": "AllowedStreamingMediaInput", "Option": "Write" }, { "CIMType": "String", - "Name": "IPVideoMode", + "Name": "AllowEngagementReport", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowAnonymousUsersToDialOut", + "Name": "AllowExternalParticipantGiveRequestControl", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowAnonymousUsersToStartMeeting", + "Name": "AllowIPAudio", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowPrivateMeetingScheduling", + "Name": "AllowIPVideo", "Option": "Write" }, { - "CIMType": "String", - "Name": "AutoAdmittedUsers", + "CIMType": "Boolean", + "Name": "AllowMeetingCoach", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowPSTNUsersToBypassLobby", + "Name": "AllowMeetingReactions", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowCloudRecording", + "Name": "AllowMeetingRegistration", "Option": "Write" }, { "CIMType": "Boolean", - "Name": 
"AllowRecordingStorageOutsideRegion", + "Name": "AllowMeetNow", "Option": "Write" }, { - "CIMType": "String", - "Name": "DesignatedPresenterRoleMode", + "CIMType": "Boolean", + "Name": "AllowNDIStreaming", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowOutlookAddIn", + "Name": "AllowNetworkConfigurationSettingsLookup", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowPowerPointSharing", + "Name": "AllowOrganizersToOverrideLobbySettings", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowOutlookAddIn", "Option": "Write" }, { 
@@ -53174,182 +60140,192 @@ }, { "CIMType": "Boolean", - "Name": "AllowExternalParticipantGiveRequestControl", + "Name": "AllowPowerPointSharing", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowSharedNotes", + "Name": "AllowPrivateMeetingScheduling", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowWhiteboard", + "Name": "AllowPrivateMeetNow", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowTranscription", + "Name": "AllowPSTNUsersToBypassLobby", "Option": "Write" }, { - "CIMType": "UInt32", - "Name": "MediaBitRateKb", + "CIMType": "Boolean", + "Name": "AllowRecordingStorageOutsideRegion", "Option": "Write" }, { - "CIMType": "String", - "Name": "ScreenSharingMode", + "CIMType": "Boolean", + "Name": "AllowSharedNotes", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowTranscription", "Option": "Write" }, { "CIMType": "String", - "Name": "VideoFiltersMode", + "Name": "AllowUserToJoinExternalMeeting", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowOrganizersToOverrideLobbySettings", + "Name": "AllowWatermarkForCameraVideo", "Option": "Write" }, { - "CIMType": "String", - "Name": "PreferredMeetingProviderForIslandsMode", + "CIMType": "Boolean", + "Name": "AllowWatermarkForScreenSharing", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowNDIStreaming", + "Name": "AllowWhiteboard", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowUserToJoinExternalMeeting", + "Name": "AttendeeIdentityMasking", "Option": "Write" }, { "CIMType": "String", - "Name": "EnrollUserOverride", + "Name": "AutoAdmittedUsers", "Option": "Write" }, { "CIMType": "String", - "Name": "RoomAttributeUserOverride", + "Name": "AutomaticallyStartCopilot", "Option": "Write" }, { "CIMType": "String", - "Name": "StreamingAttendeeMode", + "Name": "AutoRecording", "Option": "Write" }, { "CIMType": "String", - "Name": "TeamsCameraFarEndPTZMode", + "Name": "BlockedAnonymousJoinClientTypes", "Option": "Write" }, { - 
"CIMType": "Boolean", - "Name": "AllowMeetingReactions", + "CIMType": "String", + "Name": "ChannelRecordingDownload", "Option": "Write" }, { "CIMType": "String", - "Name": "WhoCanRegister", + "Name": "ConnectToMeetingControls", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowAnnotations", + "CIMType": "String", + "Name": "ContentSharingInExternalMeetings", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowAnonymousUsersToJoinMeeting", + "CIMType": "String", + "Name": "Copilot", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowMeetingCoach", + "Name": "CopyRestriction", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowMeetingRegistration", + "CIMType": "String", + "Name": "DesignatedPresenterRoleMode", "Option": "Write" }, { "CIMType": "Boolean", - "Name": "AllowNetworkConfigurationSettingsLookup", + "Name": "DetectSensitiveContentDuringScreenSharing", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowWatermarkForCameraVideo", + "CIMType": "String", + "Name": "EnrollUserOverride", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "AllowWatermarkForScreenSharing", + "CIMType": "String", + "Name": "ExplicitRecordingConsent", "Option": "Write" }, { - "CIMType": "SInt32", - "Name": "NewMeetingRecordingExpirationDays", + "CIMType": "String", + "Name": "ExternalMeetingJoin", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowCartCaptionsScheduling", + "Name": "InfoShownInReportMode", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowDocumentCollaboration", + "Name": "IPAudioMode", "Option": "Write" }, { "CIMType": "String", - "Name": "AllowedStreamingMediaInput", + "Name": "IPVideoMode", "Option": "Write" }, { "CIMType": "String", - "Name": "BlockedAnonymousJoinClientTypes", + "Name": "LiveCaptionsEnabledType", "Option": "Write" }, { "CIMType": "String", - "Name": "ChannelRecordingDownload", + "Name": "LiveInterpretationEnabledType", "Option": "Write" }, { "CIMType": "String", - 
"Name": "ExplicitRecordingConsent", + "Name": "LiveStreamingMode", "Option": "Write" }, { - "CIMType": "String", - "Name": "ForceStreamingAttendeeMode", + "CIMType": "UInt32", + "Name": "MediaBitRateKb", "Option": "Write" }, { "CIMType": "String", - "Name": "InfoShownInReportMode", + "Name": "MeetingChatEnabledType", "Option": "Write" }, { "CIMType": "String", - "Name": "LiveInterpretationEnabledType", + "Name": "MeetingInviteLanguages", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "NewMeetingRecordingExpirationDays", "Option": "Write" }, { "CIMType": "String", - "Name": "LiveStreamingMode", + "Name": "ParticipantNameChange", "Option": "Write" }, { "CIMType": "String", - "Name": "MeetingInviteLanguages", + "Name": "PreferredMeetingProviderForIslandsMode", "Option": "Write" }, { @@ -53357,16 +60333,56 @@ "Name": "QnAEngagementMode", "Option": "Write" }, + { + "CIMType": "String", + "Name": "RoomAttributeUserOverride", + "Option": "Write" + }, { "CIMType": "String", "Name": "RoomPeopleNameUserOverride", "Option": "Write" }, + { + "CIMType": "String", + "Name": "ScreenSharingMode", + "Option": "Write" + }, { "CIMType": "String", "Name": "SpeakerAttributionMode", "Option": "Write" }, + { + "CIMType": "String", + "Name": "StreamingAttendeeMode", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TeamsCameraFarEndPTZMode", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "VideoFiltersMode", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "VoiceIsolation", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WhoCanRegister", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ForceStreamingAttendeeMode", + "Option": "Write" + }, { "CIMType": "String", "Name": "Ensure", diff --git a/ResourceGenerator/M365DSCResourceGenerator.psm1 b/ResourceGenerator/M365DSCResourceGenerator.psm1 index 0f8d094ab5..085b2decca 100644 --- a/ResourceGenerator/M365DSCResourceGenerator.psm1 
+++ b/ResourceGenerator/M365DSCResourceGenerator.psm1 @@ -1,4 +1,3 @@ - function New-M365DSCResource { param ( @@ -58,10 +57,14 @@ function New-M365DSCResource $DateFormat = "o", # SettingTemplates for DeviceManagementConfigurationPolicy - [Parameter()] + [Parameter(ParameterSetName = 'SettingsCatalog')] [System.Array] $SettingsCatalogSettingTemplates, + [Parameter(ParameterSetName = 'SettingsCatalog')] + [switch] + $SkipPlatformsAndTechnologies, + # Use this switch with caution. # Navigation Properties could cause the DRG to enter an infinite loop # Navigation Properties are the properties refered as Relationships in the Graph REST API documentation. @@ -84,6 +87,9 @@ function New-M365DSCResource $graphWorkloads = @('MicrosoftGraph','Intune') if ($Workload -in $graphWorkloads) { + Write-Verbose "Import Intune Settings Catalog Helper module" + Import-Module ..\Modules\Microsoft365DSC\Modules\M365DSCIntuneSettingsCatalogUtil.psm1 -Force + $Global:CIMInstancesAlreadyFound = @() $GetcmdletName = "Get-$CmdLetNoun" $commandDetails = Find-MgGraphCommand -Command $GetcmdletName -ApiVersion $APIVersion -ErrorAction SilentlyContinue @@ -211,6 +217,12 @@ function New-M365DSCResource $addIntuneAssignments = $true $ParametersToSkip += 'Assignments' } + + if ($SkipPlatformsAndTechnologies) + { + $ParametersToSkip += 'Platforms' + $ParametersToSkip += 'Technologies' + } } $parameterInformation = $parameterInformation | Where-Object -FilterScript {$_.Name -notin $ParametersToSkip} 
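Review bot: The `Import-Module ..\Modules\Microsoft365DSC\Modules\M365DSCIntuneSettingsCatalogUtil.psm1 -Force` added in the `@@ -84,6 +87,9 @@` hunk resolves its relative path against the caller's current directory, not against the generator's own location. Run from any other directory, the import either fails with a non-terminating error and generation carries on without the helper, or it loads whatever file sits at that relative path, and `-Force` replaces an already loaded copy with it. Anchoring the path to the module and stopping on failure makes the loaded code predictable: `Import-Module (Join-Path -Path $PSScriptRoot -ChildPath '..\Modules\Microsoft365DSC\Modules\M365DSCIntuneSettingsCatalogUtil.psm1') -Force -ErrorAction Stop`. New-M365DSCResource starts and ends outside this hunk.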
@@ -251,6 +263,12 @@ function New-M365DSCResource $userSettingsCatalogTemplates = $SettingsCatalogSettingTemplates | Where-Object -FilterScript { $_.SettingInstanceTemplate.SettingDefinitionId.StartsWith("user_") } $userSettingDefinitions = $userSettingsCatalogTemplates.SettingDefinitions + $defaultSettingsCatalogTemplates = $SettingsCatalogSettingTemplates | Where-Object -FilterScript { + -not $_.SettingInstanceTemplate.SettingDefinitionId.StartsWith("device_") -and + -not $_.SettingInstanceTemplate.SettingDefinitionId.StartsWith("user_") + } + $defaultSettingDefinitions = $defaultSettingsCatalogTemplates.SettingDefinitions + $containsDeviceAndUserSettings = $false if ($deviceSettingDefinitions.Count -gt 0 -and $userSettingDefinitions.Count -gt 0) { @@ -275,6 +293,15 @@ function New-M365DSCResource -AllSettingDefinitions $userSettingDefinitions } + $defaultTemplateSettings = @() + foreach ($defaultSettingTemplate in $defaultSettingsCatalogTemplates) + { + $defaultTemplateSettings += New-SettingsCatalogSettingDefinitionSettingsFromTemplate ` + -FromRoot ` + -SettingTemplate $defaultSettingTemplate ` + -AllSettingDefinitions $defaultSettingDefinitions + } + $deviceDefinitionSettings = @() foreach ($deviceTemplateSetting in $deviceTemplateSettings) { @@ -297,6 +324,19 @@ function New-M365DSCResource -TemplateSetting $userTemplateSetting } + $defaultDefinitionSettings = @() + foreach ($defaultTemplateSetting in $defaultTemplateSettings) + { + foreach ($defaultChildSetting in $defaultTemplateSetting.ChildSettings) + { + $defaultChildSetting.DisplayName += " - Depends on $($defaultTemplateSetting.Name)" + } + $defaultDefinitionSettings += New-ParameterDefinitionFromSettingsCatalogTemplateSetting ` + -TemplateSetting $defaultTemplateSetting + } + + Write-Verbose -Message "* Check the description for the parameters. CIM types might include a 'Depends on' information, although it is not required." + if ($containsDeviceAndUserSettings) { $definitionSettings = @{ 
@@ -333,7 +373,7 @@ $($userDefinitionSettings.MOF -join "`r`n") } else { - $definitionSettings = $deviceDefinitionSettings + $userDefinitionSettings + $definitionSettings = $deviceDefinitionSettings + $userDefinitionSettings + $defaultDefinitionSettings } $parameterString += $definitionSettings.PowerShell -join ",`r`n`r`n" @@ -967,7 +1007,15 @@ class MSFT_DeviceManagementConfigurationPolicyAssignments -Workload $Workload ` -CmdLetNoun $CmdLetNoun ` -ApiVersion $ApiVersion ` - -UpdateVerb $updateVerb).permissions | ConvertTo-Json -Depth 20 + -UpdateVerb $updateVerb).permissions + if ($ResourceName -like "Intune*") + { + $resourcePermissions.graph.application.read += @{ name = 'Group.Read.All' } + $resourcePermissions.graph.application.update += @{ name = 'Group.Read.All' } + $resourcePermissions.graph.delegated.read += @{ name = 'Group.Read.All' } + $resourcePermissions.graph.delegated.update += @{ name = 'Group.Read.All' } + } + $resourcePermissions = $resourcePermissions | ConvertTo-Json -Depth 20 $resourcePermissions = ' ' + $resourcePermissions Write-TokenReplacement -Token '' -Value $ResourceName -FilePath $settingsFilePath Write-TokenReplacement -Token '' -Value $resourceDescription -FilePath $settingsFilePath @@ -2032,7 +2080,6 @@ function Get-ComplexTypeConstructorToString $complexString.AppendLine($spacing + "`$$tempPropertyName.Add('" + $nestedPropertyName + "', `$$referencePrefix$AssignedPropertyName)" ) | Out-Null } } - } } } 
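Review bot: In the `@@ -333,7 +373,7 @@` hunk, `$defaultDefinitionSettings` is appended only in the `else` branch. The `if ($containsDeviceAndUserSettings)` branch, as far as the surrounding lines show, still builds `$definitionSettings` from the device and user settings alone. If that holds, a template set that mixes `device_`, `user_` and unprefixed settings silently loses the unprefixed ones in the generated resource. Most of that branch lies outside the hunk, so confirm it there, and add the default settings' PowerShell and MOF output to the combined hashtable if they are missing.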
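Review bot: The `@@ -967,7 +1007,15 @@` hunk adds `Group.Read.All` to the application and delegated read and update permissions of every resource whose name matches `Intune*`, whether or not that resource handles group assignments. The generated settings file then documents a tenant-wide group read permission for resources that may never need it, which works against least privilege. If the permission is only needed to resolve assignments, gate it on the flag set earlier in the function, e.g. `if ($ResourceName -like "Intune*" -and $addIntuneAssignments)`, assuming that variable is still in scope here. The `+=` also appends without checking whether `Group.Read.All` is already listed, so a duplicate entry is possible.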
@@ -3786,7 +3833,7 @@ function Get-SettingsCatalogSettingDefinitionValueType { # Type can be Choice, Simple or *Collection $type = $SettingDefinition.AdditionalProperties.'@odata.type'.Replace($settingDefinitionOdataTypeBase, "").Replace("Setting", "").Replace("Definition", "") if ($type -eq 'Simple') { - $type += $SettingDefinition.AdditionalProperties.defaultValue.'@odata.type'.Replace($settingDefinitionOdataTypeBase, "").Replace("SettingValue", "") + $type += $SettingDefinition.AdditionalProperties.valueDefinition.'@odata.type'.Replace($settingDefinitionOdataTypeBase, "").Replace("SettingValueDefinition", "") } elseif ($type -eq 'SimpleCollection') { if ($null -ne $SettingDefinition.AdditionalProperties.defaultValue) { $type = $type.Replace("Collection", $SettingDefinition.AdditionalProperties.defaultValue.'@odata.type'.Replace($settingDefinitionOdataTypeBase, "").Replace("SettingValue", "") + "Collection") 
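Review bot: The rewritten `Simple` branch in Get-SettingsCatalogSettingDefinitionValueType calls `.Replace()` on `$SettingDefinition.AdditionalProperties.valueDefinition.'@odata.type'` without checking that `valueDefinition` is present, while the `SimpleCollection` branch just below guards its lookup with `$null -ne`. A setting definition without `valueDefinition` would stop generation with a null-method error. Wrapping the line in `if ($null -ne $SettingDefinition.AdditionalProperties.valueDefinition) { ... }` with an explicit fallback or error message keeps the two branches consistent. The `SimpleCollection` branch still derives its type from `defaultValue`; if `valueDefinition` is the more reliable source, it likely wants the same change. The function continues outside the hunk.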
@@ -3871,99 +3918,7 @@ function New-SettingsCatalogSettingDefinitionSettingsFromTemplate { $options = Get-SettingsCatalogSettingDefinitionValueOption -SettingDefinition $SettingDefinition -SettingDefinitionOdataTypeBase $settingDefinitionOdataTypeBase $valueRestriction = Get-SettingsCatalogSettingDefinitionValueDefinition -SettingDefinition $SettingDefinition -SettingDefinitionOdataTypeBase $settingDefinitionOdataTypeBase - $settingName = $SettingDefinition.Name - - $settingsWithSameName = $AllSettingDefinitions | Where-Object -FilterScript { $_.Name -eq $settingName } - if ($settingsWithSameName.Count -gt 1) - { - # Get the parent setting of the current setting - $parentSetting = Get-ParentSettingDefinition -SettingDefinition $SettingDefinition -AllSettingDefinitions $AllSettingDefinitions - if ($null -ne $parentSetting) - { - $combinationMatchesWithParent = $settingsWithSameName | Where-Object -FilterScript { - "$($parentSetting.Name)_$($_.Name)" -eq "$($parentSetting.Name)_$settingName" - } - # If the combination of parent setting and setting name is unique, add the parent setting name to the setting name - if ($combinationMatchesWithParent.Count -eq 1) - { - $settingName = $parentSetting.Name + "_" + $settingName - } - # If the combination of parent setting and setting name is still not unique, do it with the OffsetUri of the current setting - else - { - $skip = 0 - $breakCounter = 0 - $newSettingName = $settingName - do { - $previousSettingName = $newSettingName - $newSettingName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $SettingDefinition.OffsetUri -SettingName $newSettingName -Skip $skip - - $combinationMatchesWithOffsetUri = @() - $settingsWithSameName | ForEach-Object { - $newName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $_.OffsetUri -SettingName $previousSettingName -Skip $skip - if ($newName -eq $newSettingName) - { - # Exclude v2 versions from the comparison - if ($settingDefinition.Id -like "*_v2" -and $_.Id -ne 
$settingDefinition.Id.Replace('_v2', '') -or - $settingDefinition.Id -notlike "*_v2" -and $_.Id -ne $settingDefinition.Id + "_v2") - { - $combinationMatchesWithOffsetUri += $_ - } - } - } - $settingsWithSameName = $combinationMatchesWithOffsetUri - $skip++ - $breakCounter++ - } while ($combinationMatchesWithOffsetUri.Count -gt 1 -and $breakCounter -lt 8) - - if ($breakCounter -lt 8) - { - if ($settingDefinition.Id -like "*_v2" -and $newSettingName -notlike "*_v2") - { - $newSettingName += "_v2" - } - $settingName = $newSettingName - } - else - { - # Alternative way if no unique setting name can be found - $parentSettingIdProperty = $parentSetting.Id.Split('_')[-1] - $parentSettingIdWithoutProperty = $parentSetting.Id.Replace("_$parentSettingIdProperty", "") - # We can't use the entire setting here, because the child setting id does not have to come after the parent setting id - $settingName = $settingDefinition.Id.Replace($parentSettingIdWithoutProperty + "_", "").Replace($parentSettingIdProperty + "_", "") - } - } - } - - # When there is no parent, we can't use the parent setting name to make the setting name unique - # Instead, we traverse up the OffsetUri. Since no parent setting can only happen at the root level, the result - # of Get-SettingDefinitionNameWithParentFromOffsetUri is absolute and cannot change. There cannot be multiple settings with the same name - # in the same level of OffsetUri - if ($null -eq $parentSetting) - { - $settingName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $SettingDefinition.OffsetUri -SettingName $settingName - } - - # Simplify names from the OffsetUri. This is done to make the names more readable, especially in case of long and complex OffsetUris. 
- switch -wildcard ($settingName) - { - 'access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings~*' { $settingName = $settingName.Replace('access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings', 'MicrosoftAccess_') } - 'excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions~*' { $settingName = $settingName.Replace('excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions', 'MicrosoftExcel_') } - 'word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions~*' { $settingName = $settingName.Replace('word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions', 'MicrosoftWord_') } - 'ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions~*' { $settingName = $settingName.Replace('ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions', 'MicrosoftPowerPoint_') } - 'proj16v2~Policy~L_Proj~L_ProjectOptions~*' { $settingName = $settingName.Replace('proj16v2~Policy~L_Proj~L_ProjectOptions', 'MicrosoftProject_') } - 'visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions~*' { $settingName = $settingName.Replace('visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions', 'MicrosoftVisio_') } - 'pub16v2~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v2~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV2_') } - 'pub16v3~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v3~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV3_') } - 'microsoft_edge~Policy~microsoft_edge~*' { $settingName = $settingName.Replace('microsoft_edge~Policy~microsoft_edge', 'MicrosoftEdge_') } - '*~L_Security~*' { $settingName = $settingName.Replace('~L_Security', 'Security') } - '*~L_TrustCenter*' { $settingName = $settingName.Replace('~L_TrustCenter', '_TrustCenter') } - '*~L_ProtectedView_*' { $settingName = $settingName.Replace('~L_ProtectedView', 'ProtectedView') } - '*~L_FileBlockSettings_*' { $settingName = $settingName.Replace('~L_FileBlockSettings', 'FileBlockSettings') } - '*~L_TrustedLocations*' { $settingName = 
$settingName.Replace('~L_TrustedLocations', 'TrustedLocations') } - '*~HTTPAuthentication_*' { $settingName = $settingName.Replace('~HTTPAuthentication', 'HTTPAuthentication') } - } - } + $settingName = Get-SettingsCatalogSettingName -SettingDefinition $SettingDefinition -AllSettingDefinitions $AllSettingDefinitions $childSettings = @() $childSettings += $SettingTemplate.SettingDefinitions | Where-Object -FilterScript { @@ -3973,9 +3928,10 @@ function New-SettingsCatalogSettingDefinitionSettingsFromTemplate { } $instanceName = "MSFT_MicrosoftGraphIntuneSettingsCatalog" - if ($Level -gt 1 -and $type -like "GroupCollection*" -and $childSettings.Count -gt 1) + if (($Level -gt 1 -and $type -like "GroupCollection*" -and $childSettings.Count -gt 1) -or + ($Level -eq 1 -and $type -like "GroupCollection*" -and $childSettings.Count -ge 1 -and $childSettings.AdditionalProperties.'@odata.type' -notcontains "#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition")) { - $instanceName = $ParentInstanceName + $SettingDefinition.Name + $instanceName = $ParentInstanceName + $settingName } $innerChildSettings = @() @@ -4000,7 +3956,7 @@ function New-SettingsCatalogSettingDefinitionSettingsFromTemplate { ChildSettings = $innerChildSettings } - if ($type -eq "GroupCollectionCollection" -and $childSettings.Count -eq 1) + if ($type -eq "GroupCollectionCollection" -and $childSettings.Count -eq 1 -and $SettingDefinition.AdditionalProperties.maximumCount -eq 1) { # Reset type and make child setting a collection $setting.Type = "GroupCollection" 
@@ -4010,85 +3966,6 @@ function New-SettingsCatalogSettingDefinitionSettingsFromTemplate { $setting } -<# - This function also exists in M365DSCDRGUtil.psm1. Changes here must be added there as well for compatibility. -#> -function Get-SettingDefinitionNameWithParentFromOffsetUri { - param ( - [Parameter(Mandatory = $true)] - [System.String] - $OffsetUri, - - [Parameter(Mandatory = $true)] - [System.String] - $SettingName, - - [Parameter(Mandatory = $false)] - [System.Int32] - $Skip = 0 - ) - - # If the last part of the OffsetUri is the same as the setting name or it contains invalid characters, we traverse up until we reach the first element - # Invalid characters are { and } which are used in the OffsetUri to indicate a variable - $splittedOffsetUri = $OffsetUri.Split("/") - if ([string]::IsNullOrEmpty($splittedOffsetUri[0])) - { - $splittedOffsetUri = $splittedOffsetUri[1..($splittedOffsetUri.Length - 1)] - } - - if ($Skip -gt $splittedOffsetUri.Length - 1) - { - return $SettingName - } - - $splittedOffsetUri = $splittedOffsetUri[0..($splittedOffsetUri.Length - 1 - $Skip)] - $traversed = $false - while (-not $traversed -and $splittedOffsetUri.Length -gt 1) # Prevent adding the first element of the OffsetUri - { - $traversed = $true - if ($splittedOffsetUri[-1] -eq $SettingName -or $splittedOffsetUri[-1] -match "[\{\}]" -or $SettingName.StartsWith($splittedOffsetUri[-1])) - { - $splittedOffsetUri = $splittedOffsetUri[0..($splittedOffsetUri.Length - 2)] - $traversed = $false - } - } - - if ($splittedOffsetUri.Length -gt 1) - { - $splittedOffsetUri[-1] + "_" + $SettingName - } - else - { - $SettingName - } -} - -function Get-ParentSettingDefinition { - param( - [Parameter(Mandatory = $true)] - $SettingDefinition, - - [Parameter(Mandatory = $true)] - $AllSettingDefinitions - ) - - $parentSetting = $null - if ($SettingDefinition.AdditionalProperties.dependentOn.parentSettingId.Count -gt 0) - { - $parentSetting = $AllSettingDefinitions | Where-Object -FilterScript { - 
$_.Id -eq ($SettingDefinition.AdditionalProperties.dependentOn.parentSettingId | Select-Object -Unique -First 1) - } - } - elseif ($SettingDefinition.AdditionalProperties.options.dependentOn.parentSettingId.Count -gt 0) - { - $parentSetting = $AllSettingDefinitions | Where-Object -FilterScript { - $_.Id -eq ($SettingDefinition.AdditionalProperties.options.dependentOn.parentSettingId | Select-Object -Unique -First 1) - } - } - - $parentSetting -} - function New-ParameterDefinitionFromSettingsCatalogTemplateSetting { param( [Parameter(Mandatory = $true)] diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index d0e9424d6f..a46d077fd1 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 
@@ -34,6 +34,97 @@ $Domain = $TenantId Node Localhost { + AADAccessReviewDefinition 'AADAccessReviewDefinition-Example' + { + DescriptionForAdmins = "description for admins"; + DescriptionForReviewers = "description for reviewers"; + DisplayName = "Test Access Review Definition"; + Ensure = "Present"; + Id = "613854e6-c458-4a2c-83fc-e0f4b8b17d60"; + ScopeValue = MSFT_MicrosoftGraphaccessReviewScope{ + PrincipalScopes = @( + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/v1.0/users?$filter=userType eq ''Guest''' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + ) + ResourceScopes = @( + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/v1.0/groups/a8ab05ba-6680-4f93-88ae-71099eedfda1/transitiveMembers/microsoft.graph.user/?$count=true&$filter=(userType eq ''Guest'')' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/beta/teams/a8ab05ba-6680-4f93-88ae-71099eedfda1/channels?$filter=membershipType eq ''shared''' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + ) + odataType = '#microsoft.graph.principalResourceMembershipsScope' + }; + SettingsValue = MSFT_MicrosoftGraphaccessReviewScheduleSettings{ + ApplyActions = @( + MSFT_MicrosoftGraphAccessReviewApplyAction{ + odataType = '#microsoft.graph.removeAccessApplyAction' + } + ) + InstanceDurationInDays = 4 + RecommendationsEnabled = $False + DecisionHistoriesForReviewersEnabled = $False + DefaultDecisionEnabled = $False + JustificationRequiredOnApproval = $True + RecommendationInsightSettings = @( + MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting{ + SignInScope = 'tenant' + RecommendationLookBackDuration = 'P15D' + odataType = '#microsoft.graph.userLastSignInRecommendationInsightSetting' + } + ) + AutoApplyDecisionsEnabled = $False + ReminderNotificationsEnabled = $True + Recurrence = MSFT_MicrosoftGraphPatternedRecurrence{ + 
Range = MSFT_MicrosoftGraphRecurrenceRange{ + NumberOfOccurrences = 0 + Type = 'noEnd' + StartDate = '10/18/2024 12:00:00 AM' + EndDate = '12/31/9999 12:00:00 AM' + } + Pattern = MSFT_MicrosoftGraphRecurrencePattern{ + DaysOfWeek = @() + Type = 'weekly' + Interval = 1 + Month = 0 + Index = 'first' + FirstDayOfWeek = 'sunday' + DayOfMonth = 0 + } + + } + DefaultDecision = 'None' + RecommendationLookBackDuration = '15.00:00:00' + MailNotificationsEnabled = $False + }; + StageSettings = @( + MSFT_MicrosoftGraphaccessReviewStageSettings{ + StageId = '1' + RecommendationsEnabled = $True + DependsOnValue = @() + DecisionsThatWillMoveToNextStage = @('Approve') + DurationInDays = 3 + } + MSFT_MicrosoftGraphaccessReviewStageSettings{ + StageId = '2' + RecommendationsEnabled = $True + DependsOnValue = @('1') + DecisionsThatWillMoveToNextStage = @('Approve') + DurationInDays = 3 + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADAdministrativeUnit 'TestUnit' { DisplayName = 'Test-Unit' 
@@ -118,6 +209,32 @@ Id = "c3"; IsAvailable = $True; } + AADAuthenticationMethodPolicyExternal 'AADAuthenticationMethodPolicyExternal-Cisco Duo' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb"; + DisplayName = "Cisco Duo"; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{ + Id = 'Design' + TargetType = 'group' + } + ); + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{ + Id = 'Contoso' + TargetType = 'group' + } + ); + OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '7698a352-4939-486e-9974-4ea5aff93f74' + }; + State = "disabled"; + } AADAuthenticationStrengthPolicy 'AADAuthenticationStrengthPolicy-Example' { AllowedCombinations = @("windowsHelloForBusiness","fido2","x509CertificateMultiFactor","deviceBasedPush"); 
@@ -128,6 +245,71 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADClaimsMappingPolicy 'AADClaimsMappingPolicy-Test1234' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Definition = @( + MSFT_AADClaimsMappingPolicyDefinition{ + ClaimsMappingPolicy = MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy{ + ClaimsSchema = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' + Source = 'user' + Id = 'userprincipalname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' + Source = 'user' + Id = 'givenname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' + Source = 'user' + Id = 'displayname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' + Source = 'user' + Id = 'surname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'username' + Source = 'user' + Id = 'userprincipalname' + } + ) + ClaimsTransformation = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation{ + OutputClaims = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims{ + ClaimTypeReferenceId = 'TOS' + TransformationClaimType = 'createdClaim' + } + ) + Id = 'CreateTermsOfService' + InputParameters = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter{ + DataType = 'string' + Id = 'value' + Value = 'sandbox' + } + ) + TransformationMethod = 'CreateStringClaim' + } + ) + IncludeBasicClaimSet = $True + Version = 1 + } + + } + ); + DisplayName = "Test1234"; + Ensure = "Present"; + Id = 
"fd0dc3f3-cfdf-4d56-bb03-e18161a5ac93"; + IsOrganizationDefault = $False; + } AADConditionalAccessPolicy 'ConditionalAccessPolicy' { BuiltInControls = @("mfa"); @@ -191,6 +373,33 @@ CertificateThumbprint = $CertificateThumbprint Ensure = "Present"; } + AADCustomAuthenticationExtension 'AADCustomAuthenticationExtension1' + { + AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013" + AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication" + ClaimsForTokenConfiguration = @( + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'MyClaim' + } + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'My2ndClaim' + } + ) + ClientConfigurationMaximumRetries = 1 + ClientConfigurationTimeoutMilliseconds = 2000 + CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension" + Description = "DSC Testing 1" + DisplayName = "DSCTestExtension" + EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{ + EndpointType = '#microsoft.graph.httpRequestEndpoint' + TargetUrl = 'https://Microsoft365DSC.com' + } + Ensure = "Present"; + Id = "11105949-846e-42a1-a873-f12db8345013" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADCustomSecurityAttributeDefinition 'AADCustomSecurityAttributeDefinition-ShoeSize' { ApplicationId = $ApplicationId; 
@@ -343,6 +552,85 @@ IsAppliedToOrganization = $False; IsEnabled = $True; } + AADFederationConfiguration 'MyFederation' + { + IssuerUri = 'https://contoso.com/issuerUri' + DisplayName = 'contoso display name' + MetadataExchangeUri ='https://contoso.com/metadataExchangeUri' + PassiveSignInUri = 'https://contoso.com/signin' + PreferredAuthenticationProtocol = 'wsFed' + Domains = @('contoso.com') + SigningCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6' + Ensure = 'Present' + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADFilteringPolicy 'AADFilteringPolicy-MyPolicy' + { + Action = "block"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + TenantId = $TenantId; + } + AADFilteringPolicyRule 'AADFilteringPolicyRule-FQDN' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + value = 'Microsoft365DSC.com' + } + ); + Ensure = "Present"; + Name = "MyFQDN"; + Policy = "AMyPolicy"; + RuleType = "fqdn"; + TenantId = $TenantId; + } + AADFilteringPolicyRule 'AADFilteringPolicyRule-Web' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + name = 'ChildAbuseImages' + } + ); + Ensure = "Present"; + Name = "MyWebContentRule"; + Policy = "MyPolicy"; + RuleType = "webCategory"; + TenantId = $TenantId; + } + AADFilteringProfile 'AADFilteringProfile-My Profile' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Present"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + 
MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 120; + State = "enabled"; + TenantId = $TenantId; + } AADGroup 'MyGroups' { DisplayName = "DSCGroup" 
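Review bot: `AADFilteringPolicyRule 'AADFilteringPolicyRule-FQDN'` sets `Policy = "AMyPolicy";`, but the only filtering policy this hunk declares is named `MyPolicy` (and the sibling `-Web` rule uses `MyPolicy`), so the FQDN rule probably points at a policy that does not exist; the likely fix is `Policy = "MyPolicy";`. `AADFilteringProfile` similarly links to `MyPolicyChoseBine` and `MyTopPolicy`, neither of which is created in the visible configuration, and it is named `"My PRofile"` while the resource label says `My Profile`. An integration test that references missing objects can fail, or pass without exercising the link, depending on how the resource resolves names. The same values are repeated in the Remove test's `@@ -247,6 +283,85 @@` hunk.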
@@ -360,6 +648,89 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADHomeRealmDiscoveryPolicy 'AADHomeRealmDiscoveryPolicy-displayName-value' + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Present"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas"; + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADIdentityB2XUserFlow 'AADIdentityB2XUserFlow-B2X_1_TestFlow' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'dropdownSingleSelect' + 
IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + } + ); + } AADIdentityGovernanceLifecycleWorkflow 'AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version' { Category = "joiner"; 
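Review bot: `AADIdentityAPIConnector` builds its `Password` from a literal, `ConvertTo-SecureString "anexas" -AsPlainText -Force`, and the value equals the `Username`, so a credential is committed to the repository and the connector created in the test tenant carries a guessable basic-auth secret until the Remove run. It would be better to supply it like the other secrets of this configuration, for example as a `PSCredential` parameter (placeholder name `$ApiConnectorCredential`) filled from the pipeline's secret store. In the same hunk `AADIdentityB2XUserFlow` sets `Credential = $Credscredential;` in addition to `ApplicationId`/`TenantId`/`CertificateThumbprint`, while the other added resources use only the certificate triple; unless the resource needs both, drop the `Credential` line so the test does not mix authentication methods. The `Password` line is repeated in the Remove test's `@@ -285,6 +400,43 @@` hunk.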
@@ -401,6 +772,38 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension 'AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom' + { + ApplicationId = $ApplicationId; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + CertificateThumbprint = $CertificateThumbprint; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Present"; + TenantId = $TenantId; + } + AADIdentityGovernanceProgram 'AADIdentityGovernanceProgram-Example' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Description = "Example Program Description"; + DisplayName = "Example"; + Ensure = "Present"; + } AADNamedLocationPolicy 'CompanyNetwork' { DisplayName = "Company Network" 
@@ -412,6 +815,67 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADOrganizationCertificateBasedAuthConfiguration 'AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + CertificateAuthorities = @( + MSFT_MicrosoftGraphcertificateAuthority{ + IsRootAuthority = $True + DeltaCertificateRevocationListUrl = 'pqr.com' + Certificate = '' + } + MSFT_MicrosoftGraphcertificateAuthority{ + IsRootAuthority = $True + CertificateRevocationListUrl = 'xyz.com' + DeltaCertificateRevocationListUrl = 'pqr.com' + Certificate = '' + } + ); + Ensure = "Present"; + OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + } + AADRemoteNetwork 'AADRemoteNetwork-Test Remote Network' + { + Ensure = "Present"; + ForwardingProfiles = @("Microsoft 365 traffic forwarding profile"); + Id = "c60c41bb-e512-48e3-8134-c312439a5343"; + Name = "Test Remote Network"; + Region = "australiaSouthEast"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DeviceLinks = @( + MSFT_AADRemoteNetworkDeviceLink { + Name = 'Test Link' + IPAddress = '1.1.1.1' + BandwidthCapacityInMbps = 'mbps500' + DeviceVendor = 'ciscoCatalyst' + BgpConfiguration = MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration { + Asn = 82 + LocalIPAddress = '1.1.1.87' + PeerIPAddress = '1.1.1.2' + } + RedundancyConfiguration = MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration { + RedundancyTier = 'zoneRedundancy' + ZoneLocalIPAddress = '1.1.1.8' + } + TunnelConfiguration = MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration { + PreSharedKey = 'blah' + ZoneRedundancyPreSharedKey = 'blah' + SaLifeTimeSeconds = 300 + IPSecEncryption = 'gcmAes192' + IPSecIntegrity = 'gcmAes192' + IKEEncryption = 'aes192' + IKEIntegrity = 'gcmAes128' + DHGroup = 'ecp256' + PFSGroup = 'pfsmm' + ODataType = 
'#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Custom' + } + } + ); + } AADRoleDefinition 'AADRoleDefinition1' { DisplayName = "DSCRole1" 
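Review bot: In `AADRemoteNetwork`, `PreSharedKey = 'blah'` and `ZoneRedundancyPreSharedKey = 'blah'` are IPsec pre-shared keys written as plain strings, so they sit in clear text in the test file and presumably in the compiled configuration as well. Even as dummy values they create a device link with a trivially guessable key in whatever tenant runs the test; taking the value from a pipeline secret, or at least adding a comment such as `# dummy PSK, test tenant only`, would make the intent explicit. In the same hunk both `MSFT_MicrosoftGraphcertificateAuthority` entries set `IsRootAuthority = $True` with `Certificate = ''`, and the first has no `CertificateRevocationListUrl`; if the resource validates the certificate, this example cannot succeed as written.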
@@ -498,6 +962,104 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADUserFlowAttribute 'SaiTest' + { + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Present"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your Verified Credential?' + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' 
+ issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Present"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } } } diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 index 86e91dc321..aa51a57c7a 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 
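Review bot: `linkedDomainUrl = "https://$OrganizationName/";` in `AADVerifiedIdAuthorityContract` expands a variable that is not assigned in the visible part of this configuration (the hunk context of this file only shows `$Domain = $TenantId`); if it is undefined here the value becomes `https:///`. If the tenant domain is what is meant, `linkedDomainUrl = "https://$Domain/";` would match the variable this file already uses. `AADVerifiedIdAuthority` in the same hunk pins `LinkedDomainUrl = "https://nik-charlebois.com/"` and a concrete Key Vault `ResourceUrl` and `SubscriptionId`, which ties the test to externally owned resources; parameterising them or using the tenant's own domain keeps the test self-contained.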
@@ -34,6 +34,17 @@ $Domain = $TenantId Node Localhost { + AADAccessReviewDefinition 'AADAccessReviewDefinition-Example' + { + DescriptionForAdmins = "description for admins"; + DescriptionForReviewers = "description for reviewers"; + DisplayName = "Test Access Review Definition"; + Ensure = "Absent"; + Id = "613854e6-c458-4a2c-83fc-e0f4b8b17d60"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADAdministrativeUnit 'TestUnit' { DisplayName = 'Test-Unit' @@ -77,6 +88,14 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADAuthenticationMethodPolicyExternal 'AADAuthenticationMethodPolicyExternal-Cisco Duo' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DisplayName = "Cisco Duo"; + Ensure = "Absent"; + } AADAuthenticationMethodPolicyFido2 'AADAuthenticationMethodPolicyFido2-Fido2' { Ensure = "Absent"; @@ -141,6 +160,15 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADClaimsMappingPolicy 'AADClaimsMappingPolicy-Test1234' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DisplayName = "Test1234"; + Ensure = "Absent"; + Id = "fd0dc3f3-cfdf-4d56-bb03-e18161a5ac93"; + } AADConditionalAccessPolicy 'ConditionalAccessPolicy' { DisplayName = 'Example CAP' @@ -166,6 +194,14 @@ Ensure = "Absent"; PartnerTenantId = "12345-12345-12345-12345-12345"; } + AADCustomAuthenticationExtension 'AADCustomAuthenticationExtension1' + { + DisplayName = "DSCTestExtension" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADCustomSecurityAttributeDefinition 'AADCustomSecurityAttributeDefinition-ShoeSize' { ApplicationId = $ApplicationId; 
@@ -247,6 +283,85 @@ DisplayName = "CertificateBasedAuthentication rollout policy"; Ensure = "Absent"; } + AADFederationConfiguration 'MyFederation' + { + IssuerUri = 'https://contoso.com/issuerUri' + DisplayName = 'contoso display name' + MetadataExchangeUri ='https://contoso.com/metadataExchangeUri' + PassiveSignInUri = 'https://contoso.com/signin' + PreferredAuthenticationProtocol = 'wsFed' + Domains = @('contoso.com') + SigningCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6' + Ensure = 'Absent' + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADFilteringPolicy 'AADFilteringPolicy-MyPolicy' + { + Action = "block"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "This is a demo policy"; + Ensure = "Absent"; + Name = "MyPolicy"; + TenantId = $TenantId; + } + AADFilteringPolicyRule 'AADFilteringPolicyRule-FQDN' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + value = 'Microsoft365DSC.com' + } + ); + Ensure = "Absent"; + Name = "MyFQDN"; + Policy = "AMyPolicy"; + RuleType = "fqdn"; + TenantId = $TenantId; + } + AADFilteringPolicyRule 'AADFilteringPolicyRule-Web' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + name = 'ChildAbuseImages' + } + ); + Ensure = "Absent"; + Name = "MyWebContentRule"; + Policy = "MyPolicy"; + RuleType = "webCategory"; + TenantId = $TenantId; + } + AADFilteringProfile 'AADFilteringProfile-My Profile' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Absent"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + 
MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 120; + State = "enabled"; + TenantId = $TenantId; + } AADGroup 'MyGroups' { MailNickname = "M365DSC" @@ -285,6 +400,43 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADHomeRealmDiscoveryPolicy 'AADHomeRealmDiscoveryPolicy-displayName-value' + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Absent"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas"; + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADIdentityB2XUserFlow 'AADIdentityB2XUserFlow-B2X_1_TestFlow' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Id = "B2X_1_TestFlow"; + } AADIdentityGovernanceLifecycleWorkflow 'AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version' { Category = "joiner"; 
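Review bot: In the `AADFilteringPolicyRule 'AADFilteringPolicyRule-FQDN'` block of the `@@ -247,6 +283,85 @@` hunk, the rule points at `Policy = "AMyPolicy"`, while the policy declared just above it has `Name = "MyPolicy"` and the sibling web-category rule uses `Policy = "MyPolicy"`. Unless a policy called AMyPolicy already exists in the test tenant, this looks like a typo; the resource would presumably not resolve the parent policy, so the removal path would not really be exercised. I would change the line to `Policy = "MyPolicy";`. The same value is repeated in the FQDN rule of the Update tests hunk (`@@ -803,6 +1030,70 @@`). The policy names linked from `AADFilteringProfile` (`MyPolicyChoseBine`, `MyTopPolicy`) are not created anywhere in this hunk either, which is worth checking against the Create tests.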
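Review bot: In the `@@ -285,6 +400,43 @@` hunk, `AADIdentityB2XUserFlow 'AADIdentityB2XUserFlow-B2X_1_TestFlow'` is the only block added to this Remove configuration (among those visible here) without an `Ensure` line. It will take the resource's default, presumably Present, so the delete path is never tested; add `Ensure = "Absent";` next to `Id`. Separately, the `AADIdentityAPIConnector` block builds its `Password` from a literal with `ConvertTo-SecureString "anexas" -AsPlainText -Force`, and the value equals the `Username`. It is clearly a dummy, but a comment such as `# dummy credential for the test tenant, not a real secret` would keep secret scanners and later editors from treating it as a pattern to copy. The Update tests hunk (`@@ -861,6 +1152,89 @@`) repeats the same line.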
@@ -326,6 +478,37 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension 'AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom' + { + ApplicationId = $ApplicationId; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + CertificateThumbprint = $CertificateThumbprint; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Absent"; + TenantId = $TenantId; + } + AADIdentityGovernanceProgram 'AADIdentityGovernanceProgram-Example' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DisplayName = "Example"; + Ensure = "Absent"; + } AADNamedLocationPolicy 'CompanyNetwork' { DisplayName = "Company Network" 
@@ -334,6 +517,54 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADOrganizationCertificateBasedAuthConfiguration 'AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Absent"; + OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + } + AADRemoteNetwork 'AADRemoteNetwork-Test Remote Network' + { + Ensure = "Absent"; + ForwardingProfiles = @("Microsoft 365 traffic forwarding profile"); + Id = "c60c41bb-e512-48e3-8134-c312439a5343"; + Name = "Test Remote Network"; + Region = "australiaSouthEast"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DeviceLinks = @( + MSFT_AADRemoteNetworkDeviceLink { + Name = 'Test Link' + IPAddress = '1.1.1.1' + BandwidthCapacityInMbps = 'mbps500' + DeviceVendor = 'ciscoCatalyst' + BgpConfiguration = MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration { + Asn = 82 + LocalIPAddress = '1.1.1.87' + PeerIPAddress = '1.1.1.2' + } + RedundancyConfiguration = MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration { + RedundancyTier = 'zoneRedundancy' + ZoneLocalIPAddress = '1.1.1.8' + } + TunnelConfiguration = MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration { + PreSharedKey = 'blah' + ZoneRedundancyPreSharedKey = 'blah' + SaLifeTimeSeconds = 300 + IPSecEncryption = 'gcmAes192' + IPSecIntegrity = 'gcmAes192' + IKEEncryption = 'aes192' + IKEIntegrity = 'gcmAes128' + DHGroup = 'ecp256' + PFSGroup = 'pfsmm' + ODataType = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Custom' + } + } + ); + } AADRoleDefinition 'AADRoleDefinition1' { IsEnabled = $true 
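Review bot: In the `AADRemoteNetwork` block, `PreSharedKey = 'blah'` and `ZoneRedundancyPreSharedKey = 'blah'` are plain string literals inside `MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration`, so whatever value is put here lands in the repository and, presumably, in the compiled MOF in clear text. 'blah' is obviously a dummy, but I would mark it with a comment such as `# dummy PSK for the integration tenant; never commit a real key`. Because this block is `Ensure = "Absent"`, it may also be possible to drop `DeviceLinks` altogether; that depends on the resource's key properties, which are not visible in this hunk. The same literals are repeated in the AADRemoteNetwork block of the Update tests hunk (`@@ -926,6 +1340,105 @@`).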
@@ -401,6 +632,102 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADUserFlowAttribute 'SaiTest' + { + Id = "testIdSai" + DisplayName = "saitest" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Absent"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your Verified Credential?' + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' 
+ issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Absent"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } } } diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 index cce664e8ec..e51178069f 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 
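Review bot: In the `AADVerifiedIdAuthorityContract` block of the `@@ -401,6 +632,102 @@` hunk, `linkedDomainUrl = "https://$OrganizationName/";` interpolates a variable that is not defined in any visible part of this file; the only assignment the hunk context shows is `$Domain = $TenantId`. If `$OrganizationName` is not a parameter of the test configuration, the string expands to `https:///` and the contract is compared against a URL that can never match. Using the variable the file already defines, `linkedDomainUrl = "https://$Domain/";`, would avoid that; the Update tests hunk (`@@ -1077,6 +1603,104 @@`) has the same line. The `AADVerifiedIdAuthority` block next to it hard-codes a tenant-specific `ResourceUrl` and `LinkedDomainUrl`, which may deserve a comment saying which tenant they belong to.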
@@ -34,6 +34,105 @@ $Domain = $TenantId Node Localhost { + AADAccessReviewDefinition 'AADAccessReviewDefinition-Example' + { + DescriptionForAdmins = "description for admins"; + DescriptionForReviewers = "description for reviewers updated"; # drifted properties + DisplayName = "Test Access Review Definition"; + Ensure = "Present"; + Id = "613854e6-c458-4a2c-83fc-e0f4b8b17d60"; + ScopeValue = MSFT_MicrosoftGraphaccessReviewScope{ + PrincipalScopes = @( + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/v1.0/users?$filter=userType eq ''Guest''' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + ) + ResourceScopes = @( + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/v1.0/groups/a8ab05ba-6680-4f93-88ae-71099eedfda1/transitiveMembers/microsoft.graph.user/?$count=true&$filter=(userType eq ''Guest'')' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/beta/teams/a8ab05ba-6680-4f93-88ae-71099eedfda1/channels?$filter=membershipType eq ''shared''' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + ) + odataType = '#microsoft.graph.principalResourceMembershipsScope' + }; + SettingsValue = MSFT_MicrosoftGraphaccessReviewScheduleSettings{ + ApplyActions = @( + MSFT_MicrosoftGraphAccessReviewApplyAction{ + odataType = '#microsoft.graph.removeAccessApplyAction' + } + ) + InstanceDurationInDays = 4 + RecommendationsEnabled = $False + DecisionHistoriesForReviewersEnabled = $False + DefaultDecisionEnabled = $False + JustificationRequiredOnApproval = $True + RecommendationInsightSettings = @( + MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting{ + SignInScope = 'tenant' + RecommendationLookBackDuration = 'P15D' + odataType = '#microsoft.graph.userLastSignInRecommendationInsightSetting' + } + ) + AutoApplyDecisionsEnabled = $False + ReminderNotificationsEnabled = $True + Recurrence = 
MSFT_MicrosoftGraphPatternedRecurrence{ + Range = MSFT_MicrosoftGraphRecurrenceRange{ + NumberOfOccurrences = 0 + Type = 'noEnd' + StartDate = '10/18/2024 12:00:00 AM' + EndDate = '12/31/9999 12:00:00 AM' + } + Pattern = MSFT_MicrosoftGraphRecurrencePattern{ + DaysOfWeek = @() + Type = 'weekly' + Interval = 1 + Month = 0 + Index = 'first' + FirstDayOfWeek = 'sunday' + DayOfMonth = 0 + } + + } + DefaultDecision = 'None' + RecommendationLookBackDuration = '15.00:00:00' + MailNotificationsEnabled = $False + }; + StageSettings = @( + MSFT_MicrosoftGraphaccessReviewStageSettings{ + StageId = '1' + RecommendationsEnabled = $True + DependsOnValue = @() + DecisionsThatWillMoveToNextStage = @('Approve') + DurationInDays = 3 + } + MSFT_MicrosoftGraphaccessReviewStageSettings{ + StageId = '2' + RecommendationsEnabled = $True + DependsOnValue = @('1') + DecisionsThatWillMoveToNextStage = @('Approve') + DurationInDays = 3 + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADAccessReviewPolicy 'AADAccessReviewPolicy' + { + IsGroupOwnerManagementEnabled = $False; + IsSingleInstance = "Yes"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADAdminConsentRequestPolicy 'AADAdminConsentRequestPolicy' { ApplicationId = $ApplicationId; 
@@ -266,6 +365,32 @@ ); State = "enabled"; # Updated Property } + AADAuthenticationMethodPolicyExternal 'AADAuthenticationMethodPolicyExternal-Cisco Duo' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb"; + DisplayName = "Cisco Duo"; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{ + Id = 'Design' + TargetType = 'group' + } + ); + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{ + Id = 'Contoso' + TargetType = 'group' + } + ); + OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '7698a352-4939-486e-9974-4ea5aff93f74' + }; + State = "disabled"; + } AADAuthenticationMethodPolicyFido2 'AADAuthenticationMethodPolicyFido2-Fido2' { ApplicationId = $ApplicationId 
@@ -475,6 +600,71 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADClaimsMappingPolicy 'AADClaimsMappingPolicy-Test1234' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Definition = @( + MSFT_AADClaimsMappingPolicyDefinition{ + ClaimsMappingPolicy = MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy{ + ClaimsSchema = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' + Source = 'user' + Id = 'userprincipalname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' + Source = 'user' + Id = 'givenname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' + Source = 'user' + Id = 'displayname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' + Source = 'user' + Id = 'surname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'username' + Source = 'user' + Id = 'userprincipalname' + } + ) + ClaimsTransformation = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation{ + OutputClaims = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims{ + ClaimTypeReferenceId = 'TOS' + TransformationClaimType = 'createdClaim' + } + ) + Id = 'CreateTermsOfService' + InputParameters = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter{ + DataType = 'string' + Id = 'value' + Value = 'sandbox' + } + ) + TransformationMethod = 'CreateStringClaim' + } + ) + IncludeBasicClaimSet = $True + Version = 1 + } + + } + ); + DisplayName = "Test1234"; + Ensure = "Present"; + Id = 
"fd0dc3f3-cfdf-4d56-bb03-e18161a5ac93"; + IsOrganizationDefault = $False; + } AADConditionalAccessPolicy 'ConditionalAccessPolicy' { BuiltInControls = @("mfa"); @@ -641,6 +831,33 @@ CertificateThumbprint = $CertificateThumbprint Ensure = "Present"; } + AADCustomAuthenticationExtension 'AADCustomAuthenticationExtension1' + { + AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013" + AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication" + ClaimsForTokenConfiguration = @( + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'MyClaim' + } + MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{ + ClaimIdInApiResponse = 'My2ndClaim' + } + ) + ClientConfigurationMaximumRetries = 1 + ClientConfigurationTimeoutMilliseconds = 2000 + CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension" + Description = "DSC Testing 1" + DisplayName = "DSCTestExtension" + EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{ + EndpointType = '#microsoft.graph.httpRequestEndpoint' + TargetUrl = 'https://Microsoft365DSC.com' + } + Ensure = "Present"; + Id = "11105949-846e-42a1-a873-f12db8345013" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADCustomSecurityAttributeDefinition 'AADCustomSecurityAttributeDefinition-ShoeSize' { ApplicationId = $ApplicationId; @@ -688,6 +905,16 @@ PasswordValidityPeriodInDays = 2147483647; TenantId = $TenantId; } + AADEnrichedAuditLogs 'AADEnrichedAuditLogs' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Exchange = "disabled"; + IsSingleInstance = "Yes"; + SharePoint = "enabled"; + Teams = "disabled"; + TenantId = $TenantId; + } AADEntitlementManagementAccessPackage 'myAccessPackage' { AccessPackagesIncompatibleWith = @(); 
@@ -803,6 +1030,70 @@ IsAppliedToOrganization = $False; IsEnabled = $False; } + AADFederationConfiguration 'MyFederation' + { + IssuerUri = 'https://contoso.com/issuerUri' + DisplayName = 'contoso display name' + MetadataExchangeUri ='https://contoso.com/metadataExchangeUri' + PassiveSignInUri = 'https://contoso.com/drift' # drift + PreferredAuthenticationProtocol = 'wsFed' + Domains = @('contoso.com') + SigningCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6' + Ensure = 'Present' + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADFilteringPolicy 'AADFilteringPolicy-MyPolicy' + { + Action = "allow"; #drift + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + TenantId = $TenantId; + } + AADFilteringPolicyRule 'AADFilteringPolicyRule-FQDN' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Destinations = @( + MSFT_AADFilteringPolicyRuleDestination{ + value = 'contoso.com' #Drift + } + ); + Ensure = "Present"; + Name = "MyFQDN"; + Policy = "AMyPolicy"; + RuleType = "fqdn"; + TenantId = $TenantId; + } + AADFilteringProfile 'AADFilteringProfile-My Profile' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Present"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 130; #Drift + State = "enabled"; + TenantId = $TenantId; + } AADGroup 'MyGroups' { DisplayName = "DSCGroup" 
@@ -861,6 +1152,89 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADHomeRealmDiscoveryPolicy 'AADHomeRealmDiscoveryPolicy-displayName-value' + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $True # updating here + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Present"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas 1"; #drift + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADIdentityB2XUserFlow 'AADIdentityB2XUserFlow-B2X_1_TestFlow' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 
'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + } + ); + } AADIdentityGovernanceLifecycleWorkflow 'AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version' { Category = "joiner"; 
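Review bot: `AADIdentityB2XUserFlow 'AADIdentityB2XUserFlow-B2X_1_TestFlow'` passes `Credential = $Credscredential;` in addition to `ApplicationId`, `TenantId` and `CertificateThumbprint`, and it is the only block in this hunk that does so. `$Credscredential` is not defined anywhere in the visible part of the file, so it is either `$null` or a second, user-based authentication path mixed into an otherwise certificate-only test. Which identity the resource ends up using cannot be told from here. If the line is a leftover from the example the block was copied from, I would drop it.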
@@ -905,6 +1279,46 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension 'AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Drifted Description"; # Drift + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Present"; + TenantId = $TenantId; + } + AADIdentityGovernanceProgram 'AADIdentityGovernanceProgram-Example' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Description = "Example Program Description Updated"; + DisplayName = "Example"; + Ensure = "Present"; + } + AADIdentityProtectionPolicySettings 'AADIdentityProtectionPolicySettings' + { + IsUserRiskClearedOnPasswordReset = $false; #drift + IsSingleInstance = "Yes"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADLifecycleWorkflowSettings 'AADLifecycleWorkflowSettings' { ApplicationId = $ApplicationId; 
@@ -926,6 +1340,105 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADNetworkAccessForwardingPolicy 'AADNetworkAccessForwardingPolicy-Custom Bypass' + { + Name = "Custom Bypass"; + PolicyRules = @( + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'fqdn' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('www.microsoft.com') + } + + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipAddress' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.168.1.1') + } + + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipSubnet' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.164.0.0/24') + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADNetworkAccessSettingConditionalAccess 'AADNetworkAccessSettingConditionalAccess' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + SignalingStatus = "disabled"; + TenantId = $TenantId; + } + AADNetworkAccessSettingCrossTenantAccess 'AADNetworkAccessSettingCrossTenantAccess' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + NetworkPacketTaggingStatus = "enabled"; + TenantId = $TenantId; + } + AADOnPremisesPublishingProfilesSettings 'AADOnPremisesPublishingProfilesSettings' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsEnabled = $False; + IsSingleInstance = "Yes"; + TenantId = $TenantId; + } + AADRemoteNetwork 'AADRemoteNetwork-Test Remote Network' + { + Ensure = "Present"; + ForwardingProfiles = @(); #creating drift here + Id = "c60c41bb-e512-48e3-8134-c312439a5343"; + Name = "Test 
Remote Network"; + Region = "australiaSouthEast"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DeviceLinks = @( + MSFT_AADRemoteNetworkDeviceLink { + Name = 'Test Link Random' # creating drift here + IPAddress = '1.1.1.1' + BandwidthCapacityInMbps = 'mbps500' + DeviceVendor = 'ciscoCatalyst' + BgpConfiguration = MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration { + Asn = 82 + LocalIPAddress = '1.1.1.87' + PeerIPAddress = '1.1.1.2' + } + RedundancyConfiguration = MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration { + RedundancyTier = 'zoneRedundancy' + ZoneLocalIPAddress = '1.1.1.8' + } + TunnelConfiguration = MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration { + PreSharedKey = 'blah' + ZoneRedundancyPreSharedKey = 'blah' + SaLifeTimeSeconds = 300 + IPSecEncryption = 'gcmAes192' + IPSecIntegrity = 'gcmAes192' + IKEEncryption = 'aes192' + IKEIntegrity = 'gcmAes128' + DHGroup = 'ecp256' + PFSGroup = 'pfsmm' + ODataType = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Custom' + } + } + ); + } AADRoleDefinition 'AADRoleDefinition1' { DisplayName = "DSCRole1" @@ -959,6 +1472,19 @@ } }; } + AADRoleManagementPolicyRule 'AADRoleManagementPolicyRule-Expiration_Admin_Eligibility' + { + expirationRule = MSFT_AADRoleManagementPolicyExpirationRule{ + isExpirationRequired = $False + maximumDuration = 'P180D' + }; + id = "Expiration_Admin_Eligibility"; + roleDisplayName = "Global Administrator"; + ruleType = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADRoleSetting '28b253d8-cde5-471f-a331-fe7320023cdd' { ActivateApprover = @(); 
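Review bot: In the `@@ -959,6 +1472,19 @@` hunk, the new `AADRoleManagementPolicyRule` block targets `roleDisplayName = "Global Administrator"` with `isExpirationRequired = $False`, so applying this configuration relaxes the eligibility-expiration rule of the most privileged directory role in whatever tenant the integration run is pointed at. If the test only needs some role to exercise the resource, a lower-privileged role would limit the effect of a run against the wrong tenant. Otherwise I would at least add a comment above the block, for example `# test tenant only: changes the PIM expiration rule for Global Administrator`.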
@@ -1077,6 +1603,104 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADUserFlowAttribute 'SaiTest' + { + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Present"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso 2"; # drift + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your sample Verified Credential?' #drift + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' 
+ issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Present"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } } } diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 index ab1e4fab0a..0551a400ba 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 
@@ -55,6 +55,68 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $True; + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + MinDevicePasswordLength = 1; + Name = "Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = 
@(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } EXOAddressBookPolicy 'ConfigureAddressBookPolicy' { Name = "All Fabrikam ABP" @@ -965,6 +1027,17 @@ Identity = "_Exe:SecOpsOverrid:ca3c51ac-925c-49f4-af42-43e26b874245"; Policy = "40528418-717d-4368-a1ae-7912918f8a1f"; } + EXOServicePrincipal 'ServicePrincipal' + { + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Ensure = "Present"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } EXOSharedMailbox 'SharedMailbox' { DisplayName = "Integration" @@ -1016,6 +1089,17 @@ SubmissionID = "Non-Submission"; Value = "example.com"; } + EXOTenantAllowBlockListSpoofItems 'EXOTenantAllowBlockListSpoofItems-b66ffa0c-ad85-df9d-0a16-ad3cb9956f71' + { + Action = "Allow"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + SendingInfrastructure = "121.0.0.7"; + SpoofedUser = "contoso.com"; + SpoofType = "Internal"; + TenantId = $TenantId; + } EXOTransportRule 'ConfigureTransportRule' { Name = "Ethical Wall - Sales and Executives Departments" diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 index 9e231050c0..f05ed4fe10 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 
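Review bot: `IsDefault = $True;` and `IsDefaultPolicy = $True;` in the added `EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy'` block make this test policy the tenant default, while the same block sets `DevicePasswordEnabled = $False`, `DeviceEncryptionEnabled = $False` and `AllowNonProvisionableDevices = $True`. If the integration tenant holds mailboxes without an explicitly assigned policy, they would presumably pick up these relaxed device settings for as long as the policy exists. I would set `IsDefault = $False;` and `IsDefaultPolicy = $False;` here and in the matching blocks of the Remove and Update test files, where the Remove run would otherwise have to delete the default policy. The enclosing configuration starts and ends outside this hunk.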
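Review bot: `SendingInfrastructure = "121.0.0.7";` in the added `EXOTenantAllowBlockListSpoofItems` block is an ordinary routable address, not one from a reserved documentation range. Combined with `Action = "Allow"`, `SpoofType = "Internal"` and `SpoofedUser = "contoso.com"`, a Create run leaves a real spoof allow entry for that sender in whichever tenant the integration suite targets. An RFC 5737 address such as `SendingInfrastructure = "203.0.113.7";` exercises the same code path without referring to a live host. The same value appears in the Remove and Update test hunks for this resource.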
@@ -54,6 +54,68 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $True; + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + MinDevicePasswordLength = 1; + Name = "Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + UnapprovedInROMApplicationList = 
@(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } EXOAddressBookPolicy 'ConfigureAddressBookPolicy' { Name = "All Fabrikam ABP" @@ -575,6 +637,17 @@ Ensure = "Absent"; Identity = "_Exe:SecOpsOverrid:ca3c51ac-925c-49f4-af42-43e26b874245"; } + EXOServicePrincipal 'ServicePrincipal' + { + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Ensure = "Absent"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } EXOSharedMailbox 'SharedMailbox' { DisplayName = "Integration" @@ -607,6 +680,17 @@ Name = "From Michelle"; TenantId = $TenantId; } + EXOTenantAllowBlockListSpoofItems 'EXOTenantAllowBlockListSpoofItems-b66ffa0c-ad85-df9d-0a16-ad3cb9956f71' + { + Action = "Allow"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + SendingInfrastructure = "121.0.0.7"; + SpoofedUser = "contoso.com"; + SpoofType = "Internal"; + TenantId = $TenantId; + } EXOTransportRule 'ConfigureTransportRule' { Name = "Ethical Wall - Sales and Brokerage Departments" diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 index 30dc923214..9ee67bf086 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 
@@ -55,6 +55,68 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy' + { + AllowApplePushNotifications = $True; + AllowBluetooth = "Allow"; + AllowBrowser = $True; + AllowCamera = $False; #drift + AllowConsumerEmail = $True; + AllowDesktopSync = $True; + AllowExternalDeviceManagement = $False; + AllowHTMLEmail = $True; + AllowInternetSharing = $True; + AllowIrDA = $True; + AllowMobileOTAUpdate = $True; + AllowNonProvisionableDevices = $True; + AllowPOPIMAPEmail = $True; + AllowRemoteDesktop = $True; + AllowSimpleDevicePassword = $True; + AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"; + AllowSMIMESoftCerts = $True; + AllowStorageCard = $True; + AllowTextMessaging = $True; + AllowUnsignedApplications = $True; + AllowUnsignedInstallationPackages = $True; + AllowWiFi = $True; + AlphanumericDevicePasswordRequired = $False; + ApprovedApplicationList = @(); + AttachmentsEnabled = $True; + DeviceEncryptionEnabled = $False; + DevicePasswordEnabled = $False; + DevicePasswordExpiration = "Unlimited"; + DevicePasswordHistory = 0; + DevicePolicyRefreshInterval = "Unlimited"; + Identity = "Test"; + IrmEnabled = $True; + IsDefault = $True; + IsDefaultPolicy = $True; + MaxAttachmentSize = "Unlimited"; + MaxCalendarAgeFilter = "All"; + MaxDevicePasswordFailedAttempts = "Unlimited"; + MaxEmailAgeFilter = "All"; + MaxEmailBodyTruncationSize = "Unlimited"; + MaxEmailHTMLBodyTruncationSize = "Unlimited"; + MaxInactivityTimeDeviceLock = "Unlimited"; + MinDevicePasswordComplexCharacters = 1; + MinDevicePasswordLength = 1; + Name = "Test"; + PasswordRecoveryEnabled = $False; + RequireDeviceEncryption = $False; + RequireEncryptedSMIMEMessages = $False; + RequireEncryptionSMIMEAlgorithm = "TripleDES"; + RequireManualSyncWhenRoaming = $False; + RequireSignedSMIMEAlgorithm = "SHA1"; + RequireSignedSMIMEMessages = $False; + RequireStorageCardEncryption = $False; + 
UnapprovedInROMApplicationList = @(); + UNCAccessEnabled = $True; + WSSAccessEnabled = $True; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } EXOAddressBookPolicy 'ConfigureAddressBookPolicy' { Name = "All Fabrikam ABP" @@ -607,6 +669,14 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOMailboxAuditBypassAssociation 'EXOMailboxAuditBypassAssociation-Test' + { + AuditBypassEnabled = $True; #Updated Property + Identity = "TestMailbox109"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } EXOMailboxAutoReplyConfiguration 'EXOMailboxAutoReplyConfiguration' { AutoDeclineFutureRequestsWhenOOF = $False; @@ -1393,6 +1463,17 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOServicePrincipal 'ServicePrincipal' + { + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Kartikeya"; + Ensure = "Present"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } EXOSharedMailbox 'SharedMailbox' { DisplayName = "Integration" @@ -1444,6 +1525,17 @@ SubmissionID = "Non-Submission"; Value = "example.com"; } + EXOTenantAllowBlockListSpoofItems 'EXOTenantAllowBlockListSpoofItems-b66ffa0c-ad85-df9d-0a16-ad3cb9956f71' + { + Action = "Block"; #Drift + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + SendingInfrastructure = "121.0.0.7"; + SpoofedUser = "contoso.com"; + SpoofType = "Internal"; + TenantId = $TenantId; + } EXOTransportConfig 'EXOTransportConfig ' { IsSingleInstance = "Yes"; diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 index 368146fdd0..2f5d212150 100644 
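Review bot: `AuditBypassEnabled = $True; #Updated Property` in the added `EXOMailboxAuditBypassAssociation` block leaves `TestMailbox109` exempt from mailbox audit logging once the Update run finishes. None of the Remove-test hunks visible on this page reset it, although that file may handle it elsewhere. The block also has no `Ensure` property, so there is no Absent path to rely on. I would add a comment such as `# Test-only: disables mailbox audit logging for this account; a later step must set it back to $False` and make sure that step exists. An audit bypass left behind on a shared test tenant is easy to overlook.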
--- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 @@ -106,6 +106,41 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneAntivirusPolicyLinux 'myIntuneAntivirusPolicyLinux' + { + allowedThreats = @("Threat 1"); + Assignments = @(); + Description = ""; + disallowedThreatActions = @("Disallowed Thread Action 1"); + DisplayName = "Test"; + enabled = "true"; + Ensure = "Present"; + exclusions = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{ + Exclusions_item_extension = '.exe' + Exclusions_item_type = '1' + } + MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{ + Exclusions_item_name = 'process1' + Exclusions_item_type = '2' + } + ); + RoleScopeTagIds = @("0"); + threatTypeSettings = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings{ + ThreatTypeSettings_item_key = '0' + ThreatTypeSettings_item_value = '0' + } + MSFT_MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings{ + ThreatTypeSettings_item_key = '1' + ThreatTypeSettings_item_value = '1' + } + ); + unmonitoredFilesystems = @("Filesystem 1"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntuneAntivirusPolicyWindows10SettingCatalog 'myAVWindows10Policy' { DisplayName = 'av exclusions' 
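Review bot: `disallowedThreatActions = @("Disallowed Thread Action 1")` in the added `IntuneAntivirusPolicyLinux` block reads like a typo for "Threat". Together with `"Threat 1"` and `"Filesystem 1"` it is free-text filler, and this hunk gives no way to judge whether the service accepts it. The block also carries antivirus exclusions (`'.exe'`, `'process1'`), and `Assignments = @()` is the only thing keeping them from reaching devices. A comment above the block, for example `# Placeholder values only; policy is intentionally left unassigned`, would make that explicit for anyone copying the sample.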
@@ -150,6 +185,32 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr 'ConfigureAppAndBrowserIsolationPolicyWindows10ConfigMgr' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } + ); + AllowCameraMicrophoneRedirection = "1"; + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + ClipboardFileType = "1"; + ClipboardSettings = "0"; + Description = 'Description' + DisplayName = "App and Browser Isolation"; + Ensure = "Present"; + Id = '00000000-0000-0000-0000-000000000000' + InstallWindowsDefenderApplicationGuard = "install"; + SaveFilesToHost = "0"; + RoleScopeTagIds = @("0"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntuneAppCategory 'IntuneAppCategory-Data Management' { Id = "a1fc9fe2-728d-4867-9a72-a61e18f8c606"; @@ -196,6 +257,17 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneAppleMDMPushNotificationCertificate 'IntuneAppleMDMPushNotificationCertificate-66f4ec83-754f-4a59-a73d-e3182cc636a5' + { + AppleIdentifier = "Apple ID"; + Certificate = "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"; + DataSharingConsetGranted = $True; + + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntuneApplicationControlPolicyWindows10 'ConfigureApplicationControlPolicyWindows10' { DisplayName = 'Windows 10 Desktops' 
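Review bot: `Certificate = "...";` in the added `IntuneAppleMDMPushNotificationCertificate` block embeds the certificate payload as a string literal in the test file, and the value itself is not visible in this view. If it is a real Apple push certificate rather than dummy bytes, it should be supplied at run time the way `$ApplicationId` and `$CertificateThumbprint` are, for example `Certificate = $AppleMdmPushCertificate;` (placeholder name). Two smaller points in the same block are the empty added line after `DataSharingConsetGranted = $True;` and the spelling "Conset". The spelling presumably mirrors the resource schema, so it should be checked there before it becomes a published property name.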
@@ -2237,6 +2309,27 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile 'IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile' + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Present"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $False; + WifiSecurityType = "none"; + } IntuneDeviceRemediation 'ConfigureDeviceRemediation' { Assignments = @( 
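Review bot: `AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e";` is not a well-formed GUID, because the last group has 13 hex digits instead of 12. Any GUID validation on the resource or the service would reject it, so a clearly synthetic value such as `AccountId = "00000000-0000-0000-0000-000000000000";` is safer. The block also pins `TokenCreationDateTime = "10/26/2024 1:02:29 AM";` and `TokenExpirationDateTime = "10/31/2024 3:59:59 AM";`, which are already in the past and written in a culture-dependent format. These look like service-generated values, as do `EnrolledDeviceCount` and `EnrollmentTokenUsageCount`, so I would drop them from a Create test unless the resource requires them.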
@@ -2598,6 +2691,30 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + IntuneMobileThreatDefenseConnector 'IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint' + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntunePolicySets 'Example' { Assignments = @( 
@@ -2659,6 +2776,25 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint + { + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + AllowRealtimeMonitoring = '1' + BlockWin32APICallsFromOfficeMacros = 'warn' + CloudBlockLevel = '2' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint + { + DisableSafetyFilterOverrideForAppRepUnknown = '1' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy' { DisplayName = 'test' diff --git a/Tests/QA/Graph.PermissionList.txt b/Tests/QA/Graph.PermissionList.txt index 9afee7e857..79424d5ef9 100644 Binary files a/Tests/QA/Graph.PermissionList.txt and b/Tests/QA/Graph.PermissionList.txt differ diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAccessReviewDefinition.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAccessReviewDefinition.Tests.ps1 new file mode 100644 index 0000000000..b09051f17f --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAccessReviewDefinition.Tests.ps1 
@@ -0,0 +1,259 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADAccessReviewDefinition" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Set-MgBetaIdentityGovernanceAccessReviewDefinition -MockWith { + } + + Mock -CommandName New-MgBetaIdentityGovernanceAccessReviewDefinition -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityGovernanceAccessReviewDefinition -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADAccessReviewDefinition should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + DescriptionForAdmins = "FakeStringValue" + DescriptionForReviewers = "FakeStringValue" + DisplayName = "FakeStringValue" + 
Id = "FakeStringValue" + Scope = (New-CimInstance -ClassName MSFT_MicrosoftGraphaccessReviewScope -Property @{ + QueryRoot = "FakeStringValue" + odataType = "#microsoft.graph.accessReviewQueryScope" + Query = "FakeStringValue" + QueryType = "FakeStringValue" + } -ClientOnly) + Ensure = 'Present' + } + + Mock -CommandName Get-MgBetaIdentityGovernanceAccessReviewDefinition -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityGovernanceAccessReviewDefinition -Exactly 1 + } + } + + Context -Name "The AADAccessReviewDefinition exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + DescriptionForAdmins = "FakeStringValue" + DescriptionForReviewers = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + Scope = (New-CimInstance -ClassName MSFT_MicrosoftGraphaccessReviewScope -Property @{ + QueryRoot = "FakeStringValue" + odataType = "#microsoft.graph.accessReviewQueryScope" + Query = "FakeStringValue" + QueryType = "FakeStringValue" + } -ClientOnly) + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceAccessReviewDefinition -MockWith { + return @{ + DescriptionForAdmins = "FakeStringValue" + DescriptionForReviewers = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + Scope = @{ + AdditionalProperties = @{ + QueryType = "FakeStringValue" + QueryRoot = "FakeStringValue" + '@odata.type' = "#microsoft.graph.accessReviewQueryScope" + Query = "FakeStringValue" + } + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true 
from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaIdentityGovernanceAccessReviewDefinition -Exactly 1 + } + } + Context -Name "The AADAccessReviewDefinition Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + DescriptionForAdmins = "FakeStringValue" + DescriptionForReviewers = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + ScopeValue = (New-CimInstance -ClassName MSFT_MicrosoftGraphaccessReviewScope -Property @{ + QueryRoot = "FakeStringValue" + odataType = "#microsoft.graph.accessReviewQueryScope" + Query = "FakeStringValue" + QueryType = "FakeStringValue" + } -ClientOnly) + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceAccessReviewDefinition -MockWith { + return @{ + DescriptionForAdmins = "FakeStringValue" + DescriptionForReviewers = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + Scope = @{ + AdditionalProperties = @{ + QueryType = "FakeStringValue" + QueryRoot = "FakeStringValue" + '@odata.type' = "#microsoft.graph.accessReviewQueryScope" + Query = "FakeStringValue" + } + } + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADAccessReviewDefinition exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + DescriptionForAdmins = "FakeStringValue" + DescriptionForReviewers = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + ScopeValue = (New-CimInstance -ClassName MSFT_MicrosoftGraphaccessReviewScope -Property @{ + QueryRoot = "FakeStringValue" + odataType = "#microsoft.graph.accessReviewQueryScope" + Query = "FakeStringValue" + QueryType = "FakeStringValue" + } -ClientOnly) + 
Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceAccessReviewDefinition -MockWith { + return @{ + DescriptionForAdmins = "FakeStringValue" + DescriptionForReviewers = "FakeStringValue2" # drift + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + Scope = @{ + AdditionalProperties = @{ + QueryType = "FakeStringValue" + QueryRoot = "FakeStringValue" + '@odata.type' = "#microsoft.graph.accessReviewQueryScope" + Query = "FakeStringValue" + } + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-MgBetaIdentityGovernanceAccessReviewDefinition -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaIdentityGovernanceAccessReviewDefinition -MockWith { + return @{ + DescriptionForAdmins = "FakeStringValue" + DescriptionForReviewers = "FakeStringValue2" # drift + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + Scope = @{ + AdditionalProperties = @{ + QueryType = "FakeStringValue" + QueryRoot = "FakeStringValue" + '@odata.type' = "#microsoft.graph.accessReviewQueryScope" + Query = "FakeStringValue" + } + } + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope 
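Review bot: In the context "exists but it SHOULD NOT", the test titled `It 'Should return true from the Test method'` asserts `Should -Be $false`. The assertion looks right and the title wrong, so it should read `It 'Should return false from the Test method'`. The first two contexts pass the scope as `Scope = (New-CimInstance ...)` while the "desired state" and "NOT in the desired state" contexts use `ScopeValue = (...)`. Only one of these can match the resource's parameter name, so two of the four contexts are probably not exercising the scope comparison they appear to. The first context also omits `Credential = $Credential`, and the titles "Should Create the group" and "Should Remove the group" are left over from another resource. The ReverseDSC context sets `$Global:CurrentModeIsExport = $true` without restoring it.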
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAccessReviewPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAccessReviewPolicy.Tests.ps1 new file mode 100644 index 0000000000..76d5306bcf --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAccessReviewPolicy.Tests.ps1 
@@ -0,0 +1,118 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -Command Get-MgBetaPolicyAccessReviewPolicy -MockWith { + } + + Mock -Command Update-MgBetaPolicyAccessReviewPolicy -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = 'Yes' + IsGroupOwnerManagementEnabled = $True; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyAccessReviewPolicy -MockWith { + return @{ + 
IsGroupOwnerManagementEnabled = $True; + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = 'Yes' + IsGroupOwnerManagementEnabled = $True; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyAccessReviewPolicy -MockWith { + return @{ + IsGroupOwnerManagementEnabled = $False; + } + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaPolicyAccessReviewPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyAccessReviewPolicy -MockWith { + return @{ + IsGroupOwnerManagementEnabled = $True; + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthenticationMethodPolicyExternal.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthenticationMethodPolicyExternal.Tests.ps1 new file mode 100644 index 0000000000..ec4f10ace8 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthenticationMethodPolicyExternal.Tests.ps1 
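Review bot: `$CurrentScriptPath = $PSCommandPath.Split('\')` derives the resource name by splitting on a backslash, so on a runner with forward-slash paths `$ResourceName` would come out wrong and the helper would load the wrong or no resource. `$ResourceName = (Split-Path -Path $PSCommandPath -Leaf).Split('.')[1]` gives the same result on Windows and is separator-independent. The two `Mock -Command ...` calls rely on parameter-name abbreviation; `Mock -CommandName Get-MgBetaPolicyAccessReviewPolicy` matches the rest of the file. The ReverseDSC context sets `$Global:CurrentModeIsExport = $true` and never resets it.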
@@ -0,0 +1,365 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADAuthenticationMethodPolicyExternal" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -MockWith { + } + + Mock -CommandName Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -MockWith { + } + + Mock -CommandName Remove-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADAuthenticationMethodPolicyExternal should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + ExcludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFTAADAuthenticationMethodPolicyExternalExcludeTarget 
-Property @{ + TargetType = "group" + Id = "Fakegroup" + } -ClientOnly) + ) + IncludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget -Property @{ + TargetType = 'group' + Id = 'Fakegroup' + } -ClientOnly) + ) + OpenIdConnectSetting = (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting -Property @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } -ClientOnly); + DisplayName = "ExternalOath" + State = "enabled" + Ensure = "Present" + AppId = "00000000-0000-0000-0000-000000000002" + Credential = $Credential; + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -Exactly 1 + } + } + + Context -Name "The AADAuthenticationMethodPolicyExternal exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + ExcludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFTAADAuthenticationMethodPolicyExternalExcludeTarget -Property @{ + TargetType = "group" + Id = "Fakegroup" + } -ClientOnly) + ) + IncludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget -Property @{ + TargetType = 'group' + Id = 'Fakegroup' + } -ClientOnly) + ) + OpenIdConnectSetting = (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting -Property @{ + 
discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } -ClientOnly); + DisplayName = "ExternalOath" + State = "enabled" + Ensure = "Absent" + AppId = "00000000-0000-0000-0000-000000000002" + Credential = $Credential; + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + authenticationMethodConfigurations = @{ + IncludeTargets = @( + @{ + TargetType = 'group' + Id = 'Fakegroup' + } + ) + ExcludeTargets = @( + @{ + TargetType = "group" + Id = "00000000-0000-0000-0000-000000000000" + } + ) + OpenIdConnectSetting = @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } + DisplayName = "ExternalOath" + AppId = "00000000-0000-0000-0000-000000000002" + State = "enabled" + '@odata.type' = "#microsoft.graph.externalAuthenticationMethodConfiguration" + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -Exactly 1 + } + } + Context -Name "The AADAuthenticationMethodPolicyExternal Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ExcludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFTAADAuthenticationMethodPolicyExternalExcludeTarget -Property @{ + TargetType = "group" + Id = "Fakegroup" + } -ClientOnly) + ) + IncludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget -Property @{ + TargetType = 'group' + Id = 
'Fakegroup' + } -ClientOnly) + ) + OpenIdConnectSetting = (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting -Property @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } -ClientOnly); + DisplayName = "ExternalOath" + State = "enabled" + Ensure = "Present" + AppId = "00000000-0000-0000-0000-000000000002" + Credential = $Credential; + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + authenticationMethodConfigurations = @{ + IncludeTargets = @( + @{ + TargetType = 'group' + Id = 'Fakegroup' + } + ) + ExcludeTargets = @( + @{ + TargetType = "group" + Id = "00000000-0000-0000-0000-000000000000" + } + ) + OpenIdConnectSetting = @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } + DisplayName = "ExternalOath" + AppId = "00000000-0000-0000-0000-000000000002" + State = "enabled" + '@odata.type' = "#microsoft.graph.externalAuthenticationMethodConfiguration" + } + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADAuthenticationMethodPolicyExternal exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ExcludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFTAADAuthenticationMethodPolicyExternalExcludeTarget -Property @{ + TargetType = "group" + Id = "Fakegroup" + } -ClientOnly) + ) + IncludeTargets = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget -Property @{ + TargetType = 'group' + Id = 'Fakegroup' + } -ClientOnly) + ) + OpenIdConnectSetting = (New-CimInstance -ClassName MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting -Property @{ + discoveryUrl 
= 'https://microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } -ClientOnly); + DisplayName = "ExternalOath" + State = "enabled" + Ensure = "Present" + AppId = "00000000-0000-0000-0000-000000000003" + Credential = $Credential; + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + authenticationMethodConfigurations = @{ + IncludeTargets = @( + @{ + TargetType = 'group' + Id = 'Fakegroup' + } + ) + ExcludeTargets = @( + @{ + TargetType = "group" + Id = "00000000-0000-0000-0000-000000000000" + } + ) + OpenIdConnectSetting = @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } + DisplayName = "ExternalOath" + AppId = "00000000-0000-0000-0000-000000000002" + State = "enabled" + '@odata.type' = "#microsoft.graph.externalAuthenticationMethodConfiguration" + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgGroup -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + authenticationMethodConfigurations = @{ + IncludeTargets = @( + @{ + TargetType = 'group' + Id = 'Fakegroup' + } + ) + ExcludeTargets = @( + 
@{ + TargetType = "group" + Id = "00000000-0000-0000-0000-000000000000" + } + ) + OpenIdConnectSetting = @{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '00000000-0000-0000-0000-000000000001' + } + DisplayName = "ExternalOath" + AppId = "00000000-0000-0000-0000-000000000002" + State = "enabled" + '@odata.type' = "#microsoft.graph.externalAuthenticationMethodConfiguration" + } + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADClaimsMappingPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADClaimsMappingPolicy.Tests.ps1 new file mode 100644 index 0000000000..a462d49748 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADClaimsMappingPolicy.Tests.ps1 
@@ -0,0 +1,348 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADClaimsMappingPolicy" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaPolicyClaimMappingPolicy -MockWith { + } + + Mock -CommandName New-MgBetaPolicyClaimMappingPolicy -MockWith { + } + + Mock -CommandName Remove-MgBetaPolicyClaimMappingPolicy -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADClaimsMappingPolicy should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Definition = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinition -Property @{ + ClaimsMappingPolicy = New-CimInstance -ClassName 
MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy -Property @{ + ClaimsSchema = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema -Property @{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' + Source = 'user' + Id = 'userprincipalname' + } -ClientOnly + ) + ClaimsTransformation = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation -Property @{ + OutputClaims = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims -Property @{ + ClaimTypeReferenceId = 'TOS' + TransformationClaimType = 'createdClaim' + } -ClientOnly + ) + Id = 'CreateTermsOfService' + InputParameters = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter -Property @{ + DataType = 'string' + Id = 'value' + Value = 'sandbox' + } -ClientOnly + ) + TransformationMethod = 'CreateStringClaim' + } -ClientOnly + ) + IncludeBasicClaimSet = $True + Version = 1 + } -ClientOnly + } -ClientOnly + ); + + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + IsOrganizationDefault = $True + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyClaimMappingPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaPolicyClaimMappingPolicy -Exactly 1 + } + } + + Context -Name "The AADClaimsMappingPolicy exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Definition = 
[CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinition -Property @{ + ClaimsMappingPolicy = New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy -Property @{ + ClaimsSchema = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema -Property @{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' + Source = 'user' + Id = 'userprincipalname' + } -ClientOnly + ) + ClaimsTransformation = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation -Property @{ + OutputClaims = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims -Property @{ + ClaimTypeReferenceId = 'TOS' + TransformationClaimType = 'createdClaim' + } -ClientOnly + ) + Id = 'CreateTermsOfService' + InputParameters = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter -Property @{ + DataType = 'string' + Id = 'value' + Value = 'sandbox' + } -ClientOnly + ) + TransformationMethod = 'CreateStringClaim' + } -ClientOnly + ) + IncludeBasicClaimSet = $True + Version = 1 + } -ClientOnly + } -ClientOnly + ); + + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + IsOrganizationDefault = $True + Ensure = "Absent" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyClaimMappingPolicy -MockWith { + return @{ + Definition = 
@("{`"ClaimsMappingPolicy`":{`"Version`":1,`"IncludeBasicClaimSet`":`"true`",`"ClaimsSchema`":[{`"Source`":`"user`",`"ID`":`"userprincipalname`",`"SamlClaimType`":`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`"},{`"Source`":`"user`",`"ID`":`"givenname`",`"SamlClaimType`":`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`"},{`"Source`":`"user`",`"ID`":`"displayname`",`"SamlClaimType`":`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`"},{`"Source`":`"user`",`"ID`":`"surname`",`"SamlClaimType`":`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`"},{`"Source`":`"user`",`"ID`":`"userprincipalname`",`"SamlClaimType`":`"username`"}],`"ClaimsTransformation`":[{`"ID`":`"CreateTermsOfService`",`"TransformationMethod`":`"CreateStringClaim`",`"InputParameters`":[{`"ID`":`"value`",`"DataType`":`"string`", `"Value`":`"sandbox`"}],`"OutputClaims`":[{`"ClaimTypeReferenceId`":`"TOS`",`"TransformationClaimType`":`"createdClaim`"}]}]}}") + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + IsOrganizationDefault = $True + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaPolicyClaimMappingPolicy -Exactly 1 + } + } + Context -Name "The AADClaimsMappingPolicy Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Definition = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinition -Property @{ + ClaimsMappingPolicy = New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy -Property @{ + ClaimsSchema = [CimInstance[]]@( + New-CimInstance -ClassName 
MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema -Property @{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' + Source = 'user' + Id = 'userprincipalname' + } -ClientOnly + ) + ClaimsTransformation = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation -Property @{ + OutputClaims = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims -Property @{ + ClaimTypeReferenceId = 'TOS' + TransformationClaimType = 'createdClaim' + } -ClientOnly + ) + Id = 'CreateTermsOfService' + InputParameters = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter -Property @{ + DataType = 'string' + Id = 'value' + Value = 'sandbox' + } -ClientOnly + ) + TransformationMethod = 'CreateStringClaim' + } -ClientOnly + ) + IncludeBasicClaimSet = $True + Version = 1 + } -ClientOnly + } -ClientOnly + ); + + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + IsOrganizationDefault = $True + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyClaimMappingPolicy -MockWith { + return @{ + Definition = @("{`"ClaimsMappingPolicy`":{`"Version`":1,`"IncludeBasicClaimSet`":`"true`",`"ClaimsSchema`":[{`"Source`":`"user`",`"ID`":`"userprincipalname`",`"SamlClaimType`":`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`"}],`"ClaimsTransformation`":[{`"ID`":`"CreateTermsOfService`",`"TransformationMethod`":`"CreateStringClaim`",`"InputParameters`":[{`"ID`":`"value`",`"DataType`":`"string`", `"Value`":`"sandbox`"}],`"OutputClaims`":[{`"ClaimTypeReferenceId`":`"TOS`",`"TransformationClaimType`":`"createdClaim`"}]}]}}") + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + IsOrganizationDefault = $True + 
} + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADClaimsMappingPolicy exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Definition = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinition -Property @{ + ClaimsMappingPolicy = New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy -Property @{ + ClaimsSchema = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema -Property @{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' + Source = 'user' + Id = 'userprincipalname' + } -ClientOnly + ) + ClaimsTransformation = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation -Property @{ + OutputClaims = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims -Property @{ + ClaimTypeReferenceId = 'TOS' + TransformationClaimType = 'createdClaim' + } -ClientOnly + ) + Id = 'CreateTermsOfService' + InputParameters = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter -Property @{ + DataType = 'string' + Id = 'value' + Value = 'sandbox' + } -ClientOnly + ) + TransformationMethod = 'CreateStringClaim' + } -ClientOnly + ) + IncludeBasicClaimSet = $True + Version = 1 + } -ClientOnly + } -ClientOnly + ); + + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + IsOrganizationDefault = $True + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyClaimMappingPolicy -MockWith { + return @{ + Definition = 
@("{`"ClaimsMappingPolicy`":{`"Version`":1,`"IncludeBasicClaimSet`":`"true`",`"ClaimsSchema`":[{`"Source`":`"user`",`"ID`":`"userprincipalname`",`"SamlClaimType`":`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`"},{`"Source`":`"user`",`"ID`":`"givenname`",`"SamlClaimType`":`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`"},{`"Source`":`"user`",`"ID`":`"displayname`",`"SamlClaimType`":`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`"},{`"Source`":`"user`",`"ID`":`"surname`",`"SamlClaimType`":`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`"},{`"Source`":`"user`",`"ID`":`"userprincipalname`",`"SamlClaimType`":`"username`"}],`"ClaimsTransformation`":[{`"ID`":`"CreateTermsOfService`",`"TransformationMethod`":`"CreateStringClaim`",`"InputParameters`":[{`"ID`":`"value`",`"DataType`":`"string`", `"Value`":`"sandbox`"}],`"OutputClaims`":[{`"ClaimTypeReferenceId`":`"TOS`",`"TransformationClaimType`":`"createdClaim`"}]}]}}") + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + IsOrganizationDefault = $True + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaPolicyClaimMappingPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaPolicyClaimMappingPolicy -MockWith { + return @{ + Definition = 
@("{`"ClaimsMappingPolicy`":{`"Version`":1,`"IncludeBasicClaimSet`":`"true`",`"ClaimsSchema`":[{`"Source`":`"user`",`"ID`":`"userprincipalname`",`"SamlClaimType`":`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`"},{`"Source`":`"user`",`"ID`":`"givenname`",`"SamlClaimType`":`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`"},{`"Source`":`"user`",`"ID`":`"displayname`",`"SamlClaimType`":`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`"},{`"Source`":`"user`",`"ID`":`"surname`",`"SamlClaimType`":`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`"},{`"Source`":`"user`",`"ID`":`"userprincipalname`",`"SamlClaimType`":`"username`"}],`"ClaimsTransformation`":[{`"ID`":`"CreateTermsOfService`",`"TransformationMethod`":`"CreateStringClaim`",`"InputParameters`":[{`"ID`":`"value`",`"DataType`":`"string`", `"Value`":`"sandbox`"}],`"OutputClaims`":[{`"ClaimTypeReferenceId`":`"TOS`",`"TransformationClaimType`":`"createdClaim`"}]}]}}") + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + IsOrganizationDefault = $True + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADCustomAuthenticationExtension.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADCustomAuthenticationExtension.Tests.ps1 new file mode 100644 index 0000000000..828ee261ff --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADCustomAuthenticationExtension.Tests.ps1 
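Review bot: In the "The AADClaimsMappingPolicy exists but it SHOULD NOT" context the test is titled `It 'Should return true from the Test method'` while its body asserts `Should -Be $false`; the title should read `It 'Should return false from the Test method'` so a failure report names the expected result. The create and remove tests are titled 'Should Create the group from the Set method' and 'Should Remove the group from the Set method', although they assert on `New-MgBetaPolicyClaimMappingPolicy` and `Remove-MgBetaPolicyClaimMappingPolicy`; naming the policy would match what is checked. The same mismatched 'Should return true' title appears in the "exists but it SHOULD NOT" context of the AADAuthenticationMethodPolicyExternal test file just above. Because a claims mapping policy decides which claims reach issued tokens, the Set tests would be stronger if they also checked the definition handed to the mocked cmdlet rather than only the call count; the resource code is not in this hunk, so the parameter to filter on has to be confirmed there.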
@@ -0,0 +1,186 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADCustomAuthenticationExtension" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaIdentityCustomAuthenticationExtension -MockWith { + } + + Mock -CommandName New-MgBetaIdentityCustomAuthenticationExtension -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityCustomAuthenticationExtension -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $False + } + + # Test Contexts + Context -Name "The AADCustomAuthenticationExtension should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "testcustomextension" + Description = "test description" + Ensure = "Present" + Credential = 
$Credential + } + + Mock -CommandName Get-MgBetaIdentityCustomAuthenticationExtension -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityCustomAuthenticationExtension -Exactly 1 + } + } + + Context -Name 'The AADCustomAuthenticationExtension exists but it should not' -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "testcustomextension" + Description = "test description" + Ensure = "Absent" + Credential = $Credential + CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension" + AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication" + AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/a5352e69-55c0-4160-b4b5-03d034d842f" + ClientConfigurationTimeoutMilliseconds = 2000 + ClientConfigurationMaximumRetries = 1 + Id = "1f0c894f-d068-4f9c-af71-81d602569ad1" + ClaimsForTokenConfiguration = @() + } + + Mock -CommandName Get-MgBetaIdentityCustomAuthenticationExtension -MockWith { + $customextension = New-Object PSCustomObject + $customextension | Add-Member -MemberType NoteProperty -Name DisplayName -Value "testcustomextension" + $customextension | Add-Member -MemberType NoteProperty -Name Description -Value "test description" + $customextension | Add-Member -MemberType NoteProperty -Name Id -Value "1f0c894f-d068-4f9c-af71-81d602569ad1" + + return $customextension + } + } + + It 'Should return values from the get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + Should -Invoke -CommandName 'Get-MgBetaIdentityCustomAuthenticationExtension' -Exactly 1 + } + + It 'Should return false from the test method' { + Test-TargetResource 
@testParams | Should -Be $false + } + + It 'Should remove the app from the set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'Remove-MgBetaIdentityCustomAuthenticationExtension' -Exactly 1 + } + } + + Context -Name 'The AADCustomAuthenticationExtension exists and values are in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "testcustomextension" + Description = "test description" + Ensure = "Present" + Id = "1f0c894f-d068-4f9c-af71-81d602569ad1" + } + + Mock -CommandName Get-MgBetaIdentityCustomAuthenticationExtension -MockWith { + $customextension = New-Object PSCustomObject + $customextension | Add-Member -MemberType NoteProperty -Name DisplayName -Value "testcustomextension" + $customextension | Add-Member -MemberType NoteProperty -Name Description -Value "test description" + $customextension | Add-Member -MemberType NoteProperty -Name Id -Value "1f0c894f-d068-4f9c-af71-81d602569ad1" + + return $customextension + } + } + + It 'Should return values from the get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + Should -Invoke -CommandName 'Get-MgBetaIdentityCustomAuthenticationExtension' -Exactly 1 + } + + It 'Should return false from the test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name 'The AADCustomAuthenticationExtension exists and values are not in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "testcustomextension" + Description = "test description modified" + Ensure = "Present" + Id = "1f0c894f-d068-4f9c-af71-81d602569ad1" + } + + Mock -CommandName Get-MgBetaIdentityCustomAuthenticationExtension -MockWith { + $customextension = New-Object PSCustomObject + $customextension | Add-Member -MemberType NoteProperty -Name DisplayName -Value "testcustomextension" + $customextension | Add-Member -MemberType NoteProperty -Name Description -Value "test description" + $customextension | Add-Member -MemberType 
NoteProperty -Name Id -Value "1f0c894f-d068-4f9c-af71-81d602569ad1" + + return $customextension + } + } + + It 'Should return values from the get method' { + Get-TargetResource @testParams + Should -Invoke -CommandName 'Get-MgBetaIdentityCustomAuthenticationExtension' -Exactly 1 + } + + It 'Should return false from the test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'Update-MgBetaIdentityCustomAuthenticationExtension' -Exactly 1 + } + } + } +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEnrichedAuditLogs.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEnrichedAuditLogs.Tests.ps1 new file mode 100644 index 0000000000..403ed9873f --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADEnrichedAuditLogs.Tests.ps1 
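Review bot: The "exists and values are not in the desired state" context changes only `Description`, and both Present contexts pass nothing but `DisplayName`, `Description`, `Ensure` and `Id`, so drift in `AuthenticationConfigurationType`, `AuthenticationConfigurationResourceId` or `ClaimsForTokenConfiguration` is never tested. Those parameters, which by their names control how the extension is authenticated and what it adds to tokens, appear only in the `Ensure = "Absent"` parameters, where they are not compared. A further context whose mocked `Get-MgBetaIdentityCustomAuthenticationExtension` result differs in one of them and expects `Test-TargetResource` to return `$false` would cover this; the shape the mock must return depends on the resource code, which is outside this hunk. In the desired-state context, `It 'Should return false from the test method'` asserts `Should -Be $true` and should be titled `It 'Should return true from the test method'`. Unlike the sibling test files in this diff, this file ends without `Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope` and has no 'ReverseDSC Tests' context for `Export-TargetResource`.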
@@ -0,0 +1,116 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + } + + Mock -CommandName Get-MgBetaNetworkAccessSettingEnrichedAuditLog -MockWith { + return @{ + exchange = @{ + status = 'disabled' + } + sharepoint = @{ + status = 'enabled' + } + teams = @{ + status = 'disabled' + } + } + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Exchange = "disabled"; + IsSingleInstance = "Yes"; + 
SharePoint = "enabled"; + Teams = "disabled"; + Credential = $Credential; + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Exchange = "disabled"; + IsSingleInstance = "Yes"; + SharePoint = "disabled"; #drift + Teams = "disabled"; + Credential = $Credential; + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + + $testParams = @{ + Credential = $Credential; + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFederationConfiguration.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFederationConfiguration.Tests.ps1 new file mode 100644 index 0000000000..63a52ce0d5 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFederationConfiguration.Tests.ps1 
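Review bot: In the "The instance exists and values are NOT in the desired state" context, `Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1` passes for any single Graph request, so it does not show that `Set-TargetResource` sends the intended status for each workload. Since this resource switches audit-log enrichment on and off, a `-ParameterFilter` on the mocked call's method, URI and body would catch a regression that writes the wrong state, for example `Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 -ParameterFilter { $Method -eq 'PATCH' }`. The method and body the resource actually uses are not visible in this hunk and need to be confirmed against it. No test calls `Get-TargetResource` directly, so the mapping from the mocked `Get-MgBetaNetworkAccessSettingEnrichedAuditLog` result to `Exchange`, `SharePoint` and `Teams` is exercised only through `Test-TargetResource`.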
@@ -0,0 +1,252 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + IssuerUri = 'https://contoso.com/issuerUri' + DisplayName = 'contoso display name' + MetadataExchangeUri ='https://contoso.com/metadataExchangeUri' + PassiveSignInUri = 'https://contoso.com/signin' + PreferredAuthenticationProtocol = 'wsFed' + Domains = @('contoso.com') + SigningCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6' + Ensure = 'Present' + Credential = 
$Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 2 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + IssuerUri = 'https://contoso.com/issuerUri' + DisplayName = 'contoso display name' + MetadataExchangeUri = 'https://contoso.com/metadataExchangeUri' + PassiveSignInUri = 'https://contoso.com/signin' + PreferredAuthenticationProtocol = 'wsFed' + Domains = @('contoso.com') + SigningCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6' + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + value = @( + @{ + issuerUri = 'https://contoso.com/issuerUri' + displayName = 'contoso display name' + metadataExchangeUri = 'https://contoso.com/metadataExchangeUri' + passiveSignInUri = 'https://contoso.com/signin' + preferredAuthenticationProtocol = 'wsFed' + domains = @( + @{ + "@odata.type" = "microsoft.graph.externalDomainName" + id = "contoso.com" + } + ) + signingCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6' + } + ) + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 2 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + 
IssuerUri = 'https://contoso.com/issuerUri' + DisplayName = 'contoso display name' + MetadataExchangeUri = 'https://contoso.com/metadataExchangeUri' + PassiveSignInUri = 'https://contoso.com/signin' + PreferredAuthenticationProtocol = 'wsFed' + Domains = @('contoso.com') + SigningCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6' + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + value = @( + @{ + issuerUri = 'https://contoso.com/issuerUri' + displayName = 'contoso display name' + metadataExchangeUri = 'https://contoso.com/metadataExchangeUri' + passiveSignInUri = 'https://contoso.com/signin' + preferredAuthenticationProtocol = 'wsFed' + domains = @( + @{ + "@odata.type" = "microsoft.graph.externalDomainName" + id = "contoso.com" + } + ) + signingCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6' + } + ) + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IssuerUri = 'https://contoso.com/issuerUri' + DisplayName = 'contoso display name' + MetadataExchangeUri = 'https://contoso.com/metadataExchangeUri' + PassiveSignInUri = 'https://contoso.com/Drift' # Drift + PreferredAuthenticationProtocol = 'wsFed' + Domains = @('contoso.com') + SigningCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6' + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + value = @( + @{ + issuerUri = 'https://contoso.com/issuerUri' + displayName = 'contoso display name' + metadataExchangeUri = 'https://contoso.com/metadataExchangeUri' + passiveSignInUri = 'https://contoso.com/signin' + preferredAuthenticationProtocol = 'wsFed' + domains = @( + @{ + "@odata.type" = "microsoft.graph.externalDomainName" + id = "contoso.com" + } + ) + signingCertificate = 
'MIIDADCCAeigAwIBAgIQEX41y8r6' + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 2 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + value = @( + @{ + issuerUri = 'https://contoso.com/issuerUri' + displayName = 'contoso display name' + metadataExchangeUri = 'https://contoso.com/metadataExchangeUri' + passiveSignInUri = 'https://contoso.com/signin' + preferredAuthenticationProtocol = 'wsFed' + domains = @( + @{ + "@odata.type" = "microsoft.graph.externalDomainName" + id = "contoso.com" + } + ) + signingCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6' + } + ) + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringPolicy.Tests.ps1 new file mode 100644 index 0000000000..abf53bb182 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringPolicy.Tests.ps1 
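Review bot: The three Set tests in this file all end with `Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 2`, so the create, remove and update paths cannot be told apart, and a Set that sent the wrong verb would still pass. Because the resource under test carries an issuer URI and a signing certificate, it is worth pinning the write call, for example `Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 -ParameterFilter { $Method -eq 'DELETE' }` in the 'exists but it SHOULD NOT' context, with the matching verb in the other two. The verbs Set-TargetResource actually uses are not visible in this hunk, so confirm them against the resource before adding the filters.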
@@ -0,0 +1,192 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-MgBetaNetworkAccessFilteringPolicy -MockWith {} + Mock -CommandName Update-MgBetaNetworkAccessFilteringPolicy -MockWith {} + Mock -CommandName Remove-MgBetaNetworkAccessFilteringPolicy -MockWith {} + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Action = "block"; + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + Credential = $Credential; + } + 
+ Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaNetworkAccessFilteringPolicy -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Action = "block"; + Description = "This is a demo policy"; + Ensure = "Absent"; + Name = "MyPolicy"; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith { + return @{ + name = 'MyPolicy' + description = 'This is a demo policy' + action = 'block' + id = '12345-12345-12345-12345-12345' + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaNetworkAccessFilteringPolicy -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Action = "block"; + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith { + return @{ + name = 'MyPolicy' + description = 'This is a demo policy' + action = 'block' + id = '12345-12345-12345-12345-12345' + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and 
values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Action = "allow"; #Drift + Description = "This is a demo policy"; + Ensure = "Present"; + Name = "MyPolicy"; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith { + return @{ + name = 'MyPolicy' + description = 'This is a demo policy' + action = 'block' + id = '12345-12345-12345-12345-12345' + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaNetworkAccessFilteringPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith { + return @{ + name = 'MyPolicy' + description = 'This is a demo policy' + action = 'block' + id = '12345-12345-12345-12345-12345' + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringPolicyRule.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringPolicyRule.Tests.ps1 new file mode 100644 index 0000000000..c73f7a4135 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringPolicyRule.Tests.ps1 
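Review bot: Each Set test here asserts only the cmdlet it expects (`New-`, `Remove-` or `Update-MgBetaNetworkAccessFilteringPolicy -Exactly 1`) and never that the other two mocked write cmdlets stayed at zero, so a Set that removed and then recreated the policy would still pass the removal test. In the 'exists but it SHOULD NOT' context add `Should -Invoke -CommandName New-MgBetaNetworkAccessFilteringPolicy -Exactly 0` and `Should -Invoke -CommandName Update-MgBetaNetworkAccessFilteringPolicy -Exactly 0`, and the equivalent pair in the create and drift contexts. The AADFilteringPolicyRule tests in the next file have the same gap.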
@@ -0,0 +1,242 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Update-MgBetaNetworkAccessFilteringPolicyRule -MockWith{} + Mock -CommandName New-MgBetaNetworkAccessFilteringPolicyRule -MockWith{} + Mock -CommandName Remove-MgBetaNetworkAccessFilteringPolicyRule -MockWith{} + Mock -COmmandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith{ + return @{ + Id = '12345-12345-12345-12345-12345' + Name = 'MyPolicy' + } + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { 
+ $testParams = @{ + Destinations = @( + (New-CimInstance -ClassName MSFT_AADFilteringPolicyRuleDestination -property @{ + value = 'Microsoft365DSC.com' + } -ClientOnly) + ); + Name = "MyFQDN"; + Policy = "MyPolicy"; + RuleType = "fqdn"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicyRule -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaNetworkAccessFilteringPolicyRule -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Destinations = @( + (New-CimInstance -ClassName MSFT_AADFilteringPolicyRuleDestination -property @{ + value = 'Microsoft365DSC.com' + } -ClientOnly) + ); + Name = "MyFQDN"; + Policy = "MyPolicy"; + RuleType = "fqdn"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicyRule -MockWith { + return @{ + Name = 'MyFQDN' + Id = '12345-12345-12345-12345-12345' + AdditionalProperties = @{ + ruleType = 'fqdn' + destinations = @( + @{ + value = 'Microsoft365DSC.com' + } + ) + } + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaNetworkAccessFilteringPolicyRule -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + 
Destinations = @( + (New-CimInstance -ClassName MSFT_AADFilteringPolicyRuleDestination -property @{ + value = 'Microsoft365DSC.com' + } -ClientOnly) + ); + Name = "MyFQDN"; + Policy = "MyPolicy"; + RuleType = "fqdn"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicyRule -MockWith { + return @{ + Name = 'MyFQDN' + Id = '12345-12345-12345-12345-12345' + AdditionalProperties = @{ + ruleType = 'fqdn' + destinations = @( + @{ + value = 'Microsoft365DSC.com' + } + ) + } + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Destinations = @( + (New-CimInstance -ClassName MSFT_AADFilteringPolicyRuleDestination -property @{ + value = 'contoso.com' #Drift + } -ClientOnly) + ); + Name = "MyFQDN"; + Policy = "MyPolicy"; + RuleType = "fqdn"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicyRule -MockWith { + return @{ + Name = 'MyFQDN' + Id = '12345-12345-12345-12345-12345' + AdditionalProperties = @{ + ruleType = 'fqdn' + destinations = @( + @{ + value = 'Microsoft365DSC.com' + } + ) + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaNetworkAccessFilteringPolicyRule -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicyRule 
-MockWith { + return @{ + Name = 'MyFQDN' + Id = '12345-12345-12345-12345-12345' + AdditionalProperties = @{ + ruleType = 'fqdn' + destinations = @( + @{ + value = 'Microsoft365DSC.com' + } + ) + } + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringProfile.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringProfile.Tests.ps1 new file mode 100644 index 0000000000..f680555b49 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADFilteringProfile.Tests.ps1 
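Review bot: `Mock -COmmandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith{` in the top-level BeforeAll has a mis-cased parameter name. PowerShell binds it regardless, but it stands out against every other `-CommandName` in the file and a case-sensitive search will miss it. Write it as `Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith {`, and use `-Property` rather than `-property` on the `New-CimInstance` calls for the same reason.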
@@ -0,0 +1,296 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-MgBetaNetworkAccessFilteringProfile -MockWith{} + Mock -CommandName Remove-MgBetaNetworkAccessFilteringProfile -MockWith{} + Mock -CommandName Get-MgBetaNetworkAccessFilteringPolicy -MockWith{ + return @( + @{ + id = '12345-12345-12345-12345-12346' + name = 'MyTopPolicy' + } + ) + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringProfilePolicy -MockWith { + return @( + @{ + Policy = @{ + id = '12345-12345-12345-12345-12345' + name = 'MyTopPolicy' + } + AdditionalProperties = @{ + priority = 200 + loggingState = 'enabled' + } + State = 'enabled' + } + ) + } + + # Mock Write-Host to hide output during the tests + 
Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Description = "Description of profile"; + Name = "My Profile"; + Policies = @( + (New-CimInstance -ClassName MSFT_AADFilteringProfilePolicyLink -Property @{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } -ClientOnly) + ); + Priority = 120; + State = "enabled"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringProfile -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaNetworkAccessFilteringProfile -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Description = "Description of profile"; + Name = "My Profile"; + Policies = @( + (New-CimInstance -ClassName MSFT_AADFilteringProfilePolicyLink -Property @{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } -ClientOnly) + ); + Priority = 120; + State = "enabled"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringProfile -MockWith { + return @{ + Id = '22222-22222-22222-22222-22222' + Name = 'My Profile' + Description = 'Description of profile' + State = 'enabled' + Priority = 120 + Policies = @( + @{ + Id = '11111-22222-33333-44444-55556' + State = 'enabled' + AdditionalProperties = @{ + priority = 200 + loggingState = 'enabled' + } + } + ) + } + } + } + It 'Should return 
Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaNetworkAccessFilteringProfile -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Description = "Description of profile"; + Name = "My Profile"; + Policies = @( + (New-CimInstance -ClassName MSFT_AADFilteringProfilePolicyLink -Property @{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } -ClientOnly) + ); + Priority = 120; + State = "enabled"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringProfile -MockWith { + return @{ + Id = '22222-22222-22222-22222-22222' + Name = 'My Profile' + Description = 'Description of profile' + State = 'enabled' + Priority = 120 + Policies = @( + @{ + Id = '11111-22222-33333-44444-55556' + State = 'enabled' + AdditionalProperties = @{ + priority = 200 + loggingState = 'enabled' + } + } + ) + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Description = "Description of profile"; + Name = "My Profile"; + Policies = @( + (New-CimInstance -ClassName MSFT_AADFilteringProfilePolicyLink -Property @{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } -ClientOnly) + ); + Priority = 122; # Drift + State = "enabled"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringProfile -MockWith { + return @{ + Id = 
'22222-22222-22222-22222-22222' + Name = 'My Profile' + Description = 'Description of profile' + State = 'enabled' + Priority = 120 + Policies = @( + @{ + Id = '11111-22222-33333-44444-55556' + State = 'enabled' + AdditionalProperties = @{ + priority = 200 + loggingState = 'enabled' + } + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaNetworkAccessFilteringProfile -Exactly 1 + Should -Invoke -CommandName New-MgBetaNetworkAccessFilteringProfile -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessFilteringProfile -MockWith { + return @{ + Id = '22222-22222-22222-22222-22222' + Name = 'My Profile' + Description = 'Description of profile' + State = 'enabled' + Priority = 120 + Policies = @( + @{ + Id = '11111-22222-33333-44444-55556' + State = 'enabled' + AdditionalProperties = @{ + priority = 200 + loggingState = 'enabled' + } + } + ) + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroup.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroup.Tests.ps1 index 7aa3b6429f..06e568b265 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroup.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroup.Tests.ps1 
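Review bot: The two mocks in the top-level BeforeAll describe the same policy `MyTopPolicy` with different ids: `Get-MgBetaNetworkAccessFilteringPolicy` returns `'12345-12345-12345-12345-12346'` while `Get-MgBetaNetworkAccessFilteringProfilePolicy` returns `'12345-12345-12345-12345-12345'`, and the `Policies` entries in the profile mocks carry yet another id. The tests presumably pass because the resource matches policies by name, but that is not visible here and the one-digit difference reads like a typo. Either use one id in both mocks or say so in a comment such as `# ids differ on purpose: policies are resolved by name`.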
@@ -81,7 +81,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName New-MgBetaGroupOwnerByRef -MockWith { } - Mock -CommandName New-MgBetaGroupMemberByRef -MockWith { + Mock -CommandName Remove-MgBetaRoleManagementDirectoryRoleAssignment -MockWith { } Mock -CommandName New-MgBetaGroupMember -MockWith { @@ -90,6 +90,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName New-MgBetaDirectoryRoleMemberByRef -MockWith { } + Mock -CommandName New-MgBetaRoleManagementDirectoryRoleAssignment -MockWith { + } + Mock -CommandName Remove-MgGroupOwnerDirectoryObjectByRef -MockWith { } @@ -105,6 +108,18 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Set-MgGroupLicense -MockWith { } + Mock -CommandName Get-MgBetaRoleManagementDirectoryRoleAssignment -MockWith { + return @{ + RoleDefinitionId = "12345-12345-12345-12345-12345" + } + } + + Mock -CommandName Get-MgBetaRoleManagementDirectoryRoleDefinition -MockWith { + return @{ + DisplayName = "AADRole" + } + } + # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { } @@ -508,6 +523,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ID = '12345-12345-12345-12345' } } + Mock -CommandName Get-MgBetaRoleManagementDirectoryRoleAssignment -MockWith { + return $null + } } It 'Should return Values from the Get method' { @@ -522,8 +540,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should call the Set method' { Set-TargetResource @testParams Should -Invoke -CommandName 'Get-MgGroup' -Exactly 1 - Should -Invoke -CommandName 'Get-MgBetaDirectoryRole' -Exactly 1 - Should -Invoke -CommandName 'New-MgBetaDirectoryRoleMemberByRef' -Exactly 1 + Should -Invoke -CommandName 'Get-MgBetaRoleManagementDirectoryRoleAssignment' -Exactly 1 + Should -Invoke -CommandName 'New-MgBetaRoleManagementDirectoryRoleAssignment' -Exactly 1 } } 
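Review bot: The `@@ -81,7 +81,7 @@` hunk replaces the `New-MgBetaGroupMemberByRef` mock with the new `Remove-MgBetaRoleManagementDirectoryRoleAssignment` mock instead of adding the latter beside it. If Set-TargetResource still calls `New-MgBetaGroupMemberByRef` when adding members (not visible in this diff section), those calls now fall through to the stub module, and any `Should -Invoke` on it elsewhere in the file will fail. Unless the cmdlet is no longer used, keep `Mock -CommandName New-MgBetaGroupMemberByRef -MockWith { }` and add the new mock as a separate block. The enclosing BeforeAll starts and ends outside the hunk.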
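Review bot: The updated assertions in the `@@ -522,8 +540,8 @@` hunk count one call to `New-MgBetaRoleManagementDirectoryRoleAssignment` but do not check which principal or role it was made for, and for a directory role assignment the target is the part that matters. Add a filter on the values the test set up, for example `-ParameterFilter { $PrincipalId -eq '<group id from the Get-MgGroup mock>' }`, assuming Set-TargetResource passes the group through `-PrincipalId`; that call is outside this diff section. The `Remove-MgBetaRoleManagementDirectoryRoleAssignment` assertion in the `@@ -646,8 +664,8 @@` hunk has the same gap, and its `Get-MgBetaRoleManagementDirectoryRoleDefinition -Exactly 2` ties the test to how many lookups the implementation happens to make.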
@@ -646,8 +664,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should call the Set method' { Set-TargetResource @testParams Should -Invoke -CommandName 'Get-MgGroup' -Exactly 1 - Should -Invoke -CommandName 'Get-MgBetaDirectoryRole' -Exactly 1 - Should -Invoke -CommandName 'Remove-MgBetaDirectoryRoleMemberDirectoryObjectByRef' -Exactly 1 + Should -Invoke -CommandName 'Get-MgBetaRoleManagementDirectoryRoleDefinition' -Exactly 2 + Should -Invoke -CommandName 'Remove-MgBetaRoleManagementDirectoryRoleAssignment' -Exactly 1 } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADHomeRealmDiscoveryPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADHomeRealmDiscoveryPolicy.Tests.ps1 new file mode 100644 index 0000000000..1f82f559fd --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADHomeRealmDiscoveryPolicy.Tests.ps1 
@@ -0,0 +1,242 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADHomeRealmDiscoveryPolicy" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + } + + Mock -CommandName New-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + } + + Mock -CommandName Remove-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADHomeRealmDiscoveryPolicy should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Definition = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinition -Property @{ + PreferredDomain = 
'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin -Property @{ + Enabled = $True + } -ClientOnly + } -ClientOnly ) + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + IsOrganizationDefault = $True + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaPolicyHomeRealmDiscoveryPolicy -Exactly 1 + } + } + + Context -Name "The AADHomeRealmDiscoveryPolicy exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Definition = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinition -Property @{ + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin -Property @{ + Enabled = $True + } -ClientOnly + } -ClientOnly ) + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + IsOrganizationDefault = $True + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + return @{ + id = "randomguid" + definition = @( + '{"HomeRealmDiscoveryPolicy":{"PreferredDomain":"federated.example.edu","AlternateIdLogin":{"Enabled":true},"AccelerateToFederatedDomain":false}}' + ) + displayName = "FakeStringValue" + description = "FakeStringValue" + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 
'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaPolicyHomeRealmDiscoveryPolicy -Exactly 1 + } + } + Context -Name "The AADHomeRealmDiscoveryPolicy Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Definition = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinition -Property @{ + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin -Property @{ + Enabled = $True + } -ClientOnly + } -ClientOnly ) + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + IsOrganizationDefault = $True + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + return @{ + id = "randomguid" + definition = @( + '{"HomeRealmDiscoveryPolicy":{"PreferredDomain":"federated.example.edu","AlternateIdLogin":{"Enabled":true},"AccelerateToFederatedDomain":false}}' + ) + displayName = "FakeStringValue" + description = "FakeStringValue" + isOrganizationDefault = $True + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADHomeRealmDiscoveryPolicy exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Definition = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinition -Property @{ + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = New-CimInstance -ClassName MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin -Property @{ + Enabled = $True + } -ClientOnly + } -ClientOnly ) + 
Description = "FakeStringValue" + DisplayName = "FakeStringValue" + IsOrganizationDefault = $True + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + return @{ + id = "randomguid" + definition = @( + '{"HomeRealmDiscoveryPolicy":{"PreferredDomain":"federated.example.edu","AlternateIdLogin":{"Enabled":true},"AccelerateToFederatedDomain":false}}' + ) + displayName = "FakeStringValue" + description = "FakeStringValue New" + isOrganizationDefault = $False + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaPolicyHomeRealmDiscoveryPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaPolicyHomeRealmDiscoveryPolicy -MockWith { + return @{ + id = "randomguid" + definition = @( + '{"HomeRealmDiscoveryPolicy":{"PreferredDomain":"federated.example.edu","AlternateIdLogin":{"Enabled":true},"AccelerateToFederatedDomain":false}}' + ) + displayName = "FakeStringValue" + description = "FakeStringValue" + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 new file mode 100644 index 0000000000..d8484eef0b --- /dev/null 
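Review bot: No context in this file exercises drift in `Definition`: the "NOT in the desired state" mock returns the same policy JSON as `$testParams` and differs only in `description` and `isOrganizationDefault`, so a comparison bug on `PreferredDomain` or `AccelerateToFederatedDomain` would go unnoticed. Those fields control where sign-in is routed, so I would add a context whose mock differs only in the JSON, for example `"AccelerateToFederatedDomain":true`, and assert `Test-TargetResource @testParams | Should -Be $false`. Separately, the title `'Should return true from the Test method'` in the "exists but it SHOULD NOT" context asserts `$false` and should read `'Should return false from the Test method'`; the same mismatch appears in the AADIdentityAPIConnector and AADIdentityB2XUserFlow test files in this diff.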
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityAPIConnector.Tests.ps1 
@@ -0,0 +1,312 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADIdentityAPIConnector" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaIdentityAPIConnector -MockWith { + } + + Mock -CommandName New-MgBetaIdentityAPIConnector -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityAPIConnector -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADIdentityAPIConnector should exist but it DOES NOT" -Fixture { + BeforeAll { + + $testParams = @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + Username = 'FakeStringValue' + Password = $Credential + Certificates = @( + New-CimInstance 
-ClassName 'MSFT_AADIdentityAPIConnectionCertificate' -Property @{ + Thumbprint = 'FakeStringValue' + Pkcs12Value = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + Password = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + IsActive = $true + } -ClientOnly + ) + Credential = $Credential + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityAPIConnector -Exactly 1 + } + } + + Context -Name "The AADIdentityAPIConnector exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + Username = 'FakeStringValue' + Password = $Credential + Certificates = @( + New-CimInstance -ClassName 'MSFT_AADIdentityAPIConnectionCertificate' -Property @{ + Thumbprint = 'FakeStringValue' + Pkcs12Value = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + Password = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + IsActive = $true + } -ClientOnly + ) + Credential = $Credential + Ensure = 'Absent' + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + AuthenticationConfiguration = @{ + AdditionalProperties = @{ + Username = 
'FakeStringValue' + Password = $Cred + } + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaIdentityAPIConnector -Exactly 1 + } + } + Context -Name "The AADIdentityAPIConnector Exists and Values are already in the desired state" -Fixture { + BeforeAll { + + $testParams = @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + Username = 'FakeStringValue' + Password = $Credential + Credential = $Credential + Ensure = 'Present' + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + AuthenticationConfiguration = @{ + AdditionalProperties = @{ + Username = 'FakeStringValue' + Password = $Cred + } + } + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADIdentityAPIConnector exists and values are NOT in the desired state" -Fixture { + + BeforeAll { + $testParams = @{ + DisplayName = 'FakeStringValue2' #drift + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + Username = 'FakeStringValue' + Password = $Credential + Credential = $Credential + Ensure = 'Present' + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + AuthenticationConfiguration = @{ + AdditionalProperties = @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + 
+ It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaIdentityAPIConnector -Exactly 1 + } + } + + + Context -Name "The AADIdentityAPIConnector with certificates exists and values are in the desired state" -Fixture { + + BeforeAll { + $testParams = @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + Certificates = @( + New-CimInstance -ClassName 'MSFT_AADIdentityAPIConnectionCertificate' -Property @{ + Thumbprint = 'FakeStringValue' + Pkcs12Value = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + Password = (New-CimInstance -ClassName 'MSFT_Credential' -Property @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } -ClientOnly) + IsActive = $true + } -ClientOnly + ) + Credential = $Credential + Ensure = 'Present' + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + AuthenticationConfiguration = @{ + AdditionalProperties = @{ + certificateList = @( + @{ + Thumbprint = 'FakeStringValue' + IsActive = $true + } + ) + } + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaIdentityAPIConnector -MockWith { + return @{ + DisplayName = 'FakeStringValue' + TargetUrl = 'FakeStringValue' + Id = 'FakeStringValue' + 
AuthenticationConfiguration = @{ + AdditionalProperties = @{ + Username = 'FakeStringValue' + Password = 'FakeStringValue' + } + } + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityB2XUserFlow.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityB2XUserFlow.Tests.ps1 new file mode 100644 index 0000000000..b0dd2cbd56 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityB2XUserFlow.Tests.ps1 
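Review bot: `$Cred` in the `Get-MgBetaIdentityAPIConnector` mocks of the "exists but it SHOULD NOT" and "already in the desired state" contexts is never assigned in this file (the `BeforeAll` defines `$Credential`), so `Password` evaluates to `$null` there and would raise an error under strict mode. The other mocks use `Password = 'FakeStringValue'`; the same line would keep the fixtures consistent. The desired-state context passes even though the mocked password differs from `$testParams.Password`, which suggests the password is not compared; if that is intended, a comment saying so would help the next reader. The ReverseDSC test only checks that the export is non-empty; with a distinct sentinel value as the mocked password it could also assert that the sentinel does not appear in `$result`.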
@@ -0,0 +1,502 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADIdentityB2XUserFlow" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaIdentityB2XUserFlow -MockWith { + } + + Mock -CommandName New-MgBetaIdentityB2XUserFlow -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityB2XUserFlow -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityB2XUserFlowIdentityProviderByRef -MockWith { + } + + Mock -CommandName New-MgBetaIdentityB2XUserFlowIdentityProviderByRef -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + } + + Mock -CommandName Update-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + } + + Mock -CommandName New-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + } + + Mock -CommandName Set-MgBetaIdentityB2XUserFlowPostAttributeCollectionByRef -MockWith { + } + + Mock -CommandName 
Set-MgBetaIdentityB2XUserFlowPostFederationSignupByRef -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADIdentityB2XUserFlow should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + ApiConnectorConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration -Property @{ + postAttributeCollectionConnectorName = 'FakeConnector1' + postFederationSignupConnectorName = 'FakeConnector2' + } -ClientOnly) + Id = "FakeStringValue" + IdentityProviders = @("Provider1", "Provider2") + UserAttributeAssignments = @((New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + IsDefault = $True + Name = 'S' + Value = '2' + } -ClientOnly + ) + } -ClientOnly)) + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlow -MockWith { + return $null + } + + Mock -CommandName Get-MgBetaIdentityApiConnector -MockWith { + return $null + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityB2XUserFlow -Exactly 1 + Should -Invoke -CommandName 
Get-MgBetaIdentityApiConnector -Exactly 2 + Should -Invoke -CommandName New-MgBetaIdentityB2XUserFlowIdentityProviderByRef -Exactly 2 + Should -Invoke -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -Exactly 1 + Should -Invoke -CommandName New-MgBetaIdentityB2XUserFlowUserAttributeAssignment -Exactly 1 + } + } + + Context -Name "The AADIdentityB2XUserFlow exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + ApiConnectorConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration -Property @{ + postAttributeCollectionConnectorName = 'FakeConnector1' + postFederationSignupConnectorName = 'FakeConnector2' + } -ClientOnly) + Id = "FakeStringValue" + IdentityProviders = @("Provider1", "Provider2") + UserAttributeAssignments = @((New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + IsDefault = $True + Name = 'S' + Value = '2' + } -ClientOnly + ) + } -ClientOnly)) + Ensure = "Absent" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlow -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowIdentityProvider -MockWith { + return @( + @{ + id = "Provider1" + }, + @{ + id = "Provider2" + } + ) + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration -MockWith { + return @{ + PostFederationSignup = [PSCustomObject]@{ + DisplayName = "FakeConnector2" + } + PostAttributeCollection = [PSCustomObject]@{ + DisplayName = "FakeConnector1" + } + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + return @( + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 
'Email Address' + Id = 'emailReadonly' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + } + ) + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaIdentityB2XUserFlow -Exactly 1 + } + } + Context -Name "The AADIdentityB2XUserFlow Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ApiConnectorConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration -Property @{ + postAttributeCollectionConnectorName = 'FakeConnector1' + postFederationSignupConnectorName = 'FakeConnector2' + } -ClientOnly) + Id = "FakeStringValue" + IdentityProviders = @("Provider1", "Provider2") + UserAttributeAssignments = @((New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + IsDefault = $True + Name = 'S' + Value = '2' + } -ClientOnly + ) + } -ClientOnly)) + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlow -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowIdentityProvider -MockWith { + return @( + @{ + id = "Provider1" + }, + @{ + id = "Provider2" + } + ) + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration -MockWith { + return @{ + PostFederationSignup = [PSCustomObject]@{ + DisplayName = "FakeConnector2" + } + 
PostAttributeCollection = [PSCustomObject]@{ + DisplayName = "FakeConnector1" + } + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + return @( + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + } + ) + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADIdentityB2XUserFlow exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ApiConnectorConfiguration = (New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration -Property @{ + postAttributeCollectionConnectorName = 'FakeConnector1' + postFederationSignupConnectorName = 'FakeConnector2' + } -ClientOnly) + Id = "FakeStringValue" + IdentityProviders = @("Provider1", "Provider2") + UserAttributeAssignments = @((New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + IsDefault = $True + Name = 'Z' + Value = '2' + } -ClientOnly + ) + } -ClientOnly), + (New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Surname' + Id = 'surname' + UserAttributeValues = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphuserFlowUserAttributeAssignment -Property @{ + IsDefault = $True + Name = 'S' + Value = '2' + } -ClientOnly + ) + } -ClientOnly)) + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlow -MockWith { + 
return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityApiConnector -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowIdentityProvider -MockWith { + return @( + @{ + id = "Provider3" + }, + @{ + id = "Provider2" + } + ) + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration -MockWith { + return @{ + PostFederationSignup = [PSCustomObject]@{ + DisplayName = "FakeConnector2" + } + PostAttributeCollection = [PSCustomObject]@{ + DisplayName = "FakeConnector1" + } + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + return @( + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + }, + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'City' + Id = 'city' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + } + ) + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityB2XUserFlowIdentityProviderByRef -Exactly 1 + Should -Invoke -CommandName Remove-MgBetaIdentityB2XUserFlowIdentityProviderByRef -Exactly 1 + Should -Invoke -CommandName Set-MgBetaIdentityB2XUserFlowPostFederationSignupByRef -Exactly 1 + Should -Invoke -CommandName Set-MgBetaIdentityB2XUserFlowPostAttributeCollectionByRef -Exactly 1 + Should -Invoke -CommandName New-MgBetaIdentityB2XUserFlowUserAttributeAssignment -Exactly 1 + Should -Invoke -CommandName 
Update-MgBetaIdentityB2XUserFlowUserAttributeAssignment -Exactly 1 + Should -Invoke -CommandName Remove-MgBetaIdentityB2XUserFlowUserAttributeAssignment -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlow -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityApiConnector -MockWith { + return @{ + id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowIdentityProvider -MockWith { + return @( + @{ + id = "Provider3" + }, + @{ + id = "Provider2" + } + ) + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration -MockWith { + return @{ + PostFederationSignup = [PSCustomObject]@{ + DisplayName = "FakeConnector2" + } + PostAttributeCollection = [PSCustomObject]@{ + DisplayName = "FakeConnector1" + } + } + } + + Mock -CommandName Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment -MockWith { + return @( + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + }, + [PSCustomObject]@{ + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'City' + Id = 'city' + UserAttributeValues = @( + [PSCustomObject]@{ + IsDefault = $True + Name = 'S' + Value = '2' + } + ) + } + ) + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope 
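Review bot: In the "NOT in the desired state" context the mocked `Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration` returns the same connector names as `$testParams` (`FakeConnector1` and `FakeConnector2`), yet the Set test expects `Set-MgBetaIdentityB2XUserFlowPostFederationSignupByRef` and `Set-MgBetaIdentityB2XUserFlowPostAttributeCollectionByRef` exactly once each. As written the test pins that both connectors are re-applied even without drift. If that is the intended behaviour, a comment above the assertions such as `# connectors are re-applied on every update, even when unchanged` would record it; otherwise change one mocked `DisplayName` so the expectation reflects real drift. The nested `UserAttributeValues` entries are also created with the parent class name `MSFT_MicrosoftGraphuserFlowUserAttributeAssignment`, which is worth confirming against the resource schema.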
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.Tests.ps1
new file mode 100644
index 0000000000..cf2811f30c
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.Tests.ps1
@@ -0,0 +1,373 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Remove-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + } + Mock -CommandName New-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + } + Mock -CommandName Update-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + } + Mock -CommandName Get-MgApplication -MockWith { + return @{ + id = '12345-12345-12345-12345-12345' + DisplayName = 'M365DSC' + } + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The 
instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + CallbackConfiguration = (New-CIMInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration -Property @{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + } -ClientOnly) + ClientConfiguration = (New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration -Property @{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + } -ClientOnly) + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = (New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration -Property @{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } -ClientOnly) + Ensure = "Present"; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + CallbackConfiguration = (New-CIMInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration -Property @{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + } -ClientOnly) + ClientConfiguration = 
(New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration -Property @{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + } -ClientOnly) + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = (New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration -Property @{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } -ClientOnly) + Ensure = "Absent"; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + return @{ + id = '12345-12345-12345-12345-12345' + authenticationConfiguration = @{ + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.azureAdPopTokenAuthentication" + } + } + CallbackConfiguration = @{ + TimeoutDuration = @{ + Minutes = '34' + } + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.identityGovernance.customTaskExtensionCallbackConfiguration" + authorizedApps = @( + @{ + id = '12345-12345-12345-12345-12345' + } + ) + } + } + ClientConfiguration = @{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + } + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = @{ + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.logicAppTriggerEndpointConfiguration" + subscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } + } + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should 
return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + CallbackConfiguration = (New-CIMInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration -Property @{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + } -ClientOnly) + ClientConfiguration = (New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration -Property @{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + } -ClientOnly) + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = (New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration -Property @{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } -ClientOnly) + Ensure = "Present"; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + return @{ + id = '12345-12345-12345-12345-12345' + authenticationConfiguration = @{ + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.azureAdPopTokenAuthentication" + } + } + CallbackConfiguration = @{ + TimeoutDuration = @{ + Minutes = '34' + } + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.identityGovernance.customTaskExtensionCallbackConfiguration" + authorizedApps = @( + @{ + id = '12345-12345-12345-12345-12345' + } + ) + } + } + 
ClientConfiguration = @{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + } + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = @{ + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.logicAppTriggerEndpointConfiguration" + subscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } + } + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + CallbackConfiguration = (New-CIMInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration -Property @{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + } -ClientOnly) + ClientConfiguration = (New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration -Property @{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + } -ClientOnly) + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = (New-CimInstance -ClassName MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration -Property @{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } -ClientOnly) + Ensure = "Present"; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + return @{ + id = '12345-12345-12345-12345-12345' + authenticationConfiguration = @{ + AdditionalProperties = @{ 
+ "@odata.type" = "#microsoft.graph.azureAdPopTokenAuthentication" + } + } + CallbackConfiguration = @{ + TimeoutDuration = @{ + Minutes = '34' + } + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.identityGovernance.customTaskExtensionCallbackConfiguration" + authorizedApps = @( + @{ + id = '12345-12345-12345-12345-12345' + } + ) + } + } + ClientConfiguration = @{ + MaximumRetries = 2 #drift + TimeoutInMilliseconds = 1000 + } + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = @{ + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.logicAppTriggerEndpointConfiguration" + subscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -MockWith { + return @{ + id = '12345-12345-12345-12345-12345' + authenticationConfiguration = @{ + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.azureAdPopTokenAuthentication" + } + } + CallbackConfiguration = @{ + TimeoutDuration = @{ + Minutes = '34' + } + AdditionalProperties = @{ + "@odata.type" = 
"#microsoft.graph.identityGovernance.customTaskExtensionCallbackConfiguration" + authorizedApps = @( + @{ + id = '12345-12345-12345-12345-12345' + } + ) + } + } + ClientConfiguration = @{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + } + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = @{ + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.logicAppTriggerEndpointConfiguration" + subscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + } + } + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityGovernanceProgram.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityGovernanceProgram.Tests.ps1 new file mode 100644 index 0000000000..c32c53e829 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityGovernanceProgram.Tests.ps1 
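Review bot: The only drift case in this new test file is `MaximumRetries = 2 #drift` under `ClientConfiguration`; no context exercises a change in `EndpointConfiguration.url` or `CallbackConfiguration.AuthorizedApps`, the fields that decide where the extension posts and which application may call back into the workflow. As far as these tests show, a regression in how those values are compared would pass unnoticed. I would add a second "NOT in the desired state" context that keeps the same `$testParams`, returns a different `url` from the `Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension` mock, and asserts `Test-TargetResource @testParams | Should -Be $false`. An `AuthorizedApps` drift case would also need the `Get-MgApplication` mock to distinguish ids, because the current mock returns 'M365DSC' for every call; the expected results assume the resource compares these fields, which is not visible in this hunk.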
@@ -0,0 +1,199 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADIdentityGovernanceProgram" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaProgram -MockWith { + return $null + } + + Mock -CommandName New-MgBetaProgram -MockWith { + return $null + } + + Mock -CommandName Remove-MgBetaProgram -MockWith { + return $null + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADIdentityGovernanceProgram should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName 
Get-MgBetaProgram -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaProgram -Exactly 1 + } + } + + Context -Name "The AADIdentityGovernanceProgram exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaProgram -MockWith { + return @{ + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaProgram -Exactly 1 + } + } + Context -Name "The AADIdentityGovernanceProgram Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaProgram -MockWith { + return @{ + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADIdentityGovernanceProgram exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Description = 
"FakeStringValueDrift" #drift + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaProgram -MockWith { + return @{ + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaProgram -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaProgram -MockWith { + return @{ + Description = "FakeStringValue" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityProtectionPolicySettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityProtectionPolicySettings.Tests.ps1 new file mode 100644 index 0000000000..0b1586f83f --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityProtectionPolicySettings.Tests.ps1 
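Review bot: In the "exists but it SHOULD NOT" context the test is titled `'Should return true from the Test method'` but asserts `Should -Be $false`. The assertion fits the scenario (Ensure is 'Absent' while the mock returns a program), so it is the title that is wrong and should read `It 'Should return false from the Test method' {`. The Set tests are titled 'Should Create the group from the Set method' and 'Should Remove the group from the Set method' although the cmdlets they assert are `New-MgBetaProgram` and `Remove-MgBetaProgram`; "program" would match. A failing run reports these titles, so the mismatch points whoever triages it at the wrong expectation.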
@@ -0,0 +1,116 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = 'Yes' + IsUserRiskClearedOnPasswordReset = $True; + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + IsUserRiskClearedOnPasswordReset = $True; + Credential = $Credential; + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams 
| Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = 'Yes' + IsUserRiskClearedOnPasswordReset = $True; + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + IsUserRiskClearedOnPasswordReset = $False; + Credential = $Credential; + } + } + + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 -ParameterFilter { $Method -eq 'PATCH' } + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + IsUserRiskClearedOnPasswordReset = $False; + Credential = $Credential; + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNamedLocationPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNamedLocationPolicy.Tests.ps1 index ba63fc5762..dbd6467749 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNamedLocationPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNamedLocationPolicy.Tests.ps1 
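Review bot: The Set assertion `-ParameterFilter { $Method -eq 'PATCH' }` checks only the HTTP verb, so a PATCH sent to the wrong endpoint, or carrying the wrong value for `IsUserRiskClearedOnPasswordReset`, would still pass. Because this setting controls whether user risk is cleared on password reset, the filter should also pin `$Uri` and the relevant part of `$Body` to what the resource is expected to send; the exact URI and body shape are not visible in this hunk. The three `Invoke-MgGraphRequest` mocks also return `Credential = $Credential;` as part of the Graph response, which a real response would not contain. Dropping that line from the mocks keeps the fixture from hiding code that reads the credential back from the response.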
@@ -193,6 +193,52 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } } + Context -Name 'Policies with duplicate names exist' -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = 'Company Network' + Ensure = 'Present' + IpRanges = @('2.1.1.1/32', '1.2.2.2/32') + IsTrusted = $True + OdataType = '#microsoft.graph.ipNamedLocation' + Credential = $Credscredential + } + + Mock -CommandName Get-MgBetaIdentityConditionalAccessNamedLocation -MockWith { + return @( + @{ + DisplayName = 'Company Network' + Id = '046956df-2367-4dd4-b7fd-c6175ec11cd5' + AdditionalProperties = @{ + ipRanges = @(@{cidrAddress = '2.1.1.1/32' }, @{cidrAddress = '1.2.2.2/32' }) + isTrusted = $False + '@odata.type' = '#microsoft.graph.ipNamedLocation' + } + } + @{ + DisplayName = 'Company Network' + Id = '046956df-2367-4dd4-b7fd-c6175ec11cd6' + AdditionalProperties = @{ + ipRanges = @(@{cidrAddress = '2.1.1.1/32' }, @{cidrAddress = '1.2.2.2/32' }) + isTrusted = $False + '@odata.type' = '#microsoft.graph.ipNamedLocation' + } + } + ) + } + } + + It 'Should return values from the get method' { + $result = Get-TargetResource @testParams + $result.Ensure | Should -Be 'Absent' + Should -Invoke -CommandName 'Get-MgBetaIdentityConditionalAccessNamedLocation' -Exactly 1 + } + + It 'Should call the set method' { + { Set-TargetResource @testParams } | Should -Throw "More than one instance of a Named Location Policy with name {Company Network} was found. Please provide the ID parameter." + } + } + Context -Name 'ReverseDSC Tests' -Fixture { BeforeAll { $Global:CurrentModeIsExport = $true diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessForwardingPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessForwardingPolicy.Tests.ps1 new file mode 100644 index 0000000000..45562b9072 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessForwardingPolicy.Tests.ps1 
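Review bot: The second test is titled `'Should call the set method'`, but what it asserts is that `Set-TargetResource` throws when two policies share a display name; a title such as `It 'Should throw from the Set method when duplicate names exist' {` says what is being pinned. The context has no `Test-TargetResource` assertion, so the tests do not show what the resource reports for compliance in the duplicate case. For a named location requested with `IsTrusted = $True`, it is worth pinning that duplicates are never reported as in the desired state. `Credential = $Credscredential` should be checked against the variable the rest of this file defines (outside the hunk), since an undefined variable would silently pass `$null`.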
@@ -0,0 +1,253 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingPolicy -MockWith { + } + + Mock -CommandName New-MgBetaNetworkAccessForwardingPolicyrule -MockWith { + } + + Mock -CommandName Remove-MgBetaNetworkAccessForwardingPolicyRule -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Name = "Custom Bypass"; + PolicyRules = [CimInstance[]]@( + New-CimInstance -ClassName 
MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule -Property @{ + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'fqdn' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('www.google.com') + } -ClientOnly + + New-CimInstance -ClassName MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule -Property @{ + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipSubnet' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.164.0.0/24') + } -ClientOnly + ) + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingPolicy -MockWith { + return @{ + Name = "Custom Bypass" + PolicyRules = @( + @{ + Name = "Custom policy internet rule" + AdditionalProperties = @{ + ruleType = "fqdn" + action = "bypass" + ports = @(80,443) + protocol = "tcp" + destinations = @( + @{ + value = "www.google.com" + } + ) + } + }, + @{ + Name = "Custom policy internet rule" + AdditionalProperties = @{ + ruleType = "ipSubnet" + action = "bypass" + ports = @(80,443) + protocol = "tcp" + destinations = @( + @{ + value = "192.164.0.0/24" + } + ) + } + } + ) + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Name = "Custom Bypass"; + PolicyRules = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule -Property @{ + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'fqdn' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('www.google.com') + } -ClientOnly + + New-CimInstance -ClassName MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule -Property @{ + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipSubnet' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.164.0.0/24') + } -ClientOnly + ) + 
Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingPolicy -MockWith { + return @{ + Name = "Custom Bypass" + PolicyRules = @( + @{ + Name = "Custom policy internet rule" + AdditionalProperties = @{ + ruleType = "fqdn" + action = "bypass" + ports = @(80,443) + protocol = "tcp" + destinations = @( + @{ + value = "www.google.com" + } + ) + } + }, + @{ + Name = "Custom policy internet rule" + AdditionalProperties = @{ + ruleType = "ipSubnet" + action = "bypass" + ports = @(80,443) + protocol = "tcp" + destinations = @( + @{ + value = "192.164.0.0/28" # created drift here + } + ) + } + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Name | Should -Be "Custom Bypass" + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaNetworkAccessForwardingPolicyRule + Should -Invoke -CommandName New-MgBetaNetworkAccessForwardingPolicyRule + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + ##TODO - Mock the Get-MgBetaNetworkAccessForwardingPolicy to return an instance + Mock -CommandName Get-MgBetaNetworkAccessForwardingPolicy -MockWith { + return @{ + Name = "Custom Bypass" + PolicyRules = @( + @{ + Name = "Custom policy internet rule" + AdditionalProperties = @{ + ruleType = "fqdn" + action = "bypass" + ports = @(80,443) + protocol = "tcp" + destinations = @( + @{ + value = "www.google.com" + } + ) + } + }, + @{ + Name = "Custom policy internet rule" + AdditionalProperties = @{ + ruleType = "ipSubnet" + action = "bypass" + ports = @(80,443) + protocol = "tcp" + destinations = @( + @{ + value = "192.164.0.0/28" # created drift here + } + ) + } + } + ) + } 
+ } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessForwardingProfile.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessForwardingProfile.Tests.ps1 new file mode 100644 index 0000000000..45026a3cb0 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessForwardingProfile.Tests.ps1 
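Review bot: The ReverseDSC fixture still carries `##TODO - Mock the Get-MgBetaNetworkAccessForwardingPolicy to return an instance` directly above a mock that already returns an instance, and its second rule keeps the copied comment `# created drift here` although the export test compares nothing. Both should be removed so the fixture does not suggest unfinished work or a drift scenario. In the drift context, `Should -Invoke -CommandName Remove-MgBetaNetworkAccessForwardingPolicyRule` and its `New-MgBetaNetworkAccessForwardingPolicyRule` counterpart carry no `-Exactly` or `-Times`, unlike the other new test files in this commit, so they only require at least one call. With two rules in `$testParams`, stating the expected count would catch a Set that removes or recreates more rules than intended. The fixtures also use `www.google.com` and `192.164.0.0/24`, a live host and a publicly routable range; `www.example.com` and `192.0.2.0/24` are reserved for documentation and make safer sample values for bypass rules.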
@@ -0,0 +1,222 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource 'AADNetworkAccessForwardingProfile' -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaNetworkAccessForwardingProfile -MockWith { + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfile -MockWith { + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfilePolicy -MockWith { + } + + Mock -CommandName Update-MgBetaNetworkAccessForwardingProfilePolicy -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances = $null + $Script:ExportMode = $false + } + # Test contexts + Context -Name 'The AADNetworkAccessForwardingProfile Exists and Values are already in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + Name = 'Microsoft 
365 traffic forwarding profile' + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'enabled' + Policies = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphNetworkaccessPolicyLink -Property @{ + Name = 'Custom Bypass' + PolicyLinkId = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'enabled' + } -ClientOnly + New-CimInstance -ClassName MSFT_MicrosoftGraphNetworkaccessPolicyLink -Property @{ + Name = 'Default Bypass' + PolicyLinkId = '12345678-1234-1234-1234-123456789012' + State = 'enabled' + } -ClientOnly + ) + Credential = $Credential + + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfile -MockWith { + return @{ + Name = 'Microsoft 365 traffic forwarding profile' + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'enabled' + } + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfilePolicy -MockWith { + return @( + @{ + Policy = @{ + Name = 'Custom Bypass' + } + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'enabled' + }, + @{ + Policy = @{ + Name = 'Default Bypass' + } + Id = '12345678-1234-1234-1234-123456789012' + State = 'enabled' + } + ) + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name 'The AADNetworkAccessForwardingProfile exists and values are NOT in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + Name = 'Microsoft 365 traffic forwarding profile' + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'disabled' + Policies = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphNetworkaccessPolicyLink -Property @{ + Name = 'Custom Bypass' + PolicyLinkId = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'enabled' + } -ClientOnly + New-CimInstance -ClassName MSFT_MicrosoftGraphNetworkaccessPolicyLink -Property @{ + Name = 'Default Bypass' + PolicyLinkId = '12345678-1234-1234-1234-123456789012' + State = 'disabled' + } -ClientOnly + ) + Credential = $Credential + } + + Mock -CommandName 
Get-MgBetaNetworkAccessForwardingProfile -MockWith { + return @{ + Name = 'Microsoft 365 traffic forwarding profile' + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'disabled' + } + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfilePolicy -MockWith { + return @( + @{ + Policy = @{ + Name = 'Custom Bypass' + } + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'disabled' + }, + @{ + Policy = @{ + Name = 'Default Bypass' + } + Id = '12345678-1234-1234-1234-123456789012' + State = 'enabled' + } + ) + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set Update-MgBetaNetworkAccessForwardingProfile method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaNetworkAccessForwardingProfile -Exactly 1 + } + + It 'Should call the Set Update-MgBetaNetworkAccessForwardingProfilePolicy method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaNetworkAccessForwardingProfilePolicy -Exactly 2 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfile -MockWith { + return @{ + Name = 'Microsoft 365 traffic forwarding profile' + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'disabled' + } + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfilePolicy -MockWith { + return @( + @{ + Policy = @{ + Name = 'Custom Bypass' + } + Id = '58847306-0ae2-4f65-91ee-d6587e9bebda' + State = 'disabled' + }, + @{ + Policy = @{ + Name = 'Default Bypass' + } + Id = '12345678-1234-1234-1234-123456789012' + State = 'enabled' + } + ) + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } 
+}
+
+Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessSettingConditionalAccess.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessSettingConditionalAccess.Tests.ps1
new file mode 100644
index 0000000000..364aac36fe
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessSettingConditionalAccess.Tests.ps1
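Review bot: The 'values are NOT in the desired state' context never drifts the profile's own `State`: `$testParams` asks for `'disabled'` and the `Get-MgBetaNetworkAccessForwardingProfile` mock also returns `'disabled'`, so `Test-TargetResource` is only shown to return `$false` because of the two policy-link states. A regression that stopped comparing the profile state would still pass this file, which matters for a resource that decides whether a traffic forwarding profile is switched on. I would add a context where the policy links match and only the profile differs, e.g. the mock returning `State = 'enabled'` against a desired `'disabled'`, and assert `Test-TargetResource @testParams | Should -Be $false` there.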
@@ -0,0 +1,102 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Update-MgBetaNetworkAccessSettingConditionalAccess -MockWith { + } + Mock -CommandName Get-MgBetaNetworkAccessSettingConditionalAccess -MockWith { + return @{ + SignalingStatus = 'enabled' + } + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = "Yes"; + SignalingStatus = "enabled"; + Credential = $Credential; + } + } + + It 'Should return true 
from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = "Yes"; + SignalingStatus = "disabled"; #Drift + Credential = $Credential; + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaNetworkAccessSettingConditionalAccess -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessSettingCrossTenantAccess.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessSettingCrossTenantAccess.Tests.ps1 new file mode 100644 index 0000000000..edf6656b00 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADNetworkAccessSettingCrossTenantAccess.Tests.ps1 
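Review bot: `Should -Invoke -CommandName Update-MgBetaNetworkAccessSettingConditionalAccess -Exactly 1` in the drift context proves only that the cmdlet ran, not that the desired `'disabled'` value was sent; a Set that re-sent the current value would pass. Adding a `-ParameterFilter` on the status argument would pin it, e.g. `-ParameterFilter { $SignalingStatus -eq 'disabled' }` if the resource passes it as a named parameter (the resource's Set-TargetResource is not part of this hunk, so confirm how the value is passed). The same applies to the `Update-MgBetaNetworkAccessSettingCrossTenantAccess` assertion in the AADNetworkAccessSettingCrossTenantAccess test file that follows. Neither file asserts anything about `Get-TargetResource` output, so a one-line check of the returned status would also be worth adding.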
@@ -0,0 +1,102 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Update-MgBetaNetworkAccessSettingCrossTenantAccess -MockWith { + } + Mock -CommandName Get-MgBetaNetworkAccessSettingCrossTenantAccess -MockWith { + return @{ + NetworkPacketTaggingStatus = 'enabled' + } + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = "Yes"; + NetworkPacketTaggingStatus = "enabled"; + Credential = $Credential; + } + } + + 
It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = "Yes"; + NetworkPacketTaggingStatus = "disabled"; #Drift + Credential = $Credential; + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaNetworkAccessSettingCrossTenantAccess -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOnPremisesPublishingProfilesSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOnPremisesPublishingProfilesSettings.Tests.ps1 new file mode 100644 index 0000000000..a8552503e0 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOnPremisesPublishingProfilesSettings.Tests.ps1 
@@ -0,0 +1,113 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsEnabled = $False; + IsSingleInstance = "Yes"; + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + isEnabled = $false + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and 
values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsEnabled = $True; #Drift + IsSingleInstance = "Yes"; + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + isEnabled = $false + } + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + isEnabled = $false + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOrganizationCertificateBasedAuthConfiguration.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOrganizationCertificateBasedAuthConfiguration.Tests.ps1 new file mode 100644 index 0000000000..0f0800c5a8 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADOrganizationCertificateBasedAuthConfiguration.Tests.ps1 
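Review bot: In the drift context, `Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1` cannot tell a read from a write, because the same `Invoke-MgGraphRequest` mock also answers the lookup that returns `isEnabled = $false`. The test would stay green if Set-TargetResource only queried the setting and never changed it. The certificate-based-auth test added in this commit filters on `$Method`; doing the same here, e.g. `-ParameterFilter { $Method -eq 'PATCH' }` (use whichever verb the resource sends; its code is not in this hunk), would make the assertion cover the update itself.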
@@ -0,0 +1,271 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADOrganizationCertificateBasedAuthConfiguration" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return $null + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADOrganizationCertificateBasedAuthConfiguration should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + CertificateAuthorities = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Certificate 
= "VGVzdA==" # "Test" + } -ClientOnly) + ) + OrganizationId = "FakeStringValue" + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'POST' } -Exactly 1 + } + } + + Context -Name "The AADOrganizationCertificateBasedAuthConfiguration exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + CertificateAuthorities = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Certificate = "VGVzdA==" # "Test" + } -ClientOnly) + ) + OrganizationId = "FakeStringValue" + Ensure = "Absent" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.CertificateBasedAuthConfiguration" + } + CertificateAuthorities = @( + @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + Certificate = [byte[]] @(84, 101, 115, 116) # "Test" + } + ) + Id = "FakeStringValue" + + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should 
Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'DELETE' } -Exactly 1 + } + } + Context -Name "The AADOrganizationCertificateBasedAuthConfiguration Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + CertificateAuthorities = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Certificate = "VGVzdA==" # "Test" + } -ClientOnly) + ) + OrganizationId = "FakeStringValue" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.CertificateBasedAuthConfiguration" + } + CertificateAuthorities = @( + @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + Certificate = [byte[]] @(84, 101, 115, 116) # "Test" + } + ) + Id = "FakeStringValue" + + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADOrganizationCertificateBasedAuthConfiguration exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + CertificateAuthorities = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphcertificateAuthority -Property @{ + DeltaCertificateRevocationListUrl = "FakeStringValue" + IsRootAuthority = $True + CertificateRevocationListUrl = "FakeStringValue" + Certificate = "VGVzdA==" # "Test" + } -ClientOnly) + ) + OrganizationId = "FakeStringValue" + Ensure = 'Present' + Credential = $Credential; + } + + Mock 
-CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.CertificateBasedAuthConfiguration" + } + CertificateAuthorities = @( + @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "NewFakeStringValue" + IsRootAuthority = $False + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + Certificate = [byte[]] @(84, 101, 115, 116) # "Test" + } + ) + Id = "FakeStringValue" + + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'DELETE' } -Exactly 1 + Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'POST' } -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaOrganizationCertificateBasedAuthConfiguration -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.CertificateBasedAuthConfiguration" + } + CertificateAuthorities = @( + @{ + IssuerSki = "FakeStringValue" + DeltaCertificateRevocationListUrl = "NewFakeStringValue" + IsRootAuthority = $False + CertificateRevocationListUrl = "FakeStringValue" + Issuer = "FakeStringValue" + Certificate = [byte[]] @(84, 101, 115, 116) # "Test" + } + ) + Id = "FakeStringValue" + + } + } + + Mock -CommandName Get-MgBetaOrganization -MockWith { + return @{ + Id = "00000000-0000-0000-0000-000000000000" + DisplayName = "Fakegroup" + } + } + } + It 'Should Reverse Engineer resource from the 
Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRemoteNetwork.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRemoteNetwork.Tests.ps1 new file mode 100644 index 0000000000..80f13f2dcd --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRemoteNetwork.Tests.ps1 
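Review bot: In the 'exists but it SHOULD NOT' context the test is titled `'Should return true from the Test method'` while it asserts `Should -Be $false`; the title should read `'Should return false from the Test method'` so a failure report is not misleading. The `It` titles `'Should Create the group from the Set method'` and `'Should Remove the group from the Set method'` look carried over from another resource and would be clearer naming the certificate-based auth configuration. Separately, the drift test pins an update as one `DELETE` followed by one `POST`; no case covers the `POST` failing after the `DELETE` succeeded, which as far as this test shows would leave the organization without its trusted certificate authorities, so a test with a throwing `POST` mock would be worth adding.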
@@ -0,0 +1,411 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-MgBetaNetworkAccessConnectivityRemoteNetwork -MockWith { + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfile -MockWith { + } + + Mock -CommandName Remove-MgBetaNetworkAccessConnectivityRemoteNetwork -MockWith { + } + + Mock -CommandName New-MgBetaNetworkAccessConnectivityRemoteNetwork -MockWith { + } + + Mock -CommandName New-MgBetaNetworkAccessConnectivityRemoteNetworkDeviceLink -MockWith { + } + + Mock -CommandName Remove-MgBetaNetworkAccessConnectivityRemoteNetworkDeviceLink -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + 
$Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + DeviceLinks = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLink -Property @{ + Name = 'PiyushTestadf' + IPAddress = '1.1.1.1' + BandwidthCapacityInMbps = 'mbps500' + DeviceVendor = 'ciscoMeraki' + BgpConfiguration = New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration -Property @{ + Asn = 123 + LocalIPAddress = '1.1.1.2' + PeerIPAddress = '1.1.1.3' + } -ClientOnly + RedundancyConfiguration = New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration -Property @{ + RedundancyTier = 'zoneRedundancy' + ZoneLocalIPAddress = '1.1.1.8' + } -ClientOnly + TunnelConfiguration = New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration -Property @{ + PreSharedKey = 'sdf' + ZoneRedundancyPreSharedKey = 'asdf' + ODataType = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default' + } -ClientOnly + } -ClientOnly + ); + ForwardingProfiles = @(); + Id = "fd5ada38-fb52-4f3d-b8db-ef31f0ba27e5"; + Name = "jkjk"; + Region = "australiaSouthEast"; + Ensure = "Present"; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessConnectivityRemoteNetwork -MockWith { + return $null + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfile -MockWith { + return @() + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaNetworkAccessConnectivityRemoteNetwork -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams 
= @{ + DeviceLinks = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLink -Property @{ + Name = 'PiyushTestadf' + IPAddress = '1.1.1.1' + BandwidthCapacityInMbps = 'mbps500' + DeviceVendor = 'ciscoMeraki' + BgpConfiguration = New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration -Property @{ + Asn = 123 + LocalIPAddress = '1.1.1.2' + PeerIPAddress = '1.1.1.3' + } -ClientOnly + RedundancyConfiguration = New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration -Property @{ + RedundancyTier = 'zoneRedundancy' + ZoneLocalIPAddress = '1.1.1.8' + } -ClientOnly + TunnelConfiguration = New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration -Property @{ + PreSharedKey = 'sdf' + ZoneRedundancyPreSharedKey = 'asdf' + ODataType = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default' + } -ClientOnly + } -ClientOnly + ); + ForwardingProfiles = @(); + Id = "fd5ada38-fb52-4f3d-b8db-ef31f0ba27e5"; + Name = "jkjk"; + Region = "australiaSouthEast"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessConnectivityRemoteNetwork -MockWith { + return @{ + DeviceLinks = @( + @{ + Name = 'PiyushTestadf' + IPAddress = '1.1.1.1' + BandwidthCapacityInMbps = 'mbps500' + DeviceVendor = 'ciscoMeraki' + BgpConfiguration = @{ + Asn = 123 + LocalIPAddress = '1.1.1.2' + PeerIPAddress = '1.1.1.3' + } + RedundancyConfiguration = @{ + RedundancyTier = 'zoneRedundancy' + ZoneLocalIPAddress = '1.1.1.8' + } + TunnelConfiguration = @{ + PreSharedKey = 'sdf' + ZoneRedundancyPreSharedKey = 'asdf' + AdditionalProperties = @{ + "@odata.type" = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default' + } + } + } + ); + ForwardingProfiles = @(); + Id = "fd5ada38-fb52-4f3d-b8db-ef31f0ba27e5"; + Name = "jkjk"; + Region = "australiaSouthEast"; + } + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfile -MockWith { + return @() + } + } + It 'Should 
return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaNetworkAccessConnectivityRemoteNetwork -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + DeviceLinks = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLink -Property @{ + Name = 'PiyushTestadf' + IPAddress = '1.1.1.1' + BandwidthCapacityInMbps = 'mbps500' + DeviceVendor = 'ciscoMeraki' + BgpConfiguration = New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration -Property @{ + Asn = 123 + LocalIPAddress = '1.1.1.2' + PeerIPAddress = '1.1.1.3' + } -ClientOnly + RedundancyConfiguration = New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration -Property @{ + RedundancyTier = 'zoneRedundancy' + ZoneLocalIPAddress = '1.1.1.8' + } -ClientOnly + TunnelConfiguration = New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration -Property @{ + PreSharedKey = 'sdf' + ZoneRedundancyPreSharedKey = 'asdf' + ODataType = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default' + } -ClientOnly + } -ClientOnly + ); + ForwardingProfiles = @(); + Id = "fd5ada38-fb52-4f3d-b8db-ef31f0ba27e5"; + Name = "jkjk"; + Region = "australiaSouthEast"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessConnectivityRemoteNetwork -MockWith { + return @{ + DeviceLinks = @( + @{ + Name = 'PiyushTestadf' + IPAddress = '1.1.1.1' + BandwidthCapacityInMbps = 'mbps500' + DeviceVendor = 'ciscoMeraki' + BgpConfiguration = @{ + Asn = 123 + LocalIPAddress = '1.1.1.2' + PeerIPAddress = '1.1.1.3' + } + RedundancyConfiguration = @{ + 
RedundancyTier = 'zoneRedundancy' + ZoneLocalIPAddress = '1.1.1.8' + } + TunnelConfiguration = @{ + PreSharedKey = 'sdf' + ZoneRedundancyPreSharedKey = 'asdf' + AdditionalProperties = @{ + "@odata.type" = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default' + } + } + } + ); + ForwardingProfiles = @(); + Id = "fd5ada38-fb52-4f3d-b8db-ef31f0ba27e5"; + Name = "jkjk"; + Region = "australiaSouthEast"; + } + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfile -MockWith { + return @() + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + DeviceLinks = [CimInstance[]]@( + New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLink -Property @{ + Name = 'PiyushTestadf' + IPAddress = '1.1.1.1' + BandwidthCapacityInMbps = 'mbps500' + DeviceVendor = 'ciscoMeraki' + BgpConfiguration = New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration -Property @{ + Asn = 123 + LocalIPAddress = '1.1.1.2' + PeerIPAddress = '1.1.1.3' + } -ClientOnly + RedundancyConfiguration = New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration -Property @{ + RedundancyTier = 'zoneRedundancy' + ZoneLocalIPAddress = '1.1.1.8' + } -ClientOnly + TunnelConfiguration = New-CimInstance -ClassName MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration -Property @{ + PreSharedKey = 'sdf' + ZoneRedundancyPreSharedKey = 'asdf' + ODataType = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default' + } -ClientOnly + } -ClientOnly + ); + ForwardingProfiles = @(); + Id = "fd5ada38-fb52-4f3d-b8db-ef31f0ba27e5"; + Name = "jkjk"; + Region = "australiaSouthEast"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessConnectivityRemoteNetwork -MockWith { + return @{ + DeviceLinks = @( + @{ + Name = 'PiyushTestadf' + 
IPAddress = '1.1.1.1' + BandwidthCapacityInMbps = 'mbps500' + DeviceVendor = 'ciscoMeraki' + BgpConfiguration = @{ + Asn = 123 + LocalIPAddress = '1.1.1.2' + PeerIPAddress = '1.1.1.3' + } + RedundancyConfiguration = @{ + RedundancyTier = 'zoneRedundancy' + ZoneLocalIPAddress = '1.1.1.8' + } + TunnelConfiguration = @{ + PreSharedKey = 'some new value' #created drift here + ZoneRedundancyPreSharedKey = 'asdf' + AdditionalProperties = @{ + "@odata.type" = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default' + } + } + } + ); + ForwardingProfiles = @(); + Id = "fd5ada38-fb52-4f3d-b8db-ef31f0ba27e5"; + Name = "jkjk"; + Region = "australiaSouthEast"; + } + } + + Mock -CommandName Get-MgBetaNetworkAccessForwardingProfile -MockWith { + return @() + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaNetworkAccessConnectivityRemoteNetworkDeviceLink + Should -Invoke -CommandName Remove-MgBetaNetworkAccessConnectivityRemoteNetworkDeviceLink + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaNetworkAccessConnectivityRemoteNetwork -MockWith { + return @{ + DeviceLinks = @( + @{ + Name = 'PiyushTestadf' + IPAddress = '1.1.1.1' + BandwidthCapacityInMbps = 'mbps500' + DeviceVendor = 'ciscoMeraki' + BgpConfiguration = @{ + Asn = 123 + LocalIPAddress = '1.1.1.2' + PeerIPAddress = '1.1.1.3' + } + RedundancyConfiguration = @{ + RedundancyTier = 'zoneRedundancy' + ZoneLocalIPAddress = '1.1.1.8' + } + TunnelConfiguration = @{ + PreSharedKey = 'sdf' + ZoneRedundancyPreSharedKey = 'asdf' + 
AdditionalProperties = @{ + "@odata.type" = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default' + } + } + } + ); + ForwardingProfiles = @(); + Id = "fd5ada38-fb52-4f3d-b8db-ef31f0ba27e5"; + Name = "jkjk"; + Region = "australiaSouthEast"; + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleManagementPolicyRule.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleManagementPolicyRule.Tests.ps1 new file mode 100644 index 0000000000..6c4f07a824 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleManagementPolicyRule.Tests.ps1 
@@ -0,0 +1,216 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADRoleManagementPolicyRule" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaPolicyRoleManagementPolicyRule -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + Context -Name "The AADRoleManagementPolicyRule Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + id = "FakeStringValue" + roleDisplayName = "FakeStringValue" + policyId = "FakeStringValue" + ruleType = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule" + expirationRule = (New-CimInstance -ClassName MSFT_AADRoleManagementPolicyExpirationRule -Property @{ + isExpirationRequired = $true + 
maximumDuration = "FakeStringValue" + } -ClientOnly) + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaRoleManagementDirectoryRoleDefinition -MockWith { + return @{ + Id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaPolicyRoleManagementPolicyAssignment -MockWith { + return @{ + PolicyId = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaPolicyRoleManagementPolicyRule -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule" + isExpirationRequired = $true + maximumDuration = "FakeStringValue" + } + id = "FakeStringValue" + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADRoleManagementPolicyRule exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + id = "FakeStringValue" + roleDisplayName = "FakeStringValue" + policyId = "FakeStringValue" + ruleType = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule" + approvalRule = (New-CimInstance -ClassName MSFT_AADRoleManagementPolicyApprovalRule -Property @{ + setting = (New-CimInstance -ClassName MSFT_AADRoleManagementPolicyApprovalSettings -Property @{ + approvalMode = "FakeStringValue" + isApprovalRequired = $false #drift + isApprovalRequiredForExtension = $true + isRequestorJustificationRequired = $true + approvalStages = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADRoleManagementPolicyApprovalStage -Property @{ + approvalStageTimeOutInDays = 1 + escalationTimeInMinutes = 1 + isApproverJustificationRequired = $true + isEscalationEnabled = $true + escalationApprovers = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADRoleManagementPolicySubjectSet -Property @{ + odataType = "FakeStringValue" + } -ClientOnly) + ) + } -ClientOnly) + ) + } -ClientOnly) + } -ClientOnly) + Credential = $Credential; + } + + Mock -CommandName 
Get-MgBetaRoleManagementDirectoryRoleDefinition -MockWith { + return @{ + Id = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaPolicyRoleManagementPolicyAssignment -MockWith { + return @{ + PolicyId = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaPolicyRoleManagementPolicyRule -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule" + setting = @{ + approvalStages = @( + @{ + approvalStageTimeOutInDays = 1 + escalationApprovers = @( + @{ + '@odata.type' = "FakeStringValue" + } + ) + isEscalationEnabled = $True + isApproverJustificationRequired = $True + escalationTimeInMinutes = 1 + } + ) + isApprovalRequired = $True + isApprovalRequiredForExtension = $True + approvalMode = "FakeStringValue" + isRequestorJustificationRequired = $True + } + } + id = "FakeStringValue" + } + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaPolicyRoleManagementPolicyRule -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaRoleManagementDirectoryRoleDefinition -MockWith { + return @{ + Id = "FakeStringValue" + DisplayName = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaPolicyRoleManagementPolicyAssignment -MockWith { + return @{ + PolicyId = "FakeStringValue" + } + } + + Mock -CommandName Get-MgBetaPolicyRoleManagementPolicyRule -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule" + isExpirationRequired = $true + maximumDuration = "FakeStringValue" + } + id = "FakeStringValue" + } + } + } + It 'Should Reverse Engineer 
resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADServicePrincipal.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADServicePrincipal.Tests.ps1 index e10fba3f5d..b2f735572e 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADServicePrincipal.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADServicePrincipal.Tests.ps1 @@ -43,6 +43,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { return 'Credentials' } + Mock -CommandName Get-MgApplication -MockWith { + return @{ + AppId = "12345-12345-12345-12345-12345" + DisplayName = "App1" + } + } + # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { } @@ -68,6 +75,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ServicePrincipalNames = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' ServicePrincipalType = 'Application' Tags = '{WindowsAzureActiveDirectoryIntegratedApp}' + PasswordCredentials = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphpasswordCredential -Property @{ + KeyId = 'keyid' + EndDateTime = '2025-03-15T19:50:29.0310000+00:00' + Hint = 'VsO' + DisplayName = 'Super Secret' + StartDateTime = '2024-09-16T19:50:29.0310000+00:00' + } -ClientOnly + ) + KeyCredentials = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphkeyCredential -Property @{ + Usage = 'Verify' + StartDateTime = '2024-09-25T09:13:11.0000000+00:00' + Type = 'AsymmetricX509Cert' + KeyId = 'Key ID' + EndDateTime = '2025-09-25T09:33:11.0000000+00:00' + DisplayName = 'anexas_test_2' + } -ClientOnly + ) Ensure = 'Present' Credential = $Credscredential } 
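Review bot: The only drift case in the new AADRoleManagementPolicyRule test file is for the approval rule (`isApprovalRequired = $false #drift`). The expiration rule appears only in the desired-state and export contexts, so a regression in comparing `isExpirationRequired` or `maximumDuration` would pass unnoticed. The name suggests these settings bound how long a role assignment or activation stays valid, which makes them worth a drift test of their own. A further context that reuses the desired-state parameters and flips one value in the mocked rule would cover it, as sketched below.

```powershell
Context -Name "The expiration rule exists and values are NOT in the desired state" -Fixture {
    BeforeAll {
        $testParams = @{
            id              = "FakeStringValue"
            roleDisplayName = "FakeStringValue"
            policyId        = "FakeStringValue"
            ruleType        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
            expirationRule  = (New-CimInstance -ClassName MSFT_AADRoleManagementPolicyExpirationRule -Property @{
                isExpirationRequired = $true
                maximumDuration      = "FakeStringValue"
            } -ClientOnly)
            Credential      = $Credential
        }

        # … unchanged: role definition and policy assignment mocks from the desired-state context …

        Mock -CommandName Get-MgBetaPolicyRoleManagementPolicyRule -MockWith {
            return @{
                AdditionalProperties = @{
                    '@odata.type'        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
                    isExpirationRequired = $false # drift
                    maximumDuration      = "FakeStringValue"
                }
                id = "FakeStringValue"
            }
        }
    }

    It 'Should return false from the Test method' {
        Test-TargetResource @testParams | Should -Be $false
    }
}
```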
@@ -107,6 +133,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ServicePrincipalNames = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' ServicePrincipalType = 'Application' Tags = '{WindowsAzureActiveDirectoryIntegratedApp}' + PasswordCredentials = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphpasswordCredential -Property @{ + KeyId = 'keyid' + EndDateTime = '2025-03-15T19:50:29.0310000+00:00' + Hint = 'VsO' + DisplayName = 'Super Secret' + StartDateTime = '2024-09-16T19:50:29.0310000+00:00' + } -ClientOnly + ) + KeyCredentials = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphkeyCredential -Property @{ + Usage = 'Verify' + StartDateTime = '2024-09-25T09:13:11.0000000+00:00' + Type = 'AsymmetricX509Cert' + KeyId = 'Key ID' + EndDateTime = '2025-09-25T09:33:11.0000000+00:00' + DisplayName = 'anexas_test_2' + } -ClientOnly + ) Ensure = 'Absent' Credential = $Credscredential } @@ -132,6 +177,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application' $AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}' + $AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{ + Usage = 'Verify' + StartDateTime = '2024-09-25T09:13:11.0000000+00:00' + Type = 'AsymmetricX509Cert' + KeyId = 'Key ID' + EndDateTime = '2025-09-25T09:33:11.0000000+00:00' + DisplayName = 'anexas_test_2' + } + $AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{ + KeyId = 'keyid' + EndDateTime = '2025-03-15T19:50:29.0310000+00:00' + Hint = 'VsO' + DisplayName = 'Super Secret' + StartDateTime = '2024-09-16T19:50:29.0310000+00:00' + } return $AADSP } } 
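Review bot: In the `@@ -132,6 +177,21 @@` hunk the mocked service principal gets `KeyCredentials` and `PasswordCredentials` as one bare hashtable each, while the desired-state parameters pass arrays of CIM instances, so a collection holding more than one credential is never compared. The same fixture is pasted again in the hunks at +271, +343 and +406. Wrapping the mock value as `-Value @(@{ ... })` would mirror the array shape of the parameters, and defining both fixtures once in the outer `BeforeAll` would stop the copies from diverging. A credential added to a service principal outside the configuration is the drift this comparison exists to catch, so a case with one expected key plus one extra key on the mocked object is worth adding. The enclosing `Mock` block starts and ends outside the hunk.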
@@ -153,7 +213,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name 'The app exists and values are already in the desired state' -Fixture { BeforeAll { $testParams = @{ - AppId = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834' + AppId = 'App1' DisplayName = 'App1' AlternativeNames = 'AlternativeName1', 'AlternativeName2' AccountEnabled = $true @@ -167,6 +227,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ServicePrincipalNames = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' ServicePrincipalType = 'Application' Tags = '{WindowsAzureActiveDirectoryIntegratedApp}' + PasswordCredentials = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphpasswordCredential -Property @{ + KeyId = 'keyid' + EndDateTime = '2025-03-15T19:50:29.0310000+00:00' + Hint = 'VsO' + DisplayName = 'Super Secret' + StartDateTime = '2024-09-16T19:50:29.0310000+00:00' + } -ClientOnly + ) + KeyCredentials = @( + New-CimInstance -ClassName MSFT_MicrosoftGraphkeyCredential -Property @{ + Usage = 'Verify' + StartDateTime = '2024-09-25T09:13:11.0000000+00:00' + Type = 'AsymmetricX509Cert' + KeyId = 'Key ID' + EndDateTime = '2025-09-25T09:33:11.0000000+00:00' + DisplayName = 'anexas_test_2' + } -ClientOnly + ) Ensure = 'Present' Credential = $Credscredential } 
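Review bot: `AppId = 'App1'` in the `@@ -153,7 +213,7 @@` hunk, together with the `Get-MgApplication` mock added at +43, suggests the resource now accepts a display name in `AppId` and resolves it to an application. Display names are not unique in Entra ID and the mock always returns exactly one object, so neither the no-match nor the multiple-match outcome is tested. An ambiguous match could bind this configuration, including its credentials, to a different application than the author intended. Contexts whose `Get-MgApplication` mock returns `$null` and two objects, each asserting the expected failure, would pin that behaviour down. The mocked `AppId = "12345-12345-12345-12345-12345"` also differs from the `b4f08c68-…` value used for `ServicePrincipalNames`, which may be worth aligning if the resource compares the resolved id.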
@@ -192,6 +271,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application' $AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}' + $AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{ + Usage = 'Verify' + StartDateTime = '2024-09-25T09:13:11.0000000+00:00' + Type = 'AsymmetricX509Cert' + KeyId = 'Key ID' + EndDateTime = '2025-09-25T09:33:11.0000000+00:00' + DisplayName = 'anexas_test_2' + } + $AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{ + KeyId = 'keyid' + EndDateTime = '2025-03-15T19:50:29.0310000+00:00' + Hint = 'VsO' + DisplayName = 'Super Secret' + StartDateTime = '2024-09-16T19:50:29.0310000+00:00' + } return $AADSP } } @@ -223,6 +317,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ServicePrincipalNames = 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' ServicePrincipalType = 'Application' Tags = '{WindowsAzureActiveDirectoryIntegratedApp}' + PasswordCredentials = @() + KeyCredentials = @() Ensure = 'Present' Credential = $Credscredential } 
@@ -247,6 +343,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application' $AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}' + $AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{ + Usage = 'Verify' + StartDateTime = '2024-09-25T09:13:11.0000000+00:00' + Type = 'AsymmetricX509Cert' + KeyId = 'Key ID' + EndDateTime = '2025-09-25T09:33:11.0000000+00:00' + DisplayName = 'anexas_test_2' + } + $AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{ + KeyId = 'keyid' + EndDateTime = '2025-03-15T19:50:29.0310000+00:00' + Hint = 'VsO' + DisplayName = 'Super Secret' + StartDateTime = '2024-09-16T19:50:29.0310000+00:00' + } return $AADSP } } @@ -295,6 +406,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalNames -Value 'b4f08c68-7276-4cb8-b9ae-e75fca5ff834', 'https://app1.contoso.com' $AADSP | Add-Member -MemberType NoteProperty -Name ServicePrincipalType -Value 'Application' $AADSP | Add-Member -MemberType NoteProperty -Name Tags -Value '{WindowsAzureActiveDirectoryIntegratedApp}' + $AADSP | Add-Member -MemberType NoteProperty -Name KeyCredentials -Value @{ + Usage = 'Verify' + StartDateTime = '2024-09-25T09:13:11.0000000+00:00' + Type = 'AsymmetricX509Cert' + KeyId = 'Key ID' + EndDateTime = '2025-09-25T09:33:11.0000000+00:00' + DisplayName = 'anexas_test_2' + } + $AADSP | Add-Member -MemberType NoteProperty -Name PasswordCredentials -Value @{ + KeyId = 'keyid' + EndDateTime = '2025-03-15T19:50:29.0310000+00:00' + Hint = 'VsO' + DisplayName = 'Super Secret' + StartDateTime = '2024-09-16T19:50:29.0310000+00:00' + } return $AADSP } } 
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADUserFlowAttribute.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADUserFlowAttribute.Tests.ps1
new file mode 100644
index 0000000000..d7340ffcb1
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADUserFlowAttribute.Tests.ps1
@@ -0,0 +1,231 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource 'AADUserFlowAttribute' -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + $Global:PartialExportFileName = 'c:\TestPath' + + Mock -CommandName Save-M365DSCPartialExport -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaIdentityUserFlowAttribute -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityUserFlowAttribute -MockWith { + } + + Mock -CommandName New-MgBetaIdentityUserFlowAttribute -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + # Test contexts + Context -Name 'The user flow attribute should exist but it does not' -Fixture { + BeforeAll { + $testParams = @{ + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = 'Present' + 
Credential = $Credential + } + + Mock -CommandName Get-MgBetaIdentityUserFlowAttribute -MockWith { + return $null + } + } + + It 'Should return values from the get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + Should -Invoke -CommandName 'Get-MgBetaIdentityUserFlowAttribute' -Exactly 2 + } + It 'Should return false from the test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should create the role definition from the set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'New-MgBetaIdentityUserFlowAttribute' -Exactly 1 + } + } + + Context -Name 'The user flow attribute exists but it should not' -Fixture { + BeforeAll { + $testParams = @{ + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = 'Absent' + Credential = $Credential + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + Mock -CommandName Get-MgBetaIdentityUserFlowAttribute -MockWith { + $userFlowAttribute = New-Object PSCustomObject + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Id -Value 'testIdSai' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name DisplayName -Value 'saitest' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Description -Value 'sai test description' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name DataType -Value 'string' + return $userFlowAttribute + } + } + + It 'Should return values from the get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + Should -Invoke -CommandName 'Get-MgBetaIdentityUserFlowAttribute' -Exactly 1 + } + + It 'Should return false from the test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the app from the set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'Remove-MgBetaIdentityUserFlowAttribute' -Exactly 1 + } + } + Context -Name 
'The user flow attribute exists and values are already in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + Mock -CommandName Get-MgBetaIdentityUserFlowAttribute -MockWith { + $userFlowAttribute = New-Object PSCustomObject + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Id -Value 'testIdSai' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name DisplayName -Value 'saitest' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Description -Value 'sai test description' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name DataType -Value 'string' + return $userFlowAttribute + } + } + + It 'Should return Values from the get method' { + Get-TargetResource @testParams + Should -Invoke -CommandName 'Get-MgBetaIdentityUserFlowAttribute' -Exactly 1 + } + + It 'Should return true from the test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name 'Values are not in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + Id = "testIdSai" + DisplayName = "saitest" + Description = "sai test description" + DataType = "string" + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + Mock -CommandName Get-MgBetaIdentityUserFlowAttribute -MockWith { + $userFlowAttribute = New-Object PSCustomObject + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Id -Value 'testIdSai' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name DisplayName -Value 'saitest' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Description -Value 'sai test description changed' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name 
DataType -Value 'string' + return $userFlowAttribute + } + } + + It 'Should return values from the get method' { + Get-TargetResource @testParams + Should -Invoke -CommandName 'Get-MgBetaIdentityUserFlowAttribute' -Exactly 1 + } + + It 'Should return false from the test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'Update-MgBetaIdentityUserFlowAttribute' -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + Mock -CommandName Get-MgBetaIdentityUserFlowAttribute -MockWith { + $userFlowAttribute = New-Object PSCustomObject + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Id -Value 'testIdSai' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name DisplayName -Value 'saitest' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name Description -Value 'sai test description changed' + $userFlowAttribute | Add-Member -MemberType NoteProperty -Name DataType -Value 'string' + return $userFlowAttribute + } + } + + It 'Should reverse engineer resource from the export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADVerifiedIdAuthority.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADVerifiedIdAuthority.Tests.ps1 new file mode 100644 index 0000000000..95be94a0da --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADVerifiedIdAuthority.Tests.ps1 
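Review bot: Two `It` descriptions in the AADUserFlowAttribute tests were carried over from other resources and no longer match what they assert: `'Should create the role definition from the set method'` and `'Should remove the app from the set method'`. Renaming them to `'Should create the user flow attribute from the set method'` and `'Should remove the user flow attribute from the set method'` keeps failure output meaningful. The first context also expects `Get-MgBetaIdentityUserFlowAttribute` to be invoked `-Exactly 2` where the others expect 1. A short comment such as `# Get falls back to a second lookup when the Id is not found` (if that is the reason) would explain the count to the next maintainer.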
@@ -0,0 +1,250 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADVerifiedIdAuthority" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Invoke-WebRequest -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADVerifiedIdAuthority should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "FakeStringValue" + Name = "FakeStringValue" + LinkedDomainUrl = "FakeStringValue" + DidMethod = "FakeStringValue" + KeyVaultMetadata = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityKeyVaultMetadata -Property @{ + SubscriptionId = "FakeStringValue" + ResourceGroup = "FakeStringValue" + ResourceName = "FakeStringValue" + 
ResourceUrl = "FakeStringValue" + } -ClientOnly) + Ensure = 'Present' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + return @() + } + + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams -Verbose).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the id from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCVerifiedIdWebRequest -Exactly 2 + } + } + + Context -Name "The AADVerifiedIdAuthority exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "FakeStringValue" + Name = "FakeStringValue" + LinkedDomainUrl = "FakeStringValue" + DidMethod = "FakeStringValue" + KeyVaultMetadata = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityKeyVaultMetadata -Property @{ + SubscriptionId = "FakeStringValue" + ResourceGroup = "FakeStringValue" + ResourceName = "FakeStringValue" + ResourceUrl = "FakeStringValue" + } -ClientOnly) + Ensure = 'Absent' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = @("FakeStringValue") + did = "did:FakeStringValue" + } + } + ) + } + } + + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCVerifiedIdWebRequest -Exactly 2 + } + } + Context -Name "The AADVerifiedIdAuthority Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "FakeStringValue" + Name = "FakeStringValue" + LinkedDomainUrl = "FakeStringValue" + 
DidMethod = "FakeStringValue" + Ensure = 'Present' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = @("FakeStringValue") + did = "did:FakeStringValue" + } + } + ) + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADVerifiedIdAuthority exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "FakeStringValue" + Name = "FakeStringValue2" + LinkedDomainUrl = "FakeStringValue" + DidMethod = "FakeStringValue" + KeyVaultMetadata = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityKeyVaultMetadata -Property @{ + SubscriptionId = "FakeStringValue" + ResourceGroup = "FakeStringValue" + ResourceName = "FakeStringValue" + ResourceUrl = "FakeStringValue" + } -ClientOnly) + Ensure = 'Present' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = @("FakeStringValue") + did = "did:FakeStringValue" + } + keyVaultMetadata = @{ + subscriptionId = "FakeStringValue" + resourceGroup = "FakeStringValue" + resourceName = "FakeStringValue" + resourceUrl = "FakeStringValue" + } + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCVerifiedIdWebRequest -Exactly 2 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = 
$Credential + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = @("FakeStringValue") + did = "did:FakeStringValue" + } + keyVaultMetadata = @{ + subscriptionId = "FakeStringValue" + resourceGroup = "FakeStringValue" + resourceName = "FakeStringValue" + resourceUrl = "FakeStringValue" + } + } + ) + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADVerifiedIdAuthorityContract.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADVerifiedIdAuthorityContract.Tests.ps1 new file mode 100644 index 0000000000..4fc725b180 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADVerifiedIdAuthorityContract.Tests.ps1 
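Review bot: The create, remove and update contexts in the AADVerifiedIdAuthority tests all end with the same assertion, `Should -Invoke -CommandName Invoke-M365DSCVerifiedIdWebRequest -Exactly 2`, so a `Set-TargetResource` that deleted an authority when it should have updated it would still pass. Adding a `-ParameterFilter` on the request (for example on `$Uri`, which the mock in the AADVerifiedIdAuthorityContract tests already binds, or on the HTTP method parameter if the helper has one) would tie each context to the intended operation. In the "exists but it SHOULD NOT" context, the test named `'Should return true from the Test method'` asserts `Should -Be $false`, and `'Should Remove the group from the Set method'` refers to a group. Both descriptions should be corrected, e.g. `'Should return false from the Test method'` and `'Should remove the authority from the Set method'`.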
@@ -0,0 +1,934 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADVerifiedIdAuthorityContract" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Invoke-WebRequest -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADVerifiedIdAuthorityContract should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @() + rules = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractRulesModel -Property @{ + validityInterval = 15552000 + vc = (New-CimInstance -ClassName 
MSFT_AADVerifiedIdAuthorityContractVcType -Property @{ + type = @("FakeStringValue") + } -ClientOnly) + attestations = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractAttestations -Property @{ + required = $True + } -ClientOnly) + + } -ClientOnly) + Ensure = 'Present' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + param ($Uri) + switch ($Uri) { + "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = @("FakeStringValue") + did = "did:FakeStringValue" + } + keyVaultMetadata = @{ + subscriptionId = "FakeStringValue" + resourceGroup = "FakeStringValue" + resourceName = "FakeStringValue" + resourceUrl = "FakeStringValue" + } + + } + ) + } + } + default { + return @{ + value = @() + } + } + } + } + + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the id from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCVerifiedIdWebRequest -Exactly 4 + } + } + + Context -Name "The AADVerifiedIdAuthorityContract exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayModel -Property @{ + consent = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayConsent -Property @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." 
+ } -ClientOnly) + card = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayCard -Property @{ + description = "This verifiable credential is issued to all members of the Contoso org." + issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo -Property @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } -ClientOnly) + title = "Verified Employee" + } -ClientOnly) + locale = "en-US" + claims = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayClaims -Property @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } -ClientOnly) + ) + } -ClientOnly) + ) + rules = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractRulesModel -Property @{ + validityInterval = 15552000 + vc = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractVcType -Property @{ + type = @("VerifiedEmployee") + } -ClientOnly) + attestations = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractAttestations -Property @{ + accessTokens = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractAttestationValues -Property @{ + mapping = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractClaimMapping -Property @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } -ClientOnly) + ) + required = $True + } -ClientOnly) + ) + } -ClientOnly) + } -ClientOnly) + Ensure = 'Absent' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + param ($Uri) + switch ($Uri) { + "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = 
@("FakeStringValue") + did = "did:FakeStringValue" + } + keyVaultMetadata = @{ + subscriptionId = "FakeStringValue" + resourceGroup = "FakeStringValue" + resourceName = "FakeStringValue" + resourceUrl = "FakeStringValue" + } + + } + ) + } + } + default { + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." + issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + } + } + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." 
+ issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + + } + + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCVerifiedIdWebRequest -Exactly 2 + } + } + Context -Name "The AADVerifiedIdAuthorityContract Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayModel -Property @{ + consent = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayConsent -Property @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." 
+ } -ClientOnly) + card = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayCard -Property @{ + description = "This verifiable credential is issued to all members of the Contoso org." + issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo -Property @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } -ClientOnly) + title = "Verified Employee" + } -ClientOnly) + locale = "en-US" + claims = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayClaims -Property @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } -ClientOnly) + ) + } -ClientOnly) + ) + rules = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractRulesModel -Property @{ + validityInterval = 15552000 + vc = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractVcType -Property @{ + type = @("VerifiedEmployee") + } -ClientOnly) + attestations = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractAttestations -Property @{ + accessTokens = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractAttestationValues -Property @{ + mapping = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractClaimMapping -Property @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } -ClientOnly) + ) + required = $True + } -ClientOnly) + ) + } -ClientOnly) + } -ClientOnly) + Ensure = 'Present' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + param ($Uri) + switch ($Uri) { + "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = 
@("FakeStringValue") + did = "did:FakeStringValue" + } + keyVaultMetadata = @{ + subscriptionId = "FakeStringValue" + resourceGroup = "FakeStringValue" + resourceName = "FakeStringValue" + resourceUrl = "FakeStringValue" + } + + } + ) + } + } + default { + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." + issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + } + } + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." 
+ issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The AADVerifiedIdAuthorityContract exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayModel -Property @{ + consent = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayConsent -Property @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you want to accept the verified employee credential from Contoso." #drift + } -ClientOnly) + card = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayCard -Property @{ + description = "This verifiable credential is issued to all members of the Contoso org." 
+ issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo -Property @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } -ClientOnly) + title = "Verified Employee" + } -ClientOnly) + locale = "en-US" + claims = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractDisplayClaims -Property @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } -ClientOnly) + ) + } -ClientOnly) + ) + rules = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractRulesModel -Property @{ + validityInterval = 15552000 + vc = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractVcType -Property @{ + type = @("VerifiedEmployee") + } -ClientOnly) + attestations = (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractAttestations -Property @{ + accessTokens = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractAttestationValues -Property @{ + mapping = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_AADVerifiedIdAuthorityContractClaimMapping -Property @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } -ClientOnly) + ) + required = $True + } -ClientOnly) + ) + } -ClientOnly) + } -ClientOnly) + Ensure = 'Present' + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + param ($Uri) + switch ($Uri) { + "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = @("FakeStringValue") + did = "did:FakeStringValue" + } + keyVaultMetadata = @{ + subscriptionId = "FakeStringValue" + resourceGroup = "FakeStringValue" + resourceName = "FakeStringValue" + resourceUrl = 
"FakeStringValue" + } + + } + ) + } + } + default { + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." + issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + } + } + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." 
+ issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCVerifiedIdWebRequest -Exactly 3 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Invoke-M365DSCVerifiedIdWebRequest -MockWith { + param ($Uri) + switch ($Uri) { + "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities" { + return @{ + value = @( + @{ + id = "FakeStringValue" + name = "FakeStringValue" + didModel = @{ + linkedDomainUrls = @("FakeStringValue") + did = "did:FakeStringValue" + } + keyVaultMetadata = @{ + subscriptionId = "FakeStringValue" + resourceGroup = "FakeStringValue" + resourceName = "FakeStringValue" + resourceUrl = "FakeStringValue" + } + + } + ) + } + } + default { + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = 
"FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." + issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + } + } + return @{ + value = @( + @{ + id = "FakeStringValue" + authorityId = "FakeStringValue" + name = "FakeStringValue" + linkedDomainUrl = "FakeStringValue" + displays = @( + @{ + consent = @{ + instructions = "Verify your identity and workplace the easy way. Add this ID for online and in-person use." + title = "Do you really want to accept the verified employee credential from Contoso." + } + card = @{ + description = "This verifiable credential is issued to all members of the Contoso org." 
+ issuedBy = "Contoso" + backgroundColor = "#000000" + textColor = "#FFFFFA" + logo = @{ + uri = "https://proddideussg1.z13.web.core.windows.net/systemgeneratedcontractlogo.png" + description = "Default verified employee logo" + } + title = "Verified Employee" + } + locale = "en-US" + claims = @( + @{ + label = "Revocation id" + claim = "vc.credentialSubject.revocationId" + type = "String" + } + ) + } + ) + rules = @{ + validityInterval = 15552000 + vc = @{ + type = @("VerifiedEmployee") + } + attestations = @{ + accessTokens = @( + @{ + mapping = @( + @{ + inputClaim = "photo" + indexed = $False + outputClaim = "photo" + required = $False + } + ) + required = $True + } + ) + } + } + Ensure = 'Present' + } + ) + } + + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureBillingAccountsAssociatedTenant.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureBillingAccountsAssociatedTenant.Tests.ps1 new file mode 100644 index 0000000000..22fc20623c --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureBillingAccountsAssociatedTenant.Tests.ps1 
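Review bot: The Set tests in this file assert only a call count on `Invoke-M365DSCVerifiedIdWebRequest` (`-Exactly 4`, `-Exactly 2`, `-Exactly 3`), and the mock answers every URI except the authorities list with the same contract payload, so a `Set-TargetResource` that issued the wrong request (a create where a delete was intended, for example) would still pass as long as the total matched. These contracts define how verifiable credentials are issued, so the 'SHOULD NOT' and drift contexts should pin the target with a filter, e.g. `Should -Invoke -CommandName Invoke-M365DSCVerifiedIdWebRequest -ParameterFilter { $Uri -like '*<contract path placeholder>*' }`. They should also pin the HTTP verb if the helper takes one, which this hunk does not show. Separately, in the 'exists but it SHOULD NOT' context the test titled `'Should return true from the Test method'` asserts `Should -Be $false`, so the title should read "false". In the four later mocks, the `return @{ value = ... }` placed after the `switch` looks unreachable because both the matching case and `default` already return; dropping it would remove a duplicated payload that can drift from the one actually served.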
@@ -0,0 +1,240 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-M365DSCAzureBillingAccountsAssociatedTenant -MockWith { + } + + Mock -CommandName Remove-M365DSCAzureBillingAccountsAssociatedTenant -MockWith { + + } + + Mock -CommandName Get-M365DSCAzureBillingAccount -MockWith { + return @{ + value = @( + @{ + name = "12345-12345-12345-12345-12345" + properties = @{ + displayName = 'MyBillingAccount' + } + } + ) + } + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + 
BeforeAll { + $testParams = @{ + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "MyBillingAccount"; + BillingManagementState = "Active"; + DisplayName = "Test Tenant"; + ProvisioningManagementState = "Pending"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsAssociatedTenant -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-M365DSCAzureBillingAccountsAssociatedTenant -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "MyBillingAccount"; + BillingManagementState = "Active"; + DisplayName = "Test Tenant"; + ProvisioningManagementState = "Pending"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsAssociatedTenant -MockWith { + return @{ + value = @( + @{ + properties = @{ + billingManagementState = 'Active' + tenantId = '7a575036-2dac-4713-8e23-2963cc2c5f37' + displayName = 'Test Tenant' + provisioningManagementState = 'Pending' + } + } + ) + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-M365DSCAzureBillingAccountsAssociatedTenant -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired 
state" -Fixture { + BeforeAll { + $testParams = @{ + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "MyBillingAccount"; + BillingManagementState = "Active"; + DisplayName = "Test Tenant"; + ProvisioningManagementState = "Pending"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsAssociatedTenant -MockWith { + return @{ + value = @( + @{ + properties = @{ + billingManagementState = 'Active' + tenantId = '7a575036-2dac-4713-8e23-2963cc2c5f37' + displayName = 'Test Tenant' + provisioningManagementState = 'Pending' + } + } + ) + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "MyBillingAccount"; + BillingManagementState = "Not Allowed"; #Drift + DisplayName = "Test Tenant"; + ProvisioningManagementState = "Pending"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsAssociatedTenant -MockWith { + return @{ + value = @( + @{ + properties = @{ + billingManagementState = 'Active' + tenantId = '7a575036-2dac-4713-8e23-2963cc2c5f37' + displayName = 'Test Tenant' + provisioningManagementState = 'Pending' + } + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-M365DSCAzureBillingAccountsAssociatedTenant -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = 
"$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsAssociatedTenant -MockWith { + return @{ + value = @( + @{ + properties = @{ + billingManagementState = 'Active' + tenantId = '7a575036-2dac-4713-8e23-2963cc2c5f37' + displayName = 'Test Tenant' + provisioningManagementState = 'Pending' + } + } + ) + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureBillingAccountsRoleAssignment.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureBillingAccountsRoleAssignment.Tests.ps1 new file mode 100644 index 0000000000..c0bfb0630a --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureBillingAccountsRoleAssignment.Tests.ps1 
@@ -0,0 +1,261 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-M365DSCAzureBillingAccountsRoleAssignment -MockWith { + } + + Mock -CommandName Remove-M365DSCAzureBillingAccountsRoleAssignment -MockWith { + + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsRoleDefinition -MockWith { + return @{ + properties = @{ + roleName = 'Billing account owner' + } + } + } + + Mock -CommandName Get-M365DSCAzureBillingAccount -MockWith { + return @{ + value = @( + @{ + name = "12345-12345-12345-12345-12345" + properties = @{ + displayName = 'MyBillingAccount' + } + } + ) + } + } + + Mock -CommandName Get-MgUser -MockWith { + return @( + @{ + id = '12345-12345-12345-12345-12345' + 
UserPrincipalName = 'John.Smith@Contoso.com' + } + ) + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + BillingAccount = "MyBillingAccount"; + PrincipalName = "John.Smith@contoso.onmicrosoft.com"; + PrincipalType = "User"; + PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + RoleDefinition = "Billing account owner"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsRoleAssignment -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-M365DSCAzureBillingAccountsRoleAssignment -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + BillingAccount = "MyBillingAccount"; + PrincipalName = "John.Smith@contoso.onmicrosoft.com"; + PrincipalType = "User"; + PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + RoleDefinition = "Billing account owner"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsRoleAssignment -MockWith { + return @{ + value = @( + @{ + id = '/assignment/22222-22222-22222-22222-22222' + properties = @{ + principalId = '12345-12345-12345-12345-12345' + principalType = 'User' + RoleDefinitionId = '/providers/Microsoft.Billing/billingAccounts/1e5b9e50-a1ea-581e-fb3a-778b93a06854:6487d5cf-0a7b-42e6-9549-23ca416fb8bf_2019-05-31/billingRoleDefinitions/22222-22222-22222-22222-22222' + 
principalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + } + } + ) + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-M365DSCAzureBillingAccountsRoleAssignment -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + BillingAccount = "MyBillingAccount"; + PrincipalName = "John.Smith@contoso.onmicrosoft.com"; + PrincipalType = "User"; + PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + RoleDefinition = "Billing account owner"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsRoleAssignment -MockWith { + return @{ + value = @( + @{ + id = '/assignment/22222-22222-22222-22222-22222' + properties = @{ + principalId = '12345-12345-12345-12345-12345' + principalType = 'User' + RoleDefinitionId = '/providers/Microsoft.Billing/billingAccounts/1e5b9e50-a1ea-581e-fb3a-778b93a06854:6487d5cf-0a7b-42e6-9549-23ca416fb8bf_2019-05-31/billingRoleDefinitions/22222-22222-22222-22222-22222' + principalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + } + } + ) + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + BillingAccount = "MyBillingAccount"; + PrincipalName = "John.Smith@contoso.onmicrosoft.com"; + PrincipalType = "User"; + PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + RoleDefinition = "Billing account contributor"; #drift + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName 
Get-M365DSCAzureBillingAccountsRoleAssignment -MockWith { + return @{ + value = @( + @{ + id = '/assignment/22222-22222-22222-22222-22222' + properties = @{ + principalId = '12345-12345-12345-12345-12345' + principalType = 'User' + RoleDefinitionId = '/providers/Microsoft.Billing/billingAccounts/1e5b9e50-a1ea-581e-fb3a-778b93a06854:6487d5cf-0a7b-42e6-9549-23ca416fb8bf_2019-05-31/billingRoleDefinitions/22222-22222-22222-22222-22222' + principalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + } + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-M365DSCAzureBillingAccountsRoleAssignment -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCAzureBillingAccountsRoleAssignment -MockWith { + return @{ + value = @( + @{ + id = '/assignment/22222-22222-22222-22222-22222' + properties = @{ + principalId = '12345-12345-12345-12345-12345' + principalType = 'User' + RoleDefinitionId = '/providers/Microsoft.Billing/billingAccounts/1e5b9e50-a1ea-581e-fb3a-778b93a06854:6487d5cf-0a7b-42e6-9549-23ca416fb8bf_2019-05-31/billingRoleDefinitions/22222-22222-22222-22222-22222' + principalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4' + } + } + ) + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope 
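Review bot: The Set assertions in this new test file only count calls (`Should -Invoke -CommandName New-M365DSCAzureBillingAccountsRoleAssignment -Exactly 1`), so nothing verifies which principal or role the resource would actually grant. For a resource that assigns billing roles such as 'Billing account owner', I would add a `-ParameterFilter` to those assertions that checks the role definition and principal derived from `$testParams`; the helper's parameter names are not visible in this diff and would have to be taken from the module. The drift context (desired role 'Billing account contributor', existing assignment mocked as owner) expects only a New call; if Set leaves the existing assignment in place the principal would end up holding both roles, so an explicit expectation on `Remove-M365DSCAzureBillingAccountsRoleAssignment` (`-Exactly 1` or `-Exactly 0`, whichever is intended) would document the behaviour. Separately, the `Get-MgUser` mock returns `John.Smith@Contoso.com` while every context passes `John.Smith@contoso.onmicrosoft.com`, so the principal lookup does not appear to be exercised with matching data.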
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureDiagnosticSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureDiagnosticSettings.Tests.ps1
new file mode 100644
index 0000000000..973a3ab79e
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureDiagnosticSettings.Tests.ps1
@@ -0,0 +1,320 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Categories = @( + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'AuditLogs' + enabled = $True + } -ClientOnly) + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'SignInLogs' + enabled = $True + } -ClientOnly) + ); + Ensure = "Present"; + EventHubAuthorizationRuleId = 
"/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + Name = "TestDiag"; + StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + Credential = $Credential; + } + + Mock -CommandName Invoke-AzRest -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-AzRest -Exactly 2 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Categories = @( + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'AuditLogs' + enabled = $True + } -ClientOnly) + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'SignInLogs' + enabled = $True + } -ClientOnly) + ); + Ensure = "Absent"; + EventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + Name = "TestDiag"; + StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + Credential = $Credential; + } + + Mock -CommandName 
Invoke-AzRest -MockWith { + return @{ + Content = (ConvertTo-Json @{ + value = @( + @{ + name = 'TestDiag' + id = 'providers/microsoft.aadiam/diagnosticSettings/TestDiag' + type = 'Microsoft.Insights/diagnosticSettings' + location = 'global' + properties = @{ + storageAccountId= "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + workspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + eventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + eventhubName = $null + logs = @( + @{ + category = 'AuditLogs' + enabled = $true + }, + @{ + category = 'SignInLogs' + enabled = $true + } + ) + } + } + ) + } -Depth 10 -Compress) + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-AzRest -Exactly 2 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Categories = @( + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'AuditLogs' + enabled = $True + } -ClientOnly) + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'SignInLogs' + enabled = $True + } -ClientOnly) + ); + Ensure = "Present"; + EventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + Name 
= "TestDiag"; + StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + Credential = $Credential; + } + + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = (ConvertTo-Json @{ + value = @( + @{ + name = 'TestDiag' + id = 'providers/microsoft.aadiam/diagnosticSettings/TestDiag' + type = 'Microsoft.Insights/diagnosticSettings' + location = 'global' + properties = @{ + storageAccountId= "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + workspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + eventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + eventhubName = $null + logs = @( + @{ + category = 'AuditLogs' + enabled = $true + }, + @{ + category = 'SignInLogs' + enabled = $true + } + ) + } + } + ) + } -Depth 10 -Compress) + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Categories = @( + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'AuditLogs' + enabled = $True + } -ClientOnly) + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'SignInLogs' + enabled = $True + } -ClientOnly) + ); + Ensure = "Present"; + EventHubAuthorizationRuleId = 
"/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + Name = "TestDiag"; + StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + Credential = $Credential; + } + + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = (ConvertTo-Json @{ + value = @( + @{ + name = 'TestDiag' + id = 'providers/microsoft.aadiam/diagnosticSettings/TestDiag' + type = 'Microsoft.Insights/diagnosticSettings' + location = 'global' + properties = @{ + storageAccountId= "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + workspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + eventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + eventhubName = $null + logs = @( + @{ + category = 'AuditLogs' + enabled = $true + }, + @{ + category = 'SignInLogs' + enabled = $false #drift + } + ) + } + } + ) + } -Depth 10 -Compress) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-AzRest -Exactly 2 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + 
$Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = (ConvertTo-Json @{ + value = @( + @{ + name = 'TestDiag' + id = 'providers/microsoft.aadiam/diagnosticSettings/TestDiag' + type = 'Microsoft.Insights/diagnosticSettings' + location = 'global' + properties = @{ + storageAccountId= "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + workspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + eventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + eventhubName = $null + logs = @( + @{ + category = 'AuditLogs' + enabled = $true + }, + @{ + category = 'SignInLogs' + enabled = $true + } + ) + } + } + ) + } -Depth 10 -Compress) + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureDiagnosticSettingsCustomSecurityAttribute.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureDiagnosticSettingsCustomSecurityAttribute.Tests.ps1 new file mode 100644 index 0000000000..973a3ab79e --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureDiagnosticSettingsCustomSecurityAttribute.Tests.ps1 
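Review bot: The create, remove and update contexts all end with the same assertion, `Should -Invoke -CommandName Invoke-AzRest -Exactly 2`, so these tests cannot tell a delete from a write. `Invoke-AzRest` is mocked without any filter for both the read and the change, and this resource decides where `AuditLogs` and `SignInLogs` are exported, so a Set that deletes the setting when it should update it (or the reverse) would still pass. I would scope each assertion by HTTP verb, for example `Should -Invoke -CommandName Invoke-AzRest -ParameterFilter { $Method -eq 'DELETE' } -Exactly 1` in the "SHOULD NOT" context, assuming the resource passes the verb through `-Method`. The same assertions appear in Microsoft365DSC.AzureDiagnosticSettingsCustomSecurityAttribute.Tests.ps1 and would need the same change.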
@@ -0,0 +1,320 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Categories = @( + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'AuditLogs' + enabled = $True + } -ClientOnly) + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'SignInLogs' + enabled = $True + } -ClientOnly) + ); + Ensure = "Present"; + EventHubAuthorizationRuleId = 
"/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + Name = "TestDiag"; + StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + Credential = $Credential; + } + + Mock -CommandName Invoke-AzRest -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-AzRest -Exactly 2 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Categories = @( + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'AuditLogs' + enabled = $True + } -ClientOnly) + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'SignInLogs' + enabled = $True + } -ClientOnly) + ); + Ensure = "Absent"; + EventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + Name = "TestDiag"; + StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + Credential = $Credential; + } + + Mock -CommandName 
Invoke-AzRest -MockWith { + return @{ + Content = (ConvertTo-Json @{ + value = @( + @{ + name = 'TestDiag' + id = 'providers/microsoft.aadiam/diagnosticSettings/TestDiag' + type = 'Microsoft.Insights/diagnosticSettings' + location = 'global' + properties = @{ + storageAccountId= "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + workspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + eventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + eventhubName = $null + logs = @( + @{ + category = 'AuditLogs' + enabled = $true + }, + @{ + category = 'SignInLogs' + enabled = $true + } + ) + } + } + ) + } -Depth 10 -Compress) + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-AzRest -Exactly 2 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Categories = @( + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'AuditLogs' + enabled = $True + } -ClientOnly) + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'SignInLogs' + enabled = $True + } -ClientOnly) + ); + Ensure = "Present"; + EventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + Name 
= "TestDiag"; + StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + Credential = $Credential; + } + + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = (ConvertTo-Json @{ + value = @( + @{ + name = 'TestDiag' + id = 'providers/microsoft.aadiam/diagnosticSettings/TestDiag' + type = 'Microsoft.Insights/diagnosticSettings' + location = 'global' + properties = @{ + storageAccountId= "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + workspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + eventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + eventhubName = $null + logs = @( + @{ + category = 'AuditLogs' + enabled = $true + }, + @{ + category = 'SignInLogs' + enabled = $true + } + ) + } + } + ) + } -Depth 10 -Compress) + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Categories = @( + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'AuditLogs' + enabled = $True + } -ClientOnly) + (New-CimInstance -ClassName MSFT_AzureDiagnosticSettingsCategory -Property @{ + category = 'SignInLogs' + enabled = $True + } -ClientOnly) + ); + Ensure = "Present"; + EventHubAuthorizationRuleId = 
"/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + Name = "TestDiag"; + StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + Credential = $Credential; + } + + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = (ConvertTo-Json @{ + value = @( + @{ + name = 'TestDiag' + id = 'providers/microsoft.aadiam/diagnosticSettings/TestDiag' + type = 'Microsoft.Insights/diagnosticSettings' + location = 'global' + properties = @{ + storageAccountId= "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + workspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + eventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + eventhubName = $null + logs = @( + @{ + category = 'AuditLogs' + enabled = $true + }, + @{ + category = 'SignInLogs' + enabled = $false #drift + } + ) + } + } + ) + } -Depth 10 -Compress) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-AzRest -Exactly 2 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + 
$Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = (ConvertTo-Json @{ + value = @( + @{ + name = 'TestDiag' + id = 'providers/microsoft.aadiam/diagnosticSettings/TestDiag' + type = 'Microsoft.Insights/diagnosticSettings' + location = 'global' + properties = @{ + storageAccountId= "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore"; + workspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace"; + eventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey"; + eventhubName = $null + logs = @( + @{ + category = 'AuditLogs' + enabled = $true + }, + @{ + category = 'SignInLogs' + enabled = $true + } + ) + } + } + ) + } -Depth 10 -Compress) + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureSubscription.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureSubscription.Tests.ps1 index 4bde1dd612..8f94d01f58 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureSubscription.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureSubscription.Tests.ps1 
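Review bot: This new test file carries the same blob id as Microsoft365DSC.AzureDiagnosticSettings.Tests.ps1 (`973a3ab79e`), so it is a byte-for-byte copy of that file. The fixtures still build `MSFT_AzureDiagnosticSettingsCategory` instances, return the id `providers/microsoft.aadiam/diagnosticSettings/TestDiag` and use the `AuditLogs`/`SignInLogs` categories, so nothing here is specific to the custom-security-attribute resource. Only the resource under test changes, because `$ResourceName` is derived from the file name; if that resource has its own CIM class, endpoint or log categories, these tests will not exercise them. I would either adapt the mocks and `$testParams` to the resource's real shape or add a header comment such as `# Fixtures intentionally mirror AzureDiagnosticSettings; only the endpoint differs` if the overlap is deliberate.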
@@ -48,48 +48,91 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $Script:ExportMode = $false } # Test contexts + Context -Name "The instance doesn't exists and it should" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "Test" + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" + Status = "Active" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = "{}" + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + } + Context -Name "The instance exists and values are already in the desired state" -Fixture { BeforeAll { $testParams = @{ - Name = "Test" - Enabled = $true + DisplayName = "Test" + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" + Status = "Active" Ensure = 'Present' Credential = $Credential; } - Mock -CommandName Get-AzSubscription -MockWith { - return @( - @{ - Id = (New-Guid).ToString() - Name = 'Test' - Enabled = $true - } - ) + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = ConvertTo-Json (@{ + value = @( + @{ + name = (New-Guid).ToString() + properties = @{ + displayName = 'Test' + status = 'Active' + invoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" + } + } + ) + }) -Depth 10 + } } } It 'Should return true from the Test method' { Test-TargetResource @testParams | Should -Be $true } + + It 'Should call the Set method' { + Set-TargetResource 
@testParams + Should -Invoke -CommandName Invoke-AzRest -Exactly 1 + } } Context -Name "The instance exists and values are NOT in the desired state" -Fixture { BeforeAll { $testParams = @{ - Name = "Test" - Enabled = $true + DisplayName = "Test" + Status = "Active" + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" Ensure = 'Present' Credential = $Credential; } - Mock -CommandName Get-AzSubscription -MockWith { - return @( - @{ - Id = (New-Guid).ToString() - Name = 'Test' - Enabled = $false #drift - } - ) + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = ConvertTo-Json (@{ + value = @( + @{ + name = (New-Guid).ToString() + properties = @{ + displayName = 'Test' + status = 'Disabled' # Drift + invoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" + } + } + ) + }) -Depth 10 + } } } @@ -115,14 +158,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Credential = $Credential; } - Mock -CommandName Get-AzSubscription -MockWith { - return @( - @{ - Id = (New-Guid).ToString() - Name = 'Test' - Enabled = $false #drift - } - ) + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = ConvertTo-Json (@{ + value = @( + @{ + name = (New-Guid).ToString() + properties = @{ + displayName = 'Test' + status = 'Active' + invoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB" + } + } + ) + }) -Depth 10 + } } } It 'Should Reverse Engineer resource from the Export method' { 
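Review bot: The `InvoiceSectionId` fixtures added in this hunk (and again in the `@@ -115,14 +158,21 @@` hunk) carry a billing-account GUID plus billing-profile and invoice-section codes with only the profile suffix masked as `XXX`, which reads like a partly redacted value from a live tenant; confirm it is synthetic before it lands in the repository. If the resource does not depend on the exact value, a constructed placeholder such as `/providers/Microsoft.Billing/billingAccounts/00000000-0000-0000-0000-000000000000/billingProfiles/TEST-PROFILE/invoiceSections/TEST-SECTION`, assigned once to a variable and reused in `$testParams` and the mocks, removes the question and the repetition. Separately, in the new "The instance doesn't exists and it should" context the `It` is titled `'Should return true from the Test method'` but asserts `Should -Be $false`; the title should read `'Should return false from the Test method'`.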
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureVerifiedIdFaceCheck.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureVerifiedIdFaceCheck.Tests.ps1
new file mode 100644
index 0000000000..cde4d69eaf
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AzureVerifiedIdFaceCheck.Tests.ps1
@@ -0,0 +1,145 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-AzResourceGroup -MockWith { + return @( + @{ + id = '12345-12345-12345-12345-12345' + resourceId = '/subscriptions/2dbaf4c4-78f8-4ac9-8188-536d921cf690/providers' + ResourceGroupName = 'testrg' + } + ) + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + FaceCheckEnabled = $True; + ResourceGroupName = "testrg"; + SubscriptionId = 
"2dbaf4c4-78f8-4ac9-8188-536d921cf690"; + VerifiedIdAuthorityId = "30961e04-9c35-42db-b80f-c1b6515eb4b2"; + VerifiedIdAuthorityLocation = "westus2"; + Ensure = 'Present' + Credential = $Credential; + } + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = '{"location":"westus2","id" : "12345-12345-12345-12345-12345"}' + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + FaceCheckEnabled = $False; + ResourceGroupName = "testrg"; + SubscriptionId = "2dbaf4c4-78f8-4ac9-8188-536d921cf690"; + VerifiedIdAuthorityId = "30961e04-9c35-42db-b80f-c1b6515eb4b2"; + VerifiedIdAuthorityLocation = "westus2"; + Ensure = 'Present' + Credential = $Credential; + } + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = '{"location":"westus2","id" : "12345-12345-12345-12345-12345"}' + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-AzRest -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Invoke-AzRest -MockWith { + return @{ + Content = '{"location":"westus2","id" : "12345-12345-12345-12345-12345"}' + } + } + + Mock -CommandName Invoke-WebRequest -MockWith { + return @{ + content = ConvertTo-Json (@{ + value = @( + @{ + id = '12345-12345-12345-12345-12345' + name = 'MyAuthority' + } + )}) -Depth 10 -Compress + } + } + } + It 'Should Reverse Engineer resource from the 
Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.DefenderDeviceAuthenticatedScanDefinition.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.DefenderDeviceAuthenticatedScanDefinition.Tests.ps1 new file mode 100644 index 0000000000..979d3621bc --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.DefenderDeviceAuthenticatedScanDefinition.Tests.ps1 
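Review bot: The "already in the desired state" and "NOT in the desired state" contexts mock `Invoke-AzRest` with the same payload and differ only in `FaceCheckEnabled` inside `$testParams`, so nothing in the fixture shows which state the tenant is in. Presumably the resource treats any returned object as Face Check being enabled (its code is not part of this hunk); a comment on the `FaceCheckEnabled = $False;` line, e.g. `# Drift: the mocked response means Face Check is enabled`, would make that explicit and match the `#Drift` markers used in the sibling test files. No context covers `Invoke-AzRest` returning nothing, so the path where Face Check is not configured in the tenant is untested for both Get and Test.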
@@ -0,0 +1,291 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams -Property @{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } -ClientOnly) + ScannerAgent = (New-CimInstance -ClassName 
MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent -Property @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } -ClientOnly) + ScanType = "Network"; + Target = "172.1.12.1"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCDefenderREST -Exactly 2 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams -Property @{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } -ClientOnly) + ScannerAgent = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent -Property @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } -ClientOnly) + ScanType = "Network"; + Target = "172.1.12.1"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { + return @{ + value = @( + @{ + id = "12345-12345-12345-12345-12345" + scannerAgent = @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } + 
scanAuthenticationParams = @{ + Type = 'NoAuthNoPriv' + "@odata.type" = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } + IntervalInHours = 1; + IsActive = $True; + scanName = "MyScan"; + ScanType = "Network"; + Target = "172.1.12.1"; + } + ) + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCDefenderREST -Exactly 2 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams -Property @{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } -ClientOnly) + ScannerAgent = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent -Property @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } -ClientOnly) + ScanType = "Network"; + Target = "172.1.12.1"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { + return @{ + value = + @{ + id = "12345-12345-12345-12345-12345" + scannerAgent = @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } + scanAuthenticationParams = @{ + Type = 'NoAuthNoPriv' + "@odata.type" = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } + IntervalInHours = 1 + IsActive = $True; + 
scanName = "MyScan"; + ScanType = "Network"; + Target = "172.1.12.1"; + } + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IntervalInHours = 1; + IsActive = $True; + Name = "MyScan"; + ScanAuthenticationParams = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionAuthenticationParams -Property @{ + Type = 'NoAuthNoPriv' + DataType = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } -ClientOnly) + ScannerAgent = (New-CimInstance -ClassName MSFT_DefenderDeviceAuthenticatedScanDefinitionScanAgent -Property @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } -ClientOnly) + ScanType = "Network"; + Target = "172.1.12.1"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { + return @{ + value = @( + @{ + id = "12345-12345-12345-12345-12345" + scannerAgent = @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } + scanAuthenticationParams = @{ + Type = 'NoAuthNoPriv' + "@odata.type" = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } + IntervalInHours = 24; #Drift + IsActive = $True; + scanName = "MyScan"; + ScanType = "Network"; + Target = "172.1.12.1"; + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-M365DSCDefenderREST 
-Exactly 2 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Invoke-M365DSCDefenderREST -MockWith { + return @{ + value = @( + @{ + id = "12345-12345-12345-12345-12345" + scannerAgent = @{ + machineId = '55c636a37ff1a21a3241437eb6ce15881xxxxxx' + machineName = 'WIN-XXXXXXXXXX' + id = 'c819dc6d-f9fe-4d05-8022-88a34766442d_55c636a37ff1a21a3241437eb6ce15881xxxxxxx' + } + scanAuthenticationParams = @{ + Type = 'NoAuthNoPriv' + "@odata.type" = '#microsoft.windowsDefenderATP.api.SnmpAuthParams' + } + IntervalInHours = 1; + IsActive = $True; + scanName = "MyScan"; + ScanType = "Network"; + Target = "172.1.12.1"; + } + ) + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOActiveSyncMailboxPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOActiveSyncMailboxPolicy.Tests.ps1 new file mode 100644 index 0000000000..a938cb468b --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOActiveSyncMailboxPolicy.Tests.ps1 
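Review bot: In the "The instance exists and values are NOT in the desired state" context, `$testParams` sets `Ensure = 'Absent'` while the mock marks `IntervalInHours = 24; #Drift`, so this context repeats the removal case from "The instance exists but it SHOULD NOT" and never exercises an update of a drifted scan definition. The parameter should be `Ensure = 'Present'`; the expected count in `Should -Invoke -CommandName Invoke-M365DSCDefenderREST -Exactly 2` may need rechecking once the update path is the one being run. The "already in the desired state" mock also returns `value = @{ ... }` without the `@( )` array wrapper that the other contexts use, which is worth aligning so all contexts feed the resource the same response shape.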
@@ -0,0 +1,201 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-ActiveSyncMailboxPolicy -MockWith { + return $null + } + + Mock -CommandName Set-ActiveSyncMailboxPolicy -MockWith { + return $null + } + + Mock -CommandName Remove-ActiveSyncMailboxPolicy -MockWith { + return $null + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Ensure = 'Present' + Identity = 'FakeStringValue' + Credential = $Credential; + } + + Mock -CommandName 
Get-ActiveSyncMailboxPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-ActiveSyncMailboxPolicy -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Ensure = 'Absent' + Identity = 'FakeStringValue' + Credential = $Credential; + } + + Mock -CommandName Get-ActiveSyncMailboxPolicy -MockWith { + return @{ + Identity = 'FakeStringValue' + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-ActiveSyncMailboxPolicy -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Ensure = 'Present' + Identity = 'FakeStringValue' + Name = 'FakeStringValue' + AllowHTMLEmail = $true + ApprovedApplicationList = @('FakeStringValue1', 'FakeStringValue2') + DevicePasswordHistory = 5 + Credential = $Credential; + } + + Mock -CommandName Get-ActiveSyncMailboxPolicy -MockWith { + return @{ + Identity = 'FakeStringValue' + Name = 'FakeStringValue' + AllowHTMLEmail = $true + ApprovedApplicationList = @('FakeStringValue1', 'FakeStringValue2') + DevicePasswordHistory = 5 + } + } + + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + 
BeforeAll { + $testParams = @{ + Ensure = 'Present' + Identity = 'FakeStringValue' + Name = 'FakeStringValue' + AllowHTMLEmail = $true + ApprovedApplicationList = @('FakeStringValue1', 'FakeStringValue2') + DevicePasswordHistory = 5 + Credential = $Credential; + } + + Mock -CommandName Get-ActiveSyncMailboxPolicy -MockWith { + return @{ + Identity = 'FakeStringValue' + Name = 'FakeStringValue' + AllowHTMLEmail = $true + ApprovedApplicationList = @('FakeStringValue1') #drift + DevicePasswordHistory = 5 + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-ActiveSyncMailboxPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-ActiveSyncMailboxPolicy -MockWith { + return @{ + Identity = 'FakeStringValue' + Name = 'FakeStringValue' + AllowHTMLEmail = $true + ApprovedApplicationList = @('FakeStringValue1', 'FakeStringValue2') + DevicePasswordHistory = 5 + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxAuditBypassAssociation.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxAuditBypassAssociation.Tests.ps1 new file mode 100644 index 0000000000..8e71aa877c --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxAuditBypassAssociation.Tests.ps1 
@@ -0,0 +1,123 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Set-MailboxAuditBypassAssociation -MockWith { + return $null + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + + Context -Name 'Settings are not in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + AuditBypassEnabled = $False; + Credential = $Credscredential; + Identity = "TestMailbox109"; + } + + Mock -CommandName Get-MailboxAuditBypassAssociation -MockWith { + return @{ + AuditBypassEnabled = $True; #Drift + Credential = $Credscredential; + Identity = 
"TestMailbox109"; + } + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-MailboxAuditBypassAssociation -Exactly 1 + } + } + + Context -Name 'Settings are already in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + AuditBypassEnabled = $False; + Credential = $Credscredential; + Identity = "TestMailbox109"; + } + + Mock -CommandName Get-MailboxAuditBypassAssociation -MockWith { + return @{ + AuditBypassEnabled = $False; + Credential = $Credscredential; + Identity = "TestMailbox109"; + } + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MailboxAuditBypassAssociation -MockWith { + return @{ + AuditBypassEnabled = $False; + Credential = $Credscredential; + Identity = "TestMailbox109"; + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxSettings.Tests.ps1 index 3c540d7213..876160de22 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxSettings.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMailboxSettings.Tests.ps1 
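Review bot: Both state contexts pass `Credential = $Credscredential;`, a variable that is never assigned in this file (the `BeforeAll` creates `$Credential`), so `Test-TargetResource` and `Set-TargetResource` run with a null credential and the authenticated parameter path is not what gets tested. It should be `Credential = $Credential;`, as the ReverseDSC context already does. The same undefined variable is also placed in the `Get-MailboxAuditBypassAssociation` mock results, where a `Credential` key looks out of place and can be dropped. In the "Settings are already in the desired state" context the `It` is titled `'Should return false from the Test method'` but asserts `Should -Be $true`; since this resource governs audit bypass, the test names should state the expected outcome accurately.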
@@ -31,6 +31,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { return 'Credentials' } + Mock -CommandName Set-Mailbox -MockWith {} + # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOServicePrincipal.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOServicePrincipal.Tests.ps1 new file mode 100644 index 0000000000..fbca14f676 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOServicePrincipal.Tests.ps1 
@@ -0,0 +1,255 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-ServicePrincipal -MockWith { + return $null + } + + Mock -CommandName Remove-ServicePrincipal -MockWith { + return $null + } + + Mock -CommandName Set-ServicePrincipal -MockWith { + return $null + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Ensure = "Present"; + Identity 
= "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Credential = $Credential; + } + + Mock -CommandName Get-ServicePrincipal -MockWith { + return $null + } + + Mock -CommandName Get-MgServicePrincipal -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-ServicePrincipal -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Ensure = "Absent"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Credential = $Credential; + } + + Mock -CommandName Get-ServicePrincipal -MockWith { + return @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + DisplayName = "Arpita"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Ensure = "Present" + Credential = $Credential; + } + } + Mock -CommandName Get-MgServicePrincipal -MockWith { + return @{ + AppDisplayName = "Portfolios"; + DisplayName = "Portfolios"; + Id = "003e4f9a-3bd6-46a2-ac8f-2fc6b87c56c7" + AppId = "f53895d3-095d-408f-8e93-8f94b391404e" + SignInAudience = "AzureADMultipleOrgs" + ServicePrincipalType = "Application" + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-ServicePrincipal -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + 
$testParams = @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-ServicePrincipal -MockWith { + return @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + DisplayName = "Arpita"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Ensure = "Present" + Credential = $Credential; + } + } + Mock -CommandName Get-MgServicePrincipal -MockWith { + return @{ + AppDisplayName = "ISV Portal"; + DisplayName = "ISV Portal"; + Id = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7" + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06" + SignInAudience = "AzureADMultipleOrgs" + ServicePrincipalType = "Application" + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Ensure = "Present" + Credential = $Credential; + + } + + Mock -CommandName Get-ServicePrincipal -MockWith { + return @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Aditya"; #Drift + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Ensure = "Present" + Credential = $Credential; + } + } + Mock -CommandName Get-MgServicePrincipal -MockWith { + return @{ + DisplayName = "ISV Portal"; + Id = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7" + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06" + SignInAudience = "AzureADMultipleOrgs" + ServicePrincipalType = "Application" + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + 
Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-ServicePrincipal -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-ServicePrincipal -MockWith { + return @{ + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"; + AppName = "ISV Portal"; + DisplayName = "Arpita"; + Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7"; + Ensure = "Present" + Credential = $Credential; + } + } + Mock -CommandName Get-MgServicePrincipal -MockWith { + return @{ + AppDisplayName = "ISV Portal"; + DisplayName = "ISV Portal"; + Id = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7" + AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06" + SignInAudience = "AzureADMultipleOrgs" + ServicePrincipalType = "Application" + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOTenantAllowBlockListSpoofItems.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOTenantAllowBlockListSpoofItems.Tests.ps1 new file mode 100644 index 0000000000..9cc0edce91 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOTenantAllowBlockListSpoofItems.Tests.ps1 
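Review bot: In the "The instance exists but it SHOULD NOT" context the `Get-MgServicePrincipal` mock describes a different principal (`AppId = "f53895d3-095d-408f-8e93-8f94b391404e"`, `DisplayName = "Portfolios"`) from the one in `$testParams` and in the `Get-ServicePrincipal` mock (`AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06"`). If the resource correlates the two lookups by AppId (not visible in this hunk), the removal test passes against mismatched data; using the same `Id`/`AppId` pair as the other contexts avoids that. The "NOT in the desired state" Graph mock also omits `AppDisplayName`, which may add a second, unmarked drift next to `DisplayName = "Aditya"; #Drift`. The `Ensure` and `Credential` keys in the `Get-ServicePrincipal` mocks look like DSC parameters rather than cmdlet output and can probably be removed.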
@@ -0,0 +1,200 @@
+[CmdletBinding()]
+param(
+)
+$M365DSCTestFolder = Join-Path -Path $PSScriptRoot `
+ -ChildPath '..\..\Unit' `
+ -Resolve
+$CmdletModule = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Microsoft365.psm1' `
+ -Resolve)
+$GenericStubPath = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Generic.psm1' `
+ -Resolve)
+Import-Module -Name (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\UnitTestHelper.psm1' `
+ -Resolve)
+
+$CurrentScriptPath = $PSCommandPath.Split('\')
+$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1]
+$ResourceName = $CurrentScriptName.Split('.')[1]
+$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule `
+ -DscResource $ResourceName -GenericStubModule $GenericStubPath
+
+Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
+ InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock {
+ Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope
+ BeforeAll {
+
+ $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force
+ $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd)
+
+ Mock -CommandName Confirm-M365DSCDependencies -MockWith {
+ }
+
+ Mock -CommandName New-M365DSCConnection -MockWith {
+ return "Credentials"
+ }
+
+ Mock -CommandName New-TenantAllowBlockListSpoofItems -MockWith{}
+ Mock -CommandName Set-TenantAllowBlockListSpoofItems -MockWith{}
+ Mock -CommandName Remove-TenantAllowBlockListSpoofItems -MockWith{}
+
+ # Mock Write-Host to hide output during the tests
+ Mock -CommandName Write-Host -MockWith {
+ }
+ $Script:exportedInstances =$null
+ $Script:ExportMode = $false
+ }
+ # Test contexts
+ Context -Name "The instance should exist but it DOES NOT" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ Action = "Block";
+ SendingInfrastructure = "121.0.0.7";
+ SpoofedUser = "contoso.com";
+ SpoofType = "Internal";
+ Ensure = 'Present'
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-TenantAllowBlockListSpoofItems -MockWith {
+ return $null
+ }
+ }
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Absent'
+ }
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should create a new instance from the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName New-TenantAllowBlockListSpoofItems -Exactly 1
+ }
+ }
+
+ Context -Name "The instance exists but it SHOULD NOT" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ Action = "Block";
+ SendingInfrastructure = "121.0.0.7";
+ SpoofedUser = "contoso.com";
+ SpoofType = "Internal";
+ Ensure = 'Absent'
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-TenantAllowBlockListSpoofItems -MockWith {
+ return @{
+ Identity = (New-GUID).TOString()
+ Action = "Block";
+ SendingInfrastructure = "121.0.0.7";
+ SpoofedUser = "contoso.com";
+ SpoofType = "Internal";
+ }
+ }
+ }
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Present'
+ }
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should remove the instance from the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName Remove-TenantAllowBlockListSpoofItems -Exactly 1
+ }
+ }
+
+ Context -Name "The instance exists and values are already in the desired state" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ Action = "Block";
+ SendingInfrastructure = "121.0.0.7";
+ SpoofedUser = "contoso.com";
+ SpoofType = "Internal";
+ Ensure = 'Present'
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-TenantAllowBlockListSpoofItems -MockWith {
+ return @{
+ Identity = (New-GUID).TOString()
+ Action = "Block";
+ SendingInfrastructure = "121.0.0.7";
+ SpoofedUser = "contoso.com";
+ SpoofType = "Internal";
+ }
+ }
+ }
+
+ It 'Should return true from the Test method' {
+ Test-TargetResource @testParams | Should -Be $true
+ }
+ }
+
+ Context -Name "The instance exists and values are NOT in the desired state" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ Action = "Allow"; # Drift
+ SendingInfrastructure = "121.0.0.7";
+ SpoofedUser = "contoso.com";
+ SpoofType = "Internal";
+ Ensure = 'Present'
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-TenantAllowBlockListSpoofItems -MockWith {
+ return @{
+ Identity = (New-GUID).TOString()
+ Action = "Block";
+ SendingInfrastructure = "121.0.0.7";
+ SpoofedUser = "contoso.com";
+ SpoofType = "Internal";
+ }
+ }
+ }
+
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Present'
+ }
+
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should call the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName Set-TenantAllowBlockListSpoofItems -Exactly 1
+ }
+ }
+
+ Context -Name 'ReverseDSC Tests' -Fixture {
+ BeforeAll {
+ $Global:CurrentModeIsExport = $true
+ $Global:PartialExportFileName = "$(New-Guid).partial.ps1"
+ $testParams = @{
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-TenantAllowBlockListSpoofItems -MockWith {
+ return @{
+ Identity = (New-GUID).TOString()
+ Action = "Block";
+ SendingInfrastructure = "121.0.0.7";
+ SpoofedUser = "contoso.com";
+ SpoofType = "Internal";
+ }
+ }
+ }
+ It 'Should Reverse Engineer resource from the Export method' {
+ $result = Export-TargetResource @testParams
+ $result | Should -Not -BeNullOrEmpty
+ }
+ }
+ }
+}
+
+Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1
index 791f56e8c4..16a96f1d0b 100644
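Review bot: The drift context ("The instance exists and values are NOT in the desired state") asserts only the call count with `Should -Invoke -CommandName Set-TenantAllowBlockListSpoofItems -Exactly 1`, so it passes no matter which action is sent. The desired state there is `Action = "Allow"` against a mocked `Action = "Block"`, and for a spoof allow/block entry the direction of that change is the security-relevant part. Pinning it would look like `Should -Invoke -CommandName Set-TenantAllowBlockListSpoofItems -Exactly 1 -ParameterFilter { $Action -eq 'Allow' }`, assuming the resource passes `-Action` through to the cmdlet (the resource code is not part of this hunk). The `New-` and `Remove-` assertions in the first two contexts have the same call-count-only shape.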
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1 @@ -45,6 +45,14 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' + Description = 'My Test Description' + Name = 'My Test' + TemplateReference = @{ + TemplateId = 'adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1' + } + } } Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { @@ -54,7 +62,33 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return ,@() + return @{ + Id = 0 + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_laps_policies_backupdirectory' + Name = 'BackupDirectory' + OffsetUri = '/Policies/BackupDirectory' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_laps_policies_backupdirectory_1" + } + } + } + AdditionalProperties = $null + } } Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { 
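Review bot: The shared `Get-MgBetaDeviceManagementConfigurationPolicy` mock in the top-level `BeforeAll` now returns an existing policy where it previously returned nothing, and in the next hunk `Get-MgBetaDeviceManagementConfigurationPolicySetting` returns a populated setting instead of `,@()`. Any context that relied on the empty default to model a missing policy will now see one. The "should exist but does not" context is outside the visible hunks; if it does not already override the mock, it needs `Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { return $null }` in its own `BeforeAll`. A one-line comment above the shared mocks, such as `# Default: policy exists and is in the desired state; contexts override for absent/drift`, would make that contract visible. The enclosing `Describe`/`BeforeAll` block starts and ends outside these hunks.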
@@ -135,43 +169,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Present' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - BackupDirectory = '0' - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - } - } - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = @( - @{ - Id = 'device_vendor_msft_laps_policies_backupdirectory' - Name = 'BackupDirectory' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - } - ) - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" - } - } - } - AdditionalProperties = $null - } + BackupDirectory = '0' # Drift } } 
@@ -206,42 +204,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ) BackupDirectory = '1' } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - } - } - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = @( - @{ - Id = 'device_vendor_msft_laps_policies_backupdirectory' - Name = 'BackupDirectory' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - } - ) - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" - } - } - } - AdditionalProperties = $null - } - } } It 'Should return true from the Test method' { 
@@ -264,42 +226,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Absent' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - } - } - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = @( - @{ - Id = 'device_vendor_msft_laps_policies_backupdirectory' - Name = 'BackupDirectory' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - } - ) - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" - } - } - } - AdditionalProperties = $null - } - } } It 'Should return Present from the Get method' { 
@@ -323,45 +249,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Credential = $Credential } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - TemplateReference = @{ - TemplateId = 'adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1' - } - } - } - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = @( - @{ - Id = 'device_vendor_msft_laps_policies_backupdirectory' - Name = 'BackupDirectory' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - } - ) - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" - } - } - } - AdditionalProperties = $null - } - } } It 'Should Reverse Engineer resource from the Export method' { diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 index 3b8962f91a..50196c8309 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalUserGroupMembershipPolicy.Tests.ps1 
@@ -55,6 +55,88 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } }) } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' + Description = 'My Test Description' + Name = 'My Test' + Settings = @{ + Id = 0 + SettingDefinitions = $null + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' + 'groupSettingCollectionValue' = @( + @{ + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' + 'children' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' + 'simpleSettingCollectionValue' = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' + } + ) + } + ) + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 
'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' + 'choiceSettingValue' = @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' + 'children' = @() + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' + 'choiceSettingCollectionValue' = @( + @{ + 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' + 'children' = @() + } + ) + } + ) + } + ) + } + ) + } + ) + } + } + AdditionalProperties = $null + } + TemplateReference = @{ + TemplateId = '22968f54-45fa-486c-848e-f8224aa69772_1' + } + } + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { } 
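Review bot: The `..._accessgroup_desc` child in the new shared mock is typed `'#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'` but carries `'choiceSettingCollectionValue'`, which belongs to the collection variant of that setting type. If the resource dispatches on `@odata.type`, the test feeds it a shape that Graph would presumably not return, so the local-group mapping may be exercised on a path production never takes. The type string should probably read `'#microsoft.graph.deviceManagementConfigurationChoiceSettingCollectionInstance'`. The removed per-context mocks had the same mismatch, so this is carried over rather than introduced.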
@@ -130,90 +212,11 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { (New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalUserGroupCollection -Property @{ LocalGroups = @('administrators') Members = @('S-1-12-1-1167842105-1150511762-402702254-1917434032') - Action = 'add_update' + Action = 'add_restrict' # Drift UserSelectionType = 'users' } -ClientOnly) ) } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( 
- @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'Non-existant value' - } - ) - } - ) - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_remove_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_users' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) - } - } - AdditionalProperties = $null - } - } - } - - - Mock -CommandName Update-DeviceManagementConfigurationPolicy -MockWith { - } } It 'Should return Present from the Get method' { @@ -226,7 +229,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should update the instance from the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName Update-DeviceManagementConfigurationPolicy -Exactly 1 + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 } } 
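Review bot: The drift case now differs from the shared mock only in `Action = 'add_restrict' # Drift`, whereas the removed context-local mock also drifted the member (`'Non-existant value'`) and the local group (`..._accessgroup_desc_users`). Membership of the local administrators group is what this policy protects, so a second drift context whose `Members` differ from the mocked SID would keep that comparison path covered. In the following hunk, `Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1` checks the call count only. Whether a `-ParameterFilter` on the settings payload is practical depends on that helper's signature, which is not visible here.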
@@ -254,81 +257,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } -ClientOnly) ) } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' - } - ) - } - ) - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 
'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) - } - } - AdditionalProperties = $null - } - } - } } It 'Should return true from the Test method' { 
@@ -360,81 +288,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Absent' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' - } - ) - } - ) - } - }, - @{ - '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) - } - } - AdditionalProperties = $null - } - } - } } It 'Should return Present from the Get method' { 
@@ -458,92 +311,11 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Credential = $Credential } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - TemplateReference = @{ - TemplateId = '5dd36540-eb22-4e7e-b19c-2a07772ba627_1' - } - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_localusersandgroups_configure' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'de06bec1-4852-48a0-9799-cf7b85992d45' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup' - 'groupSettingCollectionValue' = @( - @{ - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_userselectiontype_users' - 'children' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_users' - 'simpleSettingCollectionValue' = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - 'value' = 'S-1-12-1-1167842105-1150511762-402702254-1917434032' - } - ) - } - 
) - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action' - 'choiceSettingValue' = @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_action_add_update' - 'children' = @() - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - 'settingDefinitionId' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc' - 'choiceSettingCollectionValue' = @( - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_administrators' - 'children' = @() - }, - @{ - 'value' = 'device_vendor_msft_policy_config_localusersandgroups_configure_groupconfiguration_accessgroup_desc_users' - 'children' = @() - } - ) - } - ) - } - ) - } - ) - } - ) - } - } - AdditionalProperties = $null - } - } - } } It 'Should Reverse Engineer resource from the Export method' { $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty } } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicyWindows10.Tests.ps1 index d3d8323968..2f1b585b8f 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicyWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicyWindows10.Tests.ps1 
@@ -71,6 +71,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_passportforwork_{tenantid}_policies_pincomplexity_history' Name = 'History' + OffsetUri = '/{0}/Policies/PINComplexity/History' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' dependentOn = @( @@ -84,6 +85,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_passportforwork_{tenantid}' Name = '{TenantId}' + OffsetUri = '/{0}' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' childIds = @( @@ -124,6 +126,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'user_vendor_msft_passportforwork_{tenantid}_policies_pincomplexity_history' Name = 'History' + OffsetUri = '/{0}/Policies/PINComplexity/History' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' dependentOn = @( @@ -137,6 +140,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'user_vendor_msft_passportforwork_{tenantid}' Name = '{TenantId}' + OffsetUri = '/{0}' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' childIds = @( diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusPolicyLinux.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusPolicyLinux.Tests.ps1 new file mode 100644 index 0000000000..7a1c5db2da --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusPolicyLinux.Tests.ps1 
@@ -0,0 +1,683 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneAntivirusPolicyLinux" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + } + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'My Test' + RoleScopeTagIds = @("FakeStringValue") + TemplateReference = @{ + TemplateId = '4cfd164c-5e8a-4ea9-b15d-9aa71e4ffff4_1' + } + } + } + + Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + } + + Mock 
-CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = 0 + SettingDefinitions = @( + @{ + Id = 'linux_mdatp_managed_cloudservice_enabled' + Name = 'enabled' + OffsetUri = 'enabled' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'linux_mdatp_managed_cloudservice_enabled' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'ad8554ce-16d5-44a5-9686-d286844755b0' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = 'linux_mdatp_managed_cloudservice_enabled_true' + } + } + } + }, + @{ + Id = 1 + SettingDefinitions = @( + @{ + Id = 'linux_mdatp_managed_antivirusengine_disallowedthreatactions' + Name = 'disallowedThreatActions' + OffsetUri = 'disallowedThreatActions' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionDefinition' + maximumCount = 600 + minimumCount = 0 + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'linux_mdatp_managed_antivirusengine_disallowedthreatactions' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'd1673a55-f037-4eca-b037-89392341d1b8' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + simpleSettingCollectionValue = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = 'disallowed action 1' + } + ) + } + } + }, + @{ + Id = 2 + SettingDefinitions = @( + @{ + Id = 'linux_mdatp_managed_antivirusengine_exclusions' + Name = 'exclusions' + OffsetUri = 'exclusions' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' + maximumCount = 600 + 
minimumCount = 0 + childIds = @( + 'linux_mdatp_managed_antivirusengine_exclusions_item_$type', + 'linux_mdatp_managed_antivirusengine_exclusions_item_extension' + ) + } + }, + @{ + Id = 'linux_mdatp_managed_antivirusengine_exclusions_item_$type' + Name = 'exclusions_item_$type' + OffsetUri = 'exclusions_item_$type' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + @{ + itemId = 'linux_mdatp_managed_antivirusengine_exclusions_item_$type_1' + name = 'Path' + dependentOn = @( + @{ + dependentOn = 'linux_mdatp_managed_antivirusengine_exclusions' + parentSettingId = 'linux_mdatp_managed_antivirusengine_exclusions' + } + ) + } + ) + } + }, + @{ + Id = 'linux_mdatp_managed_antivirusengine_exclusions_item_extension' + Name = 'exclusions_item_extension' + OffsetUri = 'exclusions/[{0}]/extension' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + dependentOn = @( + @{ + dependentOn = 'linux_mdatp_managed_antivirusengine_exclusions_item_$type_1' + parentSettingId = 'linux_mdatp_managed_antivirusengine_exclusions_item_$type' + } + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'linux_mdatp_managed_antivirusengine_exclusions' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'e2d557ab-357e-4727-978e-0d655facbb23' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'linux_mdatp_managed_antivirusengine_exclusions_item_$type' + choiceSettingValue = @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + settingDefinitionId = 'linux_mdatp_managed_antivirusengine_exclusions_item_extension' + 
simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = '.exe' + } + } + ) + value = 'linux_mdatp_managed_antivirusengine_exclusions_item_$type_1' + } + } + ) + } + ) + } + } + }, + @{ + Id = 3 + SettingDefinitions = @( + @{ + Id = 'linux_mdatp_managed_antivirusengine_threattypesettings' + Name = 'threatTypeSettings' + OffsetUri = 'threatTypeSettings' + AdditionalProperties = @{ + maximumCount = 2147483647 + minimumCount = 0 + childIds = @( + 'linux_mdatp_managed_antivirusengine_threattypesettings_item_key' + 'linux_mdatp_managed_antivirusengine_threattypesettings_item_value' + ) + } + }, + @{ + Id = 'linux_mdatp_managed_antivirusengine_threattypesettings_item_key' + Name = 'threatTypeSettings_item_key' + OffsetUri = 'threatTypeSettings/[{0}]/key' + AdditionalProperties = @{ + options = @( + @{ + itemId = 'linux_mdatp_managed_antivirusengine_threattypesettings_item_key_0' + name = 'potentially_unwanted_application' + dependentOn = @( + @{ + dependentOn = 'linux_mdatp_managed_antivirusengine_threattypesettings' + parentSettingId = 'linux_mdatp_managed_antivirusengine_threattypesettings' + } + ) + } + ) + } + }, + @{ + Id = 'linux_mdatp_managed_antivirusengine_threattypesettings_item_value' + Name = 'threatTypeSettings_item_value' + OffsetUri = 'threatTypeSettings/[{0}]/value' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + @{ + itemId = 'linux_mdatp_managed_antivirusengine_threattypesettings_item_value_0' + name = 'audit' + dependentOn = @( + @{ + dependentOn = 'linux_mdatp_managed_antivirusengine_threattypesettings' + parentSettingId = 'linux_mdatp_managed_antivirusengine_threattypesettings' + } + ) + } + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'linux_mdatp_managed_antivirusengine_threattypesettings' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 
'2e407734-2d3a-4cc2-9a81-4d1c54718096' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'linux_mdatp_managed_antivirusengine_threattypesettings_item_key' + choiceSettingValue = @{ + children = @() + value = 'linux_mdatp_managed_antivirusengine_threattypesettings_item_key_0' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'linux_mdatp_managed_antivirusengine_threattypesettings_item_value' + choiceSettingValue = @{ + children = @() + value = 'linux_mdatp_managed_antivirusengine_threattypesettings_item_value_0' + } + } + ) + } + ) + } + } + } + ) + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate -MockWith { + return @( + @{ + Id = 0 + SettingDefinitions = @( + @{ + Id = 'linux_mdatp_managed_cloudservice_enabled' + Name = 'enabled' + OffsetUri = 'enabled' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + # Not necessary + } + }, + @{ + Id = 1 + SettingDefinitions = @( + @{ + Id = 'linux_mdatp_managed_antivirusengine_disallowedthreatactions' + Name = 'disallowedThreatActions' + OffsetUri = 'disallowedThreatActions' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionDefinition' + maximumCount = 600 + minimumCount = 0 + } + } + ) + SettingInstance = @{ + # Not necessary + } + }, + @{ + Id = 2 + SettingDefinitions = @( + @{ + Id = 'linux_mdatp_managed_antivirusengine_exclusions' + Name = 'exclusions' + OffsetUri = 'exclusions' + AdditionalProperties = @{ + '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' + maximumCount = 600 + minimumCount = 0 + childIds = @( + 'linux_mdatp_managed_antivirusengine_exclusions_item_$type', + 'linux_mdatp_managed_antivirusengine_exclusions_item_extension' + ) + } + }, + @{ + Id = 'linux_mdatp_managed_antivirusengine_exclusions_item_$type' + Name = 'exclusions_item_$type' + OffsetUri = 'exclusions_item_$type' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + @{ + itemId = 'linux_mdatp_managed_antivirusengine_exclusions_item_$type_1' + name = 'Path' + dependentOn = @( + @{ + dependentOn = 'linux_mdatp_managed_antivirusengine_exclusions' + parentSettingId = 'linux_mdatp_managed_antivirusengine_exclusions' + } + ) + } + ) + } + }, + @{ + Id = 'linux_mdatp_managed_antivirusengine_exclusions_item_extension' + Name = 'exclusions_item_extension' + OffsetUri = 'exclusions/[{0}]/extension' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + dependentOn = @( + @{ + dependentOn = 'linux_mdatp_managed_antivirusengine_exclusions_item_$type_1' + parentSettingId = 'linux_mdatp_managed_antivirusengine_exclusions_item_$type' + } + ) + } + } + ) + SettingInstance = @{ + # Not necessary + } + }, + @{ + Id = 3 + SettingDefinitions = @( + @{ + Id = 'linux_mdatp_managed_antivirusengine_threattypesettings' + Name = 'threatTypeSettings' + OffsetUri = 'threatTypeSettings' + AdditionalProperties = @{ + maximumCount = 2147483647 + minimumCount = 0 + childIds = @( + 'linux_mdatp_managed_antivirusengine_threattypesettings_item_key' + 'linux_mdatp_managed_antivirusengine_threattypesettings_item_value' + ) + } + }, + @{ + Id = 'linux_mdatp_managed_antivirusengine_threattypesettings_item_key' + Name = 'threatTypeSettings_item_key' + OffsetUri = 'threatTypeSettings/[{0}]/key' + AdditionalProperties = @{ + options = @( + @{ + itemId = 
'linux_mdatp_managed_antivirusengine_threattypesettings_item_key_0' + name = 'potentially_unwanted_application' + dependentOn = @( + @{ + dependentOn = 'linux_mdatp_managed_antivirusengine_threattypesettings' + parentSettingId = 'linux_mdatp_managed_antivirusengine_threattypesettings' + } + ) + } + ) + } + }, + @{ + Id = 'linux_mdatp_managed_antivirusengine_threattypesettings_item_value' + Name = 'threatTypeSettings_item_value' + OffsetUri = 'threatTypeSettings/[{0}]/value' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + @{ + itemId = 'linux_mdatp_managed_antivirusengine_threattypesettings_item_value_0' + name = 'audit' + dependentOn = @( + @{ + dependentOn = 'linux_mdatp_managed_antivirusengine_threattypesettings' + parentSettingId = 'linux_mdatp_managed_antivirusengine_threattypesettings' + } + ) + } + ) + } + } + ) + SettingInstance = @{ + # Not necessary + } + } + ) + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + + } + # Test contexts + Context -Name "The IntuneAntivirusPolicyLinux should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = 
[CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + disallowedThreatActions = @("disallowed action 1") + enabled = "true"; + exclusions = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{ + Exclusions_item_extension = '.exe' + Exclusions_item_type = '1' + } -ClientOnly) + ); + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + threatTypeSettings = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings -Property @{ + ThreatTypeSettings_item_key = '0' + ThreatTypeSettings_item_value = '0' + } -ClientOnly) + ); + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + + Context -Name "The IntuneAntivirusPolicyLinux exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + 
disallowedThreatActions = @("disallowed action 1") + enabled = "true"; + exclusions = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{ + Exclusions_item_extension = '.exe' + Exclusions_item_type = '1' + } -ClientOnly) + ); + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + threatTypeSettings = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings -Property @{ + ThreatTypeSettings_item_key = '0' + ThreatTypeSettings_item_value = '0' + } -ClientOnly) + ); + Ensure = "Absent" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + Context -Name "The IntuneAntivirusPolicyLinux Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + disallowedThreatActions = @("disallowed action 1") + enabled = "true"; + exclusions = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{ + Exclusions_item_extension = '.exe' + Exclusions_item_type = '1' + } -ClientOnly) + ); + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + 
threatTypeSettings = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings -Property @{ + ThreatTypeSettings_item_key = '0' + ThreatTypeSettings_item_value = '0' + } -ClientOnly) + ); + Ensure = "Present" + Credential = $Credential; + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The IntuneAntivirusPolicyLinux exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + disallowedThreatActions = @("disallowed action 1") + enabled = "true"; + exclusions = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{ + Exclusions_item_extension = '.pdf' # Drift + Exclusions_item_type = '1' + } -ClientOnly) + ); + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + threatTypeSettings = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings -Property @{ + ThreatTypeSettings_item_key = '0' + ThreatTypeSettings_item_value = '0' + } -ClientOnly) + ); + Ensure = "Present" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 + } + } + + Context -Name 
'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusPolicyWindows10SettingCatalog.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusPolicyWindows10SettingCatalog.Tests.ps1 index c1ab851ec4..36c563e9cd 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusPolicyWindows10SettingCatalog.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusPolicyWindows10SettingCatalog.Tests.ps1 @@ -52,6 +52,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_policy_config_defender_allowarchivescanning' Name = 'AllowArchiveScanning' + OffsetUri = '/Config/Defender/AllowArchiveScanning' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } @@ -162,7 +163,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name 'When the instance already exists and is NOT in the Desired State' -Fixture { BeforeAll { $testParams = @{ - allowarchivescanning = '1' + allowarchivescanning = '0' # Drift Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' 
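Review bot: In the new IntuneAntivirusPolicyLinux test file, the context "exists but it SHOULD NOT" has a test titled `It 'Should return true from the Test method'` whose body asserts `Should -Be $false`. The assertion matches the scenario (policy present, `Ensure = "Absent"`), so the title is what should change: `It 'Should return false from the Test method' {`. A failure report for this drift check would otherwise state the opposite of what was verified. The Set tests are titled 'Should Create the group' and 'Should Remove the group' although they assert on `New-`/`Remove-MgBetaDeviceManagementConfigurationPolicy`; "policy" would be accurate. The new IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr test file added later in this diff carries the same three titles.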
@@ -177,39 +178,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { templateId = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = @( - @{ - Id = 'device_vendor_msft_policy_config_defender_allowarchivescanning' - Name = 'AllowArchiveScanning' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - } - ) - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_defender_allowarchivescanning' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '7c5c9cde-f74d-4d11-904f-de4c27f72d89' - AdditionalProperties = $null - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - value = 'device_vendor_msft_policy_config_defender_allowarchivescanning_0' #drift - settingValueTemplateReference = @{ - settingValueTemplateId = '9ead75d4-6f30-4bc5-8cc5-ab0f999d79f0' - useTemplateDefault = $false - } - children = $null - } - } - } - } - } } It 'Should return Present from the Get method' { diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppAndBrowserIsolationPolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppAndBrowserIsolationPolicyWindows10.Tests.ps1 index c72f26f30e..081fc88e60 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppAndBrowserIsolationPolicyWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppAndBrowserIsolationPolicyWindows10.Tests.ps1 
@@ -68,6 +68,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_windowsdefenderapplicationguard_installwindowsdefenderapplicationguard' Name = 'InstallWindowsDefenderApplicationGuard' + OffsetUri = '/InstallWindowsDefenderApplicationGuard' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } @@ -75,6 +76,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowwindowsdefenderapplicationguard' Name = 'AllowWindowsDefenderApplicationGuard' + OffsetUri = '/Settings/AllowWindowsDefenderApplicationGuard' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } @@ -82,6 +84,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowpersistence' Name = 'AllowPersistence' + OffsetUri = '/Settings/AllowPersistence' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } @@ -89,6 +92,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowvirtualgpu' Name = 'AllowVirtualGPU' + OffsetUri = '/Settings/AllowVirtualGPU' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } @@ -96,6 +100,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowcameramicrophoneredirection' Name = 'AllowCameraMicrophoneRedirection' + OffsetUri = '/Settings/AllowCameraMicrophoneRedirection' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } 
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr.Tests.ps1 new file mode 100644 index 0000000000..3f91a6caf3 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr.Tests.ps1 
@@ -0,0 +1,346 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'Test' + RoleScopeTagIds = @("FakeStringValue") + TemplateReference = @{ + TemplateId = 'e373ebb7-c1c5-4ffb-9ce0-698f1834fd9d_1' + } + } + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + } + + Mock -CommandName 
Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = '0' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_windowsdefenderapplicationguard_installwindowsdefenderapplicationguard' + Name = 'InstallWindowsDefenderApplicationGuard' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowwindowsdefenderapplicationguard' + Name = 'AllowWindowsDefenderApplicationGuard' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowpersistence' + Name = 'AllowPersistence' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowvirtualgpu' + Name = 'AllowVirtualGPU' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowcameramicrophoneredirection' + Name = 'AllowCameraMicrophoneRedirection' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + Settinginstance = @{ + SettingDefinitionId = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowwindowsdefenderapplicationguard' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '1f2529c7-4b06-4ae6-bebc-210f7135676f' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 
'device_vendor_msft_windowsdefenderapplicationguard_settings_allowpersistence' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowpersistence_0' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowvirtualgpu' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowvirtualgpu_0' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowcameramicrophoneredirection' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowcameramicrophoneredirection_1' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_windowsdefenderapplicationguard_installwindowsdefenderapplicationguard' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_windowsdefenderapplicationguard_installwindowsdefenderapplicationguard_install' + } + } + ) + value = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowwindowsdefenderapplicationguard_1' + } + } + } + } + ) + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + 
DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + + } + # Test contexts + Context -Name "The IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + AllowCameraMicrophoneRedirection = "1"; + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + InstallWindowsDefenderApplicationGuard = "install"; + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + + Context -Name "The IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = 
'#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + AllowCameraMicrophoneRedirection = "1"; + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + InstallWindowsDefenderApplicationGuard = "install"; + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = 'Absent' + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + Context -Name "The IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + AllowCameraMicrophoneRedirection = "1"; + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + InstallWindowsDefenderApplicationGuard = "install"; + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = 'Present' + Credential = $Credential; + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The 
IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + AllowCameraMicrophoneRedirection = "0"; # Updated property + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + InstallWindowsDefenderApplicationGuard = "install"; + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = 'Present' + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1 index 58a7cc4997..7b0a983390 100644 
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1 @@ -50,6 +50,19 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Update-IntuneAppProtectionPolicyiOSApp -MockWith { } + Mock -CommandName Get-MgGroup -MockWith { + return @( + @{ + id = '3eacc231-d77b-4efb-bb5f-310f68bd6198' + DisplayName = 'MyExcludedGroup' + }, + @{ + id = '6ee86c9f-2b3c-471d-ad38-ff4673ed723e' + DisplayName = 'MyAssignedGroup' + } + ) + } + # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { } @@ -276,14 +289,12 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowedOutboundDataTransferDestinations = 'managedApps' AppDataEncryptionType = 'whenDeviceLocked' Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') - Assignments = @('6ee86c9f-2b3c-471d-ad38-ff4673ed723e') ContactSyncBlocked = $False DataBackupBlocked = $False Description = '' DeviceComplianceRequired = $True DisplayName = 'DSC Policy' Ensure = 'Present' - ExcludedGroups = @('3eacc231-d77b-4efb-bb5f-310f68bd6198') FaceIdBlocked = $False FingerprintBlocked = $False Credential = $Credential diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppleMDMPushNotificationCertificate.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppleMDMPushNotificationCertificate.Tests.ps1 new file mode 100644 index 0000000000..ed85027560 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppleMDMPushNotificationCertificate.Tests.ps1 
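Review bot: The added `Mock -CommandName Get-MgGroup` has no `-ParameterFilter` and returns both groups for every call, so a lookup for a single group would receive two objects in the tests where the real cmdlet returns one. If the resource resolves groups one at a time, which is not visible in this hunk, a mock per group keeps the fixture honest, e.g. `Mock -CommandName Get-MgGroup -ParameterFilter { $GroupId -eq '6ee86c9f-2b3c-471d-ad38-ff4673ed723e' } -MockWith { ... }`. The hunk at `@@ -276,14 +289,12 @@` removes `Assignments` and `ExcludedGroups` from that context's parameters, and the enclosing context starts outside the hunk. It is worth confirming that some other context still compares the assigned and excluded groups, since those decide who the protection policy applies to.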
@@ -0,0 +1,237 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementApplePushNotificationCertificate -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementApplePushNotificationCertificate -MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementDataSharingConsent -MockWith { + } + + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + #Test contexts + + Context -Name '1. 
The instance should exist but it DOES NOT' -Fixture { + BeforeAll { + $testParams = @{ + AppleIdentifier = "Apple ID"; + Certificate = "Test cert"; + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + DataSharingConsetGranted = $True; + + Ensure = 'Present'; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementApplePushNotificationCertificate -MockWith { + return $null + } + + Mock -CommandName Get-MgBetaDeviceManagementDataSharingConsent -MockWith { + return $null + } + } + + It '1.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It '1.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It '1.3 Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaDeviceManagementApplePushNotificationCertificate -Exactly 1 + } + } + + Context -Name '2. The instance exists but it SHOULD NOT' -Fixture { + BeforeAll { + $testParams = @{ + AppleIdentifier = "Apple ID"; + Certificate = "Test cert"; + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + DataSharingConsetGranted = $True; + + Ensure = 'Absent' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementApplePushNotificationCertificate -MockWith { + return @{ + AppleIdentifier = "Patched cert"; + Certificate = "Test cert"; + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + } + } + + Mock -CommandName Get-MgBetaDeviceManagementDataSharingConsent -MockWith { + return @{ + DataSharingConsentId = "appleMDMPushCertificate" + Granted = $True; + } + } + } + + It '2.1 Should return values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It '2.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It '2.3 Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke 
-CommandName Update-MgBetaDeviceManagementApplePushNotificationCertificate -Exactly 1 + } + } + + Context -Name '3. The instance exists and values are already in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + AppleIdentifier = "Apple ID"; + Certificate = "Test cert"; + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + DataSharingConsetGranted = $True; + + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementApplePushNotificationCertificate -MockWith { + return @{ + AppleIdentifier = "Apple ID"; + Certificate = "Test cert"; + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + } + } + + Mock -CommandName Get-MgBetaDeviceManagementDataSharingConsent -MockWith { + return @{ + DataSharingConsentId = "appleMDMPushCertificate" + Granted = $True; + } + } + } + + It '3.0 Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name '4. The instance exists and values are NOT in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + AppleIdentifier = "Apple ID"; + Certificate = "Test cert"; + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + DataSharingConsetGranted = $True; + + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementApplePushNotificationCertificate -MockWith { + return @{ + AppleIdentifier = "Apple ID"; #drift + Certificate = "Patched cert base64 string"; #drift + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + } + } + + Mock -CommandName Get-MgBetaDeviceManagementDataSharingConsent -MockWith { + return @{ + DataSharingConsentId = "appleMDMPushCertificate" + Granted = $True; + } + } + } + + It '4.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It '4.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It '4.3 Should call the Set method' { + Set-TargetResource @testParams + 
Should -Invoke -CommandName Update-MgBetaDeviceManagementApplePushNotificationCertificate -Exactly 1 + } + } + + Context -Name '5. ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementApplePushNotificationCertificate -MockWith { + return @{ + AppleIdentifier = "Apple ID"; + Certificate = "Test cert"; + Id = "66f4ec83-754f-4a59-a73d-e3182cc636a5"; + } + } + + Mock -CommandName Get-MgBetaDeviceManagementDataSharingConsent -MockWith { + return @{ + DataSharingConsentId = "appleMDMPushCertificate" + Granted = $True; + } + } + } + + It '5.0 Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.Tests.ps1 index dccfff73ef..39c8c9f38f 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.Tests.ps1 @@ -60,6 +60,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware' Name = 'UseAdvancedProtectionAgainstRansomware' + OffsetUri = '/Config/Defender/AttackSurfaceReductionRules' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } 
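Review bot: In context 4 the mocked `AppleIdentifier = "Apple ID"; #drift` is identical to the desired value in `$testParams`, so only the `Certificate` difference makes test 4.2 return `$false` and the `#drift` comment on that line is misleading. Either give the mock a different value, e.g. `AppleIdentifier = "Other Apple ID"; #drift` (constructed sample), or drop the comment. Every `Get-MgBetaDeviceManagementDataSharingConsent` mock in this file returns `Granted = $True` or `$null`, so no context checks a revoked consent against `DataSharingConsetGranted = $True`; a context whose mock returns `Granted = $False` and expects `Test-TargetResource` to be `$false` would cover that. The parameter is spelled `DataSharingConsetGranted` throughout; if the resource schema uses the same spelling it presumably has to stay, but that is worth confirming.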
@@ -67,6 +68,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' Name = 'AttackSurfaceReductionRules' + OffsetUri = '/Config/Defender/AttackSurfaceReductionRules' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' 'childIds' = @( diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceControlPolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceControlPolicyWindows10.Tests.ps1 index efe2f33002..b15984720e 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceControlPolicyWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceControlPolicyWindows10.Tests.ps1 @@ -68,6 +68,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_policy_config_bluetooth_servicesallowedlist' Name = 'ServicesAllowedList' + OffsetUri = '/Config/Bluetooth/ServicesAllowedList' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionDefinition' } @@ -78,17 +79,15 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { SettingInstanceTemplateReference = @{ SettingInstanceTemplateId = '47d9b9c4-e714-4a51-a099-33f548e4ea49' } - AdditionalProperties = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - simpleSettingCollectionValue = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - value = 'abcd' - } - ) - } - ) + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + simpleSettingCollectionValue = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = 'abcd' + } + ) + } } }, @{ 
@@ -97,26 +96,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_policy_config_connectivity_allowusbconnection' Name = 'AllowUSBConnection' + OffsetUri = '/Config/Connectivity/AllowUSBConnection' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } } ) - SettingInstance = @( - @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_connectivity_allowusbconnection' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'bc92aa99-0993-4c65-a005-d5e5e6701486' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = '1' - } + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_connectivity_allowusbconnection' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'bc92aa99-0993-4c65-a005-d5e5e6701486' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = '1' } } - ) + } }, @{ Id = '2' @@ -124,6 +122,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' Name = 'Entry' + OffsetUri = '/configuration/devicecontrol/policyrules/{0}/ruledata' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' childIds = @( @@ -147,6 +146,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_options' Name = 'Options' + OffsetUri = '/configuration/devicecontrol/policyrules/{0}/ruledata' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' options = @( 
@@ -171,6 +171,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_type' Name = 'Type' + OffsetUri = '/configuration/devicecontrol/policyrules/{0}/ruledata' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' options = @( @@ -191,6 +192,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_excludedidlist_groupid' Name = 'GroupId' + OffsetUri = '/configuration/devicecontrol/policyrules/{0}' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' dependentOn = @( @@ -204,6 +206,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_name' Name = 'Name' + OffsetUri = '/configuration/devicecontrol/policyrules/{0}/ruledata' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' dependentOn = @( @@ -217,6 +220,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}' Name = 'ruleid' + OffsetUri = '/configuration/devicecontrol/policyrules/{0}/ruledata' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' childIds = @( 
@@ -229,6 +233,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_excludedidlist' Name = 'ExcludedIdList' + OffsetUri = '/configuration/devicecontrol/policyrules/{0}/ruledata' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' childIds = @( @@ -247,6 +252,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_sid' Name = 'Sid' + OffsetUri = '/configuration/devicecontrol/policyrules/{0}/ruledata' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' dependentOn = @( @@ -274,6 +280,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_includedidlist' Name = 'IncludedIdList' + OffsetUri = '/configuration/devicecontrol/policyrules/{0}/ruledata' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' dependentOn = @( @@ -287,6 +294,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata' Name = 'PolicyRule' + OffsetUri = '/configuration/devicecontrol/policyrules/{0}' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' childIds = @( 
@@ -309,6 +317,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_includedidlist_groupid' Name = 'GroupId' + OffsetUri = '/configuration/devicecontrol/policyrules/{0}' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' dependentOn = @( @@ -322,6 +331,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_accesmask' Name = 'AccessMask' + OffsetUri = '/configuration/devicecontrol/policyrules/{0}/ruledata' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingCollectionDefinition' maximumCount = 100 @@ -368,6 +378,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_computersid' Name = 'ComputerSid' + OffsetUri = '/configuration/devicecontrol/policyrules/{0}/ruledata' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' dependentOn = @( @@ -658,7 +669,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } } - It 'Should return true from the Test method' { Test-TargetResource @testParams | Should -Be $true } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagementEnrollmentAndroidGooglePlay.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagementEnrollmentAndroidGooglePlay.Tests.ps1 new file mode 100644 index 0000000000..3b34d8d51e --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagementEnrollmentAndroidGooglePlay.Tests.ps1 
@@ -0,0 +1,206 @@ +[CmdletBinding()] +param() +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot -ChildPath '..\..\Unit' -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder -ChildPath '\Stubs\Microsoft365.psm1' -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder -ChildPath '\Stubs\Generic.psm1' -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder -ChildPath '\UnitTestHelper.psm1' -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith {} + Mock -CommandName New-M365DSCConnection -MockWith { return "Credentials" } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting -MockWith {} + Mock -CommandName Invoke-MgGraphRequest -MockWith {} + Mock -CommandName Remove-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting -MockWith {} + Mock -CommandName Invoke-MgGraphRequest -MockWith { + @{ status = "Success" } + } + # Hide Write-Host output during the tests + Mock -CommandName Write-Host -MockWith {} + + $Script:exportedInstances = $null + $Script:ExportMode = $false + } + + # Context 1: Instance should exist but does not + Context -Name "1. 
The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + BindStatus = "notBound" + # OwnerUserPrincipalName = "testuser@domain.com" + # OwnerOrganizationName = "Test Organization" + # EnrollmentTarget = "targetedAsEnrollmentRestrictions" + # DeviceOwnerManagementEnabled = $False + # AndroidDeviceOwnerFullyManagedEnrollmentEnabled = $False + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting -MockWith { return $null } + } + + It '1.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It '1.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + } + + # Context 2: Instance exists but should not + Context -Name "2. The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + Ensure = 'Absent' + Credential = $Credential + } + + # Mock to simulate a "boundAndValidated" state as a prerequisite for unbinding + Mock -CommandName Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting -MockWith { + @( + @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + BindStatus = "boundAndValidated" # Required for unbinding + LastAppSyncDateTime = "2024-10-28T01:24:41.5529479Z" + LastAppSyncStatus = "success" + OwnerUserPrincipalName = "admin@m365x22684512.onmicrosoft.com" + OwnerOrganizationName = "Contoso" + LastModifiedDateTime = "2024-10-28T01:24:39.1855089Z" + EnrollmentTarget = "targetedAsEnrollmentRestrictions" + DeviceOwnerManagementEnabled = $true + AndroidDeviceOwnerFullyManagedEnrollmentEnabled = $false + Ensure = 'Present' + } + ) + } + + # Retrieve current instance to verify bindStatus and ensure values + $currentInstance = Get-TargetResource @testParams + + # Mock to simulate the unbind 
action with Invoke-MgGraphRequest + Mock -CommandName Invoke-MgGraphRequest -MockWith { + @{ status = "Success" } + } + } + + It '2.1 Should confirm testParams Ensure is Absent' { + # Verify that Ensure is set to 'Absent' in the test parameters + $testParams.Ensure | Should -Be 'Absent' + } + + It '2.2 Should confirm CurrentInstance Ensure is Present' { + # Verify that Ensure is set to 'Present' in the current instance + $currentInstance.Ensure | Should -Be 'Present' + } + + It '2.3 Should confirm CurrentInstance BindStatus is boundAndValidated' { + # Verify that bindStatus is 'boundAndValidated' in the current instance + $currentInstance.BindStatus | Should -Be 'boundAndValidated' + } + + It '2.4 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It '2.5 Should call Invoke-MgGraphRequest to remove the instance from Set method' { + Set-TargetResource @testParams + + # Verify if unbind was called + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 + } + } + + # Context 3: Instance exists and values are already in the desired state + Context -Name "3. The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + BindStatus = "bound" + # OwnerUserPrincipalName = "existingUser@domain.com" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting -MockWith { + return @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + BindStatus = "bound" + # OwnerUserPrincipalName = "existingUser@domain.com" + Ensure = 'Present' + } + } + } + + It '3.0 Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + # Context 4: Instance exists, but values are not in the desired state + Context -Name "4. 
The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + BindStatus = "notBound" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting -MockWith { + return @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + BindStatus = "bound" + OwnerUserPrincipalName = "existingUser@domain.com" + Ensure = 'Present' + } + } + } + + It '4.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It '4.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + } + + # Context 5: ReverseDSC Tests + Context -Name '5. ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting -MockWith { + return @{ + Id = "androidManagedStoreAccountEnterpriseSettings" + BindStatus = "bound" + OwnerUserPrincipalName = "existingUser@domain.com" + } + } + } + + It '5.0 Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.Tests.ps1 new file mode 100644 index 0000000000..d8ff6fcab9 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.Tests.ps1 
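Review bot: Test 2.5 asserts `Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1` with no parameter filter, so any single Graph request satisfies it and the test does not show that Set-TargetResource issued the unbind call rather than some other request. A filter on the method and URI the resource uses, e.g. `-ParameterFilter { $Method -eq 'POST' -and $Uri -like '*<unbind-endpoint>*' }` (placeholder, the endpoint is not visible in this hunk), would pin the destructive action. The top-level BeforeAll also mocks Invoke-MgGraphRequest twice, first with an empty body and then with `@{ status = "Success" }`, so the first mock is redundant. Test 2.1 only checks the `$testParams` hashtable the test itself built and exercises no resource code. The context 2 fixture uses `admin@m365x22684512.onmicrosoft.com`, which looks like a real tenant name; a neutral value such as the `existingUser@domain.com` used in the other contexts would keep tenant identifiers out of the repository.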
@@ -0,0 +1,259 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + } + Mock -CommandName Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $userName = "Whatever" + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling 
Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = New-Object System.Management.Automation.PSCredential ($userName, (ConvertTo-SecureString "your-wifi-password" -AsPlainText -Force)) + WifiSecurityType = "wpa" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = New-Object System.Management.Automation.PSCredential ($userName, (ConvertTo-SecureString "your-wifi-password" -AsPlainText -Force)) + WifiSecurityType = "wpa" + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + return @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + 
TokenCreationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + EnrollmentTokenType = 'TokenType' + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + Ensure = 'Present' + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = New-Object System.Management.Automation.PSCredential ($userName, (ConvertTo-SecureString "your-wifi-password" -AsPlainText -Force)) + WifiSecurityType = "wpa" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + return @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenCreationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + EnrollmentTokenType = 'TokenType' + QrCodeContent = "your-qr-code-content" 
+ WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + Ensure = 'Present' + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android" # Drift + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = New-Object System.Management.Automation.PSCredential ($userName, (ConvertTo-SecureString "your-wifi-password" -AsPlainText -Force)) + WifiSecurityType = "wpa" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + return @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenCreationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + EnrollmentTokenType = 'TokenType' + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + Ensure = 'Present' + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile 
-Exactly 1 + Should -Invoke -CommandName New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + return @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenCreationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + EnrollmentTokenType = 'TokenType' + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + Ensure = 'Present' + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDiskEncryptionWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDiskEncryptionWindows10.Tests.ps1 index ad519f9c47..78a4588d0e 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDiskEncryptionWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDiskEncryptionWindows10.Tests.ps1 
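Review bot: The 'ReverseDSC Tests' context in the new IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile test file only asserts that `Export-TargetResource` returns something, while the mocked profile carries `TokenValue`, `QrCodeContent` and a plain-string `WifiPassword`; nothing checks how those values appear in the exported configuration. Export output is usually written to disk and shared, so if the resource is meant to keep them out of the export I would add `$result | Should -Not -Match 'your-wifi-password'` (and the same for `'your-token-value'`) after the existing assertion. The resource code is not part of this hunk, so confirm the intended behaviour first. The mocks also return `WifiPassword` as a string where `$testParams` passes a `PSCredential`, so the 'already in the desired state' context cannot show whether a changed Wi-Fi password would be detected as drift.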
@@ -43,6 +43,15 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Description = "FakeStringValue" + Id = "FakeStringValue" + Name = "FakeStringValue" + RoleScopeTagIds = @("FakeStringValue") + TemplateReference = @{ + TemplateId = '46ddfc50-d10f-4867-b852-9434254b3bff_1' + } + } } Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { 
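Review bot: The shared `BeforeAll` mock of `Get-MgBetaDeviceManagementConfigurationPolicy` now returns a policy for every context instead of nothing, so any context that relies on the policy being missing has to override it explicitly. The context that expects the instance not to exist is outside the visible hunks; confirm it still carries its own `Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { return $null }`, otherwise its Get/Test assertions would run against the wrong state. The same default is introduced for `Get-MgBetaDeviceManagementConfigurationPolicySetting` in the next hunk and for both mocks in IntuneExploitProtectionPolicyWindows10SettingCatalog.Tests.ps1. A one-line comment above the shared mocks, e.g. `# Default: policy exists; contexts that need it absent override this mock`, would make that dependency visible.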
@@ -52,7 +61,70 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return ,@() + return @{ + Id = '0' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_bitlocker_identificationfield_identificationfield' + Name = 'IdentificationField' + OffsetUri = '/IdentificationField' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_bitlocker_identificationfield' + Name = 'IdentificationField_Name' + OffsetUri = '/IdentificationField' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_bitlocker_identificationfield_secidentificationfield' + Name = 'SecIdentificationField' + OffsetUri = '/IdentificationField' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_bitlocker_identificationfield' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '3aeb9145-2c02-4086-8886-44dbe09c2f62' + } + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + settingDefinitionId = 'device_vendor_msft_bitlocker_identificationfield_identificationfield' + simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = 'Field' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + settingDefinitionId = 'device_vendor_msft_bitlocker_identificationfield_secidentificationfield' + simpleSettingValue = @{ + '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = 'SecField' + } + } + ) + value = 'device_vendor_msft_bitlocker_identificationfield_1' + } + ) + } + ) + } + AdditionalProperties = @{} + } } Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { 
@@ -142,82 +214,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Absent' Credential = $Credential; } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Description = "FakeStringValue" - Id = "FakeStringValue" - Name = "FakeStringValue" - RoleScopeTagIds = @("FakeStringValue") - TemplateReference = @{ - TemplateId = '46ddfc50-d10f-4867-b852-9434254b3bff_1' - } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = '0' - SettingDefinitions = @( - @{ - Id = 'device_vendor_msft_bitlocker_identificationfield_identificationfield' - Name = 'IdentificationField' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' - } - }, - @{ - Id = 'device_vendor_msft_bitlocker_identificationfield' - Name = 'IdentificationField_Name' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - }, - @{ - Id = 'device_vendor_msft_bitlocker_identificationfield_secidentificationfield' - Name = 'SecIdentificationField' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' - } - } - ) - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_bitlocker_identificationfield' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '3aeb9145-2c02-4086-8886-44dbe09c2f62' - } - AdditionalProperties = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' - settingDefinitionId = 'device_vendor_msft_bitlocker_identificationfield_identificationfield' - simpleSettingValue = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - value = 'Field' - } - }, - 
@{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' - settingDefinitionId = 'device_vendor_msft_bitlocker_identificationfield_secidentificationfield' - simpleSettingValue = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - value = 'SecField' - } - } - ) - value = 'device_vendor_msft_bitlocker_identificationfield_1' - } - ) - } - ) - } - AdditionalProperties = @{} - } - } } It 'Should return Values from the Get method' { 
@@ -252,82 +248,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Present' Credential = $Credential; } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Description = "FakeStringValue" - Id = "FakeStringValue" - Name = "FakeStringValue" - RoleScopeTagIds = @("FakeStringValue") - TemplateReference = @{ - TemplateId = '46ddfc50-d10f-4867-b852-9434254b3bff_1' - } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = '0' - SettingDefinitions = @( - @{ - Id = 'device_vendor_msft_bitlocker_identificationfield_identificationfield' - Name = 'IdentificationField' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' - } - }, - @{ - Id = 'device_vendor_msft_bitlocker_identificationfield' - Name = 'IdentificationField_Name' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - }, - @{ - Id = 'device_vendor_msft_bitlocker_identificationfield_secidentificationfield' - Name = 'SecIdentificationField' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' - } - } - ) - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_bitlocker_identificationfield' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '3aeb9145-2c02-4086-8886-44dbe09c2f62' - } - AdditionalProperties = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' - settingDefinitionId = 'device_vendor_msft_bitlocker_identificationfield_identificationfield' - simpleSettingValue = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - value = 'Field' - } - }, - 
@{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' - settingDefinitionId = 'device_vendor_msft_bitlocker_identificationfield_secidentificationfield' - simpleSettingValue = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - value = 'SecField' - } - } - ) - value = 'device_vendor_msft_bitlocker_identificationfield_1' - } - ) - } - ) - } - AdditionalProperties = @{} - } - } } It 'Should return true from the Test method' { 
@@ -348,88 +268,12 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = "FakeStringValue" IdentificationField_Name = "1" IdentificationField = "Field" - SecIdentificationField = "SecField" + SecIdentificationField = "No - SecField" # Updated property DisplayName = "FakeStringValue" RoleScopeTagIds = @("FakeStringValue") Ensure = 'Present' Credential = $Credential; } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Description = "FakeStringValue" - Id = "FakeStringValue" - Name = "FakeStringValue" - RoleScopeTagIds = @("FakeStringValue") - TemplateReference = @{ - TemplateId = '46ddfc50-d10f-4867-b852-9434254b3bff_1' - } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = '0' - SettingDefinitions = @( - @{ - Id = 'device_vendor_msft_bitlocker_identificationfield_identificationfield' - Name = 'IdentificationField' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' - } - }, - @{ - Id = 'device_vendor_msft_bitlocker_identificationfield' - Name = 'IdentificationField_Name' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - }, - @{ - Id = 'device_vendor_msft_bitlocker_identificationfield_secidentificationfield' - Name = 'SecIdentificationField' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' - } - } - ) - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_bitlocker_identificationfield' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '3aeb9145-2c02-4086-8886-44dbe09c2f62' - } - AdditionalProperties = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @( - @{ - children = @( - @{ - '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' - settingDefinitionId = 'device_vendor_msft_bitlocker_identificationfield_identificationfield' - simpleSettingValue = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - value = 'ChangedValue' #drift - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' - settingDefinitionId = 'device_vendor_msft_bitlocker_identificationfield_secidentificationfield' - simpleSettingValue = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - value = 'SecField' - } - } - ) - value = 'device_vendor_msft_bitlocker_identificationfield_1' - } - ) - } - ) - } - AdditionalProperties = @{} - } - } } It 'Should return Values from the Get method' { 
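Review bot: The drift in this context now comes from `SecIdentificationField = "No - SecField"` in `$testParams`, but the comment `# Updated property` does not say what the value differs from, and the value it is compared against (`'SecField'`) lives in the shared mock added earlier in this file. I would write `SecIdentificationField = "No - SecField" # Drift: shared mock returns 'SecField'` so the expected mismatch is readable in place. The removed per-context mock drifted `IdentificationField` instead (`'ChangedValue'`), so drift on that property is no longer exercised here. The same `# Updated property` comment is used for `disallowexploitprotectionoverride = '0'` in IntuneExploitProtectionPolicyWindows10SettingCatalog.Tests.ps1.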
@@ -453,83 +297,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Credential = $Credential } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Description = "FakeStringValue" - Id = "FakeStringValue" - Name = "FakeStringValue" - RoleScopeTagIds = @("FakeStringValue") - TemplateReference = @{ - TemplateId = '46ddfc50-d10f-4867-b852-9434254b3bff_1' - } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = '0' - SettingDefinitions = @( - @{ - Id = 'device_vendor_msft_bitlocker_identificationfield_identificationfield' - Name = 'IdentificationField' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' - } - }, - @{ - Id = 'device_vendor_msft_bitlocker_identificationfield' - Name = 'IdentificationField_Name' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - }, - @{ - Id = 'device_vendor_msft_bitlocker_identificationfield_secidentificationfield' - Name = 'SecIdentificationField' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' - } - } - ) - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_bitlocker_identificationfield' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '3aeb9145-2c02-4086-8886-44dbe09c2f62' - } - AdditionalProperties = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' - settingDefinitionId = 'device_vendor_msft_bitlocker_identificationfield_identificationfield' - simpleSettingValue = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - value = 'Field' - } - }, - @{ 
- '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' - settingDefinitionId = 'device_vendor_msft_bitlocker_identificationfield_secidentificationfield' - simpleSettingValue = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' - value = 'SecField' - } - } - ) - value = 'device_vendor_msft_bitlocker_identificationfield_1' - } - ) - } - ) - } - AdditionalProperties = @{} - } - } } + It 'Should Reverse Engineer resource from the Export method' { $result = Export-TargetResource @testParams $result | Should -Not -BeNullOrEmpty diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyLinux.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyLinux.Tests.ps1 index 2a2d99ef56..fcd8f5ebf6 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyLinux.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyLinux.Tests.ps1 @@ -55,6 +55,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'linux_mdatp_managed_edr_tags' Name = 'tags' + OffsetUri = 'tags' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' childIds = @( @@ -68,6 +69,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'linux_mdatp_managed_edr_tags_item_value' Name = 'tags_item_value' + OffsetUri = 'tags/[{0}]/value' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' } @@ -75,6 +77,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'linux_mdatp_managed_edr_tags_item_key' Name = 'tags_item_key' + OffsetUri = 'tags/[{0}]/key' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' } 
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyMacOS.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyMacOS.Tests.ps1 index 9b51196991..8f490b9735 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyMacOS.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyMacOS.Tests.ps1 @@ -55,6 +55,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'com.apple.managedclient.preferences_tags' Name = 'tags' + OffsetUri = 'tags' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' childIds = @( @@ -68,6 +69,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'com.apple.managedclient.preferences_tags_item_value' Name = 'tags_item_value' + OffsetUri = 'tags/[{0}]/value' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' } @@ -75,6 +77,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'com.apple.managedclient.preferences_tags_item_key' Name = 'tags_item_key' + OffsetUri = 'tags/[{0}]/key' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 index e9801b6c53..85bdc2b60a 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 
@@ -71,6 +71,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_windowsadvancedthreatprotection_onboarding' Name = 'Onboarding' + OffsetUri = '/Onboarding' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' valueDefinition = @{ @@ -81,6 +82,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_windowsadvancedthreatprotection_configurationtype' Name = 'ClientConfigurationPackageType' + OffsetUri = '/' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } @@ -117,6 +119,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' Name = 'SampleSharing' + OffsetUri = '/Configuration/SampleSharing' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneExploitProtectionPolicyWindows10SettingCatalog.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneExploitProtectionPolicyWindows10SettingCatalog.Tests.ps1 index a5a3f74ae2..a5dbf07f70 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneExploitProtectionPolicyWindows10SettingCatalog.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneExploitProtectionPolicyWindows10SettingCatalog.Tests.ps1 @@ -33,6 +33,16 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @( + @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'Test Exploit Protection' + TemplateReference = @{ + TemplateId = 'd02f2162-fcac-48db-9b7b-b0a3f160d2c2_1' + } + } + ) } Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith { 
@@ -69,7 +79,37 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return ,@() + return @{ + Id = 0 + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride' + Name = 'DisallowExploitProtectionOverride' + OffsetUri = '/Config/WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @( + @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'e4be83c7-691b-488d-b068-2d82a1cced8e' + } + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + value = 'device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride_1' + children = @() + } + } + ) + } + ) + AdditionalProperties = $null + } } Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { @@ -125,7 +165,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Credential = $Credential Description = 'My Test' - disallowexploitprotectionoverride = '1' + disallowexploitprotectionoverride = '0' # Updated property DisplayName = 'Test Exploit Protection' Ensure = 'Present' Identity = '36002266-8153-48e3-9716-d4546ae34ff7' 
@@ -138,47 +178,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } -ClientOnly) ) } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '12345-12345-12345-12345-12345' - Description = 'My Test' - Name = 'Test Exploit Protection' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = @( - @{ - Id = 'device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride' - Name = 'DisallowExploitProtectionOverride' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - } - ) - SettingInstance = @( - @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'e4be83c7-691b-488d-b068-2d82a1cced8e' - } - AdditionalProperties = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - value = 'device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride_0' #drift - children = @() - } - } - ) - } - ) - AdditionalProperties = $null - } - } } It 'Should return Present from the Get method' { 
@@ -213,61 +212,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } -ClientOnly) ) } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '12345-12345-12345-12345-12345' - Description = 'My Test' - Name = 'Test Exploit Protection' - } - } - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { - return @( - @{ - Target = @{ - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' - groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' - } - DeviceAndAppManagementAssignmentFilterType = 'none' - DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' - } - } - ) - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = @( - @{ - Id = 'device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride' - Name = 'DisallowExploitProtectionOverride' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - } - ) - SettingInstance = @( - @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'e4be83c7-691b-488d-b068-2d82a1cced8e' - } - AdditionalProperties = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - value = 'device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride_1' - children = @() - } - } - ) - } - ) - AdditionalProperties = @{} - } - } } It 'Should return true from the Test method' { 
@@ -293,47 +237,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } -ClientOnly) ) } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '12345-12345-12345-12345-12345' - Description = 'My Test' - Name = 'Test Exploit Protection' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = @( - @{ - Id = 'device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride' - Name = 'DisallowExploitProtectionOverride' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - } - ) - SettingInstance = @( - @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'e4be83c7-691b-488d-b068-2d82a1cced8e' - } - AdditionalProperties = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - value = 'device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride_1' - children = @() - } - } - ) - } - ) - AdditionalProperties = @{} - } - } } It 'Should return Present from the Get method' { 
@@ -357,52 +260,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Credential = $Credential } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @( - @{ - Id = '12345-12345-12345-12345-12345' - Description = 'My Test' - Name = 'Test Exploit Protection' - TemplateReference = @{ - TemplateId = 'd02f2162-fcac-48db-9b7b-b0a3f160d2c2_1' - } - } - ) - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = @( - @{ - Id = 'device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride' - Name = 'DisallowExploitProtectionOverride' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - } - ) - SettingInstance = @( - @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'e4be83c7-691b-488d-b068-2d82a1cced8e' - } - AdditionalProperties = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - value = 'device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride_1' - children = @() - } - } - ) - } - ) - AdditionalProperties = @{} - } - } } It 'Should Reverse Engineer resource from the Export method' { diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneFirewallPolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneFirewallPolicyWindows10.Tests.ps1 index 1c18557eb3..9dae7098d7 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneFirewallPolicyWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneFirewallPolicyWindows10.Tests.ps1 
@@ -73,6 +73,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'vendor_msft_firewall_mdmstore_global_disablestatefulftp' Name = 'DisableStatefulFtp' + OffsetUri = '/MdmStore/Global/DisableStatefulFtp' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } @@ -117,6 +118,14 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ) } }, + @{ + Id = 'vendor_msft_firewall_mdmstore_publicprofile_enablefirewall' + Name = 'EnableFirewall' + OffsetUri = '/MdmStore/PublicProfile/EnableFirewall' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, @{ Id = 'vendor_msft_firewall_mdmstore_publicprofile_logfilepath' Name = 'LogFilePath' @@ -175,7 +184,27 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { parentSettingId = 'vendor_msft_firewall_mdmstore_hypervvmsettings_{vmcreatorid}_target' } ) - + } + ) + } + }, + @{ + Id = 'vendor_msft_firewall_mdmstore_hypervvmsettings_{vmcreatorid}_publicprofile_enablefirewall' + Name = 'EnableFirewall' + OffsetUri = '/MdmStore/HyperVVMSettings/{0}/PublicProfile/EnableFirewall' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + # Only option used in the tests is defined here + @{ + name = 'Enable Firewall' + itemId = 'vendor_msft_firewall_mdmstore_hypervvmsettings_{vmcreatorid}_publicprofile_enablefirewall_true' + dependentOn = @( + @{ + dependentOn = 'vendor_msft_firewall_mdmstore_hypervvmsettings_{vmcreatorid}_target_wsl' + parentSettingId = 'vendor_msft_firewall_mdmstore_hypervvmsettings_{vmcreatorid}_target' + } + ) } ) } 
@@ -203,6 +232,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'vendor_msft_firewall_mdmstore_hypervvmsettings_{vmcreatorid}' Name = '{VMCreatorId}' + OffsetUri = '/MdmStore/HyperVVMSettings/{0}' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' childIds = @( @@ -348,7 +378,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { (Get-TargetResource @testParams).Ensure | Should -Be 'Present' } - It 'Should return true from the Test method' { + It 'Should return false from the Test method' { Test-TargetResource @testParams | Should -Be $false } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1 index abfda47b65..0e5552d5fd 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1 @@ -138,7 +138,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Owner = "" PrivacyInformationUrl = "" Publisher = "Contoso" - PublishingState = "published" RoleScopeTagIds = @() IgnoreVersionDetection = $True AdditionalProperties = @{ @@ -204,7 +203,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Owner = "" PrivacyInformationUrl = "" Publisher = "Contoso" - PublishingState = "published" RoleScopeTagIds = @() AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.macOSLobApp' @@ -260,7 +258,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Owner = "" PrivacyInformationUrl = "" Publisher = "Contoso" - PublishingState = "published" AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.macOSLobApp' minimumSupportedOperatingSystem = @{ 
@@ -307,7 +304,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Owner = "" PrivacyInformationUrl = "" Publisher = "Contoso" - PublishingState = "published" RoleScopeTagIds = @() AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.macOSLobApp' diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1 new file mode 100644 index 0000000000..a86d42c03d --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1 
@@ -0,0 +1,293 @@ +[CmdletBinding()] +param( +) + +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + } + + Mock -CommandName Remove-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + # Test contexts + + Context -Name " 1. 
The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + return $null + } + } + + It ' 1.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It ' 1.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It ' 1.3 Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementMobileThreatDefenseConnector -Exactly 1 + } + } + + Context -Name " 2. 
The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + return @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + } + } + } + + It ' 2.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It ' 2.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It ' 2.3 Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 
Remove-MgBetaDeviceManagementMobileThreatDefenseConnector -Exactly 1 + } + } + + Context -Name " 3. The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + return @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + } + } + } + + It ' 3.0 Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name " 4. 
The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; #drift + PartnerUnresponsivenessThresholdInDays = 1; #drift + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + return @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + } + } + } + + It ' 4.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It ' 4.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It ' 4.3 Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 
Update-MgBetaDeviceManagementMobileThreatDefenseConnector -Exactly 1 + } + } + + Context -Name ' 5. ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + return @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + } + } + } + It ' 5.0 Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineDefenderForEndpoint.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineDefenderForEndpoint.Tests.ps1 new file mode 100644 index 0000000000..101a834113 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineDefenderForEndpoint.Tests.ps1 
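Review bot: Context 4 ("values are NOT in the desired state") drifts only `PartnerState` and `PartnerUnresponsivenessThresholdInDays`, while every boolean in this file is `$False` in both the desired parameters and the mocked connector. No test here would fail if the resource stopped comparing a toggle such as `AndroidDeviceBlockedOnMissingPartnerData`, or if Get returned it empty. Judging by their names, these switches decide whether a device is blocked when the threat-defense partner reports nothing, so a missed drift on them is the case most worth pinning. I would flip one in the Context 4 desired state, e.g. `AndroidDeviceBlockedOnMissingPartnerData = $True; #drift`. I would also have the Context 3 parameters and mock both carry one `$True` value, so the compliant path is checked with a non-default setting.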
@@ -0,0 +1,432 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneSecurityBaselineDefenderForEndpoint" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + } + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'My Test' + RoleScopeTagIds = @("FakeStringValue") + TemplateReference = @{ + TemplateId = '49b8320f-e179-472e-8e2c-2fde00289ca2_1' + } + } + } + Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + } 
+ + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = '0' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts' + Name = 'BlockExecutionOfPotentiallyObfuscatedScripts' + OffsetUri = '/Config/Defender/AttackSurfaceReductionRules' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options=@( + @{ + name ='off' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + parentSettingId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + } + ) + itemId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_off' + } + ) + + } + }, + @{ + Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros' + Name = 'BlockWin32APICallsFromOfficeMacros' + OffsetUri = '/Config/Defender/AttackSurfaceReductionRules' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options=@( + @{ + name ='Warn' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + parentSettingId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + } + ) + itemId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_warn' + } + ) + } + } + @{ + Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + Name = 'AttackSurfaceReductionRules' + OffsetUri = '/Config/Defender/AttackSurfaceReductionRules' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' + maximumCount = 1 + minimumCount = 0 + childIds = @( + 
'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts', + 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros' + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'c1d89476-ce60-45a3-bdd7-eb378e54f826' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_off" + } + settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts' + } + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_warn" + } + settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros' + } + ) + } + ) + } + } + + }, + + @{ + Id = '1' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring' + Name = 'AllowRealtimeMonitoring' + OffsetUri = '/Config/Defender/AllowRealtimeMonitoring' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options=@( + @{ + name ='Allowed. Turns on and runs the real-time monitoring service.' 
+ itemId = 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring_1' + } + ) + + } + } + ) + SettingInstance = @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance" + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_policy_config_defender_allowrealtimemonitoring_1" + } + } + SettingDefinitionId = 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '775f8729-9ce5-4b6f-8afd-1ab61891d195' + } + } + }, + @{ + Id = '2' + SettingDefinitions = @( + @{ + Id = 'user_vendor_msft_policy_config_internetexplorer_disablebypassofsmartscreenwarningsaboutuncommonfiles' + Name = 'DisableSafetyFilterOverrideForAppRepUnknown' + OffsetUri = '/Config/InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options=@( + @{ + name ='Enabled' + itemId = 'user_vendor_msft_policy_config_internetexplorer_disablebypassofsmartscreenwarningsaboutuncommonfiles_1' + } + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'user_vendor_msft_policy_config_internetexplorer_disablebypassofsmartscreenwarningsaboutuncommonfiles' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'f935a3e0-81d6-4546-98b7-c1f653531d9c' + } + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance" + choiceSettingValue = @{ + children = @() + value = "user_vendor_msft_policy_config_internetexplorer_disablebypassofsmartscreenwarningsaboutuncommonfiles_1" + } + } + } + } + ) + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host 
-MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + + } + # Test contexts + Context -Name "The IntuneSecurityBaselineDefenderForEndpoint should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + deviceSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + BlockWin32APICallsFromOfficeMacros = 'warn' + AllowRealtimeMonitoring = '1' + } -ClientOnly) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + DisableSafetyFilterOverrideForAppRepUnknown= '1' + } -ClientOnly) + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | 
Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + + Context -Name "The IntuneSecurityBaselineDefenderForEndpoint exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + deviceSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + BlockWin32APICallsFromOfficeMacros = 'warn' + AllowRealtimeMonitoring = '1' + } -ClientOnly) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + DisableSafetyFilterOverrideForAppRepUnknown= '1' + } -ClientOnly) + Ensure = "Absent" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + Context -Name "The IntuneSecurityBaselineDefenderForEndpoint Exists and Values are already in the 
desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + deviceSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + BlockWin32APICallsFromOfficeMacros = 'warn' + AllowRealtimeMonitoring = '1' + } -ClientOnly) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + DisableSafetyFilterOverrideForAppRepUnknown= '1' + } -ClientOnly) + Ensure = "Present" + Credential = $Credential; + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The IntuneSecurityBaselineDefenderForEndpoint exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + deviceSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + BlockExecutionOfPotentiallyObfuscatedScripts = 'off' + BlockWin32APICallsFromOfficeMacros = 'warn' + AllowRealtimeMonitoring = '1' + 
} -ClientOnly) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint -Property @{ + DisableSafetyFilterOverrideForAppRepUnknown= '0' + } -ClientOnly) + Ensure = "Present" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + } + + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoft365AppsForEnterprise.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoft365AppsForEnterprise.Tests.ps1 index a232790964..9da29d6d2c 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoft365AppsForEnterprise.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoft365AppsForEnterprise.Tests.ps1 
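Review bot: In the "exists but it SHOULD NOT" context the test is titled `It 'Should return true from the Test method'` but asserts `Should -Be $false`. The title should read `It 'Should return false from the Test method'`, which is the same correction this commit applies to the IntuneFirewallPolicyWindows10 tests. The Set tests in the first two contexts are titled "Should Create the group" and "Should Remove the group", although they assert on `New-MgBetaDeviceManagementConfigurationPolicy` and `Remove-MgBetaDeviceManagementConfigurationPolicy`; "policy" would match what is checked. The assertions themselves look consistent with the mocks, so this is only about how a failing run of a security-baseline test reads in the report.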
@@ -212,6 +212,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates' Name = 'L_Word2003BinaryDocumentsAndTemplates' + OffsetUri = '/Config/word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions~L_Security~L_TrustCenter~L_FileBlockSettings/L_Word2003BinaryDocumentsAndTemplates' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' options = @( @@ -225,6 +226,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates_l_word2003binarydocumentsandtemplatesdropid' Name = 'L_Word2003BinaryDocumentsAndTemplatesDropID' + OffsetUri = '/Config/word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions~L_Security~L_TrustCenter~L_FileBlockSettings/L_Word2003BinaryDocumentsAndTemplates' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' options = @( diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoftEdge.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoftEdge.Tests.ps1 index c5f003a76e..b69a4786ab 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoftEdge.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoftEdge.Tests.ps1 
@@ -71,6 +71,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed' Name = 'InsecurePrivateNetworkRequestsAllowed' + OffsetUri = '/Config/microsoft_edgev92~Policy~microsoft_edge~PrivateNetworkRequestSettings/InsecurePrivateNetworkRequestsAllowed' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } @@ -96,6 +97,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed' Name = 'InternetExplorerIntegrationReloadInIEModeAllowed' + OffsetUri = '/Config/microsoft_edgev92~Policy~microsoft_edge/InternetExplorerIntegrationReloadInIEModeAllowed' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } @@ -121,6 +123,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed' Name = 'InternetExplorerIntegrationZoneIdentifierMhtFileAllowed' + OffsetUri = '/Config/microsoft_edgev117~Policy~microsoft_edge/InternetExplorerIntegrationZoneIdentifierMhtFileAllowed' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } 
@@ -146,6 +149,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { @{ Id = 'device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled' Name = 'InternetExplorerModeToolbarButtonEnabled' + OffsetUri = '/Config/microsoft_edgev96~Policy~microsoft_edge/InternetExplorerModeToolbarButtonEnabled' AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSettingCatalogASRRulesPolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSettingCatalogASRRulesPolicyWindows10.Tests.ps1 index d4af8433c9..62fc74e810 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSettingCatalogASRRulesPolicyWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSettingCatalogASRRulesPolicyWindows10.Tests.ps1 @@ -47,6 +47,14 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'asdfads' + TemplateReference = @{ + TemplateId = 'e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1' + } + } } Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { 
@@ -59,104 +67,165 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = '0' - SettingDefinitions = @( - @{ - Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' - Name = 'AttackSurfaceReductionRules' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' - childIds = @( - 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses', - 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros', - 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem', - 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses' - ) - maximumCount = 1 - minimumCount = 0 - } - }, - @{ - Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses' - Name = 'BlockAdobeReaderFromCreatingChildProcesses' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - }, - @{ - Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros' - Name = 'BlockWin32APICallsFromOfficeMacros' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - }, - @{ - Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem' - Name = 'BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - }, - @{ - Id = 
'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses' - Name = 'BlockAllOfficeApplicationsFromCreatingChildProcesses' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + return @( + @{ + Id = '0' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + Name = 'AttackSurfaceReductionRules' + OffsetUri = '/Config/Defender/AttackSurfaceReductionRules' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' + childIds = @( + 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses', + 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros', + 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem', + 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses' + ) + maximumCount = 1 + minimumCount = 0 + } + }, + @{ + Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses' + Name = 'BlockAdobeReaderFromCreatingChildProcesses' + OffsetUri = '/Config/Defender/AttackSurfaceReductionRules' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_perruleexclusions' + Name = 'ASROnlyPerRuleExclusions' + OffsetUri = '/Configuration/ASROnlyPerRuleExclusions' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionDefinition' + maximumCount = 600 + 
minimumCount = 0 + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_block' + parentSettingId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses' + } + ) + } + }, + @{ + Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros' + Name = 'BlockWin32APICallsFromOfficeMacros' + OffsetUri = '/Config/Defender/AttackSurfaceReductionRules' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_perruleexclusions' + Name = 'ASROnlyPerRuleExclusions' + OffsetUri = '/Configuration/ASROnlyPerRuleExclusions' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionDefinition' + maximumCount = 600 + minimumCount = 0 + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_block' + parentSettingId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros' + } + ) + } } - } - ) - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '19600663-e264-4c02-8f55-f2983216d6d7' - } - AdditionalProperties = @( @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - groupSettingCollectionValue = @( - @{ - children = @( - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - settingDefinitionId = 
'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses' - choiceSettingValue = @{ - children = @() - value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_audit' - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros' - choiceSettingValue = @{ - children = @() - value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_block' - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem' - choiceSettingValue = @{ - children = @() - value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem_warn' - } - }, - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses' - choiceSettingValue = @{ - children = @() - value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses_warn' - } - } - ) - } - ) + Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem' + Name = 'BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem' + OffsetUri = '/Config/Defender/AttackSurfaceReductionRules' + AdditionalProperties = @{ + '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses' + Name = 'BlockAllOfficeApplicationsFromCreatingChildProcesses' + OffsetUri = '/Config/Defender/AttackSurfaceReductionRules' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } } ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '19600663-e264-4c02-8f55-f2983216d6d7' + } + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses' + choiceSettingValue = @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_perruleexclusions' + simpleSettingCollectionValue = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = 'Adobe Reader Exclusion' + } + ) + } + ) + value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_audit' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros' + choiceSettingValue = @{ + children 
= @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_perruleexclusions' + simpleSettingCollectionValue = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = 'Win32 API Calls Exclusion' + } + ) + } + ) + value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_block' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem_warn' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses_warn' + } + } + ) + } + ) + } + ) + } + AdditionalProperties = @{} } - AdditionalProperties = @{} - } + ) } Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { 
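Review bot: The mocked setting definitions and the mocked setting instance disagree about when per-rule exclusions apply. The `..._blockadobereaderfromcreatingchildprocesses_perruleexclusions` definition lists only the `_block` option in its `dependentOn` array, yet the instance nests that exclusion collection under a choice value of `..._blockadobereaderfromcreatingchildprocesses_audit`. The tests presumably pass because the resource links the child through `parentSettingId` only, but the fixture then describes a state its own definition rules out. Either add a `dependentOn` entry for the `_audit` option to the mocked definition, or use `_block` for the Adobe Reader rule in both the instance and the `$testParams` blocks, so a later change that honours `dependentOn` does not fail on the fixture rather than on the code.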
@@ -194,15 +263,17 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { deviceAndAppManagementAssignmentFilterType = 'none' } -ClientOnly) ) - BlockAdobeReaderFromCreatingChildProcesses = 'audit' - BlockAllOfficeApplicationsFromCreatingChildProcesses = 'warn' - BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem = 'warn' - BlockWin32APICallsFromOfficeMacros = 'block' - Credential = $Credential - Description = 'My Test' - DisplayName = 'asdfads' - Ensure = 'Present' - Identity = 'a90ca9bc-8a68-4901-a991-dafaa633b034' + BlockAdobeReaderFromCreatingChildProcesses = 'audit' + BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions = @('Adobe Reader Exclusion') + BlockAllOfficeApplicationsFromCreatingChildProcesses = 'warn' + BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem = 'warn' + BlockWin32APICallsFromOfficeMacros = 'block' + BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions = @('Win32 API Calls Exclusion') + Credential = $Credential + Description = 'My Test' + DisplayName = 'asdfads' + Ensure = 'Present' + Identity = '12345-12345-12345-12345-12345' } Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { 
@@ -234,23 +305,17 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { deviceAndAppManagementAssignmentFilterType = 'none' } -ClientOnly) ) - BlockAdobeReaderFromCreatingChildProcesses = 'audit' - BlockAllOfficeApplicationsFromCreatingChildProcesses = 'warn' - BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem = 'warn' - BlockWin32APICallsFromOfficeMacros = 'block' #drift - Credential = $Credential - Description = 'test' - DisplayName = 'asdfads' - Ensure = 'Present' - Identity = '12345-12345-12345-12345-12345' - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '12345-12345-12345-12345-12345' - Description = 'My Test' - Name = 'asdfads' - } + BlockAdobeReaderFromCreatingChildProcesses = 'audit' + BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions = @('Adobe Reader Exclusion') + BlockAllOfficeApplicationsFromCreatingChildProcesses = 'warn' + BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem = 'block' # Drift + BlockWin32APICallsFromOfficeMacros = 'block' + BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions = @('Win32 API Calls Exclusion') + Credential = $Credential + Description = 'My Test' + DisplayName = 'asdfads' + Ensure = 'Present' + Identity = '12345-12345-12345-12345-12345' } } 
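Review bot: The drift context changes only a rule mode (`BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem = 'block'` against the mocked `_warn` value), so none of the visible tests checks that a difference in the new `*_ASROnlyPerRuleExclusions` lists is reported as drift. An exclusion present in the tenant but absent from the desired configuration weakens the ASR rule it is attached to, and that is the case `Test-TargetResource` most needs to catch for these parameters. I would add a second drift context where `BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions = @()` while the shared mock still returns 'Win32 API Calls Exclusion', asserting `Test-TargetResource @testParams | Should -Be $false`. The enclosing Context block starts and ends outside this hunk.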
@@ -278,23 +343,17 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { deviceAndAppManagementAssignmentFilterType = 'none' } -ClientOnly) ) - BlockAdobeReaderFromCreatingChildProcesses = 'audit' - BlockAllOfficeApplicationsFromCreatingChildProcesses = 'warn' - BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem = 'warn' - BlockWin32APICallsFromOfficeMacros = 'block' - Credential = $Credential - Description = 'My Test' - DisplayName = 'asdfads' - Ensure = 'Present' - Identity = '12345-12345-12345-12345-12345' - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '12345-12345-12345-12345-12345' - Description = 'My Test' - Name = 'asdfads' - } + BlockAdobeReaderFromCreatingChildProcesses = 'audit' + BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions = @('Adobe Reader Exclusion') + BlockAllOfficeApplicationsFromCreatingChildProcesses = 'warn' + BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem = 'warn' + BlockWin32APICallsFromOfficeMacros = 'block' + BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions = @('Win32 API Calls Exclusion') + Credential = $Credential + Description = 'My Test' + DisplayName = 'asdfads' + Ensure = 'Present' + Identity = '12345-12345-12345-12345-12345' } } 
@@ -313,23 +372,17 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { deviceAndAppManagementAssignmentFilterType = 'none' } -ClientOnly) ) - BlockAdobeReaderFromCreatingChildProcesses = 'audit' - BlockAllOfficeApplicationsFromCreatingChildProcesses = 'warn' - BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem = 'warn' - BlockWin32APICallsFromOfficeMacros = 'block' - Credential = $Credential - Description = 'test' - DisplayName = 'asdfads' - Ensure = 'Absent' - Identity = '12345-12345-12345-12345-12345' - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '12345-12345-12345-12345-12345' - Description = 'My Test' - Name = 'asdfads' - } + BlockAdobeReaderFromCreatingChildProcesses = 'audit' + BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions = @('Adobe Reader Exclusion') + BlockAllOfficeApplicationsFromCreatingChildProcesses = 'warn' + BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem = 'warn' + BlockWin32APICallsFromOfficeMacros = 'block' + BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions = @('Win32 API Calls Exclusion') + Credential = $Credential + Description = 'My Test' + DisplayName = 'asdfads' + Ensure = 'Absent' + Identity = '12345-12345-12345-12345-12345' } } @@ -354,17 +407,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Credential = $Credential } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '12345-12345-12345-12345-12345' - Description = 'My Test' - Name = 'asdfads' - TemplateReference = @{ - TemplateId = 'e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1' - } - } - } } It 'Should Reverse Engineer resource from the Export method' { diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.M365DSCRuleEvaluation.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.M365DSCRuleEvaluation.Tests.ps1 index 4d9bba720b..415fd5f4c3 100644 
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.M365DSCRuleEvaluation.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.M365DSCRuleEvaluation.Tests.ps1 @@ -46,7 +46,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name 'The Rules are successfully evaluated.' -Fixture { BeforeAll { $testParams = @{ - ResourceName = 'AADConditionalAccessPolicy' + ResourceTypeName = 'AADConditionalAccessPolicy' RuleDefinition = "`$_.State -eq 'Enabled'" AfterRuleCountQuery = '-eq 1' Credential = $Credential @@ -61,7 +61,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name 'The Rules are NOT successfully evaluated.' -Fixture { BeforeAll { $testParams = @{ - ResourceName = 'AADConditionalAccessPolicy' + ResourceTypeName = 'AADConditionalAccessPolicy' RuleDefinition = "`$_.State -eq 'Enabled'" Credential = $Credential } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.PPTenantSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.PPTenantSettings.Tests.ps1 index f2b77657ff..9454ac6b15 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.PPTenantSettings.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.PPTenantSettings.Tests.ps1 @@ -143,6 +143,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name 'ReverseDSC Tests' -Fixture { BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" $testParams = @{ Credential = $Credential } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SCPolicyConfig.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SCPolicyConfig.Tests.ps1 new file mode 100644 index 0000000000..203c4883f0 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SCPolicyConfig.Tests.ps1 
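Review bot: In the PPTenantSettings hunk, `$Global:CurrentModeIsExport` and `$Global:PartialExportFileName` are set in `BeforeAll` and nothing visible resets them, so any context or test file that runs later in the same session may inherit export mode unless `CleanupScript` clears them (not shown here). Adding `AfterAll { $Global:CurrentModeIsExport = $false }` to the same Context would keep the state local to the ReverseDSC test; if `Export-TargetResource` writes the partial file named by the GUID, it should be removed there as well. The same two assignments are added to the ReverseDSC context of the IntuneSecurityBaselineDefenderForEndpoint tests earlier in this diff.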
@@ -0,0 +1,426 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Set-PolicyConfig -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AdvancedClassificationEnabled = $True; + AuditFileActivity = $True; + BandwidthLimitEnabled = $False; + BusinessJustificationList = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification1' + Enable = 
$True + justificationText = 'default:Were' + } -ClientOnly) + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification2' + Enable = $True + justificationText = 'default:Not' + } -ClientOnly) + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification3' + Enable = $True + justificationText = 'default:Going' + } -ClientOnly) + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification4' + Enable = $True + justificationText = 'default:To' + } -ClientOnly) + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification5' + Enable = $True + justificationText = 'default:Take It' + } -ClientOnly) + ); + CloudAppMode = "Block"; + CloudAppRestrictionList = @("contoso.net","contoso.com"); + CustomBusinessJustificationNotification = 3; + DailyBandwidthLimitInMB = 0; + DLPAppGroups = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPAppGroups -Property @{ + Name = 'Maracas' + Description = 'Lacucaracha' + Apps = [CimInstance[]](New-CiMInstance -ClassName MSFT_PolicyConfigDLPApp -Property @{ + ExecutableName = 'toc.exe' + Name = 'toctoctoc' + Quarantine = $False + } -ClientOnly) + } -ClientOnly) + ); + DLPNetworkShareGroups = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPNetworkShareGroups -Property @{ + groupName = 'Network Share Group' + networkPaths = @('\\share2','\\share') + } -ClientOnly) + ); + DLPPrinterGroups = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPPrinterGroups -Property @{ + groupName = 'MyGroup' + printers = [CimInstance[]](New-CiMInstance -ClassName MSFT_PolicyConfigPrinter -Property @{ + universalPrinter = $False + usbPrinter = $True + usbPrinterId = '' + name = 'asdf' + alias = 'aasdf' + usbPrinterVID = '' + ipRange = (New-CiMInstance -ClassName MSFT_PolicyConfigIPRange -Property @{ + 
fromAddress = '' + toAddress = '' + } -ClientOnly) + corporatePrinter = $False + printToLocal = $False + printToFile = $False + } -ClientOnly) + } -ClientOnly) + ); + DLPRemovableMediaGroups = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPRemovableMediaGroups -Property @{ + groupName = 'My Removable USB device group' + removableMedia = [CimInstance[]](New-CiMInstance -ClassName MSFT_PolicyConfigRemovableMedia -Property @{ + deviceId = 'Nik' + removableMediaVID = 'bob' + name = 'MaCles' + alias = 'My Device' + removableMediaPID = 'asdfsd' + instancePathId = 'instance path' + serialNumberId = 'asdf' + hardwareId = 'hardware' + } -ClientOnly) + } -ClientOnly) + ); + EvidenceStoreSettings = (New-CiMInstance -ClassName MSFT_PolicyConfigEvidenceStoreSettings -Property @{ + FileEvidenceIsEnabled = $True + NumberOfDaysToRetain = 7 + StorageAccounts = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigStorageAccount -Property @{ + Name = 'My storage' + BlobUri = 'https://contoso.com' + } -ClientOnly) + ) + Store = 'CustomerManaged' + } -ClientOnly); + IncludePredefinedUnallowedBluetoothApps = $True; + IsSingleInstance = "Yes"; + MacDefaultPathExclusionsEnabled = $True; + MacPathExclusion = @("/pear","/apple","/orange"); + NetworkPathEnforcementEnabled = $True; + NetworkPathExclusion = "\\MyFirstPath:\\MySecondPath:\\MythirdPAth"; + PathExclusion = @("\\includemenot","\\excludemeWindows","\\excludeme3"); + QuarantineParameters = (New-CiMInstance -ClassName MSFT_PolicyConfigQuarantineParameters -Property @{ + EnableQuarantineForCloudSyncApps = $False + QuarantinePath = '%homedrive%%homepath%\Microsoft DLP\Quarantine' + MacQuarantinePath = '/System/Applications/Microsoft DLP/QuarantineMA' + ShouldReplaceFile = $True + FileReplacementText = 'Gargamel' + } -ClientOnly) + serverDlpEnabled = $True; + SiteGroups = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPSiteGroups -Property @{ + Name = 'Whatever' + Addresses = (New-CiMInstance -ClassName 
MSFT_PolicyConfigSiteGroupAddress -Property @{ + MatchType = 'UrlMatch' + Url = 'Karakette.com' + AddressLower = '' + AddressUpper = '' + } -ClientOnly) + } -ClientOnly) + ); + TenantId = $OrganizationName; + UnallowedApp = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'Caramel' + Executable = 'cara.exe' + } -ClientOnly) + ); + UnallowedBluetoothApp = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'bluetooth' + Executable = 'micase.exe' + } -ClientOnly) + ); + UnallowedBrowser = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'UC Browser' + Executable = 'ucbrowser.exe' + } -ClientOnly) + ); + UnallowedCloudSyncApp = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'ikochou' + Executable = 'gillex.msi' + } -ClientOnly) + ); + VPNSettings = @("MyVPNAddress","MySecondVPNAddress"); + Credential = $Credential; + } + + Mock -CommandName Get-PolicyConfig -MockWith { + return @{ + EndpointDlpGlobalSettings = '[{"Value":"true","Setting":"AdvancedClassificationEnabled"},{"Value":"false","Setting":"BandwidthLimitEnabled"},{"Value":"{\"FileEvidenceIsEnabled\":true,\"NumberOfDaysToRetain\":7,\"Store\":\"CustomerManaged\",\"StorageAccounts\":[{\"BlobUri\":\"https:\/\/contoso.com\",\"Name\":\"My 
storage\"}]}","Setting":"EvidenceStoreSettings"},{"Value":"true","Setting":"MacDefaultPathExclusionsEnabled"},{"Value":"\\\\includemenot","Setting":"PathExclusion"},{"Value":"\\\\excludemeWindows","Setting":"PathExclusion"},{"Value":"\\\\excludeme3","Setting":"PathExclusion"},{"Value":"\/pear","Setting":"MacPathExclusion"},{"Value":"\/apple","Setting":"MacPathExclusion"},{"Value":"\/orange","Setting":"MacPathExclusion"},{"Value":"Caramel","Executable":"cara.exe","Setting":"UnallowedApp"},{"Value":"ikochou","Executable":"gillex.msi","Setting":"UnallowedCloudSyncApp"},{"Value":"true","Setting":"NetworkPathEnforcementEnabled"},{"Value":"\\\\MyFirstPath:\\\\MySecondPath:\\\\MythirdPAth","Setting":"NetworkPathExclusion"},{"Value":"{\"FileReplacementText\":\"Gargamel\",\"MacQuarantinePath\":\"\/System\/Applications\/Microsoft DLP\/QuarantineMA\",\"QuarantinePath\":\"%homedrive%%homepath%\\\\Microsoft DLP\\\\Quarantine\",\"EnableQuarantineForCloudSyncApps\":false,\"ShouldReplaceFile\":true}","Setting":"QuarantineParameters"},{"Value":"True","Setting":"IncludePredefinedUnallowedBluetoothApps"},{"Value":"bluetooth","Executable":"micase.exe","Setting":"UnallowedBluetoothApp"},{"Value":"UC Browser","Executable":"ucbrowser.exe","Setting":"UnallowedBrowser"},{"Value":"contoso.net","Setting":"CloudAppRestrictionList"},{"Value":"contoso.com","Setting":"CloudAppRestrictionList"},{"Value":"Block","Setting":"CloudAppMode"},{"Value":"3","Setting":"CustomBusinessJustificationNotification"},{"Value":"[{\"Enable\":true,\"justificationText\":[\"default:Were\"],\"Id\":\"businessJustification1\"},{\"Enable\":true,\"justificationText\":[\"default:Not\"],\"Id\":\"businessJustification2\"},{\"Enable\":true,\"justificationText\":[\"default:Going\"],\"Id\":\"businessJustification3\"},{\"Enable\":true,\"justificationText\":[\"default:To\"],\"Id\":\"businessJustification4\"},{\"Enable\":true,\"justificationText\":[\"default:Take 
It\"],\"Id\":\"businessJustification5\"}]","Setting":"BusinessJustificationList"},{"Value":"{\u000d\u000a \"serverAddress\": [\u000d\u000a \"MyVPNAddress\",\u000d\u000a \"MySecondVPNAddress\"]\u000d\u000a}","Setting":"VPNSettings"},{"Value":"true","Setting":"serverDlpEnabled"},{"Value":"false","Setting":"AuditFileActivity"}]' + DlpAppGroups = '[{"Apps":[{"ExecutableName":"toc.exe","Name":"toctoctoc","Quarantine":false}],"Description":"Lacucaracha","Id":"22a9399b-d306-49c6-987d-0504316ee1c1","Name":"Maracas"}]' + SiteGroups = '[{"Id":"495844da-c2ab-4511-a996-0b9a58917920","Name":"Whatever","Description":"","Addresses":[{"Url":"Karakette.com","AddressLower":"","AddressUpper":"","MatchType":"UrlMatch"}]}]' + DlpPrinterGroups = '{"groups":[{"groupName":"MyGroup","groupId":"99a4cdac-cc9c-46f4-af2f-bb7201743c2a","printers":[{"name":"asdf","usbPrinter":"true","alias":"aasdf"}]}]}' + DlpNetworkShareGroups = '{"groups":[{"groupName":"Network Share Group","groupId":"edd675bb-3b5c-482e-9b17-1fcd1af36e2d","networkPaths":["\\\\share2","\\\\share"]}]}' + DlpRemovableMediaGroups = '{"groups":[{"groupName":"My Removable USB device group","removableMedia":[{"deviceId":"Nik","removableMediaVID":"bob","name":"MaCles","alias":"My Device","removableMediaPID":"asdfsd","instancePathId":"instance path","serialNumberId":"asdf","hardwareId":"hardware"}],"groupId":"0883ccc3-75c1-4ab0-adb3-d4a846313618"}]}' + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AdvancedClassificationEnabled = $True; + AuditFileActivity = $True; #Drift + BandwidthLimitEnabled = $False; + BusinessJustificationList = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification1' + Enable = $True + justificationText = 'default:Were' + } -ClientOnly) 
+ (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification2' + Enable = $True + justificationText = 'default:Not' + } -ClientOnly) + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification3' + Enable = $True + justificationText = 'default:Going' + } -ClientOnly) + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification4' + Enable = $True + justificationText = 'default:To' + } -ClientOnly) + (New-CiMInstance -ClassName MSFT_PolicyConfigBusinessJustificationList -Property @{ + Id = 'businessJustification5' + Enable = $True + justificationText = 'default:Take It' + } -ClientOnly) + ); + CloudAppMode = "Block"; + CloudAppRestrictionList = @("contoso.net","contoso.com"); + CustomBusinessJustificationNotification = 3; + DailyBandwidthLimitInMB = 0; + DLPAppGroups = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPAppGroups -Property @{ + Name = 'Maracas' + Description = 'Lacucaracha' + Apps = [CimInstance[]](New-CiMInstance -ClassName MSFT_PolicyConfigDLPApp -Property @{ + ExecutableName = 'toc.exe' + Name = 'toctoctoc' + Quarantine = $False + } -ClientOnly) + } -ClientOnly) + ); + DLPNetworkShareGroups = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPNetworkShareGroups -Property @{ + groupName = 'Network Share Group' + networkPaths = @('\\share2','\\share') + } -ClientOnly) + ); + DLPPrinterGroups = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPPrinterGroups -Property @{ + groupName = 'MyGroup' + printers = [CimInstance[]](New-CiMInstance -ClassName MSFT_PolicyConfigPrinter -Property @{ + universalPrinter = $False + usbPrinter = $True + usbPrinterId = '' + name = 'asdf' + alias = 'aasdf' + usbPrinterVID = '' + ipRange = (New-CiMInstance -ClassName MSFT_PolicyConfigIPRange -Property @{ + fromAddress = '' + toAddress = '' + } -ClientOnly) + 
corporatePrinter = $False + printToLocal = $False + printToFile = $False + } -ClientOnly) + } -ClientOnly) + ); + DLPRemovableMediaGroups = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPRemovableMediaGroups -Property @{ + groupName = 'My Removable USB device group' + removableMedia = [CimInstance[]](New-CiMInstance -ClassName MSFT_PolicyConfigRemovableMedia -Property @{ + deviceId = 'Nik' + removableMediaVID = 'bob' + name = 'MaCles' + alias = 'My Device' + removableMediaPID = 'asdfsd' + instancePathId = 'instance path' + serialNumberId = 'asdf' + hardwareId = 'hardware' + } -ClientOnly) + } -ClientOnly) + ); + EnableLabelCoauth = $False; + EnableSpoAipMigration = $False; + EvidenceStoreSettings = (New-CiMInstance -ClassName MSFT_PolicyConfigEvidenceStoreSettings -Property @{ + FileEvidenceIsEnabled = $True + NumberOfDaysToRetain = 7 + StorageAccounts = [CimInstance[]]@( + (New-CiMInstance -ClassName MSFT_PolicyConfigStorageAccount -Property @{ + Name = 'My storage' + BlobUri = 'https://contoso.com' + } -ClientOnly) + ) + Store = 'CustomerManaged' + } -ClientOnly); + IncludePredefinedUnallowedBluetoothApps = $True; + IsSingleInstance = "Yes"; + MacDefaultPathExclusionsEnabled = $True; + MacPathExclusion = @("/pear","/apple","/orange"); + NetworkPathEnforcementEnabled = $True; + NetworkPathExclusion = "\\MyFirstPath:\\MySecondPath:\\MythirdPAth"; + PathExclusion = @("\\includemenot","\\excludemeWindows","\\excludeme3"); + QuarantineParameters = (New-CiMInstance -ClassName MSFT_PolicyConfigQuarantineParameters -Property @{ + EnableQuarantineForCloudSyncApps = $False + QuarantinePath = '%homedrive%%homepath%\Microsoft DLP\Quarantine' + MacQuarantinePath = '/System/Applications/Microsoft DLP/QuarantineMA' + ShouldReplaceFile = $True + FileReplacementText = 'Gargamel' + } -ClientOnly) + serverDlpEnabled = $True; + SiteGroups = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigDLPSiteGroups -Property @{ + Name = 'Whatever' + Addresses = (New-CiMInstance -ClassName 
MSFT_PolicyConfigSiteGroupAddress -Property @{ + MatchType = 'UrlMatch' + Url = 'Karakette.com' + AddressLower = '' + AddressUpper = '' + } -ClientOnly) + } -ClientOnly) + ); + TenantId = $OrganizationName; + UnallowedApp = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'Caramel' + Executable = 'cara.exe' + } -ClientOnly) + ); + UnallowedBluetoothApp = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'bluetooth' + Executable = 'micase.exe' + } -ClientOnly) + ); + UnallowedBrowser = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'UC Browser' + Executable = 'ucbrowser.exe' + } -ClientOnly) + ); + UnallowedCloudSyncApp = @( + (New-CiMInstance -ClassName MSFT_PolicyConfigApp -Property @{ + Value = 'ikochou' + Executable = 'gillex.msi' + } -ClientOnly) + ); + VPNSettings = @("MyVPNAddress","MySecondVPNAddress"); + Credential = $Credential; + } + + Mock -CommandName Get-PolicyConfig -MockWith { + return @{ + EndpointDlpGlobalSettings = '[{"Value":"true","Setting":"AdvancedClassificationEnabled"},{"Value":"false","Setting":"BandwidthLimitEnabled"},{"Value":"{\"FileEvidenceIsEnabled\":true,\"NumberOfDaysToRetain\":7,\"Store\":\"CustomerManaged\",\"StorageAccounts\":[{\"BlobUri\":\"https:\/\/contoso.com\",\"Name\":\"My 
storage\"}]}","Setting":"EvidenceStoreSettings"},{"Value":"true","Setting":"MacDefaultPathExclusionsEnabled"},{"Value":"\\\\includemenot","Setting":"PathExclusion"},{"Value":"\\\\excludemeWindows","Setting":"PathExclusion"},{"Value":"\\\\excludeme3","Setting":"PathExclusion"},{"Value":"\/pear","Setting":"MacPathExclusion"},{"Value":"\/apple","Setting":"MacPathExclusion"},{"Value":"\/orange","Setting":"MacPathExclusion"},{"Value":"fidouda","Executable":"nik.exe","Setting":"UnallowedApp"},{"Value":"Caramel","Executable":"cara.exe","Setting":"UnallowedApp"},{"Value":"Fudge","Executable":"chocolate.exe","Setting":"UnallowedApp"},{"Value":"ikochou","Executable":"gillex.msi","Setting":"UnallowedCloudSyncApp"},{"Value":"true","Setting":"NetworkPathEnforcementEnabled"},{"Value":"\\\\MyFirstPath:\\\\MySecondPath:\\\\MythirdPAth","Setting":"NetworkPathExclusion"},{"Value":"{\"FileReplacementText\":\"Gargamel\",\"MacQuarantinePath\":\"\/System\/Applications\/Microsoft DLP\/QuarantineMA\",\"QuarantinePath\":\"%homedrive%%homepath%\\\\Microsoft DLP\\\\Quarantine\",\"EnableQuarantineForCloudSyncApps\":false,\"ShouldReplaceFile\":true}","Setting":"QuarantineParameters"},{"Value":"True","Setting":"IncludePredefinedUnallowedBluetoothApps"},{"Value":"bluetooth","Executable":"micase.exe","Setting":"UnallowedBluetoothApp"},{"Value":"PatateWeb","Executable":"patate.exe","Setting":"UnallowedBrowser"},{"Value":"UC 
Browser","Executable":"ucbrowser.exe","Setting":"UnallowedBrowser"},{"Value":"CapitainOS","Executable":"captn.exe","Setting":"UnallowedBrowser"},{"Value":"contosodigritti.net","Setting":"CloudAppRestrictionList"},{"Value":"contosodidlidou.com","Setting":"CloudAppRestrictionList"},{"Value":"samibou.org","Setting":"CloudAppRestrictionList"},{"Value":"Block","Setting":"CloudAppMode"},{"Value":"3","Setting":"CustomBusinessJustificationNotification"},{"Value":"[{\"Enable\":true,\"justificationText\":[\"default:Were\"],\"Id\":\"businessJustification1\"},{\"Enable\":true,\"justificationText\":[\"default:Not\"],\"Id\":\"businessJustification2\"},{\"Enable\":true,\"justificationText\":[\"default:Going\"],\"Id\":\"businessJustification3\"},{\"Enable\":true,\"justificationText\":[\"default:To\"],\"Id\":\"businessJustification4\"},{\"Enable\":true,\"justificationText\":[\"default:Take It\"],\"Id\":\"businessJustification5\"}]","Setting":"BusinessJustificationList"},{"Value":"{\u000d\u000a \"serverAddress\": [\u000d\u000a \"MyVPNAddress\",\u000d\u000a \"MySecondVPNAddress\",\u000d\u000a \"DevineQui\"\u000d\u000a ]\u000d\u000a}","Setting":"VPNSettings"},{"Value":"true","Setting":"serverDlpEnabled"},{"Value":"false","Setting":"AuditFileActivity"}]' + DlpAppGroups = '[{"Apps":[{"ExecutableName":"toc.exe","Name":"toctoctoc","Quarantine":false}],"Description":"Lacucaracha","Id":"22a9399b-d306-49c6-987d-0504316ee1c1","Name":"Maracas"}]' + SiteGroups = '[{"Id":"495844da-c2ab-4511-a996-0b9a58917920","Name":"Whatever","Description":"","Addresses":[{"Url":"Karakette.com","AddressLower":"","AddressUpper":"","MatchType":"UrlMatch"}]}]' + DlpPrinterGroups = '{"groups":[{"groupName":"MyGroup","groupId":"99a4cdac-cc9c-46f4-af2f-bb7201743c2a","printers":[{"name":"asdf","usbPrinter":"true","alias":"aasdf"}]}]}' + DlpNetworkShareGroups = '{"groups":[{"groupName":"Network Share Group","groupId":"edd675bb-3b5c-482e-9b17-1fcd1af36e2d","networkPaths":["\\\\share2","\\\\share"]}]}' + 
DlpRemovableMediaGroups = '{"groups":[{"groupName":"My Removable USB device group","removableMedia":[{"deviceId":"Nik","removableMediaVID":"bob","name":"MaCles","alias":"My Device","removableMediaPID":"asdfsd","instancePathId":"instance path","serialNumberId":"asdf","hardwareId":"hardware"}],"groupId":"0883ccc3-75c1-4ab0-adb3-d4a846313618"}]}' + } + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-PolicyConfig -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-PolicyConfig -MockWith { + return @{ + EndpointDlpGlobalSettings = '[{"Value":"true","Setting":"AdvancedClassificationEnabled"},{"Value":"false","Setting":"BandwidthLimitEnabled"},{"Value":"{\"FileEvidenceIsEnabled\":true,\"NumberOfDaysToRetain\":7,\"Store\":\"CustomerManaged\",\"StorageAccounts\":[{\"BlobUri\":\"https:\/\/contoso.com\",\"Name\":\"My 
storage\"}]}","Setting":"EvidenceStoreSettings"},{"Value":"true","Setting":"MacDefaultPathExclusionsEnabled"},{"Value":"\\\\includemenot","Setting":"PathExclusion"},{"Value":"\\\\excludemeWindows","Setting":"PathExclusion"},{"Value":"\\\\excludeme3","Setting":"PathExclusion"},{"Value":"\/pear","Setting":"MacPathExclusion"},{"Value":"\/apple","Setting":"MacPathExclusion"},{"Value":"\/orange","Setting":"MacPathExclusion"},{"Value":"fidouda","Executable":"nik.exe","Setting":"UnallowedApp"},{"Value":"Caramel","Executable":"cara.exe","Setting":"UnallowedApp"},{"Value":"Fudge","Executable":"chocolate.exe","Setting":"UnallowedApp"},{"Value":"ikochou","Executable":"gillex.msi","Setting":"UnallowedCloudSyncApp"},{"Value":"true","Setting":"NetworkPathEnforcementEnabled"},{"Value":"\\\\MyFirstPath:\\\\MySecondPath:\\\\MythirdPAth","Setting":"NetworkPathExclusion"},{"Value":"{\"FileReplacementText\":\"Gargamel\",\"MacQuarantinePath\":\"\/System\/Applications\/Microsoft DLP\/QuarantineMA\",\"QuarantinePath\":\"%homedrive%%homepath%\\\\Microsoft DLP\\\\Quarantine\",\"EnableQuarantineForCloudSyncApps\":false,\"ShouldReplaceFile\":true}","Setting":"QuarantineParameters"},{"Value":"True","Setting":"IncludePredefinedUnallowedBluetoothApps"},{"Value":"bluetooth","Executable":"micase.exe","Setting":"UnallowedBluetoothApp"},{"Value":"PatateWeb","Executable":"patate.exe","Setting":"UnallowedBrowser"},{"Value":"UC 
Browser","Executable":"ucbrowser.exe","Setting":"UnallowedBrowser"},{"Value":"CapitainOS","Executable":"captn.exe","Setting":"UnallowedBrowser"},{"Value":"contosodigritti.net","Setting":"CloudAppRestrictionList"},{"Value":"contosodidlidou.com","Setting":"CloudAppRestrictionList"},{"Value":"samibou.org","Setting":"CloudAppRestrictionList"},{"Value":"Block","Setting":"CloudAppMode"},{"Value":"3","Setting":"CustomBusinessJustificationNotification"},{"Value":"[{\"Enable\":true,\"justificationText\":[\"default:Were\"],\"Id\":\"businessJustification1\"},{\"Enable\":true,\"justificationText\":[\"default:Not\"],\"Id\":\"businessJustification2\"},{\"Enable\":true,\"justificationText\":[\"default:Going\"],\"Id\":\"businessJustification3\"},{\"Enable\":true,\"justificationText\":[\"default:To\"],\"Id\":\"businessJustification4\"},{\"Enable\":true,\"justificationText\":[\"default:Take It\"],\"Id\":\"businessJustification5\"}]","Setting":"BusinessJustificationList"},{"Value":"{\u000d\u000a \"serverAddress\": [\u000d\u000a \"MyVPNAddress\",\u000d\u000a \"MySecondVPNAddress\",\u000d\u000a \"DevineQui\"\u000d\u000a ]\u000d\u000a}","Setting":"VPNSettings"},{"Value":"true","Setting":"serverDlpEnabled"},{"Value":"false","Setting":"AuditFileActivity"}]' + DlpAppGroups = '[{"Apps":[{"ExecutableName":"toc.exe","Name":"toctoctoc","Quarantine":false}],"Description":"Lacucaracha","Id":"22a9399b-d306-49c6-987d-0504316ee1c1","Name":"Maracas"}]' + SiteGroups = '[{"Id":"495844da-c2ab-4511-a996-0b9a58917920","Name":"Whatever","Description":"","Addresses":[{"Url":"Karakette.com","AddressLower":"","AddressUpper":"","MatchType":"UrlMatch"}]}]' + DlpPrinterGroups = '{"groups":[{"groupName":"MyGroup","groupId":"99a4cdac-cc9c-46f4-af2f-bb7201743c2a","printers":[{"name":"asdf","usbPrinter":"true","alias":"aasdf"}]}]}' + DlpNetworkShareGroups = '{"groups":[{"groupName":"Network Share Group","groupId":"edd675bb-3b5c-482e-9b17-1fcd1af36e2d","networkPaths":["\\\\share2","\\\\share"]}]}' + 
DlpRemovableMediaGroups = '{"groups":[{"groupName":"My Removable USB device group","removableMedia":[{"deviceId":"Nik","removableMediaVID":"bob","name":"MaCles","alias":"My Device","removableMediaPID":"asdfsd","instancePathId":"instance path","serialNumberId":"asdf","hardwareId":"hardware"}],"groupId":"0883ccc3-75c1-4ab0-adb3-d4a846313618"}]}' + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SPOTenantSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SPOTenantSettings.Tests.ps1 index 30eb96c585..de2f686924 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SPOTenantSettings.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SPOTenantSettings.Tests.ps1 @@ -36,6 +36,10 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { return $null } + Mock -CommandName Invoke-PnPSPRestMethod -MockWith { + return $null + } + # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelAlertRule.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelAlertRule.Tests.ps1 new file mode 100644 index 0000000000..90786e49f9 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelAlertRule.Tests.ps1 
@@ -0,0 +1,459 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-AzResource -MockWith { + return @{ + ResourceGroupName = "MyResourceGroup" + Name = 'MySentinelWorkspace' + ResourceId = "name/part/resourceId/" + } + } + + Mock -CommandName New-M365DSCSentinelAlertRule -MockWith { + + } + + Mock -CommandName Remove-M365DSCSentinelAlertRule -MockWith { + + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + AlertDetailsOverride = (New-CimInstance 
-ClassName MSFT_SentinelAlertRuleAlertDetailsOverride -Property @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + } -ClientOnly) + CustomDetails = @( + (New-CimInstance -ClassName MSFT_SentinelAlertRuleCustomDetails -Property @{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } -ClientOnly) + ) + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $True; + Ensure = "Present"; + EventGroupingSettings = (New-CimInstance -ClassName MSFT_SentinelAlertRuleEventGroupingSettings -Property @{ + aggregationKind = 'AlertPerResult' + } -ClientOnly) + IncidentConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfiguration -Property @{ + groupingConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration -Property @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } -ClientOnly) + createIncident = $True + } -ClientOnly) + Kind = "NRT"; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "TBDSentinel"; + Severity = "Medium"; + SubscriptionId = "42136a41-5030-4140-aba0-7e6211115d3a"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + WorkspaceName = "SentinelWorkspace"; + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCSentinelAlertRule -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-M365DSCSentinelAlertRule -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + 
BeforeAll { + $testParams = @{ + AlertDetailsOverride = (New-CimInstance -ClassName MSFT_SentinelAlertRuleAlertDetailsOverride -Property @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + } -ClientOnly) + CustomDetails = @( + (New-CimInstance -ClassName MSFT_SentinelAlertRuleCustomDetails -Property @{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } -ClientOnly) + ) + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $True; + Ensure = "Absent"; + EventGroupingSettings = (New-CimInstance -ClassName MSFT_SentinelAlertRuleEventGroupingSettings -Property @{ + aggregationKind = 'AlertPerResult' + } -ClientOnly) + IncidentConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfiguration -Property @{ + groupingConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration -Property @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } -ClientOnly) + createIncident = $True + } -ClientOnly) + Kind = "NRT"; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "TBDSentinel"; + Severity = "Medium"; + SubscriptionId = "42136a41-5030-4140-aba0-7e6211115d3a"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + WorkspaceName = "SentinelWorkspace"; + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCSentinelAlertRule -MockWith { + return @{ + Kind = 'NRT' + name = '12345-12345-12345-12345-12345' + properties = @{ + Query = "ThreatIntelIndicators"; + Severity = "Medium"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $True; + AlertDetailsOverride = @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from 
{{{TimeGenerated}} ' + } + CustomDetails = @( + @{ + Color = 'TenantId' + } + ) + EventGroupingSettings = @{ + aggregationKind = 'AlertPerResult' + } + IncidentConfiguration = @{ + groupingConfiguration = @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + } + } + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-M365DSCSentinelAlertRule -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AlertDetailsOverride = (New-CimInstance -ClassName MSFT_SentinelAlertRuleAlertDetailsOverride -Property @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + } -ClientOnly) + CustomDetails = @( + (New-CimInstance -ClassName MSFT_SentinelAlertRuleCustomDetails -Property @{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } -ClientOnly) + ) + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $True; + Ensure = "Present"; + EventGroupingSettings = (New-CimInstance -ClassName MSFT_SentinelAlertRuleEventGroupingSettings -Property @{ + aggregationKind = 'AlertPerResult' + } -ClientOnly) + IncidentConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfiguration -Property @{ + groupingConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration -Property @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + 
groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } -ClientOnly) + createIncident = $True + } -ClientOnly) + Kind = "NRT"; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "TBDSentinel"; + Severity = "Medium"; + SubscriptionId = "42136a41-5030-4140-aba0-7e6211115d3a"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + WorkspaceName = "SentinelWorkspace"; + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCSentinelAlertRule -MockWith { + return @{ + Kind = 'NRT' + name = '12345-12345-12345-12345-12345' + properties = @{ + Query = "ThreatIntelIndicators"; + Severity = "Medium"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $True; + AlertDetailsOverride = @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + } + CustomDetails = + [PSCustomObject]@{ + Color = 'TenantId' + } + EventGroupingSettings = @{ + aggregationKind = 'AlertPerResult' + } + IncidentConfiguration = @{ + groupingConfiguration = @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + } + } + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AlertDetailsOverride = (New-CimInstance -ClassName MSFT_SentinelAlertRuleAlertDetailsOverride -Property @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + } -ClientOnly) + CustomDetails = @( + (New-CimInstance -ClassName MSFT_SentinelAlertRuleCustomDetails -Property @{ + DetailKey = 
'Color' + DetailValue = 'TenantId' + } -ClientOnly) + ) + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $False; #Drift + Ensure = "Present"; + EventGroupingSettings = (New-CimInstance -ClassName MSFT_SentinelAlertRuleEventGroupingSettings -Property @{ + aggregationKind = 'AlertPerResult' + } -ClientOnly) + IncidentConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfiguration -Property @{ + groupingConfiguration = (New-CimInstance -ClassName MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration -Property @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } -ClientOnly) + createIncident = $True + } -ClientOnly) + Kind = "NRT"; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "TBDSentinel"; + Severity = "Medium"; + SubscriptionId = "42136a41-5030-4140-aba0-7e6211115d3a"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + WorkspaceName = "SentinelWorkspace"; + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCSentinelAlertRule -MockWith { + return @{ + Kind = 'NRT' + name = '12345-12345-12345-12345-12345' + properties = @{ + Query = "ThreatIntelIndicators"; + Severity = "Medium"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $True; + AlertDetailsOverride = @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + } + CustomDetails = @( + @{ + Color = 'TenantId' + } + ) + EventGroupingSettings = @{ + aggregationKind = 'AlertPerResult' + } + IncidentConfiguration = @{ + groupingConfiguration = @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } 
+ createIncident = $True + } + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-M365DSCSentinelAlertRule -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCSentinelAlertRule -MockWith { + return @{ + Kind = 'NRT' + name = '12345-12345-12345-12345-12345' + properties = @{ + Query = "ThreatIntelIndicators"; + Severity = "Medium"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + Description = "Test"; + DisplayName = "TestDSC1"; + Enabled = $True; + AlertDetailsOverride = @{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + } + CustomDetails = @( + @{ + Color = 'TenantId' + } + ) + EventGroupingSettings = @{ + aggregationKind = 'AlertPerResult' + } + IncidentConfiguration = @{ + groupingConfiguration = @{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + } + } + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope 
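Review bot: In the "values are NOT in the desired state" context, the `Get-M365DSCSentinelAlertRule` mock returns `CustomDetails = @( @{ Color = 'TenantId' } )`, while the "already in the desired state" context returns `[PSCustomObject]@{ Color = 'TenantId' }`. The drift case therefore differs from the passing case in two ways, and `Test-TargetResource` may return `$false` because of the CustomDetails shape rather than the `Enabled = $False; #Drift` value. Since this resource controls whether a Sentinel alert rule is enabled, the drift test should isolate that property: use `CustomDetails = [PSCustomObject]@{ Color = 'TenantId' }` in the drift mock so `Enabled` is the only difference. How the resource reads CustomDetails is not visible in this hunk, so confirm against Get-TargetResource. Separately, `'Alert from {{{TimeGenerated}} '` has three opening and two closing braces in every fixture; if `{{TimeGenerated}}` was intended, correct it in both the parameters and the mocks.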
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelThreatIntelligenceIndicator.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelThreatIntelligenceIndicator.Tests.ps1
new file mode 100644
index 0000000000..24bc9959c9
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelThreatIntelligenceIndicator.Tests.ps1
@@ -0,0 +1,264 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-AzResource -MockWith { + return @{ + ResourceGroupName = "MyResourceGroup" + Name = 'MySentinelWorkspace' + ResourceId = "name/part/resourceId/" + } + } + + Mock -CommandName Remove-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + } + + Mock -CommandName New-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + } + + Mock -CommandName Set-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance 
should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "MyIndicator"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-M365DSCSentinelThreatIntelligenceIndicator -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "MyIndicator"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + return @{ + name = '12345-12345-12345-12345-12345' + properties = @{ + displayName = 'MyIndicator' + labels = @("Tag1", "Tag2") + pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + patternType = 
"ipv6-addr"; + threatIntelligenceTags = @(); + validFrom = "2024-10-21T19:03:57.24Z"; + validUntil = "2024-10-21T19:03:57.24Z"; + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-M365DSCSentinelThreatIntelligenceIndicator -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "MyIndicator"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + return @{ + name = '12345-12345-12345-12345-12345' + properties = @{ + displayName = 'MyIndicator' + labels = @("Tag1", "Tag2") + pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + patternType = "ipv6-addr"; + threatIntelligenceTags = @(); + validFrom = "2024-10-21T19:03:57.24Z"; + validUntil = "2024-10-21T19:03:57.24Z"; + source = 'Microsoft Sentinel' + } + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "MyIndicator"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = 
'2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + return @{ + name = '12345-12345-12345-12345-12345' + properties = @{ + displayName = 'MyIndicator' + labels = @("Tag1", "Tag2") + pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + patternType = "ipv6-addr"; + threatIntelligenceTags = @(); + validFrom = "2024-10-22T19:03:57.24Z"; #Drift + validUntil = "2024-10-23T19:03:57.24Z"; #Drift + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-M365DSCSentinelThreatIntelligenceIndicator -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-M365DSCSentinelThreatIntelligenceIndicator -MockWith { + return @{ + name = '12345-12345-12345-12345-12345' + properties = @{ + displayName = 'MyIndicator' + labels = @("Tag1", "Tag2") + pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + patternType = "ipv6-addr"; + threatIntelligenceTags = @(); + validFrom = "2024-10-22T19:03:57.24Z"; + validUntil = "2024-10-23T19:03:57.24Z"; + source = 'Microsoft Sentinel' + } + } + } + } + It 'Should Reverse Engineer resource 
from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsGroupPolicyAssignment.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsGroupPolicyAssignment.Tests.ps1 index 7942363114..25a45d76f9 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsGroupPolicyAssignment.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsGroupPolicyAssignment.Tests.ps1 @@ -38,7 +38,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Find-CsGroup -MockWith { return @( @{ - Id= '00000000-0000-0000-0000-000000000000' Displayname = 'TestGroup' } ) diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsMeetingPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsMeetingPolicy.Tests.ps1 index 613623021b..2f1cf7b21f 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsMeetingPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.TeamsMeetingPolicy.Tests.ps1 @@ -104,6 +104,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowAnonymousUsersToStartMeeting = $False AllowChannelMeetingScheduling = $True AllowCloudRecording = $True + AllowExternalNonTrustedMeetingChat = $True AllowExternalParticipantGiveRequestControl = $False AllowIPVideo = $True AllowMeetNow = $True 
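Review bot: In the new SentinelThreatIntelligenceIndicator test file, the mock in the "values are NOT in the desired state" context differs from `$testParams` in more than the two lines marked `#Drift`: its `properties` block also has no `source`, whereas the desired-state mock just above includes `source = 'Microsoft Sentinel'`. If Test-TargetResource compares Source (the resource code is not part of this hunk), the test still returns `$false` even when the ValidFrom/ValidUntil comparison is broken, so it does not isolate date drift. Adding `source = 'Microsoft Sentinel'` to that mock would leave the two dates as the only difference. Separately, the indicator pattern reused in every fixture looks like a globally routable IPv6 address; a documentation-prefix value such as `[ipv6-addr:value = '2001:db8::1']` keeps a real host out of threat-intelligence test data.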
@@ -114,10 +115,22 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowSharedNotes = $True AllowTranscription = $False AllowWhiteboard = $True + AttendeeIdentityMasking = 'DisabledUserOverride' AutoAdmittedUsers = 'Everyone' + AutomaticallyStartCopilot = 'Disabled' + AutoRecording = 'Enabled' + ChannelRecordingDownload = 'Allow' + ConnectToMeetingControls = 'Enabled' + ContentSharingInExternalMeetings = 'EnabledForAnyone' + Copilot = 'EnabledWithTranscript' + CopyRestriction = $True + DetectSensitiveContentDuringScreenSharing = $True Description = $null + ExternalMeetingJoin = 'EnabledForAnyone' MediaBitRateKb = 50000 + ParticipantNameChange = 'Disabled' ScreenSharingMode = 'EntireScreen' + VoiceIsolation = 'Enabled' WhoCanRegister = 'EveryoneInCompany' Ensure = 'Present' Credential = $Credential @@ -129,6 +142,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowAnonymousUsersToStartMeeting = $False AllowChannelMeetingScheduling = $True AllowCloudRecording = $True + AllowExternalNonTrustedMeetingChat = $True AllowExternalParticipantGiveRequestControl = $False AllowIPVideo = $True AllowMeetNow = $True 
@@ -138,12 +152,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowPrivateMeetingScheduling = $True AllowSharedNotes = $True AllowTranscription = $False - AllowWhiteboard = $False; #Variant + AllowWhiteboard = $False + AttendeeIdentityMasking = 'DisabledUserOverride' AutoAdmittedUsers = 'Everyone' - WhoCanRegister = 'EveryoneInCompany' + AutomaticallyStartCopilot = 'Disabled' + AutoRecording = 'Enabled' + ChannelRecordingDownload = 'Allow' + ConnectToMeetingControls = 'Enabled' + ContentSharingInExternalMeetings = 'EnabledForAnyone' + Copilot = 'EnabledWithTranscript' + CopyRestriction = $True + DetectSensitiveContentDuringScreenSharing = $True + ExternalMeetingJoin = 'EnabledForAnyone' Description = $null MediaBitRateKb = 50000 + ParticipantNameChange = 'Enabled' ScreenSharingMode = 'EntireScreen' + VoiceIsolation = 'Disabled' + WhoCanRegister = 'EveryoneInCompany' } } } @@ -195,6 +221,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowAnonymousUsersToStartMeeting = $False AllowChannelMeetingScheduling = $True AllowCloudRecording = $True + AllowExternalNonTrustedMeetingChat = $True AllowExternalParticipantGiveRequestControl = $False AllowIPVideo = $True AllowMeetNow = $True 
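Review bot: The `#Variant` marker on `AllowWhiteboard = $False` is dropped in the `@@ -138,12 +152,24 @@` hunk, while the same hunk adds `ParticipantNameChange = 'Enabled'` and `VoiceIsolation = 'Disabled'`, which appear to differ from the `'Disabled'` / `'Enabled'` values added to `$testParams` in the preceding hunk. After this change nothing in the mock tells a reader which values are deliberate drift and which are accidental mismatches. I would keep the marker and extend it to the new drifting lines, e.g. `AllowWhiteboard = $False # Variant` and `VoiceIsolation = 'Disabled' # Variant`. The same marker removal occurs in the `@@ -264,11 +304,23 @@` and `@@ -311,11 +364,23 @@` hunks; the enclosing hashtables start outside these hunks, so the pairing of mock and `$testParams` is inferred from hunk order.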
@@ -205,10 +232,22 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowSharedNotes = $True AllowTranscription = $False AllowWhiteboard = $True + AttendeeIdentityMasking = 'DisabledUserOverride' AutoAdmittedUsers = 'Everyone' + AutomaticallyStartCopilot = 'Disabled' + AutoRecording = 'Enabled' + ChannelRecordingDownload = 'Allow' + ConnectToMeetingControls = 'Enabled' + ContentSharingInExternalMeetings = 'EnabledForAnyone' + Copilot = 'EnabledWithTranscript' + CopyRestriction = $True + DetectSensitiveContentDuringScreenSharing = $True + ExternalMeetingJoin = 'EnabledForAnyone' Description = $null MediaBitRateKb = 50000 + ParticipantNameChange = 'Enabled' ScreenSharingMode = 'EntireScreen' + VoiceIsolation = 'Disabled' WhoCanRegister = 'EveryoneInCompany' } } @@ -255,6 +294,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowAnonymousUsersToStartMeeting = $False AllowChannelMeetingScheduling = $True AllowCloudRecording = $True + AllowExternalNonTrustedMeetingChat = $True AllowExternalParticipantGiveRequestControl = $False AllowIPVideo = $True AllowMeetNow = $True @@ -264,11 +304,23 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowPrivateMeetingScheduling = $True AllowSharedNotes = $True AllowTranscription = $False - AllowWhiteboard = $False; #Variant + AllowWhiteboard = $False + AttendeeIdentityMasking = 'DisabledUserOverride' AutoAdmittedUsers = 'Everyone' + AutomaticallyStartCopilot = 'Disabled' + AutoRecording = 'Enabled' + ChannelRecordingDownload = 'Allow' + ConnectToMeetingControls = 'Enabled' + ContentSharingInExternalMeetings = 'EnabledForAnyone' + Copilot = 'EnabledWithTranscript' + CopyRestriction = $True + DetectSensitiveContentDuringScreenSharing = $True + ExternalMeetingJoin = 'EnabledForAnyone' Description = $null MediaBitRateKb = 50000 + ParticipantNameChange = 'Enabled' ScreenSharingMode = 'EntireScreen' + VoiceIsolation = 'Disabled' WhoCanRegister = 'EveryoneInCompany' } } 
@@ -302,6 +354,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowAnonymousUsersToStartMeeting = $False AllowChannelMeetingScheduling = $True AllowCloudRecording = $True + AllowExternalNonTrustedMeetingChat = $True AllowExternalParticipantGiveRequestControl = $False AllowIPVideo = $True AllowMeetNow = $True @@ -311,11 +364,23 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowPrivateMeetingScheduling = $True AllowSharedNotes = $True AllowTranscription = $False - AllowWhiteboard = $False; #Variant + AllowWhiteboard = $False + AttendeeIdentityMasking = 'DisabledUserOverride' AutoAdmittedUsers = 'Everyone' + AutomaticallyStartCopilot = 'Disabled' + AutoRecording = 'Enabled' + ChannelRecordingDownload = 'Allow' + ConnectToMeetingControls = 'Enabled' + ContentSharingInExternalMeetings = 'EnabledForAnyone' + Copilot = 'EnabledWithTranscript' + CopyRestriction = $True + DetectSensitiveContentDuringScreenSharing = $True + ExternalMeetingJoin = 'EnabledForAnyone' Description = $null MediaBitRateKb = 50000 + ParticipantNameChange = 'Enabled' ScreenSharingMode = 'EntireScreen' + VoiceIsolation = 'Disabled' WhoCanRegister = 'EveryoneInCompany' } } diff --git a/Tests/Unit/Stubs/Generic.psm1 b/Tests/Unit/Stubs/Generic.psm1 index 6ebc93dda5..6ad5a76fa7 100644 --- a/Tests/Unit/Stubs/Generic.psm1 +++ b/Tests/Unit/Stubs/Generic.psm1 @@ -115,7 +115,15 @@ function Update-MgServicePrincipal [Parameter()] [System.String[]] - $Tags + $Tags, + + [Parameter()] + [PSObject] + $PasswordCredentials, + + [Parameter()] + [PSObject] + $KeyCredentials ) } @@ -187,7 +195,15 @@ function New-MGServicePrincipal [Parameter()] [System.String[]] - $Tags + $Tags, + + [Parameter()] + [PSObject] + $PasswordCredentials, + + [Parameter()] + [PSObject] + $KeyCredentials ) } diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index 816dc46565..de5299fac1 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 
@@ -30,6 +30,7 @@ function Get-MgBetaPolicyAdminConsentRequestPolicy param() } + #region Microsoft.Graph.Beta.Applications function Get-MgBetaApplication { @@ -1147,6 +1148,31 @@ function Get-SweepRule $ResultSize ) } +function New-ServicePrincipal +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.String] + $ObjectId, + + [Parameter()] + [System.String] + $ServiceId, + + [Parameter()] + [System.String] + $AppId + ) +} function New-SweepRule { [CmdletBinding()] @@ -1196,6 +1222,19 @@ function New-SweepRule $Enabled ) } +function Remove-ServicePrincipal +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Object] + $Identity + ) +} function Remove-SweepRule { [CmdletBinding()] @@ -1213,6 +1252,23 @@ function Remove-SweepRule $Identity ) } +function Set-ServicePrincipal +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Object] + $Identity + ) +} function Set-SweepRule { [CmdletBinding()] @@ -1647,6 +1703,17 @@ function Get-ActiveSyncDevice $ResultSize ) } + +function Get-ActiveSyncMailboxPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Object] + $Identity + ) +} + function Get-ActiveSyncDeviceAccessRule { [CmdletBinding()] @@ -2768,6 +2835,19 @@ function Get-Mailbox $IncludeEmailAddressDisplayNames ) } +function Get-MailboxAuditBypassAssociation +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Object] + $ResultSize + ) +} function Get-MailboxAutoReplyConfiguration { [CmdletBinding()] 
@@ -4229,6 +4309,19 @@ function Get-ServicePrincipal
 $Organization
 )
 }
+function Get-ServicePrincipal
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.Object]
+ $Identity,
+
+ [Parameter()]
+ [System.Object]
+ $Organization
+ )
+}
 function Get-SharingPolicy
 {
 [CmdletBinding()]
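Review bot: This hunk adds a second `function Get-ServicePrincipal` immediately after an existing one; the hunk header and the leading `$Organization ) }` context show the earlier definition closing just above the added block. When the module is imported the later definition silently replaces the earlier one, so the stub file carries two copies to keep in sync, and any parameter declared only on the first copy is no longer available to `Mock`. I would drop the added block, or merge `$Identity` into the existing stub if that is what was missing. The earlier definition's full parameter list lies outside the hunk, so whether the two copies are identical cannot be confirmed from here.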
@@ -4414,6 +4507,233 @@ function New-ActiveSyncDeviceAccessRule $AccessLevel ) } + +function New-ActiveSyncMailboxPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, + + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, + + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, + + [Parameter()] + [System.Boolean] + $AllowIrDA, + + [Parameter()] + [System.Boolean] + $AllowStorageCard, + + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, + + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, + + [Parameter()] + [System.Object] + $UnapprovedInROMApplicationList, + + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $AllowInternetSharing, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Object] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Object] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.Object] + $DevicePasswordExpiration, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $AllowCamera, + + [Parameter()] + [System.Object] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.Object] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, + + [Parameter()] + [System.Object] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.Object] + $AllowBluetooth, + + [Parameter()] + [System.Object] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Object] + $DevicePolicyRefreshInterval, + + 
[Parameter()] + [System.Boolean] + $AllowMobileOTAUpdate, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Object] + $MaxAttachmentSize, + + [Parameter()] + [System.Boolean] + $AllowConsumerEmail, + + [Parameter()] + [System.Boolean] + $AllowDesktopSync, + + [Parameter()] + [System.Object] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, + + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, + + [Parameter()] + [System.Object] + $MaxEmailAgeFilter, + + [Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Object] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.Boolean] + $AllowWiFi, + + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, + + [Parameter()] + [System.Object] + $ApprovedApplicationList, + + [Parameter()] + [System.Boolean] + $AllowTextMessaging, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, + + [Parameter()] + [System.Object] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $IrmEnabled + ) +} + function New-AddressBookPolicy { [CmdletBinding()] 
@@ -8551,6 +8871,25 @@ function Remove-ActiveSyncDevice $Identity ) } + +function Remove-ActiveSyncMailboxPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Force + ) +} + function Remove-ActiveSyncDeviceAccessRule { [CmdletBinding()] 
@@ -9486,6 +9825,237 @@ function Set-ActiveSyncDeviceAccessRule $AccessLevel ) } + +function Set-ActiveSyncMailboxPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Boolean] + $AllowUnsignedApplications, + + [Parameter()] + [System.Boolean] + $AllowUnsignedInstallationPackages, + + [Parameter()] + [System.Boolean] + $AllowExternalDeviceManagement, + + [Parameter()] + [System.Boolean] + $AllowIrDA, + + [Parameter()] + [System.Boolean] + $AllowStorageCard, + + [Parameter()] + [System.Boolean] + $AllowNonProvisionableDevices, + + [Parameter()] + [System.Boolean] + $AllowRemoteDesktop, + + [Parameter()] + [System.Object] + $UnapprovedInROMApplicationList, + + [Parameter()] + [System.Boolean] + $DevicePasswordEnabled, + + [Parameter()] + [System.Boolean] + $RequireEncryptedSMIMEMessages, + + [Parameter()] + [System.Int32] + $DevicePasswordHistory, + + [Parameter()] + [System.Boolean] + $RequireDeviceEncryption, + + [Parameter()] + [System.Boolean] + $AllowInternetSharing, + + [Parameter()] + [System.Int32] + $MinDevicePasswordComplexCharacters, + + [Parameter()] + [System.Object] + $RequireSignedSMIMEAlgorithm, + + [Parameter()] + [System.Object] + $MaxEmailHTMLBodyTruncationSize, + + [Parameter()] + [System.Object] + $DevicePasswordExpiration, + + [Parameter()] + [System.Boolean] + $UNCAccessEnabled, + + [Parameter()] + [System.Boolean] + $AllowCamera, + + [Parameter()] + [System.Object] + $MaxDevicePasswordFailedAttempts, + + [Parameter()] + [System.Boolean] + $AllowBrowser, + + [Parameter()] + [System.Boolean] + $RequireManualSyncWhenRoaming, + + [Parameter()] + [System.Object] + $AllowSMIMEEncryptionAlgorithmNegotiation, + + [Parameter()] + [System.Boolean] + $DeviceEncryptionEnabled, + + [Parameter()] + [System.Object] + $MaxEmailBodyTruncationSize, + + [Parameter()] + [System.Object] + $AllowBluetooth, + + [Parameter()] + [System.Object] + $RequireEncryptionSMIMEAlgorithm, + + [Parameter()] + [System.Object] + $DevicePolicyRefreshInterval, + + 
[Parameter()] + [System.Boolean] + $AllowMobileOTAUpdate, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Object] + $MaxAttachmentSize, + + [Parameter()] + [System.Boolean] + $AllowConsumerEmail, + + [Parameter()] + [System.Boolean] + $AllowDesktopSync, + + [Parameter()] + [System.Object] + $MaxInactivityTimeDeviceLock, + + [Parameter()] + [System.Boolean] + $AlphanumericDevicePasswordRequired, + + [Parameter()] + [System.Boolean] + $RequireStorageCardEncryption, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Boolean] + $AttachmentsEnabled, + + [Parameter()] + [System.Boolean] + $AllowSMIMESoftCerts, + + [Parameter()] + [System.Object] + $MaxEmailAgeFilter, + + [Parameter()] + [System.Boolean] + $AllowSimpleDevicePassword, + + [Parameter()] + [System.Boolean] + $PasswordRecoveryEnabled, + + [Parameter()] + [System.Object] + $MaxCalendarAgeFilter, + + [Parameter()] + [System.Boolean] + $AllowWiFi, + + [Parameter()] + [System.Boolean] + $AllowApplePushNotifications, + + [Parameter()] + [System.Boolean] + $AllowPOPIMAPEmail, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Boolean] + $IsDefaultPolicy, + + [Parameter()] + [System.Object] + $ApprovedApplicationList, + + [Parameter()] + [System.Boolean] + $AllowTextMessaging, + + [Parameter()] + [System.Boolean] + $WSSAccessEnabled, + + [Parameter()] + [System.Boolean] + $RequireSignedSMIMEMessages, + + [Parameter()] + [System.Boolean] + $AllowHTMLEmail, + + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Object] + $MinDevicePasswordLength, + + [Parameter()] + [System.Boolean] + $IrmEnabled + ) +} + function Set-AddressBookPolicy { [CmdletBinding()] 
@@ -12123,6 +12693,19 @@ function Set-Mailbox $MessageTrackingReadStatusEnabled ) } +function Set-MailboxAuditBypassAssociation +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Boolean] + $AuditBypassEnabled, + + [Parameter()] + [System.Object] + $Identity + ) +} function Set-MailboxAutoReplyConfiguration { [CmdletBinding()] @@ -17378,6 +17961,10 @@ function New-MgServicePrincipal [PSObject] $DelegatedPermissionClassifications, + [Parameter()] + [System.Collections.Hashtable] + $CustomSecurityAttributes, + [Parameter()] [PSObject] $PasswordCredentials, @@ -18023,6 +18610,10 @@ function Update-MgServicePrincipal [PSObject] $DelegatedPermissionClassifications, + [Parameter()] + [System.Collections.Hashtable] + $CustomSecurityAttributes, + [Parameter()] [PSObject] $PasswordCredentials, @@ -18283,12 +18874,39 @@ function Invoke-MgGraphRequest $Headers ) } -#endregion -#region Microsoft.Graph.Beta.DeviceManagement -function Get-MgBetaDeviceManagement + +function New-MgBetaIdentityCustomAuthenticationExtension { [CmdletBinding()] param( + [Parameter()] + [System.Collections.Hashtable] + $EndpointConfiguration, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $ClientConfiguration, + [Parameter()] [PSObject] $HttpPipelinePrepend, 
@@ -18298,85 +18916,97 @@ function Get-MgBetaDeviceManagement $Proxy, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.Collections.Hashtable] + $BodyParameter, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.String] + $Id, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.Management.Automation.SwitchParameter] + $Confirm, [Parameter()] - [System.String[]] - $Property, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] - [PSObject] - $HttpPipelineAppend, + [System.String] + $ResponseHeadersVariable, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementAssignmentFilter +function Update-MgBetaIdentityCustomAuthenticationExtension { [CmdletBinding()] param( [Parameter()] - [System.String[]] - $Property, + [System.Collections.Hashtable] + $EndpointConfiguration, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, [Parameter()] [PSObject] $InputObject, + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, [Parameter()] - [System.Int32] - $PageSize, + [PSObject] + $ClientConfiguration, [Parameter()] [PSObject] $HttpPipelinePrepend, - [Parameter()] - [System.Int32] - $Skip, - - [Parameter()] - [System.Int32] - $Top, - [Parameter()] [System.String] - $CountVariable, + $CustomAuthenticationExtensionId, [Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.String[]] - $Sort, + [System.Collections.Hashtable] + $BodyParameter, [Parameter()] [System.String] - $DeviceAndAppManagementAssignmentFilterId, + $Id, 
[Parameter()] [System.Management.Automation.SwitchParameter] - $All, - - [Parameter()] - [System.String] - $Filter, + $Confirm, [Parameter()] [System.Management.Automation.PSCredential] @@ -18384,22 +19014,22 @@ function Get-MgBetaDeviceManagementAssignmentFilter [Parameter()] [System.String] - $Search, + $ResponseHeadersVariable, [Parameter()] [System.Management.Automation.SwitchParameter] $Break, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.Collections.IDictionary] + $Headers, [Parameter()] [PSObject] $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementConfigurationPolicy +function Get-MgBetaIdentityCustomAuthenticationExtension { [CmdletBinding()] param( @@ -18427,6 +19057,10 @@ function Get-MgBetaDeviceManagementConfigurationPolicy [System.Int32] $Skip, + [Parameter()] + [System.String] + $CustomAuthenticationExtensionId, + [Parameter()] [System.Int32] $Top, @@ -18459,6 +19093,10 @@ function Get-MgBetaDeviceManagementConfigurationPolicy [System.String] $Search, + [Parameter()] + [System.String] + $ResponseHeadersVariable, + [Parameter()] [System.Management.Automation.SwitchParameter] $Break, 
@@ -18468,30 +19106,162 @@ function Get-MgBetaDeviceManagementConfigurationPolicy $ExpandProperty, [Parameter()] - [System.String] - $DeviceManagementConfigurationPolicyId, + [System.Collections.IDictionary] + $Headers, [Parameter()] [PSObject] $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementConfigurationPolicyAssignment +function Remove-MgBetaIdentityCustomAuthenticationExtension { [CmdletBinding()] param( [Parameter()] - [System.String[]] - $Property, + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.String] + $CustomAuthenticationExtensionId, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, [Parameter()] [PSObject] $InputObject, + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion + +#region Microsoft.Graph.Beta.DeviceManagement +function Get-MgBetaDeviceManagement +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + [Parameter()] [System.String[]] $ExpandProperty, + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} + +function 
Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting { + [CmdletBinding()] + param ( + [Parameter()] + [System.String] + $AndroidManagedStoreAccountEnterpriseSettingsId, + + [Parameter()] + [System.String] + $BindStatus, + + [Parameter()] + [System.String] + $OwnerUserPrincipalName, + + [Parameter()] + [System.String] + $OwnerOrganizationName, + + [Parameter()] + [System.String] + $EnrollmentTarget, + + [Parameter()] + [System.Boolean] + $DeviceOwnerManagementEnabled, + + [Parameter()] + [System.Boolean] + $AndroidDeviceOwnerFullyManagedEnrollmentEnabled, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present' + ) +} + +function Get-MgBetaDeviceManagementAssignmentFilter +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, @@ -18524,6 +19294,10 @@ function Get-MgBetaDeviceManagementConfigurationPolicyAssignment [System.String[]] $Sort, + [Parameter()] + [System.String] + $DeviceAndAppManagementAssignmentFilterId, + [Parameter()] [System.Management.Automation.SwitchParameter] $All, @@ -18536,28 +19310,24 @@ function Get-MgBetaDeviceManagementConfigurationPolicyAssignment [System.Management.Automation.PSCredential] $ProxyCredential, - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, - [Parameter()] [System.String] $Search, [Parameter()] - [System.String] - $DeviceManagementConfigurationPolicyId, + [System.Management.Automation.SwitchParameter] + $Break, [Parameter()] - [System.String] - $DeviceManagementConfigurationPolicyAssignmentId, + [System.String[]] + $ExpandProperty, [Parameter()] [PSObject] $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementConfigurationPolicySetting +function Get-MgBetaDeviceManagementConfigurationPolicy { [CmdletBinding()] param( 
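Review bot: The added `Get-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting` stub declares `$Ensure` with `[ValidateSet('Present', 'Absent')]`, plus settings such as `$BindStatus` and `$DeviceOwnerManagementEnabled`, which read like the DSC resource's properties rather than the parameters of a Graph Get cmdlet. A stub that accepts parameters the real cmdlet presumably lacks lets a unit test pass on a call that would fail to bind against the real module. The same pattern appears in later hunks: `Get-MgBetaDeviceManagementDataSharingConsent` (`$Granted`), `Get-MgBetaDeviceManagementMobileThreatDefenseConnector` (the `[System.Boolean]` settings and `$LastHeartbeatDateTime`) and `Get-MgBetaProgram` (`$DisplayName`, `$Description`). I would trim each Get stub to the identifier and query parameters the module actually exports, for example keeping `$AndroidManagedStoreAccountEnterpriseSettingsId` here and dropping `$Ensure`.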
@@ -18573,10 +19343,6 @@ function Get-MgBetaDeviceManagementConfigurationPolicySetting [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, - [Parameter()] - [System.String] - $DeviceManagementConfigurationSettingId, - [Parameter()] [System.Int32] $PageSize, @@ -18617,28 +19383,28 @@ function Get-MgBetaDeviceManagementConfigurationPolicySetting [System.Management.Automation.PSCredential] $ProxyCredential, - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, - [Parameter()] [System.String] $Search, [Parameter()] - [System.String] - $DeviceManagementConfigurationPolicyId, + [System.Management.Automation.SwitchParameter] + $Break, [Parameter()] [System.String[]] $ExpandProperty, + [Parameter()] + [System.String] + $DeviceManagementConfigurationPolicyId, + [Parameter()] [PSObject] $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementConfigurationPolicyTemplate +function Get-MgBetaDeviceManagementConfigurationPolicyAssignment { [CmdletBinding()] param( @@ -18650,6 +19416,10 @@ function Get-MgBetaDeviceManagementConfigurationPolicyTemplate [PSObject] $InputObject, + [Parameter()] + [System.String[]] + $ExpandProperty, + [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, 
@@ -18695,34 +19465,30 @@ function Get-MgBetaDeviceManagementConfigurationPolicyTemplate $ProxyCredential, [Parameter()] - [System.String] - $Search, + [System.Management.Automation.SwitchParameter] + $Break, [Parameter()] [System.String] - $DeviceManagementConfigurationPolicyTemplateId, + $Search, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, + [System.String] + $DeviceManagementConfigurationPolicyId, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.String] + $DeviceManagementConfigurationPolicyAssignmentId, [Parameter()] [PSObject] $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate +function Get-MgBetaDeviceManagementConfigurationPolicySetting { [CmdletBinding()] param( - [Parameter()] - [System.String] - $DeviceManagementConfigurationSettingTemplateId, - [Parameter()] [System.String[]] $Property, @@ -18735,6 +19501,10 @@ function Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, + [Parameter()] + [System.String] + $DeviceManagementConfigurationSettingId, + [Parameter()] [System.Int32] $PageSize, @@ -18776,16 +19546,16 @@ function Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate $ProxyCredential, [Parameter()] - [System.String] - $Search, + [System.Management.Automation.SwitchParameter] + $Break, [Parameter()] [System.String] - $DeviceManagementConfigurationPolicyTemplateId, + $Search, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, + [System.String] + $DeviceManagementConfigurationPolicyId, [Parameter()] [System.String[]] @@ -18796,7 +19566,7 @@ function Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementDeviceCategory +function Get-MgBetaDeviceManagementConfigurationPolicyTemplate { [CmdletBinding()] param( 
@@ -18804,10 +19574,6 @@ function Get-MgBetaDeviceManagementDeviceCategory [System.String[]] $Property, - [Parameter()] - [System.String] - $DeviceCategoryId, - [Parameter()] [PSObject] $InputObject, @@ -18860,6 +19626,10 @@ function Get-MgBetaDeviceManagementDeviceCategory [System.String] $Search, + [Parameter()] + [System.String] + $DeviceManagementConfigurationPolicyTemplateId, + [Parameter()] [System.Management.Automation.SwitchParameter] $Break, @@ -18873,10 +19643,14 @@ function Get-MgBetaDeviceManagementDeviceCategory $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementDeviceCompliancePolicy +function Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate { [CmdletBinding()] param( + [Parameter()] + [System.String] + $DeviceManagementConfigurationSettingTemplateId, + [Parameter()] [System.String[]] $Property, @@ -18933,6 +19707,10 @@ function Get-MgBetaDeviceManagementDeviceCompliancePolicy [System.String] $Search, + [Parameter()] + [System.String] + $DeviceManagementConfigurationPolicyTemplateId, + [Parameter()] [System.Management.Automation.SwitchParameter] $Break, @@ -18943,14 +19721,22 @@ function Get-MgBetaDeviceManagementDeviceCompliancePolicy [Parameter()] [PSObject] - $HttpPipelineAppend, - + $HttpPipelineAppend + ) +} +function Get-MgBetaDeviceManagementDataSharingConsent { + [CmdletBinding()] + param ( [Parameter()] [System.String] - $DeviceCompliancePolicyId + $DataSharingConsentId, + + [Parameter()] + [System.Boolean] + $Granted ) } -function Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment +function Get-MgBetaDeviceManagementDeviceCategory { [CmdletBinding()] param( @@ -18958,6 +19744,10 @@ function Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment [System.String[]] $Property, + [Parameter()] + [System.String] + $DeviceCategoryId, + [Parameter()] [PSObject] $InputObject, 
@@ -18987,17 +19777,13 @@ function Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment $CountVariable, [Parameter()] - [System.String] - $DeviceCompliancePolicyAssignmentId, + [System.Uri] + $Proxy, [Parameter()] [System.String[]] $Sort, - [Parameter()] - [System.Uri] - $Proxy, - [Parameter()] [System.Management.Automation.SwitchParameter] $All, 
@@ -19024,14 +19810,168 @@ function Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment [Parameter()] [PSObject] - $HttpPipelineAppend, - - [Parameter()] - [System.String] - $DeviceCompliancePolicyId + $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementDeviceConfiguration +function Get-MgBetaDeviceManagementDeviceCompliancePolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.String] + $DeviceCompliancePolicyId + ) +} +function Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.String] + 
$DeviceCompliancePolicyAssignmentId, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.String] + $DeviceCompliancePolicyId + ) +} +function Get-MgBetaDeviceManagementDeviceConfiguration { [CmdletBinding()] param( @@ -19403,6 +20343,19 @@ function Get-MgBetaDeviceManagementDerivedCredential { ) } +function Remove-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting { + [CmdletBinding()] + param ( + [Parameter(Mandatory = $true)] + [System.String] + $AndroidManagedStoreAccountEnterpriseSettingsId, + + [Parameter()] + [System.Boolean] + $Confirm = $true + ) +} + function Remove-MgBetaDeviceManagementDerivedCredential { [CmdletBinding()] 
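Review bot: `Remove-MgBetaDeviceManagementAndroidManagedStoreAccountEnterpriseSetting` declares `$Confirm` as `[System.Boolean]` with a default of `$true`, while the other Remove- and Update- stubs added in this diff (for example `Remove-MgBetaIdentityCustomAuthenticationExtension`) declare it as `[System.Management.Automation.SwitchParameter]`. With the Boolean form a bare `-Confirm` needs an argument, so this stub does not accept the same call shapes as its siblings. I would write it as `[System.Management.Automation.SwitchParameter]` followed by `$Confirm`, with no default. The `Mandatory = $true` on the id is also the only one among the stubs visible here; it is worth confirming that is intended, since an unmocked call can then prompt for input in an interactive run instead of failing fast.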
@@ -27277,133 +28230,371 @@ function Update-MgBetaRoleManagement $DeviceManagement ) } -#endregion -#region Microsoft.Graph.Beta.Identity.DirectoryManagement -function Get-MgBetaDevice + +function Get-MgBetaDeviceManagementMobileThreatDefenseConnector { [CmdletBinding()] param( [Parameter()] - [System.String[]] - $Property, + [System.String] + $MobileThreatDefenseConnectorId, [Parameter()] - [PSObject] - $InputObject, + [System.String] + $DisplayName, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.Boolean] + $AllowPartnerToCollectIosApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosPersonalApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AndroidDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $AndroidEnabled, + + [Parameter()] + [System.Boolean] + $AndroidMobileApplicationManagementEnabled, + + [Parameter()] + [System.Boolean] + $IosDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $IosEnabled, + + [Parameter()] + [System.Boolean] + $IosMobileApplicationManagementEnabled, + + [Parameter()] + [System.DateTime] + $LastHeartbeatDateTime, + + [Parameter()] + [System.Boolean] + $MicrosoftDefenderForEndpointAttachEnabled, [Parameter()] [System.String] - $DeviceId, + $PartnerState, [Parameter()] [System.Int32] - $PageSize, + $PartnerUnresponsivenessThresholdInDays, [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.Boolean] + $PartnerUnsupportedOSVersionBlocked, [Parameter()] - [System.Int32] - $Skip, + [System.Boolean] + $WindowsDeviceBlockedOnMissingPartnerData, [Parameter()] - [System.Int32] - $Top, + [System.Boolean] + $WindowsEnabled + ) +} +function New-MgBetaDeviceManagementMobileThreatDefenseConnector +{ + [CmdletBinding()] + param( [Parameter()] [System.String] - $CountVariable, + $MobileThreatDefenseConnectorId, [Parameter()] - [System.Uri] - $Proxy, + [System.String] + $DisplayName, [Parameter()] - 
[System.String[]] - $Sort, + [System.Boolean] + $AllowPartnerToCollectIosApplicationMetadata, [Parameter()] - [System.String] - $ConsistencyLevel, + [System.Boolean] + $AllowPartnerToCollectIosPersonalApplicationMetadata, [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, + [System.Boolean] + $AndroidDeviceBlockedOnMissingPartnerData, [Parameter()] - [System.String] - $Filter, + [System.Boolean] + $AndroidEnabled, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.Boolean] + $AndroidMobileApplicationManagementEnabled, + + [Parameter()] + [System.Boolean] + $IosDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $IosEnabled, + + [Parameter()] + [System.Boolean] + $IosMobileApplicationManagementEnabled, + + [Parameter()] + [System.DateTime] + $LastHeartbeatDateTime, + + [Parameter()] + [System.Boolean] + $MicrosoftDefenderForEndpointAttachEnabled, [Parameter()] [System.String] - $Search, + $PartnerState, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, + [System.Int32] + $PartnerUnresponsivenessThresholdInDays, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.Boolean] + $PartnerUnsupportedOSVersionBlocked, [Parameter()] - [PSObject] - $HttpPipelineAppend + [System.Boolean] + $WindowsDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $WindowsEnabled ) } -function Get-MgBetaDirectory + +function Update-MgBetaDeviceManagementMobileThreatDefenseConnector { [CmdletBinding()] param( [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.String] + $MobileThreatDefenseConnectorId, [Parameter()] - [System.Uri] - $Proxy, + [System.String] + $DisplayName, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.Boolean] + $AllowPartnerToCollectIosApplicationMetadata, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.Boolean] + 
$AllowPartnerToCollectIosPersonalApplicationMetadata, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.Boolean] + $AndroidDeviceBlockedOnMissingPartnerData, [Parameter()] - [System.String[]] - $Property, + [System.Boolean] + $AndroidEnabled, [Parameter()] - [PSObject] - $HttpPipelineAppend, + [System.Boolean] + $AndroidMobileApplicationManagementEnabled, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break + [System.Boolean] + $IosDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $IosEnabled, + + [Parameter()] + [System.Boolean] + $IosMobileApplicationManagementEnabled, + + [Parameter()] + [System.DateTime] + $LastHeartbeatDateTime, + + [Parameter()] + [System.Boolean] + $MicrosoftDefenderForEndpointAttachEnabled, + + [Parameter()] + [System.String] + $PartnerState, + + [Parameter()] + [System.Int32] + $PartnerUnresponsivenessThresholdInDays, + + [Parameter()] + [System.Boolean] + $PartnerUnsupportedOSVersionBlocked, + + [Parameter()] + [System.Boolean] + $WindowsDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $WindowsEnabled ) } -function Get-MgBetaDirectoryAdministrativeUnit + +function Remove-MgBetaDeviceManagementMobileThreatDefenseConnector { [CmdletBinding()] param( [Parameter()] [System.String] - $AdministrativeUnitId, + $MobileThreatDefenseConnectorId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +#endregion + +#region Microsoft.Graph.Beta.Identity.DirectoryManagement +function Get-MgBetaDevice +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.String] + $DeviceId, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + 
[System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.String] + $ConsistencyLevel, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaDirectory +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Get-MgBetaDirectoryAdministrativeUnit +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $AdministrativeUnitId, [Parameter()] [System.String[]] 
@@ -30131,64 +31322,83 @@ function Get-MgBetaDirectoryDeletedApplication } #endregion #region Microsoft.Graph.Beta.Identity.Governance -function Get-MgBetaAgreement +function Get-MgBetaProgram { [CmdletBinding()] param( [Parameter()] - [System.String[]] - $Property, + [System.String] + $ProgramId, [Parameter()] - [PSObject] - $InputObject, + [System.String] + $DisplayName, [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.String] + $Description, [Parameter()] - [System.Uri] - $Proxy, + [System.Management.Automation.SwitchParameter] + $All, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.String] + $Filter + ) +} +function Remove-MgBetaProgram +{ + [CmdletBinding()] + param( [Parameter()] - [System.Int32] - $PageSize, + [System.String] + $ProgramId + ) +} +function Update-MgBetaProgram +{ + [CmdletBinding()] + param( [Parameter()] [System.String] - $AgreementId, + $ProgramId, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.String] + $DisplayName, [Parameter()] [System.String] - $CountVariable, + $Description, [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, + [PSObject] + $BodyParameter + ) +} +function New-MgBetaProgram +{ + [CmdletBinding()] + param( [Parameter()] [System.String] - $Search, + $DisplayName, [Parameter()] - [PSObject] - $HttpPipelineAppend, + [System.String] + $Description, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break + [PSObject] + $BodyParameter ) } -function Get-MgBetaEntitlementManagementAccessPackage + +function Get-MgBetaAgreement { [CmdletBinding()] param( 
@@ -30196,88 +31406,56 @@ function Get-MgBetaEntitlementManagementAccessPackage [System.String[]] $Property, - [Parameter()] - [System.String] - $CatalogId, - [Parameter()] [PSObject] $InputObject, - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.Int32] - $PageSize, - [Parameter()] [PSObject] $HttpPipelinePrepend, [Parameter()] - [System.Int32] - $Skip, - - [Parameter()] - [System.Int32] - $Top, + [System.Uri] + $Proxy, [Parameter()] - [System.String] - $CountVariable, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] - [System.String] - $DisplayNameContains, + [System.Int32] + $PageSize, [Parameter()] [System.String] - $AccessPackageId, - - [Parameter()] - [System.String[]] - $Sort, - - [Parameter()] - [System.Uri] - $Proxy, + $AgreementId, [Parameter()] [System.Management.Automation.SwitchParameter] - $All, + $ProxyUseDefaultCredentials, [Parameter()] [System.String] - $Filter, + $CountVariable, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.Management.Automation.SwitchParameter] + $All, [Parameter()] [System.String] $Search, [Parameter()] - [System.String] - $DisplayNameEq, + [PSObject] + $HttpPipelineAppend, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [System.String[]] - $ExpandProperty, - - [Parameter()] - [PSObject] - $HttpPipelineAppend + $Break ) } -function Get-MgBetaEntitlementManagementAccessPackageAssignment +function Get-MgBetaEntitlementManagementAccessPackage { [CmdletBinding()] param( @@ -30285,6 +31463,10 @@ function Get-MgBetaEntitlementManagementAccessPackageAssignment [System.String[]] $Property, + [Parameter()] + [System.String] + $CatalogId, + [Parameter()] [PSObject] $InputObject, 
@@ -30301,10 +31483,6 @@ function Get-MgBetaEntitlementManagementAccessPackageAssignment [PSObject] $HttpPipelinePrepend, - [Parameter()] - [System.String] - $AccessPackageAssignmentId, - [Parameter()] [System.Int32] $Skip, @@ -30318,13 +31496,17 @@ function Get-MgBetaEntitlementManagementAccessPackageAssignment $CountVariable, [Parameter()] - [System.String[]] - $Sort, + [System.String] + $DisplayNameContains, [Parameter()] [System.String] $AccessPackageId, + [Parameter()] + [System.String[]] + $Sort, + [Parameter()] [System.Uri] $Proxy, @@ -30345,6 +31527,10 @@ function Get-MgBetaEntitlementManagementAccessPackageAssignment [System.String] $Search, + [Parameter()] + [System.String] + $DisplayNameEq, + [Parameter()] [System.Management.Automation.SwitchParameter] $Break, 
@@ -30358,7 +31544,88 @@ function Get-MgBetaEntitlementManagementAccessPackageAssignment $HttpPipelineAppend ) } -function Get-MgBetaEntitlementManagementAccessPackageAssignmentPolicy +function Get-MgBetaEntitlementManagementAccessPackageAssignment +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $AccessPackageAssignmentId, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.String] + $AccessPackageId, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaEntitlementManagementAccessPackageAssignmentPolicy { [CmdletBinding()] param( 
@@ -34621,6 +35888,80 @@ function Update-MgBetaRoleManagementDirectoryRoleDefinition } #endregion #region Microsoft.Graph.Beta.Identity.SignIns + +#region Microsoft.Graph.Authentication +function Get-MgBetaIdentityUserFlowAttribute +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $IdentityUserFlowAttributeId, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Sort + ) +} +function New-MgBetaIdentityUserFlowAttribute +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $DataType, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName + ) +} +function Update-MgBetaIdentityUserFlowAttribute +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $DataType, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $IdentityUserFlowAttributeId, + + [Parameter()] + [System.String] + $Id + ) +} +function Remove-MgBetaIdentityUserFlowAttribute +{ + [CmdletBinding()] + param( + + [Parameter()] + [System.String] + $IdentityUserFlowAttributeId + ) +} +#endregion + + function Get-MgBetaIdentityConditionalAccess { [CmdletBinding()] 
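Review bot: The new `#region Microsoft.Graph.Authentication` is opened directly inside `#region Microsoft.Graph.Beta.Identity.SignIns`, and the four `*-MgBetaIdentityUserFlowAttribute` stubs it wraps carry the MgBeta identity prefix, so the inner label looks wrong. I would drop the inner `#region`/`#endregion` pair, or rename it to the module that exports these cmdlets, so that a maintainer refreshing one module's stubs can find them. Separately, `Get-MgBetaIdentityUserFlowAttribute` types `$Sort` as `[System.String]` where the other Get stubs in this diff use `[System.String[]]`; using `[System.String[]]` would keep it consistent.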
@@ -34889,94 +36230,62 @@ function Get-MgBetaIdentityConditionalAccessPolicy $HttpPipelineAppend ) } -function Get-MgBetaIdentityProvider +function Get-MgBetaPolicyAccessReviewPolicy { [CmdletBinding()] param( - [Parameter()] - [System.String] - $IdentityProviderBaseId, - - [Parameter()] - [System.String[]] - $Property, - - [Parameter()] - [PSObject] - $InputObject, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.Int32] - $PageSize, - [Parameter()] [PSObject] $HttpPipelinePrepend, - [Parameter()] - [System.Int32] - $Skip, - - [Parameter()] - [System.Int32] - $Top, - - [Parameter()] - [System.String] - $CountVariable, - [Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.String[]] - $Sort, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, + [System.String[]] + $ExpandProperty, [Parameter()] [System.String] - $Filter, + $ResponseHeadersVariable, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [PSObject] + $HttpPipelineAppend, [Parameter()] - [System.String] - $Search, + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, + [System.Collections.IDictionary] + $Headers, [Parameter()] [System.String[]] - $ExpandProperty, + $Property, [Parameter()] - [PSObject] - $HttpPipelineAppend + [System.Management.Automation.SwitchParameter] + $Break ) } -function Get-MgBetaOauth2PermissionGrant +function Get-MgBetaIdentityProvider { [CmdletBinding()] param( [Parameter()] - [System.String[]] - $Property, + [System.String] + $IdentityProviderBaseId, [Parameter()] - [System.String] - $OAuth2PermissionGrantId, + [System.String[]] + $Property, [Parameter()] [PSObject] 
@@ -35043,50 +36352,17 @@ function Get-MgBetaOauth2PermissionGrant $HttpPipelineAppend ) } -function Get-MgBetaPolicyAuthenticationMethodPolicy +function Get-MgBetaOauth2PermissionGrant { [CmdletBinding()] param( - [Parameter()] - [PSObject] - $HttpPipelinePrepend, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.String[]] - $ExpandProperty, - [Parameter()] [System.String[]] $Property, [Parameter()] - [PSObject] - $HttpPipelineAppend, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break - ) -} -function Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -{ - [CmdletBinding()] - param( - [Parameter()] - [System.String[]] - $Property, + [System.String] + $OAuth2PermissionGrantId, [Parameter()] [PSObject] 
@@ -35124,10 +36400,120 @@ function Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfigura [System.String[]] $Sort, - [Parameter()] - [System.String] - $AuthenticationMethodConfigurationId, - + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaPolicyAuthenticationMethodPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.String] + $AuthenticationMethodConfigurationId, + [Parameter()] 
[System.Management.Automation.SwitchParameter] $All, @@ -37390,6 +38776,71 @@ function Update-MgBetaPolicyAuthenticationStrengthPolicyAllowedCombination $Break ) } +function Update-MgBetaPolicyAccessReviewPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsGroupOwnerManagementEnabled, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} function Update-MgBetaPolicyAuthorizationPolicy { [CmdletBinding()] @@ -38104,9 +39555,8 @@ function Update-MgBetaPolicyTokenLifetimePolicy ) } #endregion - -#region Microsoft.Graph.Beta.Teams -function Get-MgBetaTeam +#region Microsoft.Graph.Beta.NetworkAccess.Connectivity.RemoteNetwork +function Get-MgBetaNetworkAccessConnectivityRemoteNetwork { [CmdletBinding()] param( 
@@ -38130,95 +39580,474 @@ function Get-MgBetaTeam [PSObject] $HttpPipelinePrepend, - [Parameter()] - [System.Int32] - $Skip, - [Parameter()] [System.String] - $TeamId, - - [Parameter()] - [System.Int32] - $Top, - - [Parameter()] - [System.String] - $CountVariable, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.String[]] - $Sort, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, - - [Parameter()] - [System.String] - $Filter, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [System.String] - $Search, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [System.String[]] - $ExpandProperty, - - [Parameter()] - [PSObject] - $HttpPipelineAppend - ) -} -function Get-MgBetaTeamChannel -{ - [CmdletBinding()] - param( - [Parameter()] - [System.String[]] - $Property, - - [Parameter()] - [PSObject] - $InputObject, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.Int32] - $PageSize, - - [Parameter()] - [System.String] - $ChannelId, - - [Parameter()] - [PSObject] - $HttpPipelinePrepend, + $RemoteNetworkId, [Parameter()] [System.Int32] $Skip, - [Parameter()] - [System.String] - $TeamId, - + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + 
[System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Remove-MgBetaNetworkAccessConnectivityRemoteNetwork +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String] + $RemoteNetworkId + ) +} +function Remove-MgBetaNetworkAccessConnectivityRemoteNetworkDeviceLink +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String] + 
$DeviceLinkId, + + [Parameter()] + [System.String] + $RemoteNetworkId + ) +} +function New-MgBetaNetworkAccessConnectivityRemoteNetwork +{ + [CmdletBinding()] + param( + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [PSObject] + $ConnectivityConfiguration, + + [Parameter()] + [PSObject] + $DeviceLinks, + + [Parameter()] + [PSObject] + $ForwardingProfiles, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $Version, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String] + $Region, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function New-MgBetaNetworkAccessConnectivityRemoteNetworkDeviceLink +{ + [CmdletBinding()] + param( + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject] + $RedundancyConfiguration, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [PSObject] + $BgpConfiguration, + + [Parameter()] + [System.String] + $RemoteNetworkId, + + [Parameter()] + [System.String] + 
$IPAddress, + + [Parameter()] + [PSObject] + $TunnelConfiguration, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.String] + $BandwidthCapacityInMbps, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $DeviceVendor, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +#endregion +#region Microsoft.Graph.Beta.Teams +function Get-MgBetaTeam +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String] + $TeamId, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaTeamChannel +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + 
$Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.String] + $ChannelId, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String] + $TeamId, + [Parameter()] [System.Int32] $Top, @@ -50034,6 +51863,10 @@ function New-MgServicePrincipal [PSObject] $DelegatedPermissionClassifications, + [Parameter()] + [System.Collections.Hashtable] + $CustomSecurityAttributes, + [Parameter()] [PSObject] $PasswordCredentials, @@ -50679,6 +52512,10 @@ function Update-MgServicePrincipal [PSObject] $DelegatedPermissionClassifications, + [Parameter()] + [System.Collections.Hashtable] + $CustomSecurityAttributes, + [Parameter()] [PSObject] $PasswordCredentials, 
@@ -97099,3 +98936,4971 @@ function Get-PowerAppDlpPolicyConnectorConfigurations $ApiVersion ) } +#region MgBetaIdentityGovernanceAccessReviewDefinition +function Get-MgBetaIdentityGovernanceAccessReviewDefinition +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $AccessReviewScheduleDefinitionId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaIdentityGovernanceAccessReviewDefinition +{ + [CmdletBinding()] + param + ( + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [PSObject[]] + $AdditionalNotificationRecipients, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $BackupReviewers, + + [Parameter()] + [PSObject] + $CreatedBy, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + 
$DescriptionForAdmins, + + [Parameter()] + [System.String] + $DescriptionForReviewers, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [PSObject[]] + $FallbackReviewers, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Collections.Hashtable] + $InstanceEnumerationScope, + + [Parameter()] + [PSObject[]] + $Instances, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [PSObject[]] + $Reviewers, + + [Parameter()] + [System.Collections.Hashtable] + $Scope, + + [Parameter()] + [PSObject] + $Settings, + + [Parameter()] + [PSObject[]] + $StageSettings, + + [Parameter()] + [System.String] + $Status, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaIdentityGovernanceAccessReviewDefinition +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $AccessReviewScheduleDefinitionId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + 
[Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Set-MgBetaIdentityGovernanceAccessReviewDefinition +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $AccessReviewScheduleDefinitionId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [PSObject[]] + $AdditionalNotificationRecipients, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $BackupReviewers, + + [Parameter()] + [PSObject] + $CreatedBy, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + $DescriptionForAdmins, + + [Parameter()] + [System.String] + $DescriptionForReviewers, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [PSObject[]] + $FallbackReviewers, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Collections.Hashtable] + $InstanceEnumerationScope, + + [Parameter()] + [PSObject[]] + $Instances, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [PSObject[]] + $Reviewers, + + [Parameter()] + [System.Collections.Hashtable] + $Scope, + + [Parameter()] + [PSObject] + $Settings, + + [Parameter()] + [PSObject[]] + $StageSettings, + + [Parameter()] + [System.String] + $Status, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + 
$ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Stop-MgBetaIdentityGovernanceAccessReviewDefinition +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $AccessReviewScheduleDefinitionId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +#endregion + +function Invoke-PnPSPRestMethod +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Method, + + [Parameter()] + [System.String] + $Url, + + [Parameter()] + [System.Object] + $Content + ) +} +#region MgBetaNetworkAccessForwardingProfile +function Get-MgBetaNetworkAccessForwardingProfile +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $ForwardingProfileId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + 
[System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function Update-MgBetaNetworkAccessForwardingProfile +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $ForwardingProfileId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $Associations, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [PSObject[]] + $Policies, + + [Parameter()] + [System.Int32] + $Priority, + + [Parameter()] + [PSObject] + $ServicePrincipal, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [System.String] + $TrafficForwardingType, + + [Parameter()] + [System.String] + $Version, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + 
[Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +#endregion + +#region MgBetaNetworkAccessForwardingPolicy +function Get-MgBetaNetworkAccessForwardingPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $ForwardingPolicyId, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function New-MgBetaNetworkAccessForwardingPolicyRule +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $ForwardingPolicyId, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + 
[Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Remove-MgBetaNetworkAccessForwardingPolicyRule +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $ForwardingPolicyId, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String] + $PolicyRuleId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion + +#region MgBetaNetworkAccessForwardingProfilePolicy +function Get-MgBetaNetworkAccessForwardingProfilePolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $ForwardingProfileId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + 
[System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function Update-MgBetaNetworkAccessForwardingProfilePolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $ForwardingProfileId, + + [Parameter()] + [System.String] + $PolicyLinkId , + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [System.String] + $Version, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +#endregion + +#region MgBetaIdentityB2XUserFlow +function Get-MgBetaIdentityB2XUserFlow +{ + 
[CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaIdentityB2XUserFlow +{ + [CmdletBinding()] + param + ( + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject] + $ApiConnectorConfiguration, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [PSObject[]] + $IdentityProviders, + + [Parameter()] + [PSObject[]] + $Languages, + + [Parameter()] + [PSObject[]] + $UserAttributeAssignments, + + [Parameter()] + [PSObject[]] + $UserFlowIdentityProviders, + + [Parameter()] + [System.String] + $UserFlowType, + + [Parameter()] + [System.Single] + $UserFlowTypeVersion, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + 
[Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaIdentityB2XUserFlow +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaIdentityB2XUserFlow +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject] + $ApiConnectorConfiguration, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [PSObject[]] + $IdentityProviders, + + [Parameter()] + [PSObject[]] + $Languages, + + [Parameter()] + [PSObject[]] + 
$UserAttributeAssignments, + + [Parameter()] + [PSObject[]] + $UserFlowIdentityProviders, + + [Parameter()] + [System.String] + $UserFlowType, + + [Parameter()] + [System.Single] + $UserFlowTypeVersion, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} +#endregion + +#region MgBetaIdentityB2XUserFlowApiConnectorConfiguration +function Get-MgBetaIdentityB2XUserFlowApiConnectorConfiguration +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String[]] + $ExpandProperty + ) +} + +function Set-MgBetaIdentityB2XUserFlowPostFederationSignupByRef +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $BodyParameter + ) +} + +function Set-MgBetaIdentityB2XUserFlowPostAttributeCollectionByRef +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $BodyParameter + ) +} +#endregion + +#region MgBetaIdentityB2XUserFlowUserAttributeAssignment +function Get-MgBetaIdentityB2XUserFlowUserAttributeAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String[]] + $ExpandProperty + ) +} + +function New-MgBetaIdentityB2XUserFlowUserAttributeAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + 
$BodyParameter + ) +} + +function Update-MgBetaIdentityB2XUserFlowUserAttributeAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String] + $IdentityUserFlowAttributeAssignmentId, + + [Parameter()] + [PSObject] + $BodyParameter + ) +} + +function Remove-MgBetaIdentityB2XUserFlowUserAttributeAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String] + $IdentityUserFlowAttributeAssignmentId + ) +} + +#endregion + +#region MgBetaIdentityB2XUserFlowIdentityProvider +function Get-MgBetaIdentityB2XUserFlowIdentityProvider +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String[]] + $ExpandProperty + ) +} + +function New-MgBetaIdentityB2XUserFlowIdentityProviderByRef +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [PSObject] + $BodyParameter + ) +} + +function Remove-MgBetaIdentityB2XUserFlowIdentityProviderByRef +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $B2XIdentityUserFlowId, + + [Parameter()] + [System.String] + $IdentityProviderBaseId + ) +} +#endregion + +function Get-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $IdentityApiConnectorId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + 
[System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} +#region MgBetaOrganizationCertificateBasedAuthConfiguration +function Get-MgBetaOrganizationCertificateBasedAuthConfiguration +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $CertificateBasedAuthConfigurationId, + + [Parameter()] + [System.String] + $OrganizationId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function 
New-MgBetaOrganizationCertificateBasedAuthConfiguration +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $OrganizationId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $CertificateAuthorities, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaOrganizationCertificateBasedAuthConfiguration +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $CertificateBasedAuthConfigurationId, + + [Parameter()] + [System.String] + $OrganizationId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + 
[System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [System.String] + $IdentityApiConnectorId, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} + +function New-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $TargetUrl, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + 
$ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} + +function Remove-MgBetaIdentityApiConnector +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String] + $IdentityApiConnectorId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} + +function Invoke-MgBetaUploadIdentityApiConnectorClientCertificate +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Password, + + [Parameter()] + [System.String] + $IdentityApiConnectorId, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $Pkcs12Value, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + 
$ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} + +#endregion +#region MgBetaPolicyHomeRealmDiscoveryPolicy +function Get-MgBetaPolicyHomeRealmDiscoveryPolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $HomeRealmDiscoveryPolicyId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaPolicyHomeRealmDiscoveryPolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.Collections.Hashtable] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $AppliesTo, + + [Parameter()] + [System.String[]] + $Definition, 
+ + [Parameter()] + [System.DateTime] + $DeletedDateTime, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsOrganizationDefault, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaPolicyHomeRealmDiscoveryPolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $HomeRealmDiscoveryPolicyId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaPolicyHomeRealmDiscoveryPolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $HomeRealmDiscoveryPolicyId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + 
[System.Collections.Hashtable] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $AppliesTo, + + [Parameter()] + [System.String[]] + $Definition, + + [Parameter()] + [System.DateTime] + $DeletedDateTime, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsOrganizationDefault, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +#endregion + +#region Microsoft.Graph.Authentication +function Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $AndroidDeviceOwnerEnrollmentProfileId, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + 
$Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $WifiSecurityType, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $WifiSsid, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ConfigureWifi, + + [Parameter()] + [System.String] + $TokenValue, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.DateTime] + $TokenCreationDateTime, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $WifiHidden, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $WifiPassword, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $EnrollmentMode, + + [Parameter()] + [PSObject] + $QrCodeImage, + + [Parameter()] + [System.String] + $AccountId, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.DateTime] + $TokenExpirationDateTime, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + 
[System.Int32] + $EnrolledDeviceCount, + + [Parameter()] + [PSObject] + $EnrollmentTokenType, + + [Parameter()] + [System.String] + $QrCodeContent, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Int32] + $EnrollmentTokenUsageCount, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsTeamsDeviceProfile, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $AndroidDeviceOwnerEnrollmentProfileId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion + +function Get-AzResourceGroup +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Id + ) +} + +#region Microsoft.Graph.Authentication +function Set-PolicyConfig +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Object[]] + $DlpAppGroups, + + [Parameter()] + [System.Object] + $OnPremisesWorkload, + + [Parameter()] + 
[System.Boolean] + $EnableAdvancedRuleBuilder, + + [Parameter()] + [System.Object[]] + $DlpAppGroupsPsws, + + [Parameter()] + [System.Boolean] + $ReservedForFutureUse, + + [Parameter()] + [System.Boolean] + $EnableSpoAipMigration, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.String] + $ComplianceUrl, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $MigrateLabelScheme, + + [Parameter()] + [System.Boolean] + $IsDlpSimulationOptedIn, + + [Parameter()] + [System.Object] + $InformationBarrierPeopleSearchRestriction, + + [Parameter()] + [System.String] + $TextExtractionConfig, + + [Parameter()] + [System.Object] + $DocumentIsUnsupportedSeverity, + + [Parameter()] + [System.Object[]] + $EndpointDlpGlobalSettingsPsws, + + [Parameter()] + [System.Object] + $ProcessingLimitExceededSeverity, + + [Parameter()] + [System.Boolean] + $ExtendTeamsDlpPoliciesToSharePointOneDrive, + + [Parameter()] + [System.Object[]] + $EndpointDlpGlobalSettings, + + [Parameter()] + [System.Boolean] + $IsEventFoldingOnDlpAlertsOptedOut, + + [Parameter()] + [System.Object] + $DlpRemovableMediaGroups, + + [Parameter()] + [System.Boolean] + $RetentionForwardCrawl, + + [Parameter()] + [System.String] + $JitEnforcementSettings, + + [Parameter()] + [System.Boolean] + $EnableLabelCoauth, + + [Parameter()] + [System.Object] + $SenderAddressLocation, + + [Parameter()] + [System.Object[]] + $SiteGroupsPsws, + + [Parameter()] + [System.Object] + $RuleErrorAction, + + [Parameter()] + [System.Boolean] + $IsDefaultMlDlpPoliciesOptedOut, + + [Parameter()] + [System.Object] + $DlpNetworkShareGroups, + + [Parameter()] + [System.Object] + $DlpExtensionGroups, + + [Parameter()] + [System.Boolean] + $PurviewLabelConsent, + + [Parameter()] + [System.Object] + $DlpPrinterGroups, + + [Parameter()] + [System.Object] + $InformationBarrierMode, + + [Parameter()] + [System.Object[]] + $SiteGroups, + + [Parameter()] + [System.Object] + 
$ClassificationScheme, + + [Parameter()] + [System.Boolean] + $EnableSensitivityLabelingForPdf, + + [Parameter()] + [System.String[]] + $MessageHeadersToRetainInOutlook + ) +} +function Get-PolicyConfig +{ + [CmdletBinding()] + param( + + ) +} +#endregion + +#region Microsoft.Graph.Authentication +function Update-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $CallbackConfiguration, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.Hashtable] + $EndpointConfiguration, + + [Parameter()] + [PSObject] + $ClientConfiguration, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [PSObject] + $CreatedBy, + + [Parameter()] + [System.String] + $CustomTaskExtensionId, + + [Parameter()] + [PSObject] + $LastModifiedBy, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function New-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension +{ + [CmdletBinding()] + 
param( + [Parameter()] + [PSObject] + $CallbackConfiguration, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Collections.Hashtable] + $AuthenticationConfiguration, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.Hashtable] + $EndpointConfiguration, + + [Parameter()] + [PSObject] + $ClientConfiguration, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [PSObject] + $CreatedBy, + + [Parameter()] + [PSObject] + $LastModifiedBy, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Remove-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.String] + $CustomTaskExtensionId, + + [Parameter()] 
+ [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CustomTaskExtensionId, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +#endregion +#region Microsoft.Graph.Authentication +function Get-MgBetaNetworkAccessSettingEnrichedAuditLog +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String[]] + 
$ExpandProperty, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion +#region Microsoft.Graph.Authentication +function Get-MgBetaNetworkAccessSettingCrossTenantAccess +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Update-MgBetaNetworkAccessSettingCrossTenantAccess +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String] + 
$NetworkPacketTaggingStatus, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion +#region Microsoft.Graph.Authentication +function Get-MgBetaDeviceManagementApplePushNotificationCertificate +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Get-MgBetaDeviceManagementDataSharingConsent +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.String] + $DataSharingConsentId, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + 
[Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Update-MgBetaDeviceManagementApplePushNotificationCertificate +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $AppleIdentifier, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $CertificateUploadFailureReason, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.String] + $Certificate, + + [Parameter()] + [System.String] + $TopicIdentifier, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.DateTime] + $ExpirationDateTime, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String] + $CertificateUploadStatus, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +#endregion +#region Microsoft.Graph.Authentication +function Update-MgBetaNetworkAccessFilteringPolicyRule +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $FilteringPolicyId, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + 
[Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $PolicyRuleId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaNetworkAccessFilteringPolicyRule +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $FilteringPolicyId, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $PolicyRuleId, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + 
$HttpPipelineAppend + ) +} +function New-MgBetaNetworkAccessFilteringPolicyRule +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $FilteringPolicyId, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Remove-MgBetaNetworkAccessFilteringPolicyRule +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $FilteringPolicyId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String] + $PolicyRuleId, + + [Parameter()] + 
[System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion +#region Microsoft.Graph.Authentication +function Update-MgBetaNetworkAccessFilteringPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $PolicyRules, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.String] + $FilteringPolicyId, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + $Action, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $Version, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaNetworkAccessFilteringPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $FilteringPolicyId, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + 
[System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function New-MgBetaNetworkAccessFilteringPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $PolicyRules, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + $Action, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $Version, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Remove-MgBetaNetworkAccessFilteringPolicy +{ + 
[CmdletBinding()] + param( + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $FilteringPolicyId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion +#region Microsoft.Graph.Authentication +function New-MgBetaNetworkAccessFilteringProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $Policies, + + [Parameter()] + [System.Int64] + $Priority, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $Version, + + [Parameter()] + [System.String] + $State, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $ConditionalAccessPolicies, + + [Parameter()] + [System.Management.Automation.PSCredential] + 
$ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaNetworkAccessFilteringProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $FilteringProfileId, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Remove-MgBetaNetworkAccessFilteringProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + [Parameter()] + 
[System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String] + $FilteringProfileId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion +#region Microsoft.Graph.Authentication +function Get-MgBetaNetworkAccessFilteringProfilePolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $FilteringProfileId, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $PolicyLinkId, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +#endregion +#region Microsoft.Graph.Authentication +function Update-MgBetaNetworkAccessSettingConditionalAccess +{ + [CmdletBinding()] + param( + [Parameter()] 
+ [System.String] + $Id, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String] + $SignalingStatus, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties + ) +} +function Get-MgBetaNetworkAccessSettingConditionalAccess +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion + +#region MgBetaPolicyClaimMappingPolicy +function Get-MgBetaPolicyClaimMappingPolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $ClaimsMappingPolicyId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + 
[System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaPolicyClaimMappingPolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.Collections.Hashtable] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $AppliesTo, + + [Parameter()] + [System.String[]] + $Definition, + + [Parameter()] + [System.DateTime] + $DeletedDateTime, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsOrganizationDefault, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + 
[System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaPolicyClaimMappingPolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $ClaimsMappingPolicyId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaPolicyClaimMappingPolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $ClaimsMappingPolicyId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Collections.Hashtable] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $AppliesTo, + + [Parameter()] + [System.String[]] + $Definition, + + [Parameter()] + [System.DateTime] + $DeletedDateTime, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsOrganizationDefault, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + 
$Headers,
+
+ [Parameter()]
+ [PSObject[]]
+ $HttpPipelineAppend,
+
+ [Parameter()]
+ [PSObject[]]
+ $HttpPipelinePrepend,
+
+ [Parameter()]
+ [System.Uri]
+ $Proxy,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ProxyCredential,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $ProxyUseDefaultCredentials,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $Confirm
+ )
+}
+#endregion
+#region Microsoft.Graph.Authentication
+function New-TenantAllowBlockListSpoofItems
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.String]
+ $Action,
+
+ [Parameter()]
+ [System.String]
+ $SendingInfrastructure,
+
+ [Parameter()]
+ [System.String]
+ $SpoofType,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $Confirm,
+
+ [Parameter()]
+ [System.Object]
+ $Identity,
+
+ [Parameter()]
+ [System.String]
+ $SpoofedUser
+ )
+}
+function Remove-TenantAllowBlockListSpoofItems
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $Confirm,
+
+ [Parameter()]
+ [System.Object]
+ $Identity,
+
+ [Parameter()]
+ [System.String[]]
+ $Ids
+ )
+}
+function Get-TenantAllowBlockListSpoofItems
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.String]
+ $Action,
+
+ [Parameter()]
+ [System.String]
+ $SpoofType,
+
+ [Parameter()]
+ [System.Object]
+ $Identity
+ )
+}
+function Set-TenantAllowBlockListSpoofItems
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.String]
+ $Action,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $Confirm,
+
+ [Parameter()]
+ [System.Object]
+ $Identity,
+
+ [Parameter()]
+ [System.String[]]
+ $Ids
+ )
+}
+
+#endregion
diff --git a/docs/docs/resources/azure-ad/AADAccessReviewDefinition.md b/docs/docs/resources/azure-ad/AADAccessReviewDefinition.md
new file mode 100644
index 0000000000..610ff50d6a
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADAccessReviewDefinition.md
@@ -0,0 +1,436 @@
+# AADAccessReviewDefinition
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Id** | Key | String | The unique identifier for an entity. Read-only. | |
+| **DisplayName** | Required | String | Name of the access review series. Supports $select and $orderby. Required on create. | |
+| **DescriptionForAdmins** | Write | String | Description provided by review creators to provide more context of the review to admins. Supports $select. | |
+| **DescriptionForReviewers** | Write | String | Description provided by review creators to provide more context of the review to reviewers. Reviewers see this description in the email sent to them requesting their review. Email notifications support up to 256 characters. Supports $select. | |
+| **ScopeValue** | Write | MSFT_MicrosoftGraphaccessReviewScope | Defines the entities whose access is reviewed. For supported scopes, see accessReviewScope. Required on create. Supports $select and $filter (contains only). For examples of options for configuring scope, see Configure the scope of your access review definition using the Microsoft Graph API. | |
+| **SettingsValue** | Write | MSFT_MicrosoftGraphaccessReviewScheduleSettings | The settings for an access review series, see type definition below. Supports $select. Required on create. | |
+| **StageSettings** | Write | MSFT_MicrosoftGraphaccessReviewStageSettings[] | Required only for a multi-stage access review to define the stages and their settings. You can break down each review instance into up to three sequential stages, where each stage can have a different set of reviewers, fallback reviewers, and settings. Stages are created sequentially based on the dependsOn property. Optional. When this property is defined, its settings are used instead of the corresponding settings in the accessReviewScheduleDefinition object and its settings, reviewers, and fallbackReviewers properties.
| |
+| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_MicrosoftGraphAccessReviewScope
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Query** | Write | String | The query representing what will be reviewed in an access review. | |
+| **QueryRoot** | Write | String | In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query is specified. For example, ./manager. | |
+| **QueryType** | Write | String | Indicates the type of query. Types include MicrosoftGraph and ARM. | |
+| **PrincipalScopes** | Write | MSFT_MicrosoftGraphAccessReviewScope[] | Defines the scopes of the principals for which access to resources are reviewed in the access review. | |
+| **ResourceScopes** | Write | MSFT_MicrosoftGraphAccessReviewScope[] | Defines the scopes of the resources for which access is reviewed. | |
+| **odataType** | Write | String | The type of the entity.
| `#microsoft.graph.accessReviewQueryScope`, `#microsoft.graph.accessReviewReviewerScope`, `#microsoft.graph.principalResourceMembershipsScope` |
+
+### MSFT_MicrosoftGraphAccessReviewScheduleSettings
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **ApplyActions** | Write | MSFT_MicrosoftGraphAccessReviewApplyAction[] | Optional field. Describes the actions to take once a review is complete. There are two types that are currently supported: removeAccessApplyAction (default) and disableAndDeleteUserApplyAction. Field only needs to be specified in the case of disableAndDeleteUserApplyAction. | |
+| **AutoApplyDecisionsEnabled** | Write | Boolean | Indicates whether decisions are automatically applied. When set to false, an admin must apply the decisions manually once the reviewer completes the access review. When set to true, decisions are applied automatically after the access review instance duration ends, whether or not the reviewers have responded. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond. | |
+| **DecisionHistoriesForReviewersEnabled** | Write | Boolean | Indicates whether decisions on previous access review stages are available for reviewers on an accessReviewInstance with multiple subsequent stages. If not provided, the default is disabled (false). | |
+| **DefaultDecision** | Write | String | Decision chosen if defaultDecisionEnabled is enabled. Can be one of Approve, Deny, or Recommendation. | |
+| **DefaultDecisionEnabled** | Write | Boolean | Indicates whether the default decision is enabled or disabled when reviewers do not respond. Default value is false.
CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond. | |
+| **InstanceDurationInDays** | Write | UInt32 | Duration of each recurrence of review (accessReviewInstance) in number of days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its durationInDays setting will be used instead of the value of this property. | |
+| **JustificationRequiredOnApproval** | Write | Boolean | Indicates whether reviewers are required to provide justification with their decision. Default value is false. | |
+| **MailNotificationsEnabled** | Write | Boolean | Indicates whether emails are enabled or disabled. Default value is false. | |
+| **RecommendationInsightSettings** | Write | MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting[] | Optional. Describes the types of insights that aid reviewers to make access review decisions. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationInsightSettings setting will be used instead of the value of this property. | |
+| **RecommendationLookBackDuration** | Write | String | Optional field. Indicates the period of inactivity (with respect to the start date of the review instance) that recommendations will be configured from. The recommendation will be to deny if the user is inactive during the look-back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationLookBackDuration setting will be used instead of the value of this property. | |
+| **RecommendationsEnabled** | Write | Boolean | Indicates whether decision recommendations are enabled or disabled.
NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationsEnabled setting will be used instead of the value of this property. | |
+| **Recurrence** | Write | MSFT_MicrosoftGraphPatternedRecurrence | Detailed settings for recurrence using the standard Outlook recurrence object. Note: Only dayOfMonth, interval, and type (weekly, absoluteMonthly) properties are supported. Use the property startDate on recurrenceRange to determine the day the review starts. | |
+| **ReminderNotificationsEnabled** | Write | Boolean | Indicates whether reminders are enabled or disabled. Default value is false. | |
+
+### MSFT_MicrosoftGraphAccessReviewApplyAction
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **odataType** | Write | String | The type of the entity. | `#microsoft.graph.disableAndDeleteUserApplyAction`, `#microsoft.graph.removeAccessApplyAction` |
+
+### MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **RecommendationLookBackDuration** | Write | String | Optional. Indicates the time period of inactivity (with respect to the start date of the review instance) that recommendations will be configured from. The recommendation will be to deny if the user is inactive during the look-back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. | |
+| **SignInScope** | Write | String | Indicates whether inactivity is calculated based on the user's inactivity in the tenant or in the application. The possible values are tenant, application, unknownFutureValue. application is only relevant when the access review is a review of an assignment to an application.
| `tenant`, `application`, `unknownFutureValue` |
+| **odataType** | Write | String | The type of the entity. | `#microsoft.graph.groupPeerOutlierRecommendationInsightSettings`, `#microsoft.graph.userLastSignInRecommendationInsightSetting` |
+
+### MSFT_MicrosoftGraphPatternedRecurrence
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Pattern** | Write | MSFT_MicrosoftGraphRecurrencePattern | The frequency of an event. Do not specify for a one-time access review. For access reviews: Do not specify this property for a one-time access review. Only interval, dayOfMonth, and type (weekly, absoluteMonthly) properties of recurrencePattern are supported. | |
+| **Range** | Write | MSFT_MicrosoftGraphRecurrenceRange | The duration of an event. | |
+
+### MSFT_MicrosoftGraphRecurrencePattern
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **DayOfMonth** | Write | UInt32 | The day of the month on which the event occurs. Required if type is absoluteMonthly or absoluteYearly. | |
+| **DaysOfWeek** | Write | StringArray[] | A collection of the days of the week on which the event occurs. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. If type is relativeMonthly or relativeYearly, and daysOfWeek specifies more than one day, the event falls on the first day that satisfies the pattern. Required if type is weekly, relativeMonthly, or relativeYearly. | |
+| **FirstDayOfWeek** | Write | String | The first day of the week. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. Default is sunday. Required if type is weekly. | |
+| **Index** | Write | String | Specifies on which instance of the allowed days specified in daysOfWeek the event occurs, counted from the first instance in the month. The possible values are: first, second, third, fourth, last.
Default is first. Optional and used if type is relativeMonthly or relativeYearly. | `first`, `second`, `third`, `fourth`, `last` |
+| **Interval** | Write | UInt32 | The number of units between occurrences, where units can be in days, weeks, months, or years, depending on the type. Required. | |
+| **Month** | Write | UInt32 | The month in which the event occurs. This is a number from 1 to 12. | |
+| **Type** | Write | String | The recurrence pattern type: daily, weekly, absoluteMonthly, relativeMonthly, absoluteYearly, relativeYearly. Required. For more information, see values of type property. | `daily`, `weekly`, `absoluteMonthly`, `relativeMonthly`, `absoluteYearly`, `relativeYearly` |
+
+### MSFT_MicrosoftGraphRecurrenceRange
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **EndDate** | Write | String | The date to stop applying the recurrence pattern. Depending on the recurrence pattern of the event, the last occurrence of the meeting may not be this date. Required if type is endDate. | |
+| **NumberOfOccurrences** | Write | UInt32 | The number of times to repeat the event. Required and must be positive if type is numbered. | |
+| **RecurrenceTimeZone** | Write | String | Time zone for the startDate and endDate properties. Optional. If not specified, the time zone of the event is used. | |
+| **StartDate** | Write | String | The date to start applying the recurrence pattern. The first occurrence of the meeting may be this date or later, depending on the recurrence pattern of the event. Must be the same value as the start property of the recurring event. Required. | |
+| **Type** | Write | String | The recurrence range. Possible values are: endDate, noEnd, numbered. Required.
| `endDate`, `noEnd`, `numbered` | + +### MSFT_MicrosoftGraphAccessReviewStageSettings + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DecisionsThatWillMoveToNextStage** | Write | StringArray[] | Indicate which decisions will go to the next stage. Can be a subset of Approve, Deny, Recommendation, or NotReviewed. If not provided, all decisions will go to the next stage. Optional. | | +| **DependsOnValue** | Write | StringArray[] | Defines the sequential or parallel order of the stages and depends on the stageId. Only sequential stages are currently supported. For example, if stageId is 2, then dependsOn must be 1. If stageId is 1, don't specify dependsOn. Required if stageId isn't 1. | | +| **DurationInDays** | Write | UInt32 | The duration of the stage. Required. NOTE: The cumulative value of this property across all stages 1. Will override the instanceDurationInDays setting on the accessReviewScheduleDefinition object. 2. Can't exceed the length of one recurrence. That is, if the review recurs weekly, the cumulative durationInDays can't exceed 7. | | +| **RecommendationInsightSettings** | Write | MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting[] | Recommendation Insights Settings | | +| **RecommendationLookBackDuration** | Write | String | Optional field. Indicates the time period of inactivity (with respect to the start date of the review instance) from which that recommendations will be configured. The recommendation is to deny if the user is inactive during the look back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object. 
| | +| **RecommendationsEnabled** | Write | Boolean | Indicates whether showing recommendations to reviewers is enabled. Required. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object. | | +| **StageId** | Write | String | Unique identifier of the accessReviewStageSettings. The stageId is used in dependsOn property to indicate the stage relationship. Required. | | + + +## Description + +Azure AD Access Review Definition + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - AccessReview.Read.All + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - AccessReview.Read.All + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + + AADAccessReviewDefinition "AADAccessReviewDefinition-Example" + { + DescriptionForAdmins = "description for admins"; + DescriptionForReviewers = "description for reviewers"; + DisplayName = "Test Access Review Definition"; + Ensure = "Present"; + Id = "613854e6-c458-4a2c-83fc-e0f4b8b17d60"; + ScopeValue = MSFT_MicrosoftGraphaccessReviewScope{ + PrincipalScopes = @( + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/v1.0/users?$filter=userType eq ''Guest''' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + ) + ResourceScopes = @( + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/v1.0/groups/a8ab05ba-6680-4f93-88ae-71099eedfda1/transitiveMembers/microsoft.graph.user/?$count=true&$filter=(userType eq ''Guest'')' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/beta/teams/a8ab05ba-6680-4f93-88ae-71099eedfda1/channels?$filter=membershipType eq ''shared''' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + ) + odataType = '#microsoft.graph.principalResourceMembershipsScope' + }; + SettingsValue = MSFT_MicrosoftGraphaccessReviewScheduleSettings{ + ApplyActions = @( + MSFT_MicrosoftGraphAccessReviewApplyAction{ + odataType = '#microsoft.graph.removeAccessApplyAction' + } + ) + InstanceDurationInDays = 4 + RecommendationsEnabled = $False + DecisionHistoriesForReviewersEnabled = $False + DefaultDecisionEnabled = $False + JustificationRequiredOnApproval = $True + RecommendationInsightSettings = @( + MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting{ + SignInScope = 'tenant' + 
RecommendationLookBackDuration = 'P15D' + odataType = '#microsoft.graph.userLastSignInRecommendationInsightSetting' + } + ) + AutoApplyDecisionsEnabled = $False + ReminderNotificationsEnabled = $True + Recurrence = MSFT_MicrosoftGraphPatternedRecurrence{ + Range = MSFT_MicrosoftGraphRecurrenceRange{ + NumberOfOccurrences = 0 + Type = 'noEnd' + StartDate = '10/18/2024 12:00:00 AM' + EndDate = '12/31/9999 12:00:00 AM' + } + Pattern = MSFT_MicrosoftGraphRecurrencePattern{ + DaysOfWeek = @() + Type = 'weekly' + Interval = 1 + Month = 0 + Index = 'first' + FirstDayOfWeek = 'sunday' + DayOfMonth = 0 + } + + } + DefaultDecision = 'None' + RecommendationLookBackDuration = '15.00:00:00' + MailNotificationsEnabled = $False + }; + StageSettings = @( + MSFT_MicrosoftGraphaccessReviewStageSettings{ + StageId = '1' + RecommendationsEnabled = $True + DependsOnValue = @() + DecisionsThatWillMoveToNextStage = @('Approve') + DurationInDays = 3 + } + MSFT_MicrosoftGraphaccessReviewStageSettings{ + StageId = '2' + RecommendationsEnabled = $True + DependsOnValue = @('1') + DecisionsThatWillMoveToNextStage = @('Approve') + DurationInDays = 3 + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADAccessReviewDefinition "AADAccessReviewDefinition-Example" + { + DescriptionForAdmins = "description for admins"; + DescriptionForReviewers = "description for reviewers updated"; # drifted properties + DisplayName = "Test Access Review Definition"; + Ensure = "Present"; + Id = "613854e6-c458-4a2c-83fc-e0f4b8b17d60"; + ScopeValue = MSFT_MicrosoftGraphaccessReviewScope{ + PrincipalScopes = @( + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/v1.0/users?$filter=userType eq ''Guest''' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + ) + ResourceScopes = @( + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/v1.0/groups/a8ab05ba-6680-4f93-88ae-71099eedfda1/transitiveMembers/microsoft.graph.user/?$count=true&$filter=(userType eq ''Guest'')' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + MSFT_MicrosoftGraphAccessReviewScope{ + Query = '/beta/teams/a8ab05ba-6680-4f93-88ae-71099eedfda1/channels?$filter=membershipType eq ''shared''' + odataType = '#microsoft.graph.accessReviewQueryScope' + QueryType = 'MicrosoftGraph' + } + ) + odataType = '#microsoft.graph.principalResourceMembershipsScope' + }; + SettingsValue = MSFT_MicrosoftGraphaccessReviewScheduleSettings{ + ApplyActions = @( + MSFT_MicrosoftGraphAccessReviewApplyAction{ + odataType = '#microsoft.graph.removeAccessApplyAction' + } + ) + InstanceDurationInDays = 4 + RecommendationsEnabled = $False + DecisionHistoriesForReviewersEnabled = $False + DefaultDecisionEnabled = $False + JustificationRequiredOnApproval = $True + RecommendationInsightSettings = @( + MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting{ + SignInScope = 
'tenant' + RecommendationLookBackDuration = 'P15D' + odataType = '#microsoft.graph.userLastSignInRecommendationInsightSetting' + } + ) + AutoApplyDecisionsEnabled = $False + ReminderNotificationsEnabled = $True + Recurrence = MSFT_MicrosoftGraphPatternedRecurrence{ + Range = MSFT_MicrosoftGraphRecurrenceRange{ + NumberOfOccurrences = 0 + Type = 'noEnd' + StartDate = '10/18/2024 12:00:00 AM' + EndDate = '12/31/9999 12:00:00 AM' + } + Pattern = MSFT_MicrosoftGraphRecurrencePattern{ + DaysOfWeek = @() + Type = 'weekly' + Interval = 1 + Month = 0 + Index = 'first' + FirstDayOfWeek = 'sunday' + DayOfMonth = 0 + } + + } + DefaultDecision = 'None' + RecommendationLookBackDuration = '15.00:00:00' + MailNotificationsEnabled = $False + }; + StageSettings = @( + MSFT_MicrosoftGraphaccessReviewStageSettings{ + StageId = '1' + RecommendationsEnabled = $True + DependsOnValue = @() + DecisionsThatWillMoveToNextStage = @('Approve') + DurationInDays = 3 + } + MSFT_MicrosoftGraphaccessReviewStageSettings{ + StageId = '2' + RecommendationsEnabled = $True + DependsOnValue = @('1') + DecisionsThatWillMoveToNextStage = @('Approve') + DurationInDays = 3 + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADAccessReviewDefinition "AADAccessReviewDefinition-Example" + { + DescriptionForAdmins = "description for admins"; + DescriptionForReviewers = "description for reviewers"; + DisplayName = "Test Access Review Definition"; + Ensure = "Absent"; + Id = "613854e6-c458-4a2c-83fc-e0f4b8b17d60"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADAccessReviewPolicy.md b/docs/docs/resources/azure-ad/AADAccessReviewPolicy.md new file mode 100644 index 0000000000..4e177d7a41 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADAccessReviewPolicy.md 
@@ -0,0 +1,85 @@
+# AADAccessReviewPolicy
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` |
+| **IsGroupOwnerManagementEnabled** | Write | Boolean | If true, group owners can create and manage access reviews on groups they own. | |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+
+## Description
+
+Use this resource to monitor the access review policy object.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - Policy.Read.All
+
+- **Update**
+
+ - Policy.ReadWrite.AccessReview
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADAccessReviewPolicy "AADAccessReviewPolicy"
+ {
+ IsGroupOwnerManagementEnabled = $False;
+ IsSingleInstance = "Yes";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AADAdminConsentRequestPolicy.md b/docs/docs/resources/azure-ad/AADAdminConsentRequestPolicy.md
index c87b4f13da..22e249c7d5 100644
--- a/docs/docs/resources/azure-ad/AADAdminConsentRequestPolicy.md
+++ b/docs/docs/resources/azure-ad/AADAdminConsentRequestPolicy.md
@@ -12,6 +12,7 @@
 | **Reviewers** | Write | MSFT_AADAdminConsentRequestPolicyReviewer[] | The list of reviewers for the admin consent. | |
 | **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
 | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory application to authenticate with. | |
 | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
 | **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
 | **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
diff --git a/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyExternal.md b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyExternal.md
new file mode 100644
index 0000000000..275115ee02
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADAuthenticationMethodPolicyExternal.md
@@ -0,0 +1,228 @@ +# AADAuthenticationMethodPolicyExternal + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **ExcludeTargets** | Write | MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget[] | Displayname of the groups of users that are excluded from a policy. | | +| **IncludeTargets** | Write | MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget[] | Displayname of the groups of users that are included from a policy. | | +| **OpenIdConnectSetting** | Write | MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting | Open ID Connection settings used by this external authentication method. | | +| **State** | Write | String | The state of the policy. Possible values are: enabled, disabled. | `enabled`, `disabled` | +| **AppId** | Write | String | The appId for the app registration in Microsoft Entra ID representing the integration with the external provider. | | +| **DisplayName** | Key | String | The displayName of the authentication policy configuration. Read-only. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. 
| | + +### MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Write | String | The object identifier of an Azure AD group. | | +| **TargetType** | Write | String | The type of the authentication method target. Possible values are: group and unknownFutureValue. | `user`, `group`, `unknownFutureValue` | + +### MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Write | String | The object identifier of an Azure AD group. | | +| **TargetType** | Write | String | The type of the authentication method target. Possible values are: group and unknownFutureValue. | `user`, `group`, `unknownFutureValue` | + +### MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **ClientId** | Write | String | The Microsoft Entra ID's client ID as generated by the provider or admin to identify Microsoft Entra ID. | | +| **DiscoveryUrl** | Write | String | The host URL of the external identity provider's OIDC discovery endpoint. 
| | + + +## Description + +Azure AD Authentication Method Policy External + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - Policy.ReadWrite.AuthenticationMethod, Policy.Read.All + +- **Update** + + - Policy.ReadWrite.AuthenticationMethod, Policy.Read.All + +#### Application permissions + +- **Read** + + - Policy.ReadWrite.AuthenticationMethod, Policy.Read.All + +- **Update** + + - Policy.ReadWrite.AuthenticationMethod, Policy.Read.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb"; + DisplayName = "Cisco Duo"; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{ + Id = 'Design' + TargetType = 'group' + } + ); + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{ + Id = 'Contoso' + TargetType = 'group' + } + ); + OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '7698a352-4939-486e-9974-4ea5aff93f74' + }; + State = "disabled"; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. 
+It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + Node localhost + { + AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + AppId = "e35c54ff-bd24-4c52-921a-4b90a35808eb"; + DisplayName = "Cisco Duo"; + Ensure = "Present"; + ExcludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalExcludeTarget{ + Id = 'Design' + TargetType = 'group' + } + ); + IncludeTargets = @( + MSFT_AADAuthenticationMethodPolicyExternalIncludeTarget{ + Id = 'Contoso' + TargetType = 'group' + } + ); + OpenIdConnectSetting = MSFT_AADAuthenticationMethodPolicyExternalOpenIdConnectSetting{ + discoveryUrl = 'https://graph.microsoft.com/' + clientId = '7698a352-4939-486e-9974-4ea5aff93f74' + }; + State = "disabled"; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + Node localhost + { + AADAuthenticationMethodPolicyExternal "AADAuthenticationMethodPolicyExternal-Cisco Duo" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DisplayName = "Cisco Duo"; + Ensure = "Absent"; + } + } +} +``` + 
diff --git a/docs/docs/resources/azure-ad/AADClaimsMappingPolicy.md b/docs/docs/resources/azure-ad/AADClaimsMappingPolicy.md
new file mode 100644
index 0000000000..37fc28210e
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADClaimsMappingPolicy.md
@@ -0,0 +1,337 @@
+# AADClaimsMappingPolicy
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Definition** | Write | MSFT_AADClaimsMappingPolicyDefinition[] | A string collection containing a JSON string that defines the rules and settings for a policy. The syntax for the definition differs for each derived policy type. Required. | |
+| **IsOrganizationDefault** | Write | Boolean | If set to true, activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false. | |
+| **Description** | Write | String | Description for this policy. Required. | |
+| **DisplayName** | Key | String | Display name for this policy. Required. | |
+| **Id** | Write | String | The unique identifier for an entity. Read-only. | |
+| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication.
| | + +### MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Value** | Write | String | The value of the input parameters of the claims transformation in the claims mapping policy. | | +| **Id** | Write | String | The object identifier of the input parameters of the claims transformation in the claims mapping policy. | | +| **DataType** | Write | String | The data type of the input parameters of the claims transformation in the claims mapping policy. | | + +### MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **ClaimTypeReferenceId** | Write | String | The claim type reference ID of the output claims of the claims transformation in the claims mapping policy. | | +| **TransformationClaimType** | Write | String | The transformation type of the output claims of the claims transformation in the claims mapping policy. | | + +### MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Write | String | The object identifier of the claims transformation in the claims mapping policy. | | +| **TransformationMethod** | Write | String | The transformation method of the claims transformation in the claims mapping policy. | | +| **InputParameters** | Write | MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter[] | The list of input parameters of the claims transformation in the claims mapping policy. 
| | +| **OutputClaims** | Write | MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims[] | The list of output claims of the claims transformation in the claims mapping policy. | | + +### MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Source** | Write | String | The source name of the claims schema in the claims mapping policy. | | +| **Id** | Write | String | The object identifier of the claims schema in the claims mapping policy. | | +| **SamlClaimType** | Write | String | The SAML claims type of the claims schema in the claims mapping policy. | | + +### MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Version** | Write | UInt32 | Set value of 1. Required. | | +| **IncludeBasicClaimSet** | Write | Boolean | If set to true, all claims in the basic claim set are emitted in tokens affected by the policy. If set to false, claims in the basic claim set are not in the tokens, unless they are individually added in the ClaimsSchema property of the same policy. | | +| **ClaimsSchema** | Write | MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema[] | Defines which claims are present in the tokens affected by the policy, in addition to the basic claim set and the core claim set. | | +| **ClaimsTransformation** | Write | MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation[] | Defines common transformations that can be applied to source data, to generate the output data for claims specified in the ClaimsSchema. 
| | + +### MSFT_AADClaimsMappingPolicyDefinition + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **ClaimsMappingPolicy** | Write | MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy | Rules and settings of the policy. | | + + +## Description + +Azure AD Claims Mapping Policy + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - Policy.Read.All + +- **Update** + + - Policy.ReadWrite.ApplicationConfiguration + +#### Application permissions + +- **Read** + + - Policy.Read.All + +- **Update** + + - Policy.ReadWrite.ApplicationConfiguration + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADClaimsMappingPolicy "AADClaimsMappingPolicy-Test1234" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Definition = @( + MSFT_AADClaimsMappingPolicyDefinition{ + ClaimsMappingPolicy = MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy{ + ClaimsSchema = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' + Source = 'user' + Id = 'userprincipalname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' + Source = 'user' + Id = 'givenname' + } + 
MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' + Source = 'user' + Id = 'displayname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' + Source = 'user' + Id = 'surname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'username' + Source = 'user' + Id = 'userprincipalname' + } + ) + ClaimsTransformation = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation{ + OutputClaims = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims{ + ClaimTypeReferenceId = 'TOS' + TransformationClaimType = 'createdClaim' + } + ) + Id = 'CreateTermsOfService' + InputParameters = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter{ + DataType = 'string' + Id = 'value' + Value = 'sandbox' + } + ) + TransformationMethod = 'CreateStringClaim' + } + ) + IncludeBasicClaimSet = $True + Version = 1 + } + + } + ); + DisplayName = "Test1234"; + Ensure = "Present"; + Id = "fd0dc3f3-cfdf-4d56-bb03-e18161a5ac93"; + IsOrganizationDefault = $False; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADClaimsMappingPolicy "AADClaimsMappingPolicy-Test1234" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Definition = @( + MSFT_AADClaimsMappingPolicyDefinition{ + ClaimsMappingPolicy = MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy{ + ClaimsSchema = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' + Source = 'user' + Id = 'userprincipalname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' + Source = 'user' + Id = 'givenname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' + Source = 'user' + Id = 'displayname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' + Source = 'user' + Id = 'surname' + } + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema{ + SamlClaimType = 'username' + Source = 'user' + Id = 'userprincipalname' + } + ) + ClaimsTransformation = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation{ + OutputClaims = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims{ + ClaimTypeReferenceId = 'TOS' + TransformationClaimType = 'createdClaim' + } + ) + Id = 'CreateTermsOfService' + InputParameters = @( + MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter{ + DataType = 'string' + Id = 'value' 
+ Value = 'sandbox' + } + ) + TransformationMethod = 'CreateStringClaim' + } + ) + IncludeBasicClaimSet = $True + Version = 1 + } + + } + ); + DisplayName = "Test1234"; + Ensure = "Present"; + Id = "fd0dc3f3-cfdf-4d56-bb03-e18161a5ac93"; + IsOrganizationDefault = $False; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADClaimsMappingPolicy "AADClaimsMappingPolicy-Test1234" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DisplayName = "Test1234"; + Ensure = "Absent"; + Id = "fd0dc3f3-cfdf-4d56-bb03-e18161a5ac93"; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md b/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md index 760138f056..6906b3619d 100644 --- a/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md +++ b/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md 
@@ -24,6 +24,10 @@ | **ExcludeGuestOrExternalUserTypes** | Write | StringArray[] | Represents the Excluded internal guests or external user types. This is a multi-valued property. Supported values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, OtherExternalUser, serviceProvider and unknownFutureValue. | `none`, `internalGuest`, `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue` | | **ExcludeExternalTenantsMembershipKind** | Write | String | Represents the Excluded Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type. | ``, `all`, `enumerated`, `unknownFutureValue` | | **ExcludeExternalTenantsMembers** | Write | StringArray[] | Represents the Excluded collection of tenant ids in the scope of Conditional Access for guests and external users policy targeting. | | +| **IncludeServicePrincipals** | Write | StringArray[] | Service Principals in scope of the Policy. 'Attribute Definition Reader' role is needed. | | +| **ExcludeServicePrincipals** | Write | StringArray[] | Service Principals out of scope of the Policy. 'Attribute Definition Reader' role is needed. | | +| **ServicePrincipalFilterMode** | Write | String | Mode to use for the Service Principal filter. Possible values are include or exclude. 'Attribute Definition Reader' role is needed. | `include`, `exclude` | +| **ServicePrincipalFilterRule** | Write | String | Rule syntax for the Service Principal filter. 'Attribute Definition Reader' role is needed. | | | **IncludePlatforms** | Write | StringArray[] | Client Device Platforms in scope of the Policy. | | | **ExcludePlatforms** | Write | StringArray[] | Client Device Platforms out of scope of the Policy. | | | **IncludeLocations** | Write | StringArray[] | AAD Named Locations in scope of the Policy. | | 
@@ -49,6 +53,7 @@ | **AuthenticationStrength** | Write | String | Name of the associated authentication strength policy. | | | **TransferMethods** | Write | String | Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'. | | | **AuthenticationContexts** | Write | StringArray[] | Authentication context class references. | | +| **InsiderRiskLevels** | Write | String | Insider risk levels conditions. | | | **Ensure** | Write | String | Specify if the Azure AD CA Policy should exist or not. | `Present`, `Absent` | | **Credential** | Write | PSCredential | Credentials for the Microsoft Graph delegated permissions. | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | 
@@ -72,21 +77,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - Agreement.Read.All, Group.Read.All, Policy.Read.All, RoleManagement.Read.Directory, User.Read.All + - Agreement.Read.All, Group.Read.All, Policy.Read.All, RoleManagement.Read.Directory, User.Read.All, CustomSecAttributeDefinition.Read.All - **Update** - - Agreement.Read.All, Group.Read.All, Policy.Read.All, Policy.ReadWrite.ConditionalAccess, RoleManagement.Read.Directory, User.Read.All + - Agreement.Read.All, Group.Read.All, Policy.Read.All, Policy.ReadWrite.ConditionalAccess, RoleManagement.Read.Directory, User.Read.All, CustomSecAttributeDefinition.Read.All #### Application permissions - **Read** - - Agreement.Read.All, Application.Read.All, Group.Read.All, Policy.Read.All, RoleManagement.Read.Directory, User.Read.All + - Agreement.Read.All, Application.Read.All, Group.Read.All, Policy.Read.All, RoleManagement.Read.Directory, User.Read.All, CustomSecAttributeDefinition.Read.All - **Update** - - Agreement.Read.All, Application.Read.All, Group.Read.All, Policy.Read.All, Policy.ReadWrite.ConditionalAccess, RoleManagement.Read.Directory, User.Read.All + - Agreement.Read.All, Application.Read.All, Group.Read.All, Policy.Read.All, Policy.ReadWrite.ConditionalAccess, RoleManagement.Read.Directory, User.Read.All, CustomSecAttributeDefinition.Read.All ## Examples diff --git a/docs/docs/resources/azure-ad/AADCustomAuthenticationExtension.md b/docs/docs/resources/azure-ad/AADCustomAuthenticationExtension.md new file mode 100644 index 0000000000..ad3f66cda2 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADCustomAuthenticationExtension.md 
@@ -0,0 +1,224 @@
+# AADCustomAuthenticationExtension
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **DisplayName** | Key | String | Display Name of the custom security attribute. Must be unique within an attribute set. Can be up to 32 characters long and include Unicode characters. Can't contain spaces or special characters. Can't be changed later. Case sensitive. | |
+| **Id** | Write | String | Unique identifier of the Attribute Definition. | |
+| **CustomAuthenticationExtensionType** | Write | String | Defines the custom authentication extension type. | |
+| **Description** | Write | String | Description of the custom security attribute. Can be up to 128 characters long and include Unicode characters. Can't contain spaces or special characters. Can be changed later. | |
+| **AuthenticationConfigurationType** | Write | String | Defines the authentication configuration type | |
+| **AuthenticationConfigurationResourceId** | Write | String | Defines the authentication configuration resource id | |
+| **ClientConfigurationTimeoutMilliseconds** | Write | UInt32 | Defines the client configuration timeout in milliseconds | |
+| **ClientConfigurationMaximumRetries** | Write | UInt32 | Defines the client configuration max retries | |
+| **EndpointConfiguration** | Write | MSFT_AADCustomAuthenticationExtensionEndPointConfiguration | Defines the endpoint configuration | |
+| **ClaimsForTokenConfiguration** | Write | MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration[] | Defines the list of claims for token configurations | |
+| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with.
| |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_AADCustomAuthenticationExtensionEndPointConfiguration
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **EndpointType** | Write | String | Defines the type of the endpoint configuration | |
+| **LogicAppWorkflowName** | Write | String | Defines the workflow name for the logic app | |
+| **ResourceGroupName** | Write | String | Defines the resource group name for the logic app | |
+| **SubscriptionId** | Write | String | Defines the subscription id for the logic app | |
+| **TargetUrl** | Write | String | Defines the target url for the http endpoint | |
+
+### MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **ClaimIdInApiResponse** | Write | String | Defines the claim id in api response. | |
+
+
+## Description
+
+Custom authentication extensions define interactions with external systems during a user authentication session.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - CustomSecAttributeDefinition.Read.All
+
+- **Update**
+
+ - CustomSecAttributeDefinition.ReadWrite.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1"
+ {
+ AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013"
+ AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication"
+ ClaimsForTokenConfiguration = @(
+ MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{
+ ClaimIdInApiResponse = 'MyClaim'
+ }
+ MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{
+ ClaimIdInApiResponse = 'My2ndClaim'
+ }
+ )
+ ClientConfigurationMaximumRetries = 1
+ ClientConfigurationTimeoutMilliseconds = 2000
+ CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension"
+ Description = "DSC Testing 1"
+ DisplayName = "DSCTestExtension"
+ EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{
+ EndpointType = '#microsoft.graph.httpRequestEndpoint'
+ TargetUrl = 'https://Microsoft365DSC.com'
+ }
+ Ensure = "Present";
+ Id = "11105949-846e-42a1-a873-f12db8345013"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1"
+ {
+ AuthenticationConfigurationResourceId = "api://microsoft365dsc.com/11105949-846e-42a1-a873-f12db8345013"
+ AuthenticationConfigurationType = "#microsoft.graph.azureAdTokenAuthentication"
+ ClaimsForTokenConfiguration = @(
+ MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{
+ ClaimIdInApiResponse = 'MyClaim'
+ }
+ MSFT_AADCustomAuthenticationExtensionClaimForTokenConfiguration{
+ ClaimIdInApiResponse = 'My2ndClaim'
+ }
+ )
+ ClientConfigurationMaximumRetries = 1
+ ClientConfigurationTimeoutMilliseconds = 2000
+ CustomAuthenticationExtensionType = "#microsoft.graph.onTokenIssuanceStartCustomExtension"
+ Description = "DSC Testing 1"
+ DisplayName = "DSCTestExtension"
+ EndPointConfiguration = MSFT_AADCustomAuthenticationExtensionEndPointConfiguration{
+ EndpointType = '#microsoft.graph.httpRequestEndpoint'
+ TargetUrl = 'https://Microsoft365DSC.com'
+ }
+ Ensure = "Present";
+ Id = "11105949-846e-42a1-a873-f12db8345013"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADCustomAuthenticationExtension "AADCustomAuthenticationExtension1" + { + DisplayName = "DSCTestExtension" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md b/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md index 0c447db556..6cdf6b96b3 100644 --- a/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md +++ b/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md @@ -17,6 +17,7 @@ | **Credential** | Write | PSCredential | Credentials of the workload's Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | | **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | | **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | | **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | @@ -36,11 +37,11 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - None + - CustomSecAttributeDefinition.Read.All - **Update** - - None + - CustomSecAttributeDefinition.ReadWrite.All #### Application permissions 
diff --git a/docs/docs/resources/azure-ad/AADDomain.md b/docs/docs/resources/azure-ad/AADDomain.md index 01a98d0d24..1e11b20532 100644 --- a/docs/docs/resources/azure-ad/AADDomain.md +++ b/docs/docs/resources/azure-ad/AADDomain.md @@ -18,6 +18,7 @@ | **Credential** | Write | PSCredential | Credentials of the workload's Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory application to authenticate with. | | | **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | | **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | | **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | diff --git a/docs/docs/resources/azure-ad/AADEnrichedAuditLogs.md b/docs/docs/resources/azure-ad/AADEnrichedAuditLogs.md new file mode 100644 index 0000000000..2784ea7750 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADEnrichedAuditLogs.md 
@@ -0,0 +1,88 @@
+# AADEnrichedAuditLogs
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` |
+| **Exchange** | Write | String | Accepted values are enabled or disabled. | |
+| **SharePoint** | Write | String | Accepted values are enabled or disabled. | |
+| **Teams** | Write | String | Accepted values are enabled or disabled. | |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+
+## Description
+
+Configures advanced audit logs for Global Secure Access in Entra Id
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - NetworkAccess.Read.All
+
+- **Update**
+
+ - NetworkAccess.ReadWrite.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADEnrichedAuditLogs "AADEnrichedAuditLogs"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Exchange = "disabled";
+ IsSingleInstance = "Yes";
+ SharePoint = "enabled";
+ Teams = "disabled";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AADFederationConfiguration.md b/docs/docs/resources/azure-ad/AADFederationConfiguration.md
new file mode 100644
index 0000000000..8f7e9fcbe4
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADFederationConfiguration.md
@@ -0,0 +1,180 @@
+# AADFederationConfiguration
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **DisplayName** | Key | String | The display name of the SAML/WS-Fed based identity provider. Inherited from identityProviderBase. | |
+| **IssuerUri** | Write | String | Issuer URI of the federation server. Inherited from samlOrWsFedProvider. | |
+| **MetadataExchangeUri** | Write | String | URI of the metadata exchange endpoint used for authentication from rich client applications. Inherited from samlOrWsFedProvider. | |
+| **PassiveSignInUri** | Write | String | URI that web-based clients are directed to when signing in to Microsoft Entra services. Inherited from samlOrWsFedProvider. | |
+| **PreferredAuthenticationProtocol** | Write | String | Preferred authentication protocol. The possible values are: wsFed, saml. Inherited from samlOrWsFedProvider. | |
+| **SigningCertificate** | Write | String | Current certificate used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base64 encoded string of the public portion of the federated IdP's token signing certificate and must be compatible with the X509Certificate2 class. | |
+| **Domains** | Write | StringArray[] | List of associated domains. | |
+| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication.
| |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+
+## Description
+
+Configures federation in Entra Id.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - Domain.Read.All
+
+- **Update**
+
+ - IdentityProvider.ReadWrite.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADFederationConfiguration "MyFederation"
+ {
+ IssuerUri = 'https://contoso.com/issuerUri'
+ DisplayName = 'contoso display name'
+ MetadataExchangeUri ='https://contoso.com/metadataExchangeUri'
+ PassiveSignInUri = 'https://contoso.com/signin'
+ PreferredAuthenticationProtocol = 'wsFed'
+ Domains = @('contoso.com')
+ SigningCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6'
+ Ensure = 'Present'
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADFederationConfiguration "MyFederation"
+ {
+ IssuerUri = 'https://contoso.com/issuerUri'
+ DisplayName = 'contoso display name'
+ MetadataExchangeUri ='https://contoso.com/metadataExchangeUri'
+ PassiveSignInUri = 'https://contoso.com/drift' # drift
+ PreferredAuthenticationProtocol = 'wsFed'
+ Domains = @('contoso.com')
+ SigningCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6'
+ Ensure = 'Present'
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADFederationConfiguration "MyFederation"
+ {
+ IssuerUri = 'https://contoso.com/issuerUri'
+ DisplayName = 'contoso display name'
+ MetadataExchangeUri ='https://contoso.com/metadataExchangeUri'
+ PassiveSignInUri = 'https://contoso.com/signin'
+ PreferredAuthenticationProtocol = 'wsFed'
+ Domains = @('contoso.com')
+ SigningCertificate = 'MIIDADCCAeigAwIBAgIQEX41y8r6'
+ Ensure = 'Absent'
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AADFilteringPolicy.md b/docs/docs/resources/azure-ad/AADFilteringPolicy.md
new file mode 100644
index 0000000000..af159f9142
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADFilteringPolicy.md 
@@ -0,0 +1,165 @@
+# AADFilteringPolicy
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Name** | Key | String | Name of the policy. | |
+| **Id** | Write | String | Unique identifier of the policy. | |
+| **Description** | Write | String | Description for the policy. | |
+| **Action** | Write | String | Action associated with the policy. | |
+| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+
+## Description
+
+Configures filtering policies in Entra Id.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - NetworkAccess.Read.All
+
+- **Update**
+
+ - NetworkAccess.ReadWrite.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADFilteringPolicy "AADFilteringPolicy-MyPolicy"
+ {
+ Action = "block";
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Description = "This is a demo policy";
+ Ensure = "Present";
+ Name = "MyPolicy";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADFilteringPolicy "AADFilteringPolicy-MyPolicy"
+ {
+ Action = "allow"; #drift
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Description = "This is a demo policy";
+ Ensure = "Present";
+ Name = "MyPolicy";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADFilteringPolicy "AADFilteringPolicy-MyPolicy"
+ {
+ Action = "block";
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Description = "This is a demo policy";
+ Ensure = "Absent";
+ Name = "MyPolicy";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AADFilteringPolicyRule.md b/docs/docs/resources/azure-ad/AADFilteringPolicyRule.md
new file mode 100644
index 0000000000..a6016b8f4d
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADFilteringPolicyRule.md
@@ -0,0 +1,220 @@
+# AADFilteringPolicyRule
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Name** | Key | String | Name of the rule. | |
+| **Policy** | Key | String | Name of the associated policy. | |
+| **Id** | Write | String | Unique Id for the rule. | |
+| **RuleType** | Write | String | Type of rule. | |
+| **Destinations** | Write | MSFT_AADFilteringPolicyRuleDestination[] | List of associated destinations with the rule. | |
+| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_AADFilteringPolicyRuleDestination
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **name** | Write | String | Name of the destination. | |
+| **value** | Write | String | FQDN value for the destination. | |
+
+
+## Description
+
+Configures filtering rules in Entra Id.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - NetworkAccess.Read.All
+
+- **Update**
+
+ - NetworkAccess.ReadWrite.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADFilteringPolicyRule "AADFilteringPolicyRule-FQDN"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Destinations = @(
+ MSFT_AADFilteringPolicyRuleDestination{
+ value = 'Microsoft365DSC.com'
+ }
+ );
+ Ensure = "Present";
+ Name = "MyFQDN";
+ Policy = "AMyPolicy";
+ RuleType = "fqdn";
+ TenantId = $TenantId;
+ }
+ AADFilteringPolicyRule "AADFilteringPolicyRule-Web"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Destinations = @(
+ MSFT_AADFilteringPolicyRuleDestination{
+ name = 'ChildAbuseImages'
+ }
+ );
+ Ensure = "Present";
+ Name = "MyWebContentRule";
+ Policy = "MyPolicy";
+ RuleType = "webCategory";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADFilteringPolicyRule "AADFilteringPolicyRule-FQDN"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Destinations = @(
+ MSFT_AADFilteringPolicyRuleDestination{
+ value = 'contoso.com' #Drift
+ }
+ );
+ Ensure = "Present";
+ Name = "MyFQDN";
+ Policy = "AMyPolicy";
+ RuleType = "fqdn";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADFilteringPolicyRule "AADFilteringPolicyRule-FQDN"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Destinations = @(
+ MSFT_AADFilteringPolicyRuleDestination{
+ value = 'Microsoft365DSC.com'
+ }
+ );
+ Ensure = "Absent";
+ Name = "MyFQDN";
+ Policy = "AMyPolicy";
+ RuleType = "fqdn";
+ TenantId = $TenantId;
+ }
+ AADFilteringPolicyRule "AADFilteringPolicyRule-Web"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Destinations = @(
+ MSFT_AADFilteringPolicyRuleDestination{
+ name = 'ChildAbuseImages'
+ }
+ );
+ Ensure = "Absent";
+ Name = "MyWebContentRule";
+ Policy = "MyPolicy";
+ RuleType = "webCategory";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AADFilteringProfile.md b/docs/docs/resources/azure-ad/AADFilteringProfile.md
new file mode 100644
index 0000000000..a01e747043
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADFilteringProfile.md
@@ -0,0 +1,223 @@ +# AADFilteringProfile + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Key | String | Profile name. | | +| **Id** | Write | String | Unique identifier for the profile. | | +| **Description** | Write | String | Description of the profile. | | +| **State** | Write | String | State of the profile. | | +| **Priority** | Write | UInt32 | Priority level for the profile. | | +| **Policies** | Write | MSFT_AADFilteringProfilePolicyLink[] | List of filtering policy names associated with the profile. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_AADFilteringProfilePolicyLink + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **LoggingState** | Write | String | Logging state for the associated policy. | | +| **Priority** | Write | UInt32 | Priority of the associated policy. | | +| **State** | Write | String | State of the associated policy. | | +| **PolicyName** | Write | String | Name of the associated policy. | | + + +## Description + +Configures filtering profiles in Entra Id. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - NetworkAccess.Read.All + +- **Update** + + - NetworkAccess.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringProfile "AADFilteringProfile-My Profile" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Present"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 120; + State = "enabled"; + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringProfile "AADFilteringProfile-My Profile" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Present"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 130; #Drift + State = "enabled"; + TenantId = $TenantId; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADFilteringProfile "AADFilteringProfile-My Profile" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Description of profile"; + Ensure = "Absent"; + Name = "My PRofile"; + Policies = @( + MSFT_AADFilteringProfilePolicyLink{ + Priority = 100 + LoggingState = 'enabled' + PolicyName = 'MyPolicyChoseBine' + State = 'enabled' + } + MSFT_AADFilteringProfilePolicyLink{ + Priority = 200 + LoggingState = 'enabled' + PolicyName = 'MyTopPolicy' + State = 'enabled' + } + ); + Priority = 120; + State = "enabled"; + TenantId = $TenantId; + } + } +} +``` + 
diff --git a/docs/docs/resources/azure-ad/AADHomeRealmDiscoveryPolicy.md b/docs/docs/resources/azure-ad/AADHomeRealmDiscoveryPolicy.md
new file mode 100644
index 0000000000..908e738d8a
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADHomeRealmDiscoveryPolicy.md
@@ -0,0 +1,209 @@ +# AADHomeRealmDiscoveryPolicy + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | Display name for this policy. Required. | | +| **Definition** | Write | MSFT_AADHomeRealDiscoveryPolicyDefinition[] | A string collection containing a complex object array that defines the rules and settings for a policy. The syntax for the definition differs for each derived policy type. Required. | | +| **IsOrganizationDefault** | Write | Boolean | If set to true, activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false. | | +| **Description** | Write | String | Description for this policy. Required. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_AADHomeRealDiscoveryPolicyDefinition + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **AccelerateToFederatedDomain** | Write | Boolean | Accelerate to Federated Domain. 
| | +| **AllowCloudPasswordValidation** | Write | Boolean | Allow cloud password validation. | | +| **AlternateIdLogin** | Write | MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin | AlternateIdLogin complex object. | | +| **PreferredDomain** | Write | String | Preffered Domain value. | | + +### MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Enabled** | Write | Boolean | Boolean for whether AlternateIdLogin is enabled. | | + + +## Description + +Azure AD Home Realm Discovery Policy + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - Policy.Read.All + +- **Update** + + - Policy.ReadWrite.ApplicationConfiguration + +#### Application permissions + +- **Read** + + - Policy.Read.All + +- **Update** + + - Policy.ReadWrite.ApplicationConfiguration + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADHomeRealmDiscoveryPolicy "AADHomeRealmDiscoveryPolicy-displayName-value" + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Present"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADHomeRealmDiscoveryPolicy "AADHomeRealmDiscoveryPolicy-displayName-value" + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $True # updating here + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Present"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. 
+It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADHomeRealmDiscoveryPolicy "AADHomeRealmDiscoveryPolicy-displayName-value" + { + Definition = @( + MSFT_AADHomeRealDiscoveryPolicyDefinition { + PreferredDomain = 'federated.example.edu' + AccelerateToFederatedDomain = $False + AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin { + Enabled = $True + } + } + ); + DisplayName = "displayName-value"; + Ensure = "Absent"; + IsOrganizationDefault = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADIdentityAPIConnector.md b/docs/docs/resources/azure-ad/AADIdentityAPIConnector.md new file mode 100644 index 0000000000..914b4b7df6 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADIdentityAPIConnector.md 
@@ -0,0 +1,185 @@ +# AADIdentityAPIConnector + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Required | String | The name of the API connector. | | +| **TargetUrl** | Write | String | The URL of the API endpoint to call. | | +| **Id** | Key | String | The unique identifier for an entity. Read-only. | | +| **Username** | Write | String | The username of the password | | +| **Password** | Write | PSCredential | The password of certificate/basic auth | | +| **Certificates** | Write | MSFT_AADIdentityAPIConnectionCertificate[] | List of certificates to be used in the API connector | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. 
| | + +### MSFT_AADIdentityAPIConnectionCertificate + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Pkcs12Value** | Write | PSCredential | Pkcs12Value of the certificate as a secure string in Base64 encoding | | +| **Thumbprint** | Write | String | Thumbprint of the certificate in Base64 encoding | | +| **Password** | Write | PSCredential | Password of the certificate as a secure string | | +| **IsActive** | Write | Boolean | Tells if the certificate is in use or not | | + + +## Description + +Azure AD Identity API Connector + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas"; + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. 
+It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas 1"; #drift + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityAPIConnector 'AADIdentityAPIConnector-TestConnector' + { + DisplayName = "NewTestConnector"; + Id = "RestApi_NewTestConnector"; + Username = "anexas"; + Password = New-Object System.Management.Automation.PSCredential('Password', (ConvertTo-SecureString "anexas" -AsPlainText -Force)); + TargetUrl = "https://graph.microsoft.com"; + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADIdentityB2XUserFlow.md b/docs/docs/resources/azure-ad/AADIdentityB2XUserFlow.md new file mode 100644 index 0000000000..d0b06feda8 --- /dev/null 
+++ b/docs/docs/resources/azure-ad/AADIdentityB2XUserFlow.md 
@@ -0,0 +1,283 @@ +# AADIdentityB2XUserFlow + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **ApiConnectorConfiguration** | Write | MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration | Configuration for enabling an API connector for use as part of the self-service sign-up user flow. You can only obtain the value of this object using Get userFlowApiConnectorConfiguration. | | +| **Id** | Key | String | The unique identifier for an entity. Read-only. | | +| **IdentityProviders** | Write | StringArray[] | The identity providers included in the user flow. | | +| **UserAttributeAssignments** | Write | MSFT_MicrosoftGraphuserFlowUserAttributeAssignment[] | The user attribute assignments included in the user flow. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_MicrosoftGraphUserFlowApiConnectorConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **postFederationSignupConnectorName** | Write | String | The name of the connector used for post federation signup step. 
| | +| **postAttributeCollectionConnectorName** | Write | String | The name of the connector used for post attribute collection step. | | + +### MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Write | String | The display name of the property displayed to the end user in the user flow. | | +| **Value** | Write | String | The value that is set when this item is selected. | | +| **IsDefault** | Write | Boolean | Used to set the value as the default. | | + +### MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Write | String | The unique identifier of identityUserFlowAttributeAssignment. | | +| **DisplayName** | Write | String | The display name of the identityUserFlowAttribute within a user flow. | | +| **IsOptional** | Write | Boolean | Determines whether the identityUserFlowAttribute is optional. | | +| **UserInputType** | Write | String | User Flow Attribute Input Type. | `textBox`, `dateTimeDropdown`, `radioSingleSelect`, `dropdownSingleSelect`, `emailBox`, `checkboxMultiSelect` | +| **UserAttributeValues** | Write | MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues[] | The list of user attribute values for this assignment. 
| | + + +## Description + +Azure AD Identity B2 X User Flow + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - IdentityUserFlow.Read.All + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - IdentityUserFlow.Read.All + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + 
MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + } + ); + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApiConnectorConfiguration = MSFT_MicrosoftGraphuserFlowApiConnectorConfiguration + { + postAttributeCollectionConnectorName = 'RestApi_f6e8e73d-6b17-433e-948f-f578f12bd57c' + postFederationSignupConnectorName = 'RestApi_beeb7152-673c-48b3-b143-9975949a93ca' + }; + Credential = $Credscredential; + Ensure = "Present"; + Id = "B2X_1_TestFlow"; + IdentityProviders = @("MSASignup-OAUTH","EmailOtpSignup-OAUTH"); + UserAttributeAssignments = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'textBox' + IsOptional = $True + DisplayName = 'Email Address' + Id = 'emailReadonly' + + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment + { + UserInputType = 'dropdownSingleSelect' + IsOptional = $True + DisplayName = 'Random' + Id = 'city' + UserAttributeValues = @( + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = $True + Name = 'S' + Value = '2' + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignmentUserAttributeValues + { + IsDefault = 
$True + Name = 'X' + Value = '1' + } + ) + } + MSFT_MicrosoftGraphuserFlowUserAttributeAssignment{ + UserInputType = 'textBox' + IsOptional = $False + DisplayName = 'Piyush1' + Id = 'extension_91d51274096941f786b07b9d723d93f4_Piyush1' + + } + ); + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityB2XUserFlow "AADIdentityB2XUserFlow-B2X_1_TestFlow" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Id = "B2X_1_TestFlow"; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md b/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md index 14afcf7a7f..4eb16af7ab 100644 --- a/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md +++ b/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md 
@@ -15,6 +15,7 @@
 | **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
 | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
 | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
 | **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
 | **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
 | **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
diff --git a/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.md b/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.md
new file mode 100644
index 0000000000..4abd15e6eb
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.md
@@ -0,0 +1,235 @@ +# AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | Display name of the custom extension. | | +| **Id** | Write | String | Unique Id of the extension. | | +| **Description** | Write | String | Description of the extension. | | +| **ClientConfiguration** | Write | MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration | Client configuration for the extension | | +| **EndpointConfiguration** | Write | MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration | Endpoint configuration for the extension | | +| **CallbackConfiguration** | Write | MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration | Callback configuration for the extension | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. 
| | + +### MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **timeoutInMilliseconds** | Write | UInt32 | The max duration in milliseconds that Microsoft Entra ID waits for a response from the external app before it shuts down the connection. The valid range is between 200 and 2000 milliseconds. Default duration is 1000. | | +| **maximumRetries** | Write | UInt32 | The max number of retries that Microsoft Entra ID makes to the external API. Values of 0 or 1 are supported. If null, the default for the service applies. | | + +### MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **logicAppWorkflowName** | Write | String | The name of the logic app. | | +| **resourceGroupName** | Write | String | The Azure resource group name for the logic app. | | +| **subscriptionId** | Write | String | Identifier of the Azure subscription for the logic app. | | +| **url** | Write | String | Url of the logic app. | | + +### MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **timeoutDuration** | Write | String | Callback time out in ISO 8601 time duration. Accepted time durations are between five minutes to three hours. For example, PT5M for five minutes and PT3H for three hours. Inherited from customExtensionCallbackConfiguration. | | +| **authorizedApps** | Write | StringArray[] | List of apps names that are allowed to resume a task processing result. | | + + +## Description + +Configures custom extensions for Lifecycle workflows in Entra id. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - LifecycleWorkflows.Read.All + +- **Update** + + - LifecycleWorkflows.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension "AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom" + { + ApplicationId = $ApplicationId; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + CertificateThumbprint = $CertificateThumbprint; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Present"; + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources 
being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension "AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Drifted Description"; # Drift + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Present"; + TenantId = $TenantId; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension "AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension-My Custom" + { + ApplicationId = $ApplicationId; + CallbackConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration{ + TimeoutDuration = 'PT34M' + AuthorizedApps = @('M365DSC') + }; + CertificateThumbprint = $CertificateThumbprint; + ClientConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration{ + MaximumRetries = 1 + TimeoutInMilliseconds = 1000 + }; + Description = "My Description"; + DisplayName = "My Custom Extension"; + EndpointConfiguration = MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration{ + SubscriptionId = '63e62ab2-fd92-46ce-a393-2cb338039cc7' + logicAppWorkflowName = 'MyTestApp' + resourceGroupName = 'TestRG' + url = 'https://prod-35.eastus.logic.azure.com:443/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-10-01' + }; + Ensure = "Absent"; + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADIdentityGovernanceProgram.md b/docs/docs/resources/azure-ad/AADIdentityGovernanceProgram.md new file mode 100644 index 0000000000..55566ce76a --- /dev/null +++ b/docs/docs/resources/azure-ad/AADIdentityGovernanceProgram.md 
@@ -0,0 +1,164 @@ +# AADIdentityGovernanceProgram + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Description** | Write | String | A description for this identity governance program. | | +| **DisplayName** | Key | String | The display name for this identity governance program. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +# AADIdentityGovernanceProgram +## Description + +Azure AD Identity Governance Program. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - ProgramControl.Read.All + +- **Update** + + - ProgramControl.ReadWrite.All + +#### Application permissions + +- **Read** + + - ProgramControl.Read.All + +- **Update** + + - ProgramControl.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityGovernanceProgram "AADIdentityGovernanceProgram-Example" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Description = "Example Program Description"; + DisplayName = "Example"; + Ensure = "Present"; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceProgram "AADIdentityGovernanceProgram-Example" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Description = "Example Program Description Updated"; + DisplayName = "Example"; + Ensure = "Present"; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADIdentityGovernanceProgram "AADIdentityGovernanceProgram-Example" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + DisplayName = "Example"; + Ensure = "Absent"; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADIdentityProtectionPolicySettings.md b/docs/docs/resources/azure-ad/AADIdentityProtectionPolicySettings.md new file mode 100644 index 0000000000..057e20c65d --- /dev/null +++ b/docs/docs/resources/azure-ad/AADIdentityProtectionPolicySettings.md 
@@ -0,0 +1,85 @@ +# AADIdentityProtectionPolicySettings + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | +| **IsUserRiskClearedOnPasswordReset** | Write | Boolean | If true, user risk is cleared on password reset. | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Use this resource to monitor the identity protection policy settings in AAD. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - Policy.Read.IdentityProtection + +- **Update** + + - Policy.ReadWrite.IdentityProtection + +#### Application permissions + +- **Read** + + - Policy.Read.IdentityProtection + +- **Update** + + - Policy.ReadWrite.IdentityProtection + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityProtectionPolicySettings "AADIdentityProtectionPolicySettings" + { + IsUserRiskClearedOnPasswordReset = $false; #drift + IsSingleInstance = "Yes"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADNetworkAccessForwardingPolicy.md b/docs/docs/resources/azure-ad/AADNetworkAccessForwardingPolicy.md new file mode 100644 index 0000000000..a2cc229b9c --- /dev/null +++ b/docs/docs/resources/azure-ad/AADNetworkAccessForwardingPolicy.md 
@@ -0,0 +1,124 @@ +# AADNetworkAccessForwardingPolicy + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Key | String | Name of the forwarding policy | | +| **PolicyRules** | Write | MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule[] | List of rules associated to this forwarding policy. | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Write | String | Policy Rule Name. Required | | +| **ActionValue** | Write | String | Action value. | | +| **RuleType** | Write | String | Type of Rule | | +| **Ports** | Write | UInt32Array[] | List of Ports. | | +| **Protocol** | Write | String | Protocol Value | | +| **Destinations** | Write | StringArray[] | List of destinations. | | + + +## Description + +Use this resource to monitor the forwarding policy rules associated with the forwarding policies. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - NetworkAccessPolicy.Read.All + +- **Update** + + - NetworkAccessPolicy.ReadWrite.All + +#### Application permissions + +- **Read** + + - NetworkAccessPolicy.Read.All + +- **Update** + + - NetworkAccessPolicy.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADNetworkAccessForwardingPolicy "AADNetworkAccessForwardingPolicy-Custom Bypass" + { + Name = "Custom Bypass"; + PolicyRules = @( + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'fqdn' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('www.microsoft.com') + } + + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipAddress' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.168.1.1') + } + + MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule { + Name = 'Custom policy internet rule' + ActionValue = 'bypass' + RuleType = 'ipSubnet' + Protocol = 'tcp' + Ports = @(80, 443) + Destinations = @('192.164.0.0/24') + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + 
diff --git a/docs/docs/resources/azure-ad/AADNetworkAccessForwardingProfile.md b/docs/docs/resources/azure-ad/AADNetworkAccessForwardingProfile.md
new file mode 100644
index 0000000000..6f14c1d50b
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADNetworkAccessForwardingProfile.md
@@ -0,0 +1,115 @@ +# AADNetworkAccessForwardingProfile + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Key | String | Profile Name. Required. | | +| **Id** | Write | String | Id of the profile. Unique Identifier | | +| **State** | Write | String | status of the profile | | +| **Policies** | Write | MSFT_MicrosoftGraphNetworkaccessPolicyLink[] | Traffic forwarding policies associated with this profile. | | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_MicrosoftGraphNetworkaccessPolicyLink + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Write | String | Policy Name. 
Required | | +| **PolicyLinkId** | Write | String | Policy Link Id | | +| **state** | Write | String | status | | + + +## Description + +This resource configure the Azure AD Network Access Forwarding Profile + + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - NetworkAccess.Read.All + +- **Update** + + - NetworkAccess.ReadWrite.All + +#### Application permissions + +- **Read** + + - NetworkAccess.Read.All + +- **Update** + + - NetworkAccess.ReadWrite.All + +## Examples + +### Example 1 + + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName 'Microsoft365DSC' + + Node localhost + { + AADNetworkAccessForwardingProfile "AADNetworkAccessForwardingProfile-Internet traffic forwarding profile" + { + + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Name = "Internet traffic forwarding profile"; + Policies = @(MSFT_MicrosoftGraphNetworkaccessPolicyLink { + State = 'disabled' + PolicyLinkId = 'f8a43f3f-3f44-4738-8025-088bb095a711' + Name = 'Custom Bypass' + } +MSFT_MicrosoftGraphNetworkaccessPolicyLink { + State = 'enabled' + PolicyLinkId = 'b45d1db0-9965-487b-afb1-f4d25174e9db' + Name = 'Default Bypass' + } +MSFT_MicrosoftGraphNetworkaccessPolicyLink { + State = 'enabled' + PolicyLinkId = 'dfd9cd59-90ca-44fc-b997-7cc71f08e438' + Name = 'Default Acquire' + } + ); + State = "disabled"; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADNetworkAccessSettingConditionalAccess.md b/docs/docs/resources/azure-ad/AADNetworkAccessSettingConditionalAccess.md new file mode 100644 index 0000000000..8c7f703bd6 --- /dev/null 
+++ b/docs/docs/resources/azure-ad/AADNetworkAccessSettingConditionalAccess.md 
@@ -0,0 +1,84 @@ +# AADNetworkAccessSettingConditionalAccess + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | +| **SignalingStatus** | Write | String | Enable CA Signaling for Entra ID (covering all cloud apps). Accepted values are enabled or disabled. | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures the adaptive access settings in Entra Id + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - NetworkAccess.Read.All + +- **Update** + + - NetworkAccess.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADNetworkAccessSettingConditionalAccess "AADNetworkAccessSettingConditionalAccess" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + SignalingStatus = "disabled"; + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADNetworkAccessSettingCrossTenantAccess.md b/docs/docs/resources/azure-ad/AADNetworkAccessSettingCrossTenantAccess.md new file mode 100644 index 0000000000..1e5670e4df --- /dev/null +++ b/docs/docs/resources/azure-ad/AADNetworkAccessSettingCrossTenantAccess.md 
@@ -0,0 +1,84 @@ +# AADNetworkAccessSettingCrossTenantAccess + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | +| **NetworkPacketTaggingStatus** | Write | String | Enable Tenant Restrictions for Entra ID (covering all cloud apps). Accepted values are enabled or disabled. | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures the universal tenant restrictions in Entra Id + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - NetworkAccess.Read.All + +- **Update** + + - NetworkAccess.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADNetworkAccessSettingCrossTenantAccess "AADNetworkAccessSettingCrossTenantAccess" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + NetworkPacketTaggingStatus = "enabled"; + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADOnPremisesPublishingProfilesSettings.md b/docs/docs/resources/azure-ad/AADOnPremisesPublishingProfilesSettings.md new file mode 100644 index 0000000000..b9bfbf70f8 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADOnPremisesPublishingProfilesSettings.md 
@@ -0,0 +1,84 @@ +# AADOnPremisesPublishingProfilesSettings + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | +| **IsEnabled** | Write | Boolean | Enables of disables private net work connectors in Entra Id. | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures the settings for the on-premises publishing profiles in Entra Id. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - Directory.Read.All + +- **Update** + + - Directory.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADOnPremisesPublishingProfilesSettings "AADOnPremisesPublishingProfilesSettings" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsEnabled = $False; + IsSingleInstance = "Yes"; + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADOrganizationCertificateBasedAuthConfiguration.md b/docs/docs/resources/azure-ad/AADOrganizationCertificateBasedAuthConfiguration.md new file mode 100644 index 0000000000..7a795004c0 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADOrganizationCertificateBasedAuthConfiguration.md 
@@ -0,0 +1,148 @@ +# AADOrganizationCertificateBasedAuthConfiguration + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **CertificateAuthorities** | Write | MSFT_MicrosoftGraphcertificateAuthority[] | Collection of certificate authorities which creates a trusted certificate chain. | | +| **OrganizationId** | Key | String | The Organization ID. Read-only. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_MicrosoftGraphCertificateAuthority + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Certificate** | Write | String | Required. The base64 encoded string representing the public certificate. | | +| **CertificateRevocationListUrl** | Write | String | The URL of the certificate revocation list. | | +| **DeltaCertificateRevocationListUrl** | Write | String | The URL contains the list of all revoked certificates since the last time a full certificate revocaton list was created. | | +| **IsRootAuthority** | Write | Boolean | Required. 
true if the trusted certificate is a root authority, false if the trusted certificate is an intermediate authority. | | + + +## Description + +Azure AD Organization Certificate Based Auth Configuration + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - Organization.Read.All + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - Organization.Read.All + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADOrganizationCertificateBasedAuthConfiguration "AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + CertificateAuthorities = @( + MSFT_MicrosoftGraphcertificateAuthority{ + IsRootAuthority = $True + DeltaCertificateRevocationListUrl = 'pqr.com' + Certificate = '' + } + MSFT_MicrosoftGraphcertificateAuthority{ + IsRootAuthority = $True + CertificateRevocationListUrl = 'xyz.com' + DeltaCertificateRevocationListUrl = 'pqr.com' + Certificate = '' + } + ); + Ensure = "Present"; + OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADOrganizationCertificateBasedAuthConfiguration "AADOrganizationCertificateBasedAuthConfiguration-58b6e58e-10d1-4b8c-845d-d6aefaaecba2" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Absent"; + OrganizationId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADRemoteNetwork.md b/docs/docs/resources/azure-ad/AADRemoteNetwork.md new file mode 100644 index 0000000000..a2409f543a --- /dev/null +++ b/docs/docs/resources/azure-ad/AADRemoteNetwork.md 
@@ -0,0 +1,306 @@
+# AADRemoteNetwork
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Name** | Key | String | Name of the remote network. | |
+| **Id** | Write | String | Id of the remote network | |
+| **Region** | Write | String | Region | |
+| **ForwardingProfiles** | Write | StringArray[] | List of the forwarding profile names associated to this remote network | |
+| **DeviceLinks** | Write | MSFT_AADRemoteNetworkDeviceLink[] | Device Links associated to this remote network | |
+| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **LocalIPAddress** | Write | String | LocalIpAddress. | |
+| **PeerIPAddress** | Write | String | PeerIpAddress. | |
+| **Asn** | Write | UInt32 | Asn. | |
+
+### MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **ZoneLocalIPAddress** | Write | String | ZoneLocalIpAddress. | |
+| **RedundancyTier** | Write | String | RedundancyTier. | |
+
+### MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **PreSharedKey** | Write | String | PreSharedKey | |
+| **ZoneRedundancyPreSharedKey** | Write | String | ZoneRedundancyPreSharedKey | |
+| **SaLifeTimeSeconds** | Write | UInt32 | SaLifeTimeSeconds | |
+| **IPSecEncryption** | Write | String | IpSecEncryption | |
+| **IPSecIntegrity** | Write | String | IpSecIntegrity | |
+| **IKEEncryption** | Write | String | IkeEncryption | |
+| **IKEIntegrity** | Write | String | IkeIntegrity | |
+| **DHGroup** | Write | String | DhGroup | |
+| **PFSGroup** | Write | String | PfsGroup | |
+| **ODataType** | Write | String | ODataType | |
+
+### MSFT_AADRemoteNetworkDeviceLink
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Name** | Write | String | Name of the Device Link | |
+| **IPAddress** | Write | String | IP Address | |
+| **BandwidthCapacityInMbps** | Write | String | Bandwidth Capacity in Mbps | |
+| **DeviceVendor** | Write | String | Device Vendor | |
+| **BgpConfiguration** | Write | MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration | BgpConfiguration. | |
+| **RedundancyConfiguration** | Write | MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration | redundancyConfiguration. | |
+| **TunnelConfiguration** | Write | MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration | tunnelConfiguration | |
+
+
+## Description
+
+Use this resource to manage the Entra's Network Access Remote Networks, and related Device links.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - NetworkAccess.Read.All
+
+- **Update**
+
+ - NetworkAccess.ReadWrite.All
+
+#### Application permissions
+
+- **Read**
+
+ - NetworkAccess.Read.All
+
+- **Update**
+
+ - NetworkAccess.ReadWrite.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADRemoteNetwork "AADRemoteNetwork-Test Remote Network"
+ {
+ Ensure = "Present";
+ ForwardingProfiles = @("Microsoft 365 traffic forwarding profile");
+ Id = "c60c41bb-e512-48e3-8134-c312439a5343";
+ Name = "Test Remote Network";
+ Region = "australiaSouthEast";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ DeviceLinks = @(
+ MSFT_AADRemoteNetworkDeviceLink {
+ Name = 'Test Link'
+ IPAddress = '1.1.1.1'
+ BandwidthCapacityInMbps = 'mbps500'
+ DeviceVendor = 'ciscoCatalyst'
+ BgpConfiguration = MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration {
+ Asn = 82
+ LocalIPAddress = '1.1.1.87'
+ PeerIPAddress = '1.1.1.2'
+ }
+ RedundancyConfiguration = MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration {
+ RedundancyTier = 'zoneRedundancy'
+ ZoneLocalIPAddress = '1.1.1.8'
+ }
+ TunnelConfiguration = MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration {
+ PreSharedKey = 'blah'
+ ZoneRedundancyPreSharedKey = 'blah'
+ SaLifeTimeSeconds = 300
+ IPSecEncryption = 'gcmAes192'
+ IPSecIntegrity = 'gcmAes192'
+ IKEEncryption = 'aes192'
+ IKEIntegrity = 'gcmAes128'
+ DHGroup = 'ecp256'
+ PFSGroup = 'pfsmm'
+ ODataType = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Custom'
+ }
+ }
+ );
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADRemoteNetwork "AADRemoteNetwork-Test Remote Network"
+ {
+ Ensure = "Present";
+ ForwardingProfiles = @(); #creating drift here
+ Id = "c60c41bb-e512-48e3-8134-c312439a5343";
+ Name = "Test Remote Network";
+ Region = "australiaSouthEast";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ DeviceLinks = @(
+ MSFT_AADRemoteNetworkDeviceLink {
+ Name = 'Test Link Random' # creating drift here
+ IPAddress = '1.1.1.1'
+ BandwidthCapacityInMbps = 'mbps500'
+ DeviceVendor = 'ciscoCatalyst'
+ BgpConfiguration = MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration {
+ Asn = 82
+ LocalIPAddress = '1.1.1.87'
+ PeerIPAddress = '1.1.1.2'
+ }
+ RedundancyConfiguration = MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration {
+ RedundancyTier = 'zoneRedundancy'
+ ZoneLocalIPAddress = '1.1.1.8'
+ }
+ TunnelConfiguration = MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration {
+ PreSharedKey = 'blah'
+ ZoneRedundancyPreSharedKey = 'blah'
+ SaLifeTimeSeconds = 300
+ IPSecEncryption = 'gcmAes192'
+ IPSecIntegrity = 'gcmAes192'
+ IKEEncryption = 'aes192'
+ IKEIntegrity = 'gcmAes128'
+ DHGroup = 'ecp256'
+ PFSGroup = 'pfsmm'
+ ODataType = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Custom'
+ }
+ }
+ );
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADRemoteNetwork "AADRemoteNetwork-Test Remote Network"
+ {
+ Ensure = "Absent";
+ ForwardingProfiles = @("Microsoft 365 traffic forwarding profile");
+ Id = "c60c41bb-e512-48e3-8134-c312439a5343";
+ Name = "Test Remote Network";
+ Region = "australiaSouthEast";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ DeviceLinks = @(
+ MSFT_AADRemoteNetworkDeviceLink {
+ Name = 'Test Link'
+ IPAddress = '1.1.1.1'
+ BandwidthCapacityInMbps = 'mbps500'
+ DeviceVendor = 'ciscoCatalyst'
+ BgpConfiguration = MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration {
+ Asn = 82
+ LocalIPAddress = '1.1.1.87'
+ PeerIPAddress = '1.1.1.2'
+ }
+ RedundancyConfiguration = MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration {
+ RedundancyTier = 'zoneRedundancy'
+ ZoneLocalIPAddress = '1.1.1.8'
+ }
+ TunnelConfiguration = MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration {
+ PreSharedKey = 'blah'
+ ZoneRedundancyPreSharedKey = 'blah'
+ SaLifeTimeSeconds = 300
+ IPSecEncryption = 'gcmAes192'
+ IPSecIntegrity = 'gcmAes192'
+ IKEEncryption = 'aes192'
+ IKEIntegrity = 'gcmAes128'
+ DHGroup = 'ecp256'
+ PFSGroup = 'pfsmm'
+ ODataType = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Custom'
+ }
+ }
+ );
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AADRoleManagementPolicyRule.md b/docs/docs/resources/azure-ad/AADRoleManagementPolicyRule.md
new file mode 100644
index 0000000000..9ef8cea970
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADRoleManagementPolicyRule.md
@@ -0,0 +1,178 @@
+# AADRoleManagementPolicyRule
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **id** | Key | String | The unique identifier for an entity. Read-only. | |
+| **roleDisplayName** | Key | String | Role display name. | |
+| **ruleType** | Write | String | Rule Type. | |
+| **policyId** | Write | String | Policy Id. | |
+| **expirationRule** | Write | MSFT_AADRoleManagementPolicyExpirationRule | Expiration Rule. | |
+| **notificationRule** | Write | MSFT_AADRoleManagementPolicyNotificationRule | Notification Rule. | |
+| **enablementRule** | Write | MSFT_AADRoleManagementPolicyEnablementRule | Enablement Rule. | |
+| **approvalRule** | Write | MSFT_AADRoleManagementPolicyApprovalRule | Approval Rule. | |
+| **authenticationContextRule** | Write | MSFT_AADRoleManagementPolicyAuthenticationContextRule | Authentication Context Rule. | |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_AADRoleManagementPolicyExpirationRule
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **isExpirationRequired** | Write | Boolean | Specifies if expiration is required. | |
+| **maximumDuration** | Write | String | The maximum duration for the expiration. | |
+
+### MSFT_AADRoleManagementPolicyNotificationRule
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **notificationType** | Write | String | Notification type for the rule. | |
+| **recipientType** | Write | String | Type of the recipient for the notification. | |
+| **notificationLevel** | Write | String | Level of the notification. | |
+| **isDefaultRecipientsEnabled** | Write | Boolean | Indicates if default recipients are enabled. | |
+| **notificationRecipients** | Write | StringArray[] | List of notification recipients. | |
+
+### MSFT_AADRoleManagementPolicyEnablementRule
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **enabledRules** | Write | StringArray[] | List of enabled rules. | |
+
+### MSFT_AADRoleManagementPolicySubjectSet
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **odataType** | Write | String | The type of the subject set. | |
+
+### MSFT_AADRoleManagementPolicyApprovalStage
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **approvalStageTimeOutInDays** | Write | UInt32 | The number of days that a request can be pending a response before it is automatically denied. | |
+| **escalationTimeInMinutes** | Write | UInt32 | The time a request can be pending a response from a primary approver before it can be escalated to the escalation approvers. | |
+| **isApproverJustificationRequired** | Write | Boolean | Indicates whether the approver must provide justification for their reponse. | |
+| **isEscalationEnabled** | Write | Boolean | Indicates whether escalation if enabled. | |
+| **escalationApprovers** | Write | MSFT_AADRoleManagementPolicySubjectSet[] | The escalation approvers for this stage when the primary approvers don't respond. | |
+| **primaryApprovers** | Write | MSFT_AADRoleManagementPolicySubjectSet[] | The primary approvers of this stage. | |
+
+### MSFT_AADRoleManagementPolicyApprovalSettings
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **approvalMode** | Write | String | One of SingleStage, Serial, Parallel, NoApproval (default). NoApproval is used when isApprovalRequired is false. | |
+| **approvalStages** | Write | MSFT_AADRoleManagementPolicyApprovalStage[] | If approval is required, the one or two elements of this collection define each of the stages of approval. An empty array if no approval is required. | |
+| **isApprovalRequired** | Write | Boolean | Indicates whether approval is required for requests in this policy. | |
+| **isApprovalRequiredForExtension** | Write | Boolean | Indicates whether approval is required for a user to extend their assignment. | |
+| **isRequestorJustificationRequired** | Write | Boolean | Indicates whether the requestor is required to supply a justification in their request. | |
+
+### MSFT_AADRoleManagementPolicyApprovalRule
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **setting** | Write | MSFT_AADRoleManagementPolicyApprovalSettings | Settings for approval requirements. | |
+
+### MSFT_AADRoleManagementPolicyAuthenticationContextRule
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **isEnabled** | Write | Boolean | Indicates if the authentication context rule is enabled. | |
+| **claimValue** | Write | String | Claim value associated with the rule. | |
+
+
+## Description
+
+Azure AD Role Management Policy Rule
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All
+
+- **Update**
+
+ - RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory
+
+#### Application permissions
+
+- **Read**
+
+ - RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All
+
+- **Update**
+
+ - RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+
+ AADRoleManagementPolicyRule "AADRoleManagementPolicyRule-Expiration_Admin_Eligibility"
+ {
+ expirationRule = MSFT_AADRoleManagementPolicyExpirationRule{
+ isExpirationRequired = $False
+ maximumDuration = 'P180D'
+ };
+ id = "Expiration_Admin_Eligibility";
+ roleDisplayName = "Global Administrator";
+ ruleType = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AADServicePrincipal.md b/docs/docs/resources/azure-ad/AADServicePrincipal.md
index fc48241314..829bfde1d5 100644
--- a/docs/docs/resources/azure-ad/AADServicePrincipal.md
+++ b/docs/docs/resources/azure-ad/AADServicePrincipal.md
@@ -14,14 +14,17 @@ | **ErrorUrl** | Write | String | Specifies the error URL of the ServicePrincipal. | | | **Homepage** | Write | String | Specifies the homepage of the ServicePrincipal. | | | **LogoutUrl** | Write | String | Specifies the LogoutURL of the ServicePrincipal. | | +| **Notes** | Write | String | Notes associated with the ServicePrincipal. | | | **PublisherName** | Write | String | Specifies the PublisherName of the ServicePrincipal. | | | **Owners** | Write | StringArray[] | List of the owners of the service principal. | | +| **PreferredSingleSignOnMode** | Write | String | Specifies the signle sign-on mode configured for this application. | | | **ReplyUrls** | Write | StringArray[] | The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application. | | | **SamlMetadataUrl** | Write | String | The URL for the SAML metadata of the ServicePrincipal. | | | **ServicePrincipalNames** | Write | StringArray[] | Specifies an array of service principal names. Based on the identifierURIs collection, plus the application's appId property, these URIs are used to reference an application's service principal. | | | **ServicePrincipalType** | Write | String | The type of the service principal. | | | **Tags** | Write | StringArray[] | Tags linked to this service principal.Note that if you intend for this service principal to show up in the All Applications list in the admin portal, you need to set this value to {WindowsAzureActiveDirectoryIntegratedApp} | | | **DelegatedPermissionClassifications** | Write | MSFT_AADServicePrincipalDelegatedPermissionClassification[] | The permission classifications for delegated permissions exposed by the app that this service principal represents. 
| | +| **CustomSecurityAttributes** | Write | MSFT_AADServicePrincipalAttributeSet[] | The list of custom security attributes attached to this SPN | | | **Ensure** | Write | String | Specify if the Azure AD App should exist or not. | `Present`, `Absent` | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | @@ -30,6 +33,8 @@ | **Credential** | Write | PSCredential | Credentials of the Azure AD Admin | | | **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | | **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | +| **PasswordCredentials** | Write | MSFT_MicrosoftGraphpasswordCredential[] | The collection of password credentials associated with the service principal. Not nullable. | | +| **KeyCredentials** | Write | MSFT_MicrosoftGraphkeyCredential[] | The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, NOT, ge, le). | | ### MSFT_AADServicePrincipalRoleAssignment 
@@ -49,6 +54,55 @@ | **Classification** | Write | String | Classification of the delegated permission | `low`, `medium`, `high` | | **PermissionName** | Write | String | Name of the permission | | +### MSFT_AADServicePrincipalAttributeValue + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **AttributeName** | Write | String | Name of the Attribute | | +| **StringArrayValue** | Write | StringArray[] | If the attribute has a string array value | | +| **IntArrayValue** | Write | UInt32Array[] | If the attribute has a int array value | | +| **StringValue** | Write | String | If the attribute has a string value | | +| **IntValue** | Write | UInt32 | If the attribute has a int value | | +| **BoolValue** | Write | Boolean | If the attribute has a boolean value | | + +### MSFT_AADServicePrincipalAttributeSet + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **AttributeSetName** | Write | String | Attribute Set Name. | | +| **AttributeValues** | Write | MSFT_AADServicePrincipalAttributeValue[] | List of attribute values. | | + +### MSFT_MicrosoftGraphKeyCredential + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **CustomKeyIdentifier** | Write | String | A 40-character binary type that can be used to identify the credential. Optional. When not provided in the payload, defaults to the thumbprint of the certificate. | | +| **DisplayName** | Write | String | Friendly name for the key. Optional. | | +| **EndDateTime** | Write | String | The date and time at which the credential expires. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. | | +| **KeyId** | Write | String | The unique identifier (GUID) for the key. 
| | +| **Key** | Write | String | The certificate's raw data in byte array converted to Base64 string. | | +| **StartDateTime** | Write | String | The date and time at which the credential becomes valid.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. | | +| **Type** | Write | String | The type of key credential for example, Symmetric, AsymmetricX509Cert. | | +| **Usage** | Write | String | A string that describes the purpose for which the key can be used for example, Verify. | | + +### MSFT_MicrosoftGraphPasswordCredential + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Write | String | Friendly name for the password. Optional. | | +| **EndDateTime** | Write | String | The date and time at which the password expires represented using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Optional. | | +| **Hint** | Write | String | Contains the first three characters of the password. Read-only. | | +| **KeyId** | Write | String | The unique identifier for the password. | | +| **StartDateTime** | Write | String | The date and time at which the password becomes valid. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Optional. | | + ## Description This resource configures an Azure Active Directory ServicePrincipal. diff --git a/docs/docs/resources/azure-ad/AADSocialIdentityProvider.md b/docs/docs/resources/azure-ad/AADSocialIdentityProvider.md index 2472e76d61..3f219780b6 100644 --- a/docs/docs/resources/azure-ad/AADSocialIdentityProvider.md +++ b/docs/docs/resources/azure-ad/AADSocialIdentityProvider.md 
@@ -34,11 +34,11 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - None + - IdentityProvider.Read.All - **Update** - - None + - IdentityProvider.ReadWrite.All #### Application permissions diff --git a/docs/docs/resources/azure-ad/AADUserFlowAttribute.md b/docs/docs/resources/azure-ad/AADUserFlowAttribute.md new file mode 100644 index 0000000000..648be9e29a --- /dev/null +++ b/docs/docs/resources/azure-ad/AADUserFlowAttribute.md 
@@ -0,0 +1,169 @@
+# AADUserFlowAttribute
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Id** | Write | String | User flow attribute Id. | |
+| **DisplayName** | Key | String | Display name of the user flow attribute. | |
+| **Description** | Write | String | Description of the user flow attribute. | |
+| **DataType** | Write | String | Defines the user flow attribute data type. | |
+| **Ensure** | Write | String | Specify if the Azure AD role setting should exist or not. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials for the Microsoft Graph delegated permissions. | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory application to authenticate with. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+## Description
+
+This resource configure User flow attributes which are custom attributes that you can define and use in your user flows, which are predefined, configurable policies that control the user experience during sign-up, sign-in, and profile editing processes.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - IdentityUserFlow.Read.All, IdentityUserFlow.ReadWrite.All
+
+- **Update**
+
+ - IdentityUserFlow.ReadWrite.All
+
+#### Application permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ AADUserFlowAttribute 'SaiTest'
+ {
+ Id = "testIdSai"
+ DisplayName = "saitest"
+ Description = "sai test description"
+ DataType = "string"
+ Ensure = "Present"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ AADUserFlowAttribute 'SaiTest'
+ {
+ Id = "testIdSai"
+ DisplayName = "saitest"
+ Description = "sai test description"
+ DataType = "string"
+ Ensure = "Present"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ AADUserFlowAttribute 'SaiTest'
+ {
+ Id = "testIdSai"
+ DisplayName = "saitest"
+ Ensure = "Absent"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AADVerifiedIdAuthority.md b/docs/docs/resources/azure-ad/AADVerifiedIdAuthority.md
new file mode 100644
index 0000000000..edd88ff237
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADVerifiedIdAuthority.md
@@ -0,0 +1,201 @@ +# AADVerifiedIdAuthority + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Write | String | Name of the Verified ID Authority. | | +| **Id** | Write | String | Id of the Verified ID Authority. | | +| **LinkedDomainUrl** | Key | String | URL of the linked domain. | | +| **DidMethod** | Write | String | DID method used by the Verified ID Authority. | | +| **KeyVaultMetadata** | Write | MSFT_AADVerifiedIdAuthorityKeyVaultMetadata | Key Vault metadata for the Verified ID Authority. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_AADVerifiedIdAuthorityKeyVaultMetadata + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **SubscriptionId** | Write | String | Subscription ID of the Key Vault. | | +| **ResourceGroup** | Write | String | Resource group of the Key Vault. | | +| **ResourceName** | Write | String | Resource name of the Key Vault. | | +| **ResourceUrl** | Write | String | Resource URL of the Key Vault. 
| | + + +## Description + +Azure AD Verified Identity Authority +Use the VerifiableCredential.Authority.ReadWrite permission to read and write the authority. +Documentation Link: https://learn.microsoft.com/en-us/entra/verified-id/admin-api#authorities + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso' + { + DidMethod = "web"; + Ensure = "Present"; + KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{ + SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62' + ResourceName = 'xtakeyvault' + ResourceUrl = 'https://xtakeyvault.vault.azure.net/' + ResourceGroup = 'TBD' + }; + LinkedDomainUrl = "https://nik-charlebois.com/"; + Name = "Contoso"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso'
+ {
+ DidMethod = "web";
+ Ensure = "Present";
+ KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{
+ SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62'
+ ResourceName = 'xtakeyvault'
+ ResourceUrl = 'https://xtakeyvault.vault.azure.net/'
+ ResourceGroup = 'TBD'
+ };
+ LinkedDomainUrl = "https://nik-charlebois.com/";
+ Name = "Contoso 2"; # drift
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ AADVerifiedIdAuthority 'AADVerifiedIdAuthority-Contoso'
+ {
+ DidMethod = "web";
+ Ensure = "Absent";
+ KeyVaultMetadata = MSFT_AADVerifiedIdAuthorityKeyVaultMetadata{
+ SubscriptionId = '2ff65b89-ab22-4489-b84d-e60d1dc30a62'
+ ResourceName = 'xtakeyvault'
+ ResourceUrl = 'https://xtakeyvault.vault.azure.net/'
+ ResourceGroup = 'TBD'
+ };
+ LinkedDomainUrl = "https://nik-charlebois.com/";
+ Name = "Contoso";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AADVerifiedIdAuthorityContract.md b/docs/docs/resources/azure-ad/AADVerifiedIdAuthorityContract.md
new file mode 100644
index 0000000000..29d4697a49
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADVerifiedIdAuthorityContract.md
@@ -0,0 +1,475 @@ +# AADVerifiedIdAuthorityContract + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **id** | Write | String | Id of the Verified ID Authority Contract. | | +| **linkedDomainUrl** | Key | String | URL of the linked domain of the authority. | | +| **authorityId** | Write | String | Id of the Verified ID Authority. | | +| **name** | Key | String | Name of the Verified ID Authority Contract. | | +| **displays** | Write | MSFT_AADVerifiedIdAuthorityContractDisplayModel[] | Display settings of the Authority Contract. | | +| **rules** | Write | MSFT_AADVerifiedIdAuthorityContractRulesModel | Rules settings of the Authority Contract. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **uri** | Write | String | URI of the logo. If this is a URL, it must be reachable over the public internet anonymously. | | +| **description** | Write | String | Description of the logo. 
| | + +### MSFT_AADVerifiedIdAuthorityContractDisplayCard + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **title** | Write | String | Title of the credential. | | +| **issuedBy** | Write | String | The name of the issuer of the credential. | | +| **backgroundColor** | Write | String | Background color of the credential in hex, for example, #FFAABB. | | +| **textColor** | Write | String | Text color of the credential in hex, for example, #FFAABB. | | +| **description** | Write | String | Supplemental text displayed alongside each credential. | | +| **logo** | Write | MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo | The logo to use for the credential. | | + +### MSFT_AADVerifiedIdAuthorityContractDisplayConsent + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **title** | Write | String | Title of the consent. | | +| **instructions** | Write | String | Supplemental text to use when displaying consent. | | + +### MSFT_AADVerifiedIdAuthorityContractDisplayClaims + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **label** | Write | String | The label of the claim in display. | | +| **claim** | Write | String | The name of the claim to which the label applies. | | +| **type** | Write | String | The type of the claim. | | +| **description** | Write | String | The description of the claim. | | + +### MSFT_AADVerifiedIdAuthorityContractDisplayModel + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **locale** | Write | String | The locale of this display. | | +| **card** | Write | MSFT_AADVerifiedIdAuthorityContractDisplayCard | The display properties of the verifiable credential. 
| | +| **consent** | Write | MSFT_AADVerifiedIdAuthorityContractDisplayConsent | Supplemental data when the verifiable credential is issued. | | +| **claims** | Write | MSFT_AADVerifiedIdAuthorityContractDisplayClaims[] | Labels for the claims included in the verifiable credential. | | + +### MSFT_AADVerifiedIdAuthorityContractClaimMapping + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **inputClaim** | Write | String | The name of the claim to use from the input. | | +| **outputClaim** | Write | String | The name of the claim in the verifiable credential. | | +| **indexed** | Write | Boolean | Indicating whether the value of this claim is used for searching. | | +| **required** | Write | Boolean | Indicating whether this mapping is required or not. | | +| **type** | Write | String | Type of claim. | | + +### MSFT_AADVerifiedIdAuthorityContractAttestationValues + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **mapping** | Write | MSFT_AADVerifiedIdAuthorityContractClaimMapping[] | Rules to map input claims into output claims in the verifiable credential. | | +| **required** | Write | Boolean | Indicating whether this attestation is required or not. | | +| **trustedIssuers** | Write | StringArray[] | A list of DIDs allowed to issue the verifiable credential for this contract. | | +| **credentialType** | Write | String | Required credential type of the input. | | +| **configuration** | Write | String | Location of the identity provider's configuration document. | | +| **clientId** | Write | String | Client ID to use when obtaining the ID token. | | +| **redirectUri** | Write | String | Redirect URI to use when obtaining the ID token. MUST BE vcclient://openid/ | | +| **scopeValue** | Write | String | Space delimited list of scopes to use when obtaining the ID token. 
| | + +### MSFT_AADVerifiedIdAuthorityContractAttestations + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **idTokenHints** | Write | MSFT_AADVerifiedIdAuthorityContractAttestationValues[] | Id token hints attestations. | | +| **idTokens** | Write | MSFT_AADVerifiedIdAuthorityContractAttestationValues[] | Id token attestations. | | +| **presentations** | Write | MSFT_AADVerifiedIdAuthorityContractAttestationValues[] | Presentations attestations. | | +| **selfIssued** | Write | MSFT_AADVerifiedIdAuthorityContractAttestationValues[] | Self Issued attestations. | | +| **accessTokens** | Write | MSFT_AADVerifiedIdAuthorityContractAttestationValues[] | Access Token attestations. | | + +### MSFT_AADVerifiedIdAuthorityContractCustomStatusEndpoint + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **url** | Write | String | The URL of the custom status endpoint. | | +| **type** | Write | String | The type of the endpoint. | | + +### MSFT_AADVerifiedIdAuthorityContractVcType + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **type** | Write | StringArray[] | The type of the vc. | | + +### MSFT_AADVerifiedIdAuthorityContractRulesModel + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **attestations** | Write | MSFT_AADVerifiedIdAuthorityContractAttestations | Describing supported inputs for the rules. | | +| **validityInterval** | Write | UInt32 | This value shows the lifespan of the credential. | | +| **vc** | Write | MSFT_AADVerifiedIdAuthorityContractVcType | Types for this contract. | | +| **customStatusEndpoint** | Write | MSFT_AADVerifiedIdAuthorityContractCustomStatusEndpoint | Status endpoint to include in the verifiable credential for this contract. 
| | + +## Description + +Azure AD Verified Identity Authority Contract +Use the VerifiableCredential.Contract.ReadWrite permission to read and write the authority contract. +Documentation Link: https://learn.microsoft.com/en-us/entra/verified-id/admin-api#contracts + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your Verified Credential?' + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' 
+ issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Present"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your sample Verified Credential?' #drift + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' + issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Present"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + 
MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADVerifiedIdAuthorityContract 'AADVerifiedIdAuthorityContract-Sample Custom Verified Credentials' + { + displays = @( + MSFT_AADVerifiedIdAuthorityContractDisplayModel{ + consent = MSFT_AADVerifiedIdAuthorityContractDisplayConsent{ + instructions = 'Sign in with your account to get your card.' + title = 'Do you want to get your Verified Credential?' + } + card = MSFT_AADVerifiedIdAuthorityContractDisplayCard{ + description = 'Use your verified credential to prove to anyone that you know all about verifiable credentials.' 
+ issuedBy = 'Microsoft' + backgroundColor = '#000000' + textColor = '#ffffff' + logo = MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo{ + uri = 'https://didcustomerplayground.z13.web.core.windows.net/VerifiedCredentialExpert_icon.png' + description = 'Verified Credential Expert Logo' + } + title = 'Verified Credential Expert' + } + locale = 'en-US' + claims = @( + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'First name' + claim = 'vc.credentialSubject.firstName' + type = 'String' + } + MSFT_AADVerifiedIdAuthorityContractDisplayClaims{ + label = 'Last name' + claim = 'vc.credentialSubject.lastName' + type = 'String' + } + ) + + } + ); + Ensure = "Absent"; + linkedDomainUrl = "https://$OrganizationName/"; + name = "Sample Custom Verified Credentials"; + rules = MSFT_AADVerifiedIdAuthorityContractRulesModel{ + validityInterval = 2592000 + vc = MSFT_AADVerifiedIdAuthorityContractVcType{ + type = @('VerifiedCredentialExpert') + } + attestations = MSFT_AADVerifiedIdAuthorityContractAttestations{ + idTokenHints = @( + MSFT_AADVerifiedIdAuthorityContractAttestationValues{ + mapping = @( + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.given_name' + indexed = $False + outputClaim = 'firstName' + required = $True + } + MSFT_AADVerifiedIdAuthorityContractClaimMapping{ + inputClaim = '$.family_name' + indexed = $True + outputClaim = 'lastName' + required = $True + } + ) + required = $False + } + ) + + } + + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AzureBillingAccountsAssociatedTenant.md b/docs/docs/resources/azure-ad/AzureBillingAccountsAssociatedTenant.md new file mode 100644 index 0000000000..de7c72e4f6 --- /dev/null +++ b/docs/docs/resources/azure-ad/AzureBillingAccountsAssociatedTenant.md 
@@ -0,0 +1,172 @@ +# AzureBillingAccountsAssociatedTenant + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **AssociatedTenantId** | Key | String | The ID that uniquely identifies a tenant. | | +| **DisplayName** | Write | String | The name of the associated tenant. | | +| **BillingAccount** | Write | String | Name of the billing account. | | +| **BillingManagementState** | Write | String | The state determines whether users from the associated tenant can be assigned roles for commerce activities like viewing and downloading invoices, managing payments, and making purchases. | | +| **ProvisioningManagementState** | Write | String | The state determines whether subscriptions and licenses can be provisioned in the associated tenant. It can be set to 'Pending' to initiate a billing request. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures associated tenants to billing accounts in the Microsoft Admin Center. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureBillingAccountsAssociatedTenant "AzureBillingAccountsAssociatedTenantIntegration Tenant" + { + ApplicationId = $ApplicationId; + AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37"; + BillingAccount = "My Test Account"; + BillingManagementState = "Active"; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "Integration Tenant"; + Ensure = "Present"; + ProvisioningManagementState = "Pending"; + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AzureBillingAccountsAssociatedTenant "AzureBillingAccountsAssociatedTenantIntegration Tenant"
+ {
+ ApplicationId = $ApplicationId;
+ AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37";
+ BillingAccount = "My Test Account";
+ BillingManagementState = "NotAllowed"; # Drift
+ CertificateThumbprint = $CertificateThumbprint;
+ DisplayName = "Integration Tenant";
+ Ensure = "Present";
+ ProvisioningManagementState = "Pending";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AzureBillingAccountsAssociatedTenant "AzureBillingAccountsAssociatedTenantIntegration Tenant"
+ {
+ ApplicationId = $ApplicationId;
+ AssociatedTenantId = "7a575036-2dac-4713-8e23-2963cc2c5f37";
+ BillingAccount = "My Test Account";
+ BillingManagementState = "Active";
+ CertificateThumbprint = $CertificateThumbprint;
+ DisplayName = "Integration Tenant";
+ Ensure = "Absent";
+ ProvisioningManagementState = "Pending";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AzureBillingaccountsRoleAssignment.md b/docs/docs/resources/azure-ad/AzureBillingaccountsRoleAssignment.md
new file mode 100644
index 0000000000..cfd9f32a3f
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AzureBillingaccountsRoleAssignment.md
@@ -0,0 +1,172 @@ +# AzureBillingaccountsRoleAssignment + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **PrincipalName** | Key | String | Name of the principal associated to the role assignment. | | +| **RoleDefinition** | Key | String | Name of the role assigned to the principal. | | +| **PrincipalType** | Write | String | Principal type. Can be User, Group or ServicePrincipal. | | +| **BillingAccount** | Write | String | Name of the billing account. | | +| **PrincipalTenantId** | Write | String | The principal tenant id of the user to whom the role was assigned. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Manages roles on billing accounts. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AzureBillingAccountsRoleAssignment "AzureBillingAccountsRoleAssignment"
+ {
+ ApplicationId = $ApplicationId;
+ BillingAccount = "MyTestAccount";
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ PrincipalName = "John.Smith@contoso.onmicrosoft.com";
+ PrincipalType = "User";
+ PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4'
+ RoleDefinition = "Billing account owner";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AzureBillingAccountsRoleAssignment "AzureBillingAccountsRoleAssignment"
+ {
+ ApplicationId = $ApplicationId;
+ BillingAccount = "MyTestAccount";
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ PrincipalName = "John.Smith@contoso.onmicrosoft.com";
+ PrincipalType = "User";
+ PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4'
+ RoleDefinition = "Billing account contributor";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AzureBillingAccountsRoleAssignment "AzureBillingAccountsRoleAssignment"
+ {
+ ApplicationId = $ApplicationId;
+ BillingAccount = "MyTestAccount";
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Absent";
+ PrincipalName = "John.Smith@contoso.onmicrosoft.com";
+ PrincipalType = "User";
+ PrincipalTenantId = '9c888910-6b3b-4c17-8cff-844fefb026d4'
+ RoleDefinition = "Billing account owner";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AzureDiagnosticSettings.md b/docs/docs/resources/azure-ad/AzureDiagnosticSettings.md
new file mode 100644
index 0000000000..3918f4a0b0
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AzureDiagnosticSettings.md
@@ -0,0 +1,323 @@
+# AzureDiagnosticSettings
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Name** | Key | String | Diagnostic setting name. | |
+| **Categories** | Write | MSFT_AzureDiagnosticSettingsCategory[] | List of log categories. | |
+| **StorageAccountId** | Write | String | Storage account id. | |
+| **ServiceBusRuleId** | Write | String | Service bus id. | |
+| **EventHubAuthorizationRuleId** | Write | String | Event hub id. | |
+| **EventHubName** | Write | String | Event hub name. | |
+| **WorkspaceId** | Write | String | Workspace id. | |
+| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_AzureDiagnosticSettingsCategory
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Category** | Write | String | Name of the category. | |
+| **enabled** | Write | Boolean | Is the log category enabled or not. | |
+
+## Description
+
+Configures Diagnostics settings in Azure.
+
+Users will need to grant permissions to the associated scope by running the following command in Azure Cloud Shell:
+```Powershell
+New-AzRoleAssignment -ObjectId "" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Contributor' -ObjectType 'ServicePrincipal'
+```
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AzureDiagnosticSettings "AzureDiagnosticSettings-TestDiag"
+ {
+ ApplicationId = $ApplicationId;
+ Categories = @(
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'AuditLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'SignInLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'NonInteractiveUserSignInLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'ServicePrincipalSignInLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'ManagedIdentitySignInLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'ProvisioningLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'ADFSSignInLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'RiskyUsers'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'UserRiskEvents'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'NetworkAccessTrafficLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'RiskyServicePrincipals'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'ServicePrincipalRiskEvents'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'EnrichedOffice365AuditLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'MicrosoftGraphActivityLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'RemoteNetworkHealthLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'NetworkAccessAlerts'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'B2CRequestLogs'
+ enabled = $False
+ }
+ );
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ EventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey";
+ EventHubName = "";
+ Name = "TestDiag";
+ StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore";
+ TenantId = $TenantId;
+ WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace";
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AzureDiagnosticSettings "AzureDiagnosticSettings-TestDiag"
+ {
+ ApplicationId = $ApplicationId;
+ Categories = @(
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'AuditLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'SignInLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'NonInteractiveUserSignInLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'ServicePrincipalSignInLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'ManagedIdentitySignInLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'ProvisioningLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'ADFSSignInLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'RiskyUsers'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'UserRiskEvents'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'NetworkAccessTrafficLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'RiskyServicePrincipals'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'ServicePrincipalRiskEvents'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'EnrichedOffice365AuditLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'MicrosoftGraphActivityLogs'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'RemoteNetworkHealthLogs'
+ enabled = $False #Drift
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'NetworkAccessAlerts'
+ enabled = $True
+ }
+ MSFT_AzureDiagnosticSettingsCategory{
+ category = 'B2CRequestLogs'
+ enabled = $False
+ }
+ );
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ EventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey";
+ EventHubName = "";
+ Name = "TestDiag";
+ StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore";
+ TenantId = $TenantId;
+ WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace";
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AzureDiagnosticSettings "AzureDiagnosticSettings-TestDiag"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Absent";
+ Name = "TestDiag";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AzureDiagnosticSettingsCustomSecurityAttribute.md b/docs/docs/resources/azure-ad/AzureDiagnosticSettingsCustomSecurityAttribute.md
new file mode 100644
index 0000000000..622b873558
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AzureDiagnosticSettingsCustomSecurityAttribute.md
@@ -0,0 +1,205 @@
+# AzureDiagnosticSettingsCustomSecurityAttribute
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Name** | Key | String | Diagnostic setting name. | |
+| **Categories** | Write | MSFT_AzureDiagnosticSettingsCustomSecurityAttributeCategory[] | List of log categories. | |
+| **StorageAccountId** | Write | String | Storage account id. | |
+| **ServiceBusRuleId** | Write | String | Service bus id. | |
+| **EventHubAuthorizationRuleId** | Write | String | Event hub id. | |
+| **EventHubName** | Write | String | Event hub name. | |
+| **WorkspaceId** | Write | String | Workspace id. | |
+| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_AzureDiagnosticSettingsCustomSecurityAttributeCategory
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Category** | Write | String | Name of the category. | |
+| **enabled** | Write | Boolean | Is the log category enabled or not. | |
+
+## Description
+
+Configures Diagnostics settings custom security attributes in Azure.
+
+Users will need to grant permissions to the associated scope by running the following command in Azure Cloud Shell:
+```Powershell
+New-AzRoleAssignment -ObjectId "" -Scope "/providers/microsoft.AadCustomSecurityAttributesDiagnosticSettings" -RoleDefinitionName 'Contributor' -ObjectType 'ServicePrincipal'
+```
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AzureDiagnosticSettingsCustomSecurityAttribute "AzureDiagnosticSettingsCustomSecurityAttribute-MyAttribute"
+ {
+ ApplicationId = $ApplicationId;
+ Categories = @(
+ MSFT_AzureDiagnosticSettingsCustomSecurityAttributeCategory{
+ category = 'CustomSecurityAttributeAuditLogs'
+ enabled = $True
+ }
+ );
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ EventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey";
+ EventHubName = "";
+ Name = "MyAttribute";
+ StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore";
+ TenantId = $TenantId;
+ WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace";
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AzureDiagnosticSettingsCustomSecurityAttribute "AzureDiagnosticSettingsCustomSecurityAttribute-MyAttribute"
+ {
+ ApplicationId = $ApplicationId;
+ Categories = @(
+ MSFT_AzureDiagnosticSettingsCustomSecurityAttributeCategory{
+ category = 'CustomSecurityAttributeAuditLogs'
+ enabled = $False # Drift
+ }
+ );
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ EventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey";
+ EventHubName = "";
+ Name = "MyAttribute";
+ StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore";
+ TenantId = $TenantId;
+ WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace";
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AzureDiagnosticSettingsCustomSecurityAttribute "AzureDiagnosticSettingsCustomSecurityAttribute-MyAttribute"
+ {
+ ApplicationId = $ApplicationId;
+ Categories = @(
+ MSFT_AzureDiagnosticSettingsCustomSecurityAttributeCategory{
+ category = 'CustomSecurityAttributeAuditLogs'
+ enabled = $True
+ }
+ );
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Absent";
+ EventHubAuthorizationRuleId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.EventHub/namespaces/myhub/authorizationrules/RootManageSharedAccessKey";
+ EventHubName = "";
+ Name = "MyAttribute";
+ StorageAccountId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.Storage/storageAccounts/demostore";
+ TenantId = $TenantId;
+ WorkspaceId = "/subscriptions/f854132c-570e-4c98-a4c9-3cd902de77dd/resourceGroups/TBD/providers/Microsoft.OperationalInsights/workspaces/MySentinelWorkspace";
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/azure-ad/AzureSubscription.md b/docs/docs/resources/azure-ad/AzureSubscription.md
index 481e5a8eb0..8719c2f1fe 100644
--- a/docs/docs/resources/azure-ad/AzureSubscription.md
+++ b/docs/docs/resources/azure-ad/AzureSubscription.md
@@ -4,9 +4,10 @@ | Parameter | Attribute | DataType | Description | Allowed Values | | --- | --- | --- | --- | --- | -| **Name** | Key | String | The display name of the subscription. | | +| **DisplayName** | Key | String | The display name of the subscription. | | | **Id** | Write | String | The unique identifier of the subscription. | | -| **Enabled** | Write | Boolean | Enables or disables the subscription | | +| **InvoiceSectionId** | Write | String | The unique identifier of the invoice section associated with the subscription. | | +| **Status** | Write | String | Status of the subscription. | | | **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Present` | | **Credential** | Write | PSCredential | Credentials of the workload's Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | 
@@ -72,14 +73,53 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - AzureSubscription 'TestSubscription' + AzureSubscription "AzureSubscription-MySubscription" { - Name = 'MyTestSubscription' - Id = 'd620d94d-916d-4dd9-9de5-179292873e20' - Enabled = $true - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "My Subscription"; + Ensure = "Present"; + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB"; + Status = "Active"; + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AzureSubscription "AzureSubscription-MySubscription" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "My Subscription"; + Ensure = "Present"; + InvoiceSectionId = "/providers/Microsoft.Billing/billingAccounts/0b32abd9-f0e6-4fc9-8b2f-404350313179:0b32abd9-f0e6-4fc9-8b2f-404350313179_2019-05-31/billingProfiles/OHZY-JSSA-BG7-M77W-XXX/invoiceSections/E6RO-KYS7-P2D-MAOR-SGB"; + Status = "Disabled"; #Drift + TenantId = $TenantId; } } } diff --git a/docs/docs/resources/azure-ad/AzureVerifiedIdFaceCheck.md b/docs/docs/resources/azure-ad/AzureVerifiedIdFaceCheck.md new file mode 100644 index 0000000000..44e5666222 --- /dev/null 
+++ b/docs/docs/resources/azure-ad/AzureVerifiedIdFaceCheck.md 
@@ -0,0 +1,92 @@
+# AzureVerifiedIdFaceCheck
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **SubscriptionId** | Key | String | Id of the Azure subscription. | |
+| **ResourceGroupName** | Key | String | Name of the associated resource group. | |
+| **VerifiedIdAuthorityId** | Key | String | Id of the verified ID authority. | |
+| **FaceCheckEnabled** | Write | Boolean | Represents whether or not FaceCheck is enabled for the authrotiy. | |
+| **VerifiedIdAuthorityLocation** | Write | String | Location of the Verified ID Authority. | |
+| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+
+## Description
+
+Configures Azure Verified Id FaceCheck.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AzureVerifiedIdFaceCheck "AzureVerifiedIdFaceCheck"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ FaceCheckEnabled = $True;
+ ResourceGroupName = "website";
+ SubscriptionId = "2dbaf4c4-78f8-4ac9-8188-536d921cf690";
+ TenantId = $TenantId;
+ VerifiedIdAuthorityId = "30961e04-9c35-42db-b80f-c1b6515eb4b2";
+ VerifiedIdAuthorityLocation = "westus2";
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/exchange/EXOActiveSyncMailboxPolicy.md b/docs/docs/resources/exchange/EXOActiveSyncMailboxPolicy.md
new file mode 100644
index 0000000000..041b496109
--- /dev/null
+++ b/docs/docs/resources/exchange/EXOActiveSyncMailboxPolicy.md
@@ -0,0 +1,362 @@
+# EXOActiveSyncMailboxPolicy
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Name** | Write | String | Specifies the name of the policy. | |
+| **AllowApplePushNotifications** | Write | Boolean | Specifies whether push notifications are allowed for Apple mobile devices. | |
+| **AllowBluetooth** | Write | String | Specifies whether the Bluetooth capabilities of the mobile phone are allowed. | `Disable`, `HandsfreeOnly`, `Allow` |
+| **AllowBrowser** | Write | Boolean | Specifies whether Microsoft Pocket Internet Explorer is allowed on the mobile phone. | |
+| **AllowCamera** | Write | Boolean | Specifies whether the mobile phone's camera is allowed. | |
+| **AllowConsumerEmail** | Write | Boolean | Specifies whether the mobile phone user can configure a personal email account on the device. | |
+| **AllowDesktopSync** | Write | Boolean | Specifies whether the mobile phone can synchronize with a desktop computer through a cable. | |
+| **AllowExternalDeviceManagement** | Write | Boolean | Specifies whether an external device management program is allowed to manage the device. | |
+| **AllowHTMLEmail** | Write | Boolean | Specifies whether HTML email is enabled on the device. | |
+| **AllowInternetSharing** | Write | Boolean | Specifies whether the mobile phone can be used as a modem to connect a computer to the Internet. | |
+| **AllowIrDA** | Write | Boolean | Specifies whether infrared connections are allowed to the mobile phone. | |
+| **AllowMobileOTAUpdate** | Write | Boolean | Specifies whether certain updates are seen by devices that implemented support for this restricting functionality. | |
+| **AllowNonProvisionableDevices** | Write | Boolean | Enables all devices to synchronize with the computer running Exchange, regardless of whether the device can enforce all the specific settings established in the Mobile Device mailbox policy. | |
+| **AllowPOPIMAPEmail** | Write | Boolean | Specifies whether the user can configure a POP3 or IMAP4 email account on the device. | |
+| **AllowRemoteDesktop** | Write | Boolean | Specifies whether the mobile phone can initiate a remote desktop connection. | |
+| **AllowSimpleDevicePassword** | Write | Boolean | Specifies whether a simple device password is allowed. | |
+| **AllowSMIMEEncryptionAlgorithmNegotiation** | Write | String | Specifies whether the messaging application on the device can negotiate the encryption algorithm in case a recipient's certificate doesn't support the specified encryption algorithm. | |
+| **AllowSMIMESoftCerts** | Write | Boolean | Specifies whether S/MIME software certificates are allowed. | |
+| **AllowStorageCard** | Write | Boolean | Specifies whether the device can access information stored on a storage card. | |
+| **AllowTextMessaging** | Write | Boolean | Specifies whether text messaging is allowed from the device. | |
+| **AllowUnsignedApplications** | Write | Boolean | Specifies whether unsigned applications can be installed on the device. | |
+| **AllowUnsignedInstallationPackages** | Write | Boolean | Specifies whether unsigned installation packages can be run on the device. | |
+| **AllowWiFi** | Write | Boolean | Specifies whether wireless Internet access is allowed on the device. | |
+| **AlphanumericDevicePasswordRequired** | Write | Boolean | Specifies whether the device password must be alphanumeric. | |
+| **ApprovedApplicationList** | Write | StringArray[] | Specifies a list of approved applications for the device. | |
+| **AttachmentsEnabled** | Write | Boolean | Specifies whether the user can download attachments. | |
+| **DeviceEncryptionEnabled** | Write | Boolean | Enables device encryption on the mobile phone. | |
+| **DevicePasswordEnabled** | Write | Boolean | Specifies that the user set a password for the device. | |
+| **DevicePasswordExpiration** | Write | String | Specifies the length of time, in days, that a password can be used. | |
+| **DevicePasswordHistory** | Write | SInt32 | Specifies the number of previously used passwords to store. | |
+| **DevicePolicyRefreshInterval** | Write | String | Specifies how often the policy is sent from the server to the mobile phone | |
+| **IrmEnabled** | Write | Boolean | Specifies whether Information Rights Management (IRM) is enabled for the mailbox policy. | |
+| **IsDefault** | Write | Boolean | Specifies whether this policy is the default Mobile Device mailbox policy. | |
+| **IsDefaultPolicy** | Write | Boolean | Specifies whether this policy is the default Mobile Device mailbox policy. | |
+| **MaxAttachmentSize** | Write | String | Specifies the maximum size of attachments that can be downloaded to the mobile phone. | |
+| **MaxCalendarAgeFilter** | Write | String | Specifies the maximum range of calendar days that can be synchronized to the device. | `All`, `TwoWeeks`, `OneMonth`, `ThreeMonths`, `SixMonths` |
+| **MaxDevicePasswordFailedAttempts** | Write | String | Specifies the number of attempts a user can make to enter the correct password for the device. | |
+| **MaxEmailAgeFilter** | Write | String | Specifies the maximum number of days of email items to synchronize to the device. | `All`, `OneDay`, `ThreeDays`, `OneWeek`, `TwoWeeks`, `OneMonth`, `ThreeMonths`, `SixMonths` |
+| **MaxEmailBodyTruncationSize** | Write | String | Specifies the maximum size at which email messages are truncated when synchronized to the device. | |
+| **MaxEmailHTMLBodyTruncationSize** | Write | String | Specifies the maximum size at which HTML-formatted email messages are synchronized to the device. | |
+| **MaxInactivityTimeDeviceLock** | Write | String | Specifies the length of time that the device can be inactive before the password is required to reactivate the device. | |
+| **MinDevicePasswordComplexCharacters** | Write | SInt32 | Specifies the minimum number of complex characters required in a device password. | |
+| **MinDevicePasswordLength** | Write | SInt32 | Specifies the minimum number of characters in the device password. | |
+| **PasswordRecoveryEnabled** | Write | Boolean | Specifies whether you can store the recovery password for the device on an Exchange server. | |
+| **RequireDeviceEncryption** | Write | Boolean | Specifies whether encryption is required on the device. | |
+| **RequireEncryptedSMIMEMessages** | Write | Boolean | Specifies whether you must encrypt S/MIME messages. | |
+| **RequireEncryptionSMIMEAlgorithm** | Write | String | Specifies what required algorithm must be used when encrypting a message. | |
+| **RequireManualSyncWhenRoaming** | Write | Boolean | Specifies whether the device must synchronize manually while roaming. | |
+| **RequireSignedSMIMEAlgorithm** | Write | String | Specifies what required algorithm must be used when signing a message. | |
+| **RequireSignedSMIMEMessages** | Write | Boolean | Specifies whether the device must send signed S/MIME messages. | |
+| **RequireStorageCardEncryption** | Write | Boolean | Specifies whether encryption of a storage card is required. | |
+| **UnapprovedInROMApplicationList** | Write | StringArray[] | Specifies a list of applications that can't be run in ROM. | |
+| **UNCAccessEnabled** | Write | Boolean | Specifies whether access to Microsoft Windows file shares is enabled. | |
+| **WSSAccessEnabled** | Write | Boolean | Specifies whether access to Microsoft Windows SharePoint Services is enabled. | |
+| **Identity** | Key | String | Specifies the Mobile Device mailbox policy. | |
+| **Ensure** | Write | String | Specifies if this AddressList should exist. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+## Description
+
+This resource manages Mobile Device mailbox policy for mailboxes accessed by mobile devices.
+
+## Permissions
+
+### Exchange
+
+To authenticate with Microsoft Exchange, this resource required the following permissions:
+
+#### Roles
+
+- Organization Client Access, View-Only Configuration
+
+#### Role Groups
+
+- Organization Management
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy'
+ {
+ AllowApplePushNotifications = $True;
+ AllowBluetooth = "Allow";
+ AllowBrowser = $True;
+ AllowCamera = $True;
+ AllowConsumerEmail = $True;
+ AllowDesktopSync = $True;
+ AllowExternalDeviceManagement = $False;
+ AllowHTMLEmail = $True;
+ AllowInternetSharing = $True;
+ AllowIrDA = $True;
+ AllowMobileOTAUpdate = $True;
+ AllowNonProvisionableDevices = $True;
+ AllowPOPIMAPEmail = $True;
+ AllowRemoteDesktop = $True;
+ AllowSimpleDevicePassword = $True;
+ AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation";
+ AllowSMIMESoftCerts = $True;
+ AllowStorageCard = $True;
+ AllowTextMessaging = $True;
+ AllowUnsignedApplications = $True;
+ AllowUnsignedInstallationPackages = $True;
+ AllowWiFi = $True;
+ AlphanumericDevicePasswordRequired = $False;
+ ApprovedApplicationList = @();
+ AttachmentsEnabled = $True;
+ DeviceEncryptionEnabled = $False;
+ DevicePasswordEnabled = $False;
+ DevicePasswordExpiration = "Unlimited";
+ DevicePasswordHistory = 0;
+ DevicePolicyRefreshInterval = "Unlimited";
+ Identity = "Test";
+ IrmEnabled = $True;
+ IsDefault = $True;
+ IsDefaultPolicy = $True;
+ MaxAttachmentSize = "Unlimited";
+ MaxCalendarAgeFilter = "All";
+ MaxDevicePasswordFailedAttempts = "Unlimited";
+ MaxEmailAgeFilter = "All";
+ MaxEmailBodyTruncationSize = "Unlimited";
+ MaxEmailHTMLBodyTruncationSize = "Unlimited";
+ MaxInactivityTimeDeviceLock = "Unlimited";
+ MinDevicePasswordComplexCharacters = 1;
+ MinDevicePasswordLength = 1;
+ Name = "Test";
+ PasswordRecoveryEnabled = $False;
+ RequireDeviceEncryption = $False;
+ RequireEncryptedSMIMEMessages = $False;
+ RequireEncryptionSMIMEAlgorithm = "TripleDES";
+ RequireManualSyncWhenRoaming = $False;
+ RequireSignedSMIMEAlgorithm = "SHA1";
+ RequireSignedSMIMEMessages = $False;
+ RequireStorageCardEncryption = $False;
+ UnapprovedInROMApplicationList = @();
+ UNCAccessEnabled = $True;
+ WSSAccessEnabled = $True;
+ Ensure = "Present"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy'
+ {
+ AllowApplePushNotifications = $True;
+ AllowBluetooth = "Allow";
+ AllowBrowser = $True;
+ AllowCamera = $False; #drift
+ AllowConsumerEmail = $True;
+ AllowDesktopSync = $True;
+ AllowExternalDeviceManagement = $False;
+ AllowHTMLEmail = $True;
+ AllowInternetSharing = $True;
+ AllowIrDA = $True;
+ AllowMobileOTAUpdate = $True;
+ AllowNonProvisionableDevices = $True;
+ AllowPOPIMAPEmail = $True;
+ AllowRemoteDesktop = $True;
+ AllowSimpleDevicePassword = $True;
+ AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation";
+ AllowSMIMESoftCerts = $True;
+ AllowStorageCard = $True;
+ AllowTextMessaging = $True;
+ AllowUnsignedApplications = $True;
+ AllowUnsignedInstallationPackages = $True;
+ AllowWiFi = $True;
+ AlphanumericDevicePasswordRequired = $False;
+ ApprovedApplicationList = @();
+ AttachmentsEnabled = $True;
+ DeviceEncryptionEnabled = $False;
+ DevicePasswordEnabled = $False;
+ DevicePasswordExpiration = "Unlimited";
+ DevicePasswordHistory = 0;
+ DevicePolicyRefreshInterval = "Unlimited";
+ Identity = "Test";
+ IrmEnabled = $True;
+ IsDefault = $True;
+ IsDefaultPolicy = $True;
+ MaxAttachmentSize = "Unlimited";
+ MaxCalendarAgeFilter = "All";
+ MaxDevicePasswordFailedAttempts = "Unlimited";
+ MaxEmailAgeFilter = "All";
+ MaxEmailBodyTruncationSize = "Unlimited";
+ MaxEmailHTMLBodyTruncationSize = "Unlimited";
+ MaxInactivityTimeDeviceLock = "Unlimited";
+ MinDevicePasswordComplexCharacters = 1;
+ MinDevicePasswordLength = 1;
+ Name = "Test";
+ PasswordRecoveryEnabled = $False;
+ RequireDeviceEncryption = $False;
+ RequireEncryptedSMIMEMessages = $False;
+ RequireEncryptionSMIMEAlgorithm = "TripleDES";
+ RequireManualSyncWhenRoaming = $False;
+ RequireSignedSMIMEAlgorithm = "SHA1";
+ RequireSignedSMIMEMessages = $False;
+ RequireStorageCardEncryption = $False;
+ UnapprovedInROMApplicationList = @();
+ UNCAccessEnabled = $True;
+ WSSAccessEnabled = $True;
+ Ensure = "Present"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOActiveSyncMailboxPolicy 'TestActiveSyncMailboxPolicy'
+ {
+ AllowApplePushNotifications = $True;
+ AllowBluetooth = "Allow";
+ AllowBrowser = $True;
+ AllowCamera = $True;
+ AllowConsumerEmail = $True;
+ AllowDesktopSync = $True;
+ AllowExternalDeviceManagement = $False;
+ AllowHTMLEmail = $True;
+ AllowInternetSharing = $True;
+ AllowIrDA = $True;
+ AllowMobileOTAUpdate = $True;
+ AllowNonProvisionableDevices = $True;
+ AllowPOPIMAPEmail = $True;
+ AllowRemoteDesktop = $True;
+ AllowSimpleDevicePassword = $True;
+ AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation";
+ AllowSMIMESoftCerts = $True;
+ AllowStorageCard = $True;
+ AllowTextMessaging = $True;
+ AllowUnsignedApplications = $True;
+ AllowUnsignedInstallationPackages = $True;
+ AllowWiFi = $True;
+ AlphanumericDevicePasswordRequired = $False;
+ ApprovedApplicationList = @();
+ AttachmentsEnabled = $True;
+ DeviceEncryptionEnabled = $False;
+ DevicePasswordEnabled = $False;
+ DevicePasswordExpiration = "Unlimited";
+ DevicePasswordHistory = 0;
+ DevicePolicyRefreshInterval = "Unlimited";
+ Identity = "Test";
+ IrmEnabled = $True;
+ IsDefault = $True;
+ IsDefaultPolicy = $True;
+ MaxAttachmentSize = "Unlimited";
+ MaxCalendarAgeFilter = "All";
+ MaxDevicePasswordFailedAttempts = "Unlimited";
+ MaxEmailAgeFilter = "All";
+ MaxEmailBodyTruncationSize = "Unlimited";
+ MaxEmailHTMLBodyTruncationSize = "Unlimited";
+ MaxInactivityTimeDeviceLock = "Unlimited";
+ MinDevicePasswordComplexCharacters = 1;
+ MinDevicePasswordLength = 1;
+ Name = "Test";
+ PasswordRecoveryEnabled = $False;
+ RequireDeviceEncryption = $False;
+ RequireEncryptedSMIMEMessages = $False;
+ RequireEncryptionSMIMEAlgorithm = "TripleDES";
+ RequireManualSyncWhenRoaming = $False;
+ RequireSignedSMIMEAlgorithm = "SHA1";
+ RequireSignedSMIMEMessages = $False;
+ RequireStorageCardEncryption = $False;
+ UnapprovedInROMApplicationList = @();
+ UNCAccessEnabled = $True;
+ WSSAccessEnabled = $True;
+ Ensure = "Absent"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/exchange/EXOMailboxAuditBypassAssociation.md b/docs/docs/resources/exchange/EXOMailboxAuditBypassAssociation.md
new file mode 100644
index 0000000000..cb604b3bed
--- /dev/null
+++ b/docs/docs/resources/exchange/EXOMailboxAuditBypassAssociation.md
@@ -0,0 +1,73 @@
+# EXOMailboxAuditBypassAssociation
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Identity** | Key | String | The Identity parameter specifies the user account or computer account where you want to view the value of the AuditBypassEnabled property. | |
+| **AuditBypassEnabled** | Write | Boolean | The AuditBypassEnabled parameter specifies whether audit bypass is enabled for the user or computer. | |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+## Description
+
+Use the Set-MailboxAuditBypassAssociation cmdlet to configure mailbox audit logging bypass for user or computer accounts such as service accounts for applications that access mailboxes frequently.
+
+## Permissions
+
+### Exchange
+
+To authenticate with Microsoft Exchange, this resource required the following permissions:
+
+#### Roles
+
+- Compliance Admin, View-Only Configuration, Journaling
+
+#### Role Groups
+
+- Organization Management, Compliance Management, Records Management
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOMailboxAuditBypassAssociation "EXOMailboxAuditBypassAssociation-Test"
+ {
+ AuditBypassEnabled = $True; #Updated Property
+ Identity = "TestMailbox109";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/exchange/EXOMailboxSettings.md b/docs/docs/resources/exchange/EXOMailboxSettings.md
index 0007b04d38..b1c37157dc 100644
--- a/docs/docs/resources/exchange/EXOMailboxSettings.md
+++ b/docs/docs/resources/exchange/EXOMailboxSettings.md
@@ -5,6 +5,10 @@
 | Parameter | Attribute | DataType | Description | Allowed Values |
 | --- | --- | --- | --- | --- |
 | **DisplayName** | Key | String | The display name of the Shared Mailbox | |
+| **RetentionPolicy** | Write | String | Associated retention policy. | |
+| **AddressBookPolicy** | Write | String | Associated address book policy. | |
+| **RoleAssignmentPolicy** | Write | String | Associated role assignment policy. | |
+| **SharingPolicy** | Write | String | Associated sharing policy. | |
 | **TimeZone** | Write | String | The name of the Time Zone to assign to the mailbox | |
 | **Locale** | Write | String | The code of the Locale to assign to the mailbox | |
 | **Ensure** | Write | String | Present ensures the Mailbox Settings are applied | `Present` |
diff --git a/docs/docs/resources/exchange/EXOServicePrincipal.md b/docs/docs/resources/exchange/EXOServicePrincipal.md
new file mode 100644
index 0000000000..caffb4f533
--- /dev/null
+++ b/docs/docs/resources/exchange/EXOServicePrincipal.md
@@ -0,0 +1,192 @@
+# EXOServicePrincipal
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **AppName** | Key | String | The AppName parameter specifies the corresponding friendly name of the unique AppId GUID value for the service principal. | |
+| **DisplayName** | Write | String | The DisplayName parameter specifies the friendly name of the service principal. | |
+| **Identity** | Write | String | The Identity parameter specifies the service principal that you want to view. | |
+| **AppId** | Write | String | The AppId parameter specifies the unique AppId GUID value for the service principal. | |
+| **Ensure** | Write | String | Present ensures the group exists, absent ensures it is removed | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Exchange Global Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+## Description
+
+Use the ServicePrincipal cmdlets to create, change service principals in your cloud-based organization.
+
+## Parameters
+
+- Identity: The Identity parameter specifies the service principal that you want to modify. You can use any value that uniquely identifies the service principal. For example: Name, Distinguished name (DN), GUID, AppId, ObjectId
+- AppName: The AppName parameter specifies the corresponding friendly name of the unique AppId GUID value for the service principal.
+- DisplayName: The DisplayName parameter specifies the friendly name of the service principal. If the name contains spaces, enclose the name in quotation marks (").
+- AppId: The AppId parameter specifies the unique AppId GUID value for the service principal.
+- ObjectId: The ObjectId parameter specifies the unique ObjectId GUID value for the service principal.
+
+## Examples
+
+- Set-ServicePrincipal -Identity dc873ad4-0397-4d74-b5c0-897cd3a94731 -DisplayName "Another App Name"
+- New-ServicePrincipal -AppId 71487acd-ec93-476d-bd0e-6c8b31831053 -ObjectId 6233fba6-0198-4277-892f-9275bf728bcc
+
+## Parameters present in New and not in Set
+
+- AppId
+- ObjectId
+
+## Parameters present in Set and not in New
+
+- Identity
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOServicePrincipal 'ServicePrincipal'
+ {
+ AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06";
+ AppName = "ISV Portal";
+ DisplayName = "Arpita";
+ Ensure = "Present";
+ Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOServicePrincipal 'ServicePrincipal'
+ {
+ AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06";
+ AppName = "ISV Portal";
+ DisplayName = "Kartikeya";
+ Ensure = "Present";
+ Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOServicePrincipal 'ServicePrincipal'
+ {
+ AppId = "c6871074-3ded-4935-a5dc-b8f8d91d7d06";
+ AppName = "ISV Portal";
+ DisplayName = "Arpita";
+ Ensure = "Absent";
+ Identity = "00f6b0e4-1d00-427b-9a5b-ce6c43c43fc7";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/exchange/EXOTenantAllowBlockListSpoofItems.md b/docs/docs/resources/exchange/EXOTenantAllowBlockListSpoofItems.md
new file mode 100644
index 0000000000..c95b7b1621
--- /dev/null
+++ b/docs/docs/resources/exchange/EXOTenantAllowBlockListSpoofItems.md
@@ -0,0 +1,169 @@
+# EXOTenantAllowBlockListSpoofItems
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **SpoofedUser** | Key | String | The SpoofedUser parameter specifies the email address or domain for the spoofed sender entry. | |
+| **Action** | Write | String | The Action parameter specifies whether is an allowed or blocked spoofed sender entry. | |
+| **Identity** | Write | String | Unique identified for the blocked item. | |
+| **SendingInfrastructure** | Write | String | The SendingInfrastructure parameter specifies the source of the messages sent by the spoofed sender that's defined in the SpoofedUser parameter.. | |
+| **SpoofType** | Write | String | The SpoofType parameter specifies whether this is an internal or external spoofed sender entry. | |
+| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+
+## Description
+
+Configures blocked spoofed items in Exchange Online.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ EXOTenantAllowBlockListSpoofItems "EXOTenantAllowBlockListSpoofItems-b66ffa0c-ad85-df9d-0a16-ad3cb9956f71"
+ {
+ Action = "Allow";
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ SendingInfrastructure = "121.0.0.7";
+ SpoofedUser = "contoso.com";
+ SpoofType = "Internal";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ EXOTenantAllowBlockListSpoofItems "EXOTenantAllowBlockListSpoofItems-b66ffa0c-ad85-df9d-0a16-ad3cb9956f71"
+ {
+ Action = "Block"; #Drift
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ SendingInfrastructure = "121.0.0.7";
+ SpoofedUser = "contoso.com";
+ SpoofType = "Internal";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ EXOTenantAllowBlockListSpoofItems "EXOTenantAllowBlockListSpoofItems-b66ffa0c-ad85-df9d-0a16-ad3cb9956f71"
+ {
+ Action = "Allow";
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Absent";
+ SendingInfrastructure = "121.0.0.7";
+ SpoofedUser = "contoso.com";
+ SpoofType = "Internal";
+ TenantId = $TenantId;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md b/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md
index 0134626168..a2a8e9febb 100644
--- a/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md
+++ b/docs/docs/resources/intune/IntuneASRRulesPolicyWindows10.md
@@ -70,7 +70,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -80,7 +80,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md index 9736f856f2..7f39e3c94a 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md @@ -61,7 +61,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -71,7 +71,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md index 25709f754b..3e94814c76 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionLocalUserGroupMembershipPolicy.md 
@@ -37,7 +37,7 @@ | Parameter | Attribute | DataType | Description | Allowed Values | | --- | --- | --- | --- | --- | -| **Action** | Write | String | The action to use for adding / removing members. | `add_update`, `remove_update`, `add_replace` | +| **Action** | Write | String | The action to use for adding / removing members. Note: add_replace is superseded by add_restrict | `add_update`, `remove_update`, `add_replace`, `add_restrict` | | **LocalGroups** | Write | StringArray[] | The local groups to add / remove the members to / from. List of the following values: `administrators`, `users`, `guests`, `powerusers`, `remotedesktopusers`, `remotemanagementusers` | | | **Members** | Write | StringArray[] | The members to add / remove to / from the group. For AzureAD Users, use the format `AzureAD\`. For groups, use the security identifier (SID). | | | **UserSelectionType** | Write | String | The type of the selection. Either users / groups from AzureAD, or by manual identifier. | `users`, `manual` | @@ -62,7 +62,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -72,7 +72,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md index 2da74fb4a8..6c8c2806ec 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionPolicy.md 
@@ -65,7 +65,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -75,7 +75,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md b/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md index 8a3356509d..0eef097e57 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md @@ -85,21 +85,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAntivirusPolicyLinux.md b/docs/docs/resources/intune/IntuneAntivirusPolicyLinux.md new file mode 100644 index 0000000000..390afdcdb4 --- /dev/null +++ b/docs/docs/resources/intune/IntuneAntivirusPolicyLinux.md 
@@ -0,0 +1,276 @@
+# IntuneAntivirusPolicyLinux
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Description** | Write | String | Policy description | |
+| **DisplayName** | Key | String | Policy name | |
+| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | |
+| **Id** | Write | String | The unique identifier for an entity. Read-only. | |
+| **enabled** | Write | String | Enable cloud delivered protection (false: Disabled, true: Enabled) | `false`, `true` |
+| **automaticSampleSubmissionConsent** | Write | String | Enable automatic sample submissions (none: None, safe: Safe, all: All) | `none`, `safe`, `all` |
+| **diagnosticLevel** | Write | String | Diagnostic data collection level (0: optional, 1: required) | `0`, `1` |
+| **automaticDefinitionUpdateEnabled** | Write | String | Automatic security intelligence updates (false: Disabled, true: Enabled) | `false`, `true` |
+| **enableRealTimeProtection** | Write | String | Enable real-time protection (deprecated) (false: Disabled, true: Enabled) | `false`, `true` |
+| **passiveMode** | Write | String | Enable passive mode (deprecated) (false: Disabled, true: Enabled) | `false`, `true` |
+| **scanHistoryMaximumItems** | Write | SInt32 | Scan history size | |
+| **scanResultsRetentionDays** | Write | SInt32 | Scan results retention | |
+| **exclusionsMergePolicy** | Write | String | Exclusions merge (0: merge, 1: admin_only) | `0`, `1` |
+| **exclusions** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions[] | Scan exclusions | |
+| **threatTypeSettings** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogthreatTypeSettings[] | Threat type settings | |
+| **threatTypeSettingsMergePolicy** | Write | String | Threat type settings merge (0: merge, 1: admin_only) | `0`, `1` |
+| **allowedThreats** | Write | StringArray[] | Allowed threats | |
+| **disallowedThreatActions** | Write | StringArray[] | Disallowed threat actions | |
+| **scanArchives** | Write | String | Enable scanning of archives (false: Disabled, true: Enabled) | `false`, `true` |
+| **scanAfterDefinitionUpdate** | Write | String | Enable scanning after definition update (false: Disabled, true: Enabled) | `false`, `true` |
+| **enableFileHashComputation** | Write | String | Enable file hash computation (false: Disabled, true: Enabled) | `false`, `true` |
+| **behaviorMonitoring** | Write | String | Enable behavior monitoring (0: Disabled, 1: Enabled) | `0`, `1` |
+| **cloudBlockLevel** | Write | String | Configure cloud block level (normal: Normal, moderate: Moderate, high: High, plus: High_Plus, tolerance: Zero_Tolerance) | `normal`, `moderate`, `high`, `plus`, `tolerance` |
+| **maximumOnDemandScanThreads** | Write | SInt32 | maximum on demand scan threads | |
+| **networkprotection_enforcementLevel** | Write | String | Enforcement Level (0: disabled, 1: audit, 2: block) | `0`, `1`, `2` |
+| **unmonitoredFilesystems** | Write | StringArray[] | Unmonitored Filesystems | |
+| **nonExecMountPolicy** | Write | String | non execute mount mute (0: unmute, 1: mute) | `0`, `1` |
+| **antivirusengine_enforcementLevel** | Write | String | Enforcement Level (0: Realtime, 1: OnDemand, 2: Passive) | `0`, `1`, `2` |
+| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | |
+| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_DeviceManagementConfigurationPolicyAssignments
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` |
+| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` |
+| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | |
+| **groupId** | Write | String | The group Id that is the target of the assignment. | |
+| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | |
+| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | |
+
+### MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **exclusions_item_type** | Write | String | Type - Depends on exclusions (0: Path, 1: File extension, 2: Process name) | `0`, `1`, `2` |
+| **exclusions_item_extension** | Write | String | File extension - Depends on exclusions_item_type=1 | |
+| **exclusions_item_name** | Write | String | File name - exclusions_item_type=2 | |
+| **exclusions_item_path** | Write | String | Path - exclusions_item_type=0 | |
+| **exclusions_item_isDirectory** | Write | String | Is directory (false: Disabled, true: Enabled) - Depends on exclusions_item_type=0 | `false`, `true` |
+
+### MSFT_MicrosoftGraphIntuneSettingsCatalogthreatTypeSettings
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **threatTypeSettings_item_key** | Write | String | Threat type - Depends on threatTypeSettings (0: potentially_unwanted_application, 1: archive_bomb) | `0`, `1` |
+| **threatTypeSettings_item_value** | Write | String | Action to take - Depends on threatTypeSettings (0: audit, 1: block, 2: off) | `0`, `1`, `2` |
+
+
+## Description
+
+Intune Antivirus Policy Linux
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - DeviceManagementConfiguration.Read.All, Group.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.ReadWrite.All, Group.Read.All
+
+#### Application permissions
+
+- **Read**
+
+ - DeviceManagementConfiguration.Read.All, Group.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.ReadWrite.All, Group.Read.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAntivirusPolicyLinux 'myIntuneAntivirusPolicyLinux'
+ {
+ allowedThreats = @("Threat 1");
+ Assignments = @();
+ Description = "";
+ disallowedThreatActions = @("Disallowed Thread Action 1");
+ DisplayName = "Test";
+ enabled = "true";
+ Ensure = "Present";
+ exclusions = @(
+ MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{
+ Exclusions_item_extension = '.exe'
+ Exclusions_item_type = '1'
+ }
+ MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{
+ Exclusions_item_name = 'process1'
+ Exclusions_item_type = '2'
+ }
+ );
+ RoleScopeTagIds = @("0");
+ threatTypeSettings = @(
+ MSFT_MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings{
+ ThreatTypeSettings_item_key = '0'
+ ThreatTypeSettings_item_value = '0'
+ }
+ MSFT_MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings{
+ ThreatTypeSettings_item_key = '1'
+ ThreatTypeSettings_item_value = '1'
+ }
+ );
+ unmonitoredFilesystems = @("Filesystem 1");
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAntivirusPolicyLinux 'myIntuneAntivirusPolicyLinux' + { + allowedThreats = @("Threat 1"); + Assignments = @(); + Description = ""; + disallowedThreatActions = @("Disallowed Thread Action 1"); + DisplayName = "Test"; + enabled = "true"; + Ensure = "Present"; + exclusions = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{ + Exclusions_item_extension = '.vba' # Updated property + Exclusions_item_type = '1' + } + MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{ + Exclusions_item_name = 'process1' + Exclusions_item_type = '2' + } + ); + RoleScopeTagIds = @("0"); + threatTypeSettings = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings{ + ThreatTypeSettings_item_key = '0' + ThreatTypeSettings_item_value = '0' + } + MSFT_MicrosoftGraphIntuneSettingsCatalogThreatTypeSettings{ + ThreatTypeSettings_item_key = '1' + ThreatTypeSettings_item_value = '1' + } + ); + unmonitoredFilesystems = @("Filesystem 1"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAntivirusPolicyLinux 'myIntuneAntivirusPolicyLinux' + { + DisplayName = 'test' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + diff --git a/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md b/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md index 15667b067a..83653bc0e8 100644 --- a/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md +++ b/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md @@ -124,7 +124,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -134,7 +134,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md b/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md index 31b41d628a..7282b36bb0 100644 --- a/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md 
@@ -65,21 +65,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr.md b/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr.md new file mode 100644 index 0000000000..ea1fcec906 --- /dev/null +++ b/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr.md 
@@ -0,0 +1,230 @@
+# IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Description** | Write | String | Policy description | |
+| **DisplayName** | Key | String | Policy name | |
+| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | |
+| **Id** | Write | String | The unique identifier for an entity. Read-only. | |
+| **AllowWindowsDefenderApplicationGuard** | Write | String | Turn on Microsoft Defender Application Guard (0: Disable Microsoft Defender Application Guard, 1: Enable Microsoft Defender Application Guard for Microsoft Edge ONLY, 2: Enable Microsoft Defender Application Guard for isolated Windows environments ONLY, 3: Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments) | `0`, `1`, `2`, `3` |
+| **ClipboardSettings** | Write | String | Clipboard behavior settings (0: Completely turns Off the clipboard functionality for the Application Guard., 1: Turns On clipboard operation from an isolated session to the host., 2: Turns On clipboard operation from the host to an isolated session., 3: Turns On clipboard operation in both the directions.) | `0`, `1`, `2`, `3` |
+| **SaveFilesToHost** | Write | String | Allow files to download and save to the host operating system (0: The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to allow users to download files from Edge in the container to the host file system.) | `0`, `1` |
+| **InstallWindowsDefenderApplicationGuard** | Write | String | Install Windows defender application guard (install: Install). Required if AllowWindowsDefenderApplicationGuard is not set to 0. | `install` |
+| **ClipboardFileType** | Write | String | Clipboard content options (1: Allow text copying., 2: Allow image copying., 3: Allow text and image copying.) | `1`, `2`, `3` |
+| **AllowPersistence** | Write | String | Allow data persistence (0: Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off., 1: Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.) | `0`, `1` |
+| **AllowVirtualGPU** | Write | String | Allow hardware-accelerated rendering (0: Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.) | `0`, `1` |
+| **PrintingSettings** | Write | SInt32Array[] | Print Settings (0: Disables all print functionality., 1: Enables only XPS printing., 2: Enables only PDF printing., 4: Enables only local printing., 8: Enables only network printing.) | `0`, `1`, `2`, `4`, `8` |
+| **AllowCameraMicrophoneRedirection** | Write | String | Allow camera and microphone access (0: Microsoft Defender Application Guard cannot access the device's camera and microphone. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to allow Microsoft Defender Application Guard to access the device's camera and microphone.) | `0`, `1` |
+| **AuditApplicationGuard** | Write | String | Audit Application Guard (0: Audit event logs aren't collected for Application Guard., 1: Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.) | `0`, `1` |
+| **CertificateThumbprints** | Write | StringArray[] | Certificate Thumbprints | |
+| **EnterpriseIPRange** | Write | StringArray[] | Enterprise IP Range | |
+| **EnterpriseCloudResources** | Write | StringArray[] | Enterprise Cloud Resources | |
+| **EnterpriseNetworkDomainNames** | Write | StringArray[] | Enterprise Network Domain Names | |
+| **EnterpriseProxyServers** | Write | StringArray[] | Enterprise Proxy Servers | |
+| **EnterpriseInternalProxyServers** | Write | StringArray[] | Enterprise Internal Proxy Servers | |
+| **NeutralResources** | Write | StringArray[] | Neutral Resources | |
+| **EnterpriseProxyServersAreAuthoritative** | Write | String | Enterprise Proxy Servers Are Authoritative (1: Enable, 0: Disable) | `1`, `0` |
+| **EnterpriseIPRangesAreAuthoritative** | Write | String | Enterprise IP Ranges Are Authoritative (1: Enable, 0: Disable) | `1`, `0` |
+| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | |
+| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_DeviceManagementConfigurationPolicyAssignments
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` |
+| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` |
+| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | |
+| **groupId** | Write | String | The group Id that is the target of the assignment. | |
+| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | |
+| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | |
+
+
+## Description
+
+Intune App And Browser Isolation Policy for Windows10 Config Mgr
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - DeviceManagementConfiguration.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.ReadWrite.All
+
+#### Application permissions
+
+- **Read**
+
+ - DeviceManagementConfiguration.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.ReadWrite.All
+
+## Examples
+
+### Example 1
+
+This example creates a new Device Remediation.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr 'ConfigureAppAndBrowserIsolationPolicyWindows10ConfigMgr'
+ {
+ Assignments = @(
+ MSFT_DeviceManagementConfigurationPolicyAssignments{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.groupAssignmentTarget'
+ groupId = '11111111-1111-1111-1111-111111111111'
+ }
+ );
+ AllowCameraMicrophoneRedirection = "1";
+ AllowPersistence = "0";
+ AllowVirtualGPU = "0";
+ AllowWindowsDefenderApplicationGuard = "1";
+ ClipboardFileType = "1";
+ ClipboardSettings = "0";
+ Description = 'Description'
+ DisplayName = "App and Browser Isolation";
+ Ensure = "Present";
+ Id = '00000000-0000-0000-0000-000000000000'
+ InstallWindowsDefenderApplicationGuard = "install";
+ SaveFilesToHost = "0";
+ RoleScopeTagIds = @("0");
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
+### Example 2
+
+This example updates a new Device Remediation.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr 'ConfigureAppAndBrowserIsolationPolicyWindows10ConfigMgr'
+ {
+ Assignments = @(
+ MSFT_DeviceManagementConfigurationPolicyAssignments{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.groupAssignmentTarget'
+ groupId = '11111111-1111-1111-1111-111111111111'
+ }
+ );
+ AllowCameraMicrophoneRedirection = "0"; # Updated property
+ AllowPersistence = "0";
+ AllowVirtualGPU = "0";
+ AllowWindowsDefenderApplicationGuard = "1";
+ ClipboardFileType = "1";
+ ClipboardSettings = "0";
+ Description = 'Description'
+ DisplayName = "App and Browser Isolation";
+ Ensure = "Present";
+ Id = '00000000-0000-0000-0000-000000000000'
+ InstallWindowsDefenderApplicationGuard = "install";
+ SaveFilesToHost = "0";
+ RoleScopeTagIds = @("0");
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
+### Example 3
+
+This example removes a Device Remediation.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr 'ConfigureAppAndBrowserIsolationPolicyWindows10ConfigMgr'
+ {
+ Id = '00000000-0000-0000-0000-000000000000'
+ DisplayName = 'App and Browser Isolation'
+ Ensure = 'Absent'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/intune/IntuneAppConfigurationDevicePolicy.md b/docs/docs/resources/intune/IntuneAppConfigurationDevicePolicy.md index 319165e8e6..79e0395881 100644 --- a/docs/docs/resources/intune/IntuneAppConfigurationDevicePolicy.md +++ b/docs/docs/resources/intune/IntuneAppConfigurationDevicePolicy.md @@ -75,21 +75,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md b/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md index c82c22102d..cea7be67b5 100644 --- a/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md +++ b/docs/docs/resources/intune/IntuneAppConfigurationPolicy.md @@ -59,7 +59,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions @@ -69,7 +69,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md b/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md index d3a1ef135e..2aac0e36e1 100644 --- a/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md +++ b/docs/docs/resources/intune/IntuneAppProtectionPolicyAndroid.md 
@@ -76,7 +76,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions @@ -86,7 +86,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md b/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md index 3f09651531..d35a55f973 100644 --- a/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md +++ b/docs/docs/resources/intune/IntuneAppProtectionPolicyiOS.md @@ -84,7 +84,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions @@ -94,7 +94,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAppleMDMPushNotificationCertificate.md b/docs/docs/resources/intune/IntuneAppleMDMPushNotificationCertificate.md new file mode 100644 index 0000000000..e29c0d7be2 --- /dev/null +++ b/docs/docs/resources/intune/IntuneAppleMDMPushNotificationCertificate.md 
@@ -0,0 +1,171 @@
+# IntuneAppleMDMPushNotificationCertificate
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **AppleIdentifier** | Key | String | The name of the Apple Identifier. | |
+| **Certificate** | Write | String | The Apple Push notification certificate. | |
+| **Id** | Write | String | The unique identifier for an entity. Read-only. | |
+| **DataSharingConsetGranted** | Write | Boolean | The boolean indicating DataSharing Conset agreement granted or not between Intune and Apple. | |
+| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+
+## Description
+
+Configures a resource for Apple MDM Push notification certificate used for device enrollment.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - DeviceManagementManagedDevices.Read.All, DeviceManagementConfiguration.Read.All
+
+- **Update**
+
+ - DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All
+
+#### Application permissions
+
+- **Read**
+
+ - DeviceManagementManagedDevices.Read.All, DeviceManagementConfiguration.Read.All
+
+- **Update**
+
+ - DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ IntuneAppleMDMPushNotificationCertificate "IntuneAppleMDMPushNotificationCertificate-66f4ec83-754f-4a59-a73d-e3182cc636a5"
+ {
+ AppleIdentifier = "Apple ID";
+ Certificate = "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";
+ DataSharingConsetGranted = $True;
+
+ Ensure = "Present";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ IntuneAppleMDMPushNotificationCertificate "IntuneAppleMDMPushNotificationCertificate-66f4ec83-754f-4a59-a73d-e3182cc636a5"
+ {
+ AppleIdentifier = "Patched cert"; #drift
+ Certificate = "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"; #drift
+
+ Ensure = "Present";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAppleMDMPushNotificationCertificate "IntuneAppleMDMPushNotificationCertificate-66f4ec83-754f-4a59-a73d-e3182cc636a5"
+ {
+ AppleIdentifier = "AppleID";
+ Certificate = "";
+
+ Ensure = "Absent";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md b/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md
index a45a81497f..9dd1be00fd 100644
--- a/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md
+++ b/docs/docs/resources/intune/IntuneApplicationControlPolicyWindows10.md
@@ -51,7 +51,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -61,7 +61,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.md b/docs/docs/resources/intune/IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.md index 205075bc84..b307c64c4a 100644 --- a/docs/docs/resources/intune/IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.md +++ b/docs/docs/resources/intune/IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.md @@ -68,21 +68,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDerivedCredential.md b/docs/docs/resources/intune/IntuneDerivedCredential.md index c43b79bec9..b42c76a61e 100644 --- a/docs/docs/resources/intune/IntuneDerivedCredential.md +++ b/docs/docs/resources/intune/IntuneDerivedCredential.md 
@@ -9,7 +9,7 @@ | **HelpUrl** | Write | String | The URL that will be accessible to end users as they retrieve a derived credential using the Company Portal. | | | **RenewalThresholdPercentage** | Write | UInt32 | The nominal percentage of time before certificate renewal is initiated by the client. | | | **Issuer** | Write | String | Supported values for the derived credential issuer. | `intercede`, `entrustDatacard`, `purebred` | -| **NotificationType** | Write | String | Supported values for the notification type to use. | `none`, `email`, `companyPortal` | +| **NotificationType** | Write | String | Supported values for the notification type to use. | `none`, `email`, `companyPortal`, `companyPortal,email` | | **Ensure** | Write | String | Supported values for the notification type to use. | `Present`, `Absent` | | **Credential** | Write | PSCredential | Credentials of the Intune Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md index f80985d6ae..c3052f5d90 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroid.md @@ -240,7 +240,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -250,7 +250,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples 
diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md index 5077132b8a..674e6e1ce3 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidDeviceOwner.md @@ -183,7 +183,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -193,7 +193,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md index 0ac8a37438..be23f3a17d 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyAndroidWorkProfile.md @@ -192,7 +192,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -202,7 +202,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md index 1dbafd1602..62ed0cb6a2 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md 
+++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyMacOS.md @@ -149,7 +149,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -159,7 +159,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md index 540cb06564..c5213a4659 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyWindows10.md @@ -275,7 +275,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -285,7 +285,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md index b52a7bcd11..108291075d 100644 --- a/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md +++ b/docs/docs/resources/intune/IntuneDeviceCompliancePolicyiOs.md @@ -78,7 +78,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions 
@@ -88,7 +88,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md index b40d25a38c..eea55ebd46 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.md @@ -106,7 +106,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -116,7 +116,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md index 37558493b4..1905c60a5e 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md @@ -67,7 +67,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions 
@@ -77,7 +77,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md index 4cb1a2d2a3..0f4534a56e 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.md @@ -56,7 +56,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -66,7 +66,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md index 0bf2db5749..00f76e0a2f 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.md @@ -112,7 +112,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions 
@@ -122,7 +122,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md index a705947392..c1e6c2166f 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationDomainJoinPolicyWindows10.md @@ -64,7 +64,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md index d798e86d27..560d2b0695 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationEmailProfilePolicyWindows10.md @@ -62,7 +62,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -72,7 +72,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md index 46db453044..580b09ee95 100644 
--- a/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.md @@ -412,7 +412,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions @@ -422,7 +422,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.md index 6ec96ea63a..2ae37fd998 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.md @@ -67,21 +67,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.md index b22ae76162..9679aeb85c 100644 
--- a/docs/docs/resources/intune/IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.md @@ -49,21 +49,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.md index 2d9c1e50bd..45082593bf 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.md @@ -60,21 +60,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples 
diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.md index cb9e49e688..34a6e4f5bb 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.md @@ -52,21 +52,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationKioskPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationKioskPolicyWindows10.md index 998029d885..3104bea335 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationKioskPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationKioskPolicyWindows10.md 
@@ -176,21 +176,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.md index 756039e8b5..64eaedfc79 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.md @@ -82,21 +82,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.md index 150c6e599a..d6c299b557 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.md 
+++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.md @@ -77,21 +77,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptMacOS.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptMacOS.md index 00ee60fb40..a4049bc531 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptMacOS.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptMacOS.md 
@@ -52,21 +52,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.md index 0c8d6a404f..00a71444f3 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.md 
@@ -107,21 +107,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceOwner.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceOwner.md index 599a916218..62d2dd381c 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceOwner.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidDeviceOwner.md @@ -278,21 +278,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.md index 4052c23262..cc5b36011b 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.md 
+++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.md @@ -58,21 +58,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidWorkProfile.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidWorkProfile.md index 830ea4f2f4..ca514643c2 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidWorkProfile.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyAndroidWorkProfile.md @@ -88,21 +88,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyMacOS.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyMacOS.md index 44ac6ea8b4..3c13057576 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyMacOS.md 
+++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyMacOS.md @@ -160,21 +160,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyWindows10.md index 076052931f..2902d595a1 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyWindows10.md @@ -378,21 +378,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyiOS.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyiOS.md index 56ff63330b..cb796d8f23 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyiOS.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPolicyiOS.md 
@@ -335,21 +335,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md index 9f84dbc720..e12a9b17d0 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationScepCertificatePolicyWindows10.md @@ -80,21 +80,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.md index f864dc4e88..b17818c54e 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.md 
+++ b/docs/docs/resources/intune/IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.md @@ -53,21 +53,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.md index 443fb8dac9..6c17828e42 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.md @@ -74,21 +74,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.md index 90261573a7..6d4624b074 100644 
--- a/docs/docs/resources/intune/IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.md @@ -48,21 +48,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationVpnPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationVpnPolicyWindows10.md index f677318176..a4a4da3902 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationVpnPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationVpnPolicyWindows10.md @@ -185,21 +185,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples 
diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationWindowsTeamPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationWindowsTeamPolicyWindows10.md index 93cceec8d8..d128159cae 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationWindowsTeamPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationWindowsTeamPolicyWindows10.md @@ -66,21 +66,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationWiredNetworkPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationWiredNetworkPolicyWindows10.md index ab63011a7a..6269122839 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationWiredNetworkPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationWiredNetworkPolicyWindows10.md 
@@ -74,21 +74,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md index 39762924d8..5d5854b665 100644 --- a/docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md @@ -104,21 +104,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceEnrollmentPlatformRestriction.md b/docs/docs/resources/intune/IntuneDeviceEnrollmentPlatformRestriction.md index 30dcaf901c..d262958eee 100644 --- a/docs/docs/resources/intune/IntuneDeviceEnrollmentPlatformRestriction.md +++ b/docs/docs/resources/intune/IntuneDeviceEnrollmentPlatformRestriction.md 
@@ -73,21 +73,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceEnrollmentStatusPageWindows10.md b/docs/docs/resources/intune/IntuneDeviceEnrollmentStatusPageWindows10.md index 231aff3635..9a1c3bb492 100644 --- a/docs/docs/resources/intune/IntuneDeviceEnrollmentStatusPageWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceEnrollmentStatusPageWindows10.md 
@@ -59,21 +59,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementApps.Read.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementApps.Read.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDeviceManagementEnrollmentAndroidGooglePlay.md b/docs/docs/resources/intune/IntuneDeviceManagementEnrollmentAndroidGooglePlay.md new file mode 100644 index 0000000000..dc012b2780 --- /dev/null +++ b/docs/docs/resources/intune/IntuneDeviceManagementEnrollmentAndroidGooglePlay.md 
@@ -0,0 +1,93 @@
+# IntuneDeviceManagementEnrollmentAndroidGooglePlay
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Id** | Key | String | Primary key identifier of the Android Managed Store Account Enterprise Setting. | |
+| **BindStatus** | Write | String | Binding status of the Android Managed Store Account Enterprise Setting (e.g., 'bound', 'notBound'). | |
+| **OwnerUserPrincipalName** | Write | String | The user principal name of the owner of the Android Managed Store Account. | |
+| **OwnerOrganizationName** | Write | String | The organization name of the owner of the Android Managed Store Account. | |
+| **EnrollmentTarget** | Write | String | Specifies the enrollment target for the account enterprise setting (e.g., 'defaultEnrollmentRestrictions', 'targetedAsEnrollmentRestrictions'). | |
+| **DeviceOwnerManagementEnabled** | Write | Boolean | Specifies whether device owner management is enabled. | |
+| **AndroidDeviceOwnerFullyManagedEnrollmentEnabled** | Write | Boolean | Specifies whether fully managed enrollment is enabled for Android devices. | |
+| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin. | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Credential for the application secret used in authentication. | |
+| **ManagedIdentity** | Write | Boolean | Indicates whether a Managed Identity is used for authentication. 
| |
+| **AccessTokens** | Write | StringArray[] | Access tokens used for authentication in scenarios requiring multiple tokens. | |
+
+
+## Description
+
+This resource configures Android Enterprise enrollment settings for device management within Microsoft Intune.
+Note: Currently the bind API to enroll is waiting for the product team to make changes so the API can be called outside of an Intune portal. Until those changes are made, we can only unbind (disconnect/unenroll). For that reason we have commented out certain parameters that cannot be set. This will be uncommented once those changes are made.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - DeviceManagementConfiguration.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.ReadWrite.All
+
+#### Application permissions
+
+- **Read**
+
+ - DeviceManagementConfiguration.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.ReadWrite.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ IntuneDeviceManagementEnrollmentAndroidGooglePlay "RemoveAndroidGooglePlayEnrollment"
+ {
+ Id = "androidManagedStoreAccountEnterpriseSettings"
+ Ensure = "Absent"
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/intune/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.md b/docs/docs/resources/intune/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.md
new file mode 100644
index 0000000000..5418d04e0f
--- /dev/null
+++ b/docs/docs/resources/intune/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.md
@@ -0,0 +1,223 @@
+# IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **DisplayName** | Key | String | Display name for the enrollment profile. | |
+| **Id** | Write | String | Unique GUID for the enrollment profile. Read-Only. | |
+| **AccountId** | Write | String | Intune AccountId GUID the enrollment profile belongs to. | |
+| **Description** | Write | String | Description for the enrollment profile. | |
+| **EnrollmentMode** | Write | String | The enrollment mode of devices that use this enrollment profile. | `corporateOwnedDedicatedDevice`, `corporateOwnedFullyManaged`, `corporateOwnedWorkProfile`, `corporateOwnedAOSPUserlessDevice`, `corporateOwnedAOSPUserAssociatedDevice` |
+| **EnrollmentTokenType** | Write | String | The enrollment token type for an enrollment profile. | `default`, `corporateOwnedDedicatedDeviceWithAzureADSharedMode`, `deviceStaging` |
+| **TokenValue** | Write | String | Value of the most recently created token for this enrollment profile. | |
+| **TokenCreationDateTime** | Write | String | Date time the most recently created token was created. | |
+| **TokenExpirationDateTime** | Write | String | Date time the most recently created token will expire. | |
+| **EnrolledDeviceCount** | Write | UInt32 | Total number of Android devices that have enrolled using this enrollment profile. | |
+| **EnrollmentTokenUsageCount** | Write | UInt32 | Total number of AOSP devices that have enrolled using the current token. Valid values 0 to 20000 | |
+| **QrCodeContent** | Write | String | String used to generate a QR code for the token. | |
+| **QrCodeImage** | Write | String | String used to generate a QR code for the token. | |
+| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. 
| | +| **ConfigureWifi** | Write | Boolean | Boolean that indicates that the Wi-Fi network should be configured during device provisioning. When set to TRUE, device provisioning will use Wi-Fi related properties to automatically connect to Wi-Fi networks. When set to FALSE or undefined, other Wi-Fi related properties will be ignored. Default value is TRUE. Returned by default. | | +| **WifiSsid** | Write | String | String that contains the wi-fi login ssid | | +| **WifiPassword** | Write | PSCredential | String that contains the wi-fi login password. The parameter is a PSCredential object. | | +| **WifiSecurityType** | Write | String | String that contains the wi-fi security type. | `none`, `wpa`, `wep` | +| **WifiHidden** | Write | Boolean | Boolean that indicates if hidden wifi networks are enabled | | +| **IsTeamsDeviceProfile** | Write | Boolean | Boolean indicating if this profile is an Android AOSP for Teams device profile. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfileQRImage + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **type** | Write | String | Indicates the content mime type. 
| | +| **value** | Write | String | The byte array that contains the actual content. | | + +## Description + +Enrollment Profile used to enroll Android Enterprise devices using Google's Cloud Management. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Present"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $False; + WifiSecurityType = "none"; + } + } +} +``` + +### Example 2 + +This example is used 
to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Present"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $True; #Drift + WifiSecurityType = "none"; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Absent"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $False; + WifiSecurityType = "none"; + } + } +} +``` + diff --git a/docs/docs/resources/intune/IntuneDeviceRemediation.md b/docs/docs/resources/intune/IntuneDeviceRemediation.md index f9763f951e..b68f9395bf 100644 --- a/docs/docs/resources/intune/IntuneDeviceRemediation.md +++ b/docs/docs/resources/intune/IntuneDeviceRemediation.md 
@@ -99,21 +99,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDiskEncryptionMacOS.md b/docs/docs/resources/intune/IntuneDiskEncryptionMacOS.md index f4289f16e9..27a43c72ee 100644 --- a/docs/docs/resources/intune/IntuneDiskEncryptionMacOS.md +++ b/docs/docs/resources/intune/IntuneDiskEncryptionMacOS.md @@ -56,21 +56,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneDiskEncryptionWindows10.md b/docs/docs/resources/intune/IntuneDiskEncryptionWindows10.md index b359738f21..30ea1cc6ef 100644 --- a/docs/docs/resources/intune/IntuneDiskEncryptionWindows10.md +++ b/docs/docs/resources/intune/IntuneDiskEncryptionWindows10.md 
@@ -101,21 +101,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyLinux.md b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyLinux.md index dcce4db30c..3e214c55ea 100644 --- a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyLinux.md +++ b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyLinux.md @@ -48,21 +48,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyMacOS.md b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyMacOS.md index d7f9f57a4b..b7440d0972 100644 --- a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyMacOS.md +++ b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyMacOS.md 
@@ -48,21 +48,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md index 92a2428a6d..7ab1d07c4a 100644 --- a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md @@ -49,21 +49,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneExploitProtectionPolicyWindows10SettingCatalog.md b/docs/docs/resources/intune/IntuneExploitProtectionPolicyWindows10SettingCatalog.md index 17b0440a3d..bc0860cef2 100644 --- a/docs/docs/resources/intune/IntuneExploitProtectionPolicyWindows10SettingCatalog.md 
+++ b/docs/docs/resources/intune/IntuneExploitProtectionPolicyWindows10SettingCatalog.md @@ -52,21 +52,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneFirewallPolicyWindows10.md b/docs/docs/resources/intune/IntuneFirewallPolicyWindows10.md index f9ad6cee2b..c09a160b70 100644 --- a/docs/docs/resources/intune/IntuneFirewallPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneFirewallPolicyWindows10.md @@ -123,21 +123,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md b/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md index cdb64c20a7..da90863d02 100644 --- a/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md +++ b/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md 
@@ -14,12 +14,12 @@ | **Owner** | Write | String | The owner of the app. Inherited from mobileApp. | | | **PrivacyInformationUrl** | Write | String | The privacy statement Url. Inherited from mobileApp. | | | **Publisher** | Write | String | The publisher of the app. Inherited from mobileApp. | | -| **PublishingState** | Write | String | The publishing state for the app. The app cannot be assigned unless the app is published. Inherited from mobileApp. | `notPublished`, `processing`, `published` | | **BundleId** | Write | String | The bundleId of the app. | | | **BuildNumber** | Write | String | The build number of the app. | | | **VersionNumber** | Write | String | The version number of the app. | | | **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tag IDs for mobile app. | | | **IgnoreVersionDetection** | Write | Boolean | Whether to ignore the version of the app or not. | | +| **InstallAsManaged** | Write | Boolean | Install the app as managed. Requires macOS 11.0. | | | **LargeIcon** | Write | MSFT_DeviceManagementMimeContent | The icon for this app. | | | **MinimumSupportedOperatingSystem** | Write | MSFT_DeviceManagementMinimumOperatingSystem | The minimum supported operating system to install the app. | | | **Categories** | Write | MSFT_DeviceManagementMobileAppCategory[] | The list of categories for this app. | | @@ -110,21 +110,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples 
@@ -234,7 +234,6 @@ Configuration Example Owner = ""; PrivacyInformationUrl = ""; Publisher = "Contoso"; - PublishingState = "published"; Assignments = @( MSFT_DeviceManagementMobileAppAssignment { groupDisplayName = 'All devices' diff --git a/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md b/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md index 52bfea559e..ca844c4abd 100644 --- a/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md +++ b/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md @@ -104,21 +104,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneMobileThreatDefenseConnector.md b/docs/docs/resources/intune/IntuneMobileThreatDefenseConnector.md new file mode 100644 index 0000000000..66dee65b7e --- /dev/null +++ b/docs/docs/resources/intune/IntuneMobileThreatDefenseConnector.md 
@@ -0,0 +1,227 @@ +# IntuneMobileThreatDefenseConnector + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Key | String | The unique identifier for an entity. Read-only. | | +| **DisplayName** | Write | String | The DisplayName of the Mobile Threat Defense Connector partner. NOTE: Hard coded for convenience, not returned by the Graph API. | | +| **AllowPartnerToCollectIosApplicationMetadata** | Write | Boolean | When TRUE, indicates the Mobile Threat Defense partner may collect metadata about installed applications from Intune for IOS devices. When FALSE, indicates the Mobile Threat Defense partner may not collect metadata about installed applications from Intune for IOS devices. Default value is FALSE. | | +| **AllowPartnerToCollectIosPersonalApplicationMetadata** | Write | Boolean | When TRUE, indicates the Mobile Threat Defense partner may collect metadata about personally installed applications from Intune for IOS devices. When FALSE, indicates the Mobile Threat Defense partner may not collect metadata about personally installed applications from Intune for IOS devices. Default value is FALSE. | | +| **AndroidDeviceBlockedOnMissingPartnerData** | Write | Boolean | For Android, set whether Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant. | | +| **AndroidEnabled** | Write | Boolean | For Android, set whether data from the Mobile Threat Defense partner should be used during compliance evaluations. | | +| **AndroidMobileApplicationManagementEnabled** | Write | Boolean | When TRUE, indicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for Android devices. When FALSE, indicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for Android devices. 
Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE. | | +| **IosDeviceBlockedOnMissingPartnerData** | Write | Boolean | For IOS, set whether Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant. | | +| **IosEnabled** | Write | Boolean | For IOS, get or set whether data from the Mobile Threat Defense partner should be used during compliance evaluations. | | +| **IosMobileApplicationManagementEnabled** | Write | Boolean | When TRUE, indicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for IOS devices. When FALSE, indicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for IOS devices. Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE. | | +| **LastHeartbeatDateTime** | Write | DateTime | DateTime of last Heartbeat received from the Mobile Threat Defense partner. | | +| **MicrosoftDefenderForEndpointAttachEnabled** | Write | Boolean | When TRUE, indicates that configuration profile management via Microsoft Defender for Endpoint is enabled. When FALSE, inidicates that configuration profile management via Microsoft Defender for Endpoint is disabled. Default value is FALSE. | | +| **PartnerState** | Write | String | Partner state of this tenant. | | +| **PartnerUnresponsivenessThresholdInDays** | Write | UInt32 | Get or Set days the per tenant tolerance to unresponsiveness for this partner integration. | | +| **PartnerUnsupportedOSVersionBlocked** | Write | Boolean | Get or set whether to block devices on the enabled platforms that do not meet the minimum version requirements of the Mobile Threat Defense partner. 
| | +| **WindowsDeviceBlockedOnMissingPartnerData** | Write | Boolean | When TRUE, indicates that Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant for Windows. When FALSE, indicates that Intune may make a device compliant without receiving data from the Mobile Threat Defense partner for Windows. Default value is FALSE. | | +| **WindowsEnabled** | Write | Boolean | When TRUE, indicates that data from the Mobile Threat Defense partner can be used during compliance evaluations for Windows. When FALSE, it indicates that data from the Mobile Threat Defense partner should not be used during compliance evaluations for Windows. Default value is FALSE. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +This resource configures a connection to Mobile Threat Defense partner. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementServiceConfig.Read.All + +- **Update** + + - DeviceManagementServiceConfig.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementServiceConfig.Read.All + +- **Update** + + - DeviceManagementServiceConfig.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint" + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 2 + +This example 
is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint" + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $True; #drift + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint" + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Absent"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + diff --git a/docs/docs/resources/intune/IntunePolicySets.md b/docs/docs/resources/intune/IntunePolicySets.md index d1bb683e0a..ddc91dc234 100644 --- a/docs/docs/resources/intune/IntunePolicySets.md +++ b/docs/docs/resources/intune/IntunePolicySets.md 
@@ -60,21 +60,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - None + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - None + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneRoleAssignment.md b/docs/docs/resources/intune/IntuneRoleAssignment.md index ab0133db1c..0ca60f3e19 100644 --- a/docs/docs/resources/intune/IntuneRoleAssignment.md +++ b/docs/docs/resources/intune/IntuneRoleAssignment.md @@ -38,21 +38,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementRBAC.Read.All + - Group.Read.All, DeviceManagementRBAC.Read.All - **Update** - - DeviceManagementRBAC.ReadWrite.All + - Group.Read.All, DeviceManagementRBAC.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementRBAC.Read.All + - Group.Read.All, DeviceManagementRBAC.Read.All - **Update** - - DeviceManagementRBAC.ReadWrite.All + - Group.Read.All, DeviceManagementRBAC.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneSecurityBaselineDefenderForEndpoint.md b/docs/docs/resources/intune/IntuneSecurityBaselineDefenderForEndpoint.md new file mode 100644 index 0000000000..af77fafef9 --- /dev/null +++ b/docs/docs/resources/intune/IntuneSecurityBaselineDefenderForEndpoint.md 
@@ -0,0 +1,342 @@ +# IntuneSecurityBaselineDefenderForEndpoint + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Description** | Write | String | Policy description | | +| **DisplayName** | Key | String | Policy name | | +| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. | | +| **DeviceSettings** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint | Scope for Device Setting | | +| **UserSettings** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint | Scope for Device Setting | | +| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. 
| | + +### MSFT_DeviceManagementConfigurationPolicyAssignments + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` | +| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` | +| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | | +| **groupId** | Write | String | The group Id that is the target of the assignment. | | +| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | | +| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | | + +### MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DeviceInstall_Classes_Deny** | Write | String | Prevent installation of devices using drivers that match these device setup classes (0: Disabled, 1: Enabled) | `0`, `1` | +| **DeviceInstall_Classes_Deny_List** | Write | StringArray[] | Prevented Classes - Depends on DeviceInstall_Classes_Deny | | +| **DeviceInstall_Classes_Deny_Retroactive** | Write | String | Also apply to matching devices that are already installed. 
- Depends on DeviceInstall_Classes_Deny (0: False, 1: True) | `0`, `1` | +| **EncryptionMethodWithXts_Name** | Write | String | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) (0: Disabled, 1: Enabled) | `0`, `1` | +| **EncryptionMethodWithXtsOsDropDown_Name** | Write | String | Select the encryption method for operating system drives: - Depends on EncryptionMethodWithXts_Name (3: AES-CBC 128-bit, 4: AES-CBC 256-bit, 6: XTS-AES 128-bit (default), 7: XTS-AES 256-bit) | `3`, `4`, `6`, `7` | +| **EncryptionMethodWithXtsFdvDropDown_Name** | Write | String | Select the encryption method for fixed data drives: - Depends on EncryptionMethodWithXts_Name (3: AES-CBC 128-bit, 4: AES-CBC 256-bit, 6: XTS-AES 128-bit (default), 7: XTS-AES 256-bit) | `3`, `4`, `6`, `7` | +| **EncryptionMethodWithXtsRdvDropDown_Name** | Write | String | Select the encryption method for removable data drives: - Depends on EncryptionMethodWithXts_Name (3: AES-CBC 128-bit (default), 4: AES-CBC 256-bit, 6: XTS-AES 128-bit, 7: XTS-AES 256-bit) | `3`, `4`, `6`, `7` | +| **FDVRecoveryUsage_Name** | Write | String | Choose how BitLocker-protected fixed drives can be recovered (0: Disabled, 1: Enabled) | `0`, `1` | +| **FDVActiveDirectoryBackup_Name** | Write | String | Save BitLocker recovery information to AD DS for fixed data drives - Depends on FDVRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **FDVHideRecoveryPage_Name** | Write | String | Omit recovery options from the BitLocker setup wizard - Depends on FDVRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **FDVRecoveryPasswordUsageDropDown_Name** | Write | String | Configure user storage of BitLocker recovery information: - Depends on FDVRecoveryUsage_Name (2: Allow 48-digit recovery password, 1: Require 48-digit recovery password, 0: Do not allow 48-digit recovery password) | `2`, `1`, `0` | +| **FDVRequireActiveDirectoryBackup_Name** | Write | String | Do not enable BitLocker until recovery 
information is stored to AD DS for fixed data drives - Depends on FDVRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **FDVAllowDRA_Name** | Write | String | Allow data recovery agent - Depends on FDVRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **FDVActiveDirectoryBackupDropDown_Name** | Write | String | Configure storage of BitLocker recovery information to AD DS: - Depends on FDVRecoveryUsage_Name (1: Backup recovery passwords and key packages, 2: Backup recovery passwords only) | `1`, `2` | +| **FDVRecoveryKeyUsageDropDown_Name** | Write | String | - Depends on FDVRecoveryUsage_Name (2: Allow 256-bit recovery key, 1: Require 256-bit recovery key, 0: Do not allow 256-bit recovery key) | `2`, `1`, `0` | +| **FDVDenyWriteAccess_Name** | Write | String | Deny write access to fixed drives not protected by BitLocker (0: Disabled, 1: Enabled) | `0`, `1` | +| **FDVEncryptionType_Name** | Write | String | Enforce drive encryption type on fixed data drives (0: Disabled, 1: Enabled) | `0`, `1` | +| **FDVEncryptionTypeDropDown_Name** | Write | String | Select the encryption type: (Device) - Depends on FDVEncryptionType_Name (0: Allow user to choose (default), 1: Full encryption, 2: Used Space Only encryption) | `0`, `1`, `2` | +| **EnablePreBootPinExceptionOnDECapableDevice_Name** | Write | String | Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. 
(0: Disabled, 1: Enabled) | `0`, `1` | +| **EnhancedPIN_Name** | Write | String | Allow enhanced PINs for startup (0: Disabled, 1: Enabled) | `0`, `1` | +| **OSRecoveryUsage_Name** | Write | String | Choose how BitLocker-protected operating system drives can be recovered (0: Disabled, 1: Enabled) | `0`, `1` | +| **OSRequireActiveDirectoryBackup_Name** | Write | String | Do not enable BitLocker until recovery information is stored to AD DS for operating system drives - Depends on OSRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **OSActiveDirectoryBackup_Name** | Write | String | Save BitLocker recovery information to AD DS for operating system drives - Depends on OSRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **OSRecoveryPasswordUsageDropDown_Name** | Write | String | Configure user storage of BitLocker recovery information: - Depends on OSRecoveryUsage_Name (2: Allow 48-digit recovery password, 1: Require 48-digit recovery password, 0: Do not allow 48-digit recovery password) | `2`, `1`, `0` | +| **OSHideRecoveryPage_Name** | Write | String | Omit recovery options from the BitLocker setup wizard - Depends on OSRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **OSAllowDRA_Name** | Write | String | Allow data recovery agent - Depends on OSRecoveryUsage_Name (0: False, 1: True) | `0`, `1` | +| **OSRecoveryKeyUsageDropDown_Name** | Write | String | - Depends on OSRecoveryUsage_Name (2: Allow 256-bit recovery key, 1: Require 256-bit recovery key, 0: Do not allow 256-bit recovery key) | `2`, `1`, `0` | +| **OSActiveDirectoryBackupDropDown_Name** | Write | String | Configure storage of BitLocker recovery information to AD DS: - Depends on OSRecoveryUsage_Name (1: Store recovery passwords and key packages, 2: Store recovery passwords only) | `1`, `2` | +| **EnablePrebootInputProtectorsOnSlates_Name** | Write | String | Enable use of BitLocker authentication requiring preboot keyboard input on slates (0: Disabled, 1: Enabled) | `0`, `1` | +| 
**OSEncryptionType_Name** | Write | String | Enforce drive encryption type on operating system drives (0: Disabled, 1: Enabled) | `0`, `1` | +| **OSEncryptionTypeDropDown_Name** | Write | String | Select the encryption type: (Device) - Depends on OSEncryptionType_Name (0: Allow user to choose (default), 1: Full encryption, 2: Used Space Only encryption) | `0`, `1`, `2` | +| **ConfigureAdvancedStartup_Name** | Write | String | Require additional authentication at startup (0: Disabled, 1: Enabled) | `0`, `1` | +| **ConfigureTPMStartupKeyUsageDropDown_Name** | Write | String | Configure TPM startup key: - Depends on ConfigureAdvancedStartup_Name (2: Allow startup key with TPM, 1: Require startup key with TPM, 0: Do not allow startup key with TPM) | `2`, `1`, `0` | +| **ConfigureTPMPINKeyUsageDropDown_Name** | Write | String | Configure TPM startup key and PIN: - Depends on ConfigureAdvancedStartup_Name (2: Allow startup key and PIN with TPM, 1: Require startup key and PIN with TPM, 0: Do not allow startup key and PIN with TPM) | `2`, `1`, `0` | +| **ConfigureTPMUsageDropDown_Name** | Write | String | Configure TPM startup: - Depends on ConfigureAdvancedStartup_Name (2: Allow TPM, 1: Require TPM, 0: Do not allow TPM) | `2`, `1`, `0` | +| **ConfigureNonTPMStartupKeyUsage_Name** | Write | String | Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) - Depends on ConfigureAdvancedStartup_Name (0: False, 1: True) | `0`, `1` | +| **ConfigurePINUsageDropDown_Name** | Write | String | Configure TPM startup PIN: - Depends on ConfigureAdvancedStartup_Name (2: Allow startup PIN with TPM, 1: Require startup PIN with TPM, 0: Do not allow startup PIN with TPM) | `2`, `1`, `0` | +| **RDVConfigureBDE** | Write | String | Control use of BitLocker on removable drives (0: Disabled, 1: Enabled) | `0`, `1` | +| **RDVAllowBDE_Name** | Write | String | Allow users to apply BitLocker protection on removable data drives (Device) - Depends on 
RDVConfigureBDE (0: False, 1: True) | `0`, `1` | +| **RDVEncryptionType_Name** | Write | String | Enforce drive encryption type on removable data drives (0: Disabled, 1: Enabled) | `0`, `1` | +| **RDVEncryptionTypeDropDown_Name** | Write | String | Select the encryption type: (Device) (0: Allow user to choose (default), 1: Full encryption, 2: Used Space Only encryption) | `0`, `1`, `2` | +| **RDVDisableBDE_Name** | Write | String | Allow users to suspend and decrypt BitLocker protection on removable data drives (Device) - Depends on RDVConfigureBDE (0: False, 1: True) | `0`, `1` | +| **RDVDenyWriteAccess_Name** | Write | String | Deny write access to removable drives not protected by BitLocker (0: Disabled, 1: Enabled) | `0`, `1` | +| **RDVCrossOrg** | Write | String | Do not allow write access to devices configured in another organization - Depends on RDVDenyWriteAccess_Name (0: False, 1: True) | `0`, `1` | +| **EnableSmartScreen** | Write | String | Configure Windows Defender SmartScreen (0: Disabled, 1: Enabled) | `0`, `1` | +| **EnableSmartScreenDropdown** | Write | String | Pick one of the following settings: (Device) - Depends on EnableSmartScreen (block: Warn and prevent bypass, warn: Warn) | `block`, `warn` | +| **DisableSafetyFilterOverrideForAppRepUnknown** | Write | String | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (0: Disabled, 1: Enabled) | `0`, `1` | +| **Disable_Managing_Safety_Filter_IE9** | Write | String | Prevent managing SmartScreen Filter (0: Disabled, 1: Enabled) | `0`, `1` | +| **IE9SafetyFilterOptions** | Write | String | Select SmartScreen Filter mode - Depends on Disable_Managing_Safety_Filter_IE9 (0: Off, 1: On) | `0`, `1` | +| **AllowWarningForOtherDiskEncryption** | Write | String | Allow Warning For Other Disk Encryption (0: Disabled, 1: Enabled) | `0`, `1` | +| **AllowStandardUserEncryption** | Write | String | Allow Standard User Encryption - Depends on 
AllowWarningForOtherDiskEncryption (0: This is the default, when the policy is not set. If current logged on user is a standard user, 'RequireDeviceEncryption' policy will not try to enable encryption on any drive., 1: 'RequireDeviceEncryption' policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.) | `0`, `1` | +| **ConfigureRecoveryPasswordRotation** | Write | String | Configure Recovery Password Rotation (0: Refresh off (default), 1: Refresh on for Azure AD-joined devices, 2: Refresh on for both Azure AD-joined and hybrid-joined devices) | `0`, `1`, `2` | +| **RequireDeviceEncryption** | Write | String | Require Device Encryption (0: Disabled, 1: Enabled) | `0`, `1` | +| **AllowArchiveScanning** | Write | String | Allow Archive Scanning (0: Not allowed. Turns off scanning on archived files., 1: Allowed. Scans the archive files.) | `0`, `1` | +| **AllowBehaviorMonitoring** | Write | String | Allow Behavior Monitoring (0: Not allowed. Turns off behavior monitoring., 1: Allowed. Turns on real-time behavior monitoring.) | `0`, `1` | +| **AllowCloudProtection** | Write | String | Allow Cloud Protection (0: Not allowed. Turns off the Microsoft Active Protection Service., 1: Allowed. Turns on the Microsoft Active Protection Service.) | `0`, `1` | +| **AllowEmailScanning** | Write | String | Allow Email Scanning (0: Not allowed. Turns off email scanning., 1: Allowed. Turns on email scanning.) | `0`, `1` | +| **AllowFullScanRemovableDriveScanning** | Write | String | Allow Full Scan Removable Drive Scanning (0: Not allowed. Turns off scanning on removable drives., 1: Allowed. Scans removable drives.) | `0`, `1` | +| **AllowOnAccessProtection** | Write | String | Allow On Access Protection (0: Not allowed., 1: Allowed.) | `0`, `1` | +| **AllowRealtimeMonitoring** | Write | String | Allow Realtime Monitoring (0: Not allowed. Turns off the real-time monitoring service., 1: Allowed. 
Turns on and runs the real-time monitoring service.) | `0`, `1` | +| **AllowScanningNetworkFiles** | Write | String | Allow Scanning Network Files (0: Not allowed. Turns off scanning of network files., 1: Allowed. Scans network files.) | `0`, `1` | +| **AllowIOAVProtection** | Write | String | Allow scanning of all downloaded files and attachments (0: Not allowed., 1: Allowed.) | `0`, `1` | +| **AllowScriptScanning** | Write | String | Allow Script Scanning (0: Not allowed., 1: Allowed.) | `0`, `1` | +| **AllowUserUIAccess** | Write | String | Allow User UI Access (0: Not allowed. Prevents users from accessing UI., 1: Allowed. Lets users access UI.) | `0`, `1` | +| **BlockExecutionOfPotentiallyObfuscatedScripts** | Write | String | Block execution of potentially obfuscated scripts - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockWin32APICallsFromOfficeMacros** | Write | String | Block Win32 API calls from Office macros - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion** | Write | String | Block executable files from running unless they meet a prevalence, age, or trusted list criterion - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockOfficeCommunicationAppFromCreatingChildProcesses** | Write | String | Block Office 
communication application from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockAllOfficeApplicationsFromCreatingChildProcesses** | Write | String | Block all Office applications from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockAdobeReaderFromCreatingChildProcesses** | Write | String | Block Adobe Reader from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem** | Write | String | Block credential stealing from the Windows local security authority subsystem - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent** | Write | String | Block JavaScript or VBScript from launching downloaded executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR 
Only Per Rule Exclusions | | +| **BlockWebshellCreationForServers** | Write | String | Block Webshell creation for Servers - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockWebshellCreationForServers_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockUntrustedUnsignedProcessesThatRunFromUSB** | Write | String | Block untrusted and unsigned processes that run from USB - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockPersistenceThroughWMIEventSubscription** | Write | String | Block persistence through WMI event subscription - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockUseOfCopiedOrImpersonatedSystemTools** | Write | String | [PREVIEW] Block use of copied or impersonated system tools - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockAbuseOfExploitedVulnerableSignedDrivers** | Write | String | Block abuse of exploited vulnerable signed drivers (Device) - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockProcessCreationsFromPSExecAndWMICommands** | Write | String | Block process creations originating from PSExec and WMI commands - Depends on AttackSurfaceReductionRules (off: Off, block: 
Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockOfficeApplicationsFromCreatingExecutableContent** | Write | String | Block Office applications from creating executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses** | Write | String | Block Office applications from injecting code into other processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockRebootingMachineInSafeMode** | Write | String | [PREVIEW] Block rebooting machine in Safe Mode - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **UseAdvancedProtectionAgainstRansomware** | Write | String | Use advanced protection against ransomware - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, `block`, `audit`, `warn` | +| **UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **BlockExecutableContentFromEmailClientAndWebmail** | Write | String | Block executable content from email client and webmail - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | `off`, 
`block`, `audit`, `warn` | +| **BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions** | Write | StringArray[] | ASR Only Per Rule Exclusions | | +| **CheckForSignaturesBeforeRunningScan** | Write | String | Check For Signatures Before Running Scan (0: Disabled, 1: Enabled) | `0`, `1` | +| **CloudBlockLevel** | Write | String | Cloud Block Level (0: NotConfigured, 2: High, 4: HighPlus, 6: ZeroTolerance) | `0`, `2`, `4`, `6` | +| **CloudExtendedTimeout** | Write | SInt32 | Cloud Extended Timeout | | +| **DisableLocalAdminMerge** | Write | String | Disable Local Admin Merge (0: Enable Local Admin Merge, 1: Disable Local Admin Merge) | `0`, `1` | +| **EnableNetworkProtection** | Write | String | Enable Network Protection (0: Disabled, 1: Enabled (block mode), 2: Enabled (audit mode)) | `0`, `1`, `2` | +| **HideExclusionsFromLocalAdmins** | Write | String | Hide Exclusions From Local Admins (1: If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell., 0: If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell.) | `1`, `0` | +| **HideExclusionsFromLocalUsers** | Write | String | Hide Exclusions From Local Users (1: If you enable this setting, local users will no longer be able to see the exclusion list in Windows Security App or via PowerShell., 0: If you disable or do not configure this setting, local users will be able to see exclusions in the Windows Security App and via PowerShell.) | `1`, `0` | +| **OobeEnableRtpAndSigUpdate** | Write | String | Oobe Enable Rtp And Sig Update (1: If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE., 0: If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled.) 
| `1`, `0` | +| **PUAProtection** | Write | String | PUA Protection (0: PUA Protection off. Windows Defender will not protect against potentially unwanted applications., 1: PUA Protection on. Detected items are blocked. They will show in history along with other threats., 2: Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.) | `0`, `1`, `2` | +| **RealTimeScanDirection** | Write | String | Real Time Scan Direction (0: Monitor all files (bi-directional)., 1: Monitor incoming files., 2: Monitor outgoing files.) | `0`, `1`, `2` | +| **ScanParameter** | Write | String | Scan Parameter (1: Quick scan, 2: Full scan) | `1`, `2` | +| **ScheduleQuickScanTime** | Write | SInt32 | Schedule Quick Scan Time | | +| **ScheduleScanDay** | Write | String | Schedule Scan Day (0: Every day, 1: Sunday, 2: Monday, 3: Tuesday, 4: Wednesday, 5: Thursday, 6: Friday, 7: Saturday, 8: No scheduled scan) | `0`, `1`, `2`, `3`, `4`, `5`, `6`, `7`, `8` | +| **ScheduleScanTime** | Write | SInt32 | Schedule Scan Time | | +| **SignatureUpdateInterval** | Write | SInt32 | Signature Update Interval | | +| **SubmitSamplesConsent** | Write | String | Submit Samples Consent (0: Always prompt., 1: Send safe samples automatically., 2: Never send., 3: Send all samples automatically.) | `0`, `1`, `2`, `3` | +| **LsaCfgFlags** | Write | String | Credential Guard (0: (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock., 1: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock., 2: (Enabled without lock) Turns on Credential Guard without UEFI lock.) 
| `0`, `1`, `2` | +| **DeviceEnumerationPolicy** | Write | String | Device Enumeration Policy (0: Block all (Most restrictive), 1: Only after log in/screen unlock, 2: Allow all (Least restrictive)) | `0`, `1`, `2` | +| **SmartScreenEnabled** | Write | String | Configure Microsoft Defender SmartScreen (0: Disabled, 1: Enabled) | `0`, `1` | +| **SmartScreenPuaEnabled** | Write | String | Configure Microsoft Defender SmartScreen to block potentially unwanted apps (0: Disabled, 1: Enabled) | `0`, `1` | +| **SmartScreenDnsRequestsEnabled** | Write | String | Enable Microsoft Defender SmartScreen DNS requests (0: Disabled, 1: Enabled) | `0`, `1` | +| **NewSmartScreenLibraryEnabled** | Write | String | Enable new SmartScreen library (0: Disabled, 1: Enabled) | `0`, `1` | +| **SmartScreenForTrustedDownloadsEnabled** | Write | String | Force Microsoft Defender SmartScreen checks on downloads from trusted sources (0: Disabled, 1: Enabled) | `0`, `1` | +| **PreventSmartScreenPromptOverride** | Write | String | Prevent bypassing Microsoft Defender SmartScreen prompts for sites (0: Disabled, 1: Enabled) | `0`, `1` | +| **PreventSmartScreenPromptOverrideForFiles** | Write | String | Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (0: Disabled, 1: Enabled) | `0`, `1` | + +### MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisableSafetyFilterOverrideForAppRepUnknown** | Write | String | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (User) (0: Disabled, 1: Enabled) | `0`, `1` | + + +## Description + +Intune Security Baseline Defender For Endpoint + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- 
**Read**
+
+ - DeviceManagementConfiguration.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.ReadWrite.All
+
+#### Application permissions
+
+- **Read**
+
+ - DeviceManagementConfiguration.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.ReadWrite.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint'
+ {
+ DisplayName = 'test'
+ DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint
+ {
+ BlockExecutionOfPotentiallyObfuscatedScripts = 'off'
+ AllowRealtimeMonitoring = '1'
+ BlockWin32APICallsFromOfficeMacros = 'warn'
+ CloudBlockLevel = '2'
+ }
+ UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint
+ {
+ DisableSafetyFilterOverrideForAppRepUnknown = '1'
+ }
+ Ensure = 'Present'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint'
+ {
+ DisplayName = 'test'
+ DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint
+ {
+ BlockExecutionOfPotentiallyObfuscatedScripts = 'off'
+ AllowRealtimeMonitoring = '0' #drift
+ BlockWin32APICallsFromOfficeMacros = 'warn'
+ CloudBlockLevel = '2'
+ }
+ UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint
+ {
+ DisableSafetyFilterOverrideForAppRepUnknown = '1'
+ }
+ Ensure = 'Present'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint'
+ {
+ DisplayName = 'test'
+ Ensure = 'Absent'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md
index 78a3f1969a..3c60a47ae5 100644
--- a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md +++ b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md @@ -499,21 +499,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md index 439264f0bc..858d62840b 100644 --- a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md +++ b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md @@ -67,21 +67,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneSettingCatalogASRRulesPolicyWindows10.md b/docs/docs/resources/intune/IntuneSettingCatalogASRRulesPolicyWindows10.md index b565f3f12c..90d9ba2ebd 100644 
--- a/docs/docs/resources/intune/IntuneSettingCatalogASRRulesPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneSettingCatalogASRRulesPolicyWindows10.md @@ -88,21 +88,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneSettingCatalogCustomPolicyWindows10.md b/docs/docs/resources/intune/IntuneSettingCatalogCustomPolicyWindows10.md index fb7b396272..9962ba0a3c 100644 --- a/docs/docs/resources/intune/IntuneSettingCatalogCustomPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneSettingCatalogCustomPolicyWindows10.md @@ -137,21 +137,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.md index 8f3324c65a..7483c4710f 100644 
--- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.md @@ -50,21 +50,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.md index a2d42ba204..b3861e4351 100644 --- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.md @@ -57,21 +57,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples 
diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.md index 3b93f6cb7f..8fafa7ecab 100644 --- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.md @@ -50,21 +50,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidForWork.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidForWork.md index 01e681328d..3eb7f1c1b2 100644 --- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidForWork.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidForWork.md 
@@ -50,21 +50,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidOpenSourceProject.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidOpenSourceProject.md index ef98411a57..f5c81807de 100644 --- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidOpenSourceProject.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyAndroidOpenSourceProject.md @@ -52,21 +52,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyIOS.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyIOS.md index ddcf26325a..241082231f 100644 --- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyIOS.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyIOS.md 
@@ -56,21 +56,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyMacOS.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyMacOS.md index 57e8731161..d542ae3f65 100644 --- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyMacOS.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyMacOS.md @@ -55,21 +55,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyWindows10.md b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyWindows10.md index 23ba85724c..f4ed4299f5 100644 --- a/docs/docs/resources/intune/IntuneWifiConfigurationPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneWifiConfigurationPolicyWindows10.md 
@@ -58,21 +58,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.md b/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.md index 43d2e26d9f..348408777b 100644 --- a/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.md +++ b/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.md @@ -81,21 +81,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADJoined.md b/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADJoined.md index 526656617c..fee1d8eb6c 100644 --- a/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADJoined.md 
+++ b/docs/docs/resources/intune/IntuneWindowsAutopilotDeploymentProfileAzureADJoined.md @@ -80,21 +80,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementServiceConfig.Read.All + - Group.Read.All, DeviceManagementServiceConfig.Read.All - **Update** - - DeviceManagementServiceConfig.ReadWrite.All + - Group.Read.All, DeviceManagementServiceConfig.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.md b/docs/docs/resources/intune/IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.md index e581a1dcc1..75f98f153f 100644 --- a/docs/docs/resources/intune/IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.md +++ b/docs/docs/resources/intune/IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.md @@ -140,21 +140,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementApps.Read.All + - Group.Read.All, DeviceManagementApps.Read.All - **Update** - - DeviceManagementApps.ReadWrite.All + - Group.Read.All, DeviceManagementApps.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.md b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.md index edb5abbe42..6b8532fcc2 100644 
--- a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.md +++ b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.md @@ -50,21 +50,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.md b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.md index 2c6cec626d..da5c950514 100644 --- a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.md +++ b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.md @@ -80,21 +80,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples 
diff --git a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10.md b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10.md index 413892c638..edeac97ca8 100644 --- a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10.md +++ b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessQualityUpdateProfileWindows10.md @@ -56,21 +56,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.md b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.md index 46d2e49c70..b12b125578 100644 --- a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.md +++ b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.md 
@@ -91,21 +91,21 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All #### Application permissions - **Read** - - DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.Read.All - **Update** - - DeviceManagementConfiguration.ReadWrite.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All ## Examples diff --git a/docs/docs/resources/intune/M365DSCRuleEvaluation.md b/docs/docs/resources/intune/M365DSCRuleEvaluation.md index 84e4143b74..8d78bc8531 100644 --- a/docs/docs/resources/intune/M365DSCRuleEvaluation.md +++ b/docs/docs/resources/intune/M365DSCRuleEvaluation.md @@ -4,7 +4,7 @@ | Parameter | Attribute | DataType | Description | Allowed Values | | --- | --- | --- | --- | --- | -| **ResourceName** | Key | String | Name of the resource to monitor | | +| **ResourceTypeName** | Key | String | Name of the resource to monitor | | | **RuleDefinition** | Required | String | Specify the rules to monitor the resource for. | | | **AfterRuleCountQuery** | Write | String | Query to check how many instances exist, using PowerShell format | | | **Credential** | Write | PSCredential | Credentials of the Azure Active Directory Admin | | @@ -68,9 +68,9 @@ Configuration Example { M365DSCRuleEvaluation 'AllowAnonymousUsersToJoinMeetingAllPolicies' { - ResourceName = 'TeamsMeetingPolicy' - RuleDefinition = "`$_.AllowAnonymousUsersToJoinMeeting -eq `$true" - Credential = $CredsCredential + ResourceTypeName = 'TeamsMeetingPolicy' + RuleDefinition = "`$_.AllowAnonymousUsersToJoinMeeting -eq `$true" + Credential = $CredsCredential } } } diff --git a/docs/docs/resources/onedrive/ODSettings.md b/docs/docs/resources/onedrive/ODSettings.md index 9297f4f4f0..1ce2931a20 100644 
--- a/docs/docs/resources/onedrive/ODSettings.md
+++ b/docs/docs/resources/onedrive/ODSettings.md
@@ -8,7 +8,7 @@
 | **OneDriveStorageQuota** | Write | UInt32 | The resource quota to apply to the OneDrive sites | |
 | **OrphanedPersonalSitesRetentionPeriod** | Write | UInt32 | Number of days after a user's account is deleted that their OneDrive for Business content will be deleted. | |
 | **OneDriveForGuestsEnabled** | Write | Boolean | Enable guest acess for OneDrive | |
-| **NotifyOwnersWhenInvitationsAccepted** | Write | Boolean | When true and when an external user accepts an invitation to a resource in a user’s OneDrive for Business owner is notified by e-mail | |
+| **NotifyOwnersWhenInvitationsAccepted** | Write | Boolean | DEPRECATED | |
 | **NotificationsInOneDriveForBusinessEnabled** | Write | Boolean | Turn notifications on/off OneDrive | |
 | **ODBMembersCanShare** | Write | String | Lets administrators set policy on re-sharing behavior in OneDrive for Business | `On`, `Off`, `Unspecified` |
 | **ODBAccessRequests** | Write | String | Lets administrators set policy on access requests and requests to share in OneDrive for Business | `On`, `Off`, `Unspecified` |
diff --git a/docs/docs/resources/power-platform/PPPowerAppsEnvironment.md b/docs/docs/resources/power-platform/PPPowerAppsEnvironment.md
index 8ebaf5e2dc..00d8d81cc8 100644
--- a/docs/docs/resources/power-platform/PPPowerAppsEnvironment.md
+++ b/docs/docs/resources/power-platform/PPPowerAppsEnvironment.md
@@ -7,6 +7,9 @@
 | **DisplayName** | Key | String | Display name for the PowerApps environment | |
 | **Location** | Required | String | Location of the PowerApps environment. | `canada`, `unitedstates`, `europe`, `asia`, `australia`, `india`, `japan`, `unitedkingdom`, `unitedstatesfirstrelease`, `southamerica`, `france`, `usgov`, `unitedarabemirates`, `germany`, `switzerland`, `norway`, `korea`, `southafrica` |
 | **EnvironmentSKU** | Required | String | Environment type. | `Production`, `Standard`, `Trial`, `Sandbox`, `SubscriptionBasedTrial`, `Teams`, `Developer` |
+| **ProvisionDatabase** | Write | Boolean | The switch to provision a Dataverse database when creating the environment. If set, LanguageName and CurrencyName are mandatory to pass as arguments. | |
+| **LanguageName** | Write | String | The default languages for the database, use Get-AdminPowerAppCdsDatabaseLanguages to get the support values. | `1033`, `1025`, `1069`, `1026`, `1027`, `3076`, `2052`, `1028`, `1050`, `1029`, `1030`, `1043`, `1061`, `1035`, `1036`, `1110`, `1031`, `1032`, `1037`, `1081`, `1038`, `1040`, `1041`, `1087`, `1042`, `1062`, `1063`, `1044`, `1045`, `1046`, `2070`, `1048`, `1049`, `2074`, `1051`, `1060`, `3082`, `1053`, `1054`, `1055`, `1058`, `1066`, `3098`, `1086`, `1057` |
+| **CurrencyName** | Write | String | The default currency for the database, use Get-AdminPowerAppCdsDatabaseCurrencies to get the supported values. 
| `KZT`, `ZAR`, `ETB`, `AED`, `BHD`, `DZD`, `EGP`, `IQD`, `JOD`, `KWD`, `LBP`, `LYD`, `MAD`, `OMR`, `QAR`, `SAR`, `SYP`, `TND`, `YER`, `CLP`, `INR`, `AZN`, `RUB`, `BYN`, `BGN`, `NGN`, `BDT`, `CNY`, `EUR`, `BAM`, `USD`, `CZK`, `GBP`, `DKK`, `CHF`, `MVR`, `BTN`, `XCD`, `AUD`, `BZD`, `CAD`, `HKD`, `IDR`, `JMD`, `MYR`, `NZD`, `PHP`, `SGD`, `TTD`, `XDR`, `ARS`, `BOB`, `COP`, `CRC`, `CUP`, `DOP`, `GTQ`, `HNL`, `MXN`, `NIO`, `PAB`, `PEN`, `PYG`, `UYU`, `VES`, `IRR`, `XOF`, `CDF`, `XAF`, `HTG`, `ILS`, `HUF`, `AMD`, `ISK`, `JPY`, `GEL`, `KHR`, `KRW`, `KGS`, `LAK`, `MKD`, `MNT`, `BND`, `MMK`, `NOK`, `NPR`, `PKR`, `PLN`, `AFN`, `BRL`, `MDL`, `RON`, `RWF`, `SEK`, `LKR`, `SOS`, `ALL`, `RSD`, `KES`, `TJS`, `THB`, `ERN`, `TMT`, `BWP`, `TRY`, `UAH`, `UZS`, `VND`, `MOP`, `TWD` |
 | **Ensure** | Write | String | Only accepted value is 'Present'. | `Present`, `Absent` |
 | **Credential** | Write | PSCredential | Credentials of the Power Platform Admin | |
 | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
diff --git a/docs/docs/resources/power-platform/PPTenantSettings.md b/docs/docs/resources/power-platform/PPTenantSettings.md
index 5545656d97..3abd28ac3d 100644
--- a/docs/docs/resources/power-platform/PPTenantSettings.md
+++ b/docs/docs/resources/power-platform/PPTenantSettings.md
@@ -5,6 +5,40 @@
 | Parameter | Attribute | DataType | Description | Allowed Values |
 | --- | --- | --- | --- | --- |
 | **IsSingleInstance** | Key | String | Should be set to yes | `Yes` |
+| **DisableCopilotFeedback** | Write | Boolean | TBD | |
+| **DisableMakerMatch** | Write | Boolean | TBD | |
+| **DisableUnusedLicenseAssignment** | Write | Boolean | TBD | |
+| **DisableCreateFromImage** | Write | Boolean | TBD | |
+| **DisableConnectionSharingWithEveryone** | Write | Boolean | TBD | |
+| **AllowNewOrgChannelDefault** | Write | Boolean | TBD | |
+| **DisableCopilot** | Write | Boolean | TBD | |
+| **DisableCopilotWithBing** | Write | Boolean | TBD | |
+| **DisableAdminDigest** | Write | Boolean | TBD | |
+| **DisablePreferredDataLocationForTeamsEnvironment** | Write | Boolean | TBD | |
+| **DisableDeveloperEnvironmentCreationByNonAdminUsers** | Write | Boolean | TBD | |
+| **EnvironmentRoutingAllMakers** | Write | Boolean | TBD | |
+| **EnableDefaultEnvironmentRouting** | Write | Boolean | TBD | |
+| **EnableDesktopFlowDataPolicyManagement** | Write | String | TBD | |
+| **EnableCanvasAppInsights** | Write | Boolean | TBD | |
+| **DisableCreateFromFigma** | Write | Boolean | TBD | |
+| **DisableBillingPolicyCreationByNonAdminUsers** | Write | Boolean | TBD | |
+| **StorageCapacityConsumptionWarningThreshold** | Write | UInt32 | TBD | |
+| **EnableTenantCapacityReportForEnvironmentAdmins** | Write | Boolean | TBD | |
+| **EnableTenantLicensingReportForEnvironmentAdmins** | Write | Boolean | TBD | |
+| **DisableUseOfUnassignedAIBuilderCredits** | Write | Boolean | TBD | |
+| **EnableGenerativeAIFeaturesForSiteUsers** | Write | String | TBD | |
+| **EnableExternalAuthenticationProvidersInPowerPages** | Write | String | TBD | |
+| **DisableChampionsInvitationReachout** | Write | Boolean | TBD | |
+| **DisableSkillsMatchInvitationReachout** | Write | Boolean | TBD | |
+| **EnableOpenAiBotPublishing** | Write | Boolean | TBD | |
+| **DisableAiPrompts** | Write | 
Boolean | TBD | |
+| **DisableCopilotFeedbackMetadata** | Write | Boolean | TBD | |
+| **EnableModelDataSharing** | Write | Boolean | TBD | |
+| **DisableDataLogging** | Write | Boolean | TBD | |
+| **PowerCatalogAudienceSetting** | Write | String | TBD | |
+| **EnableDeleteDisabledUserinAllEnvironments** | Write | Boolean | TBD | |
+| **DisableHelpSupportCopilot** | Write | Boolean | TBD | |
+| **DisableSurveyScreenshots** | Write | Boolean | TBD | |
 | **WalkMeOptOut** | Write | Boolean | When set to true this will disable the Walk Me guidance. | |
 | **DisableNPSCommentsReachout** | Write | Boolean | When set to true this will disable the NPS Comments Reachout. | |
 | **DisableNewsletterSendout** | Write | Boolean | When set to true this will disable the monthly newsletters. | |
diff --git a/docs/docs/resources/security-compliance/SCInsiderRiskPolicy.md b/docs/docs/resources/security-compliance/SCInsiderRiskPolicy.md
index 960b48328f..57b972c764 100644
--- a/docs/docs/resources/security-compliance/SCInsiderRiskPolicy.md
+++ b/docs/docs/resources/security-compliance/SCInsiderRiskPolicy.md
@@ -172,6 +172,9 @@
 | **RetainSeverityAfterTriage** | Write | Boolean | Official documentation to come. | |
 | **LookbackTimeSpan** | Write | UInt32 | Official documentation to come. | |
 | **ProfileInScopeTimeSpan** | Write | UInt32 | Official documentation to come. | |
+| **GPUUtilizationLimit** | Write | UInt32 | Official documentation to come. | |
+| **CPUUtilizationLimit** | Write | UInt32 | Official documentation to come. | |
+| **MDATPTriageStatus** | Write | String | Official documentation to come. | |
 | **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` |
 | **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
 | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
diff --git a/docs/docs/resources/security-compliance/SCPolicyConfig.md b/docs/docs/resources/security-compliance/SCPolicyConfig.md
new file mode 100644
index 0000000000..24d6efb596
--- /dev/null
+++ b/docs/docs/resources/security-compliance/SCPolicyConfig.md
@@ -0,0 +1,481 @@ +# SCPolicyConfig + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Accepted value is 'Yes'. | `Yes` | +| **AdvancedClassificationEnabled** | Write | Boolean | TBD | | +| **AuditFileActivity** | Write | Boolean | TBD | | +| **BandwidthLimitEnabled** | Write | Boolean | TBD | | +| **BusinessJustificationList** | Write | MSFT_PolicyConfigBusinessJustificationList[] | TBD | | +| **CloudAppMode** | Write | String | TBD | | +| **CloudAppRestrictionList** | Write | StringArray[] | TBD | | +| **CustomBusinessJustificationNotification** | Write | UInt32 | TBD | | +| **DailyBandwidthLimitInMB** | Write | UInt32 | TBD | | +| **DLPAppGroups** | Write | MSFT_PolicyConfigDLPAppGroups[] | TBD | | +| **DLPNetworkShareGroups** | Write | MSFT_PolicyConfigDLPNetworkShareGroups[] | TBD | | +| **DLPPrinterGroups** | Write | MSFT_PolicyConfigDLPPrinterGroups[] | TBD | | +| **DLPRemovableMediaGroups** | Write | MSFT_PolicyConfigDLPRemovableMediaGroups[] | TBD | | +| **IncludePredefinedUnallowedBluetoothApps** | Write | Boolean | TBD | | +| **MacDefaultPathExclusionsEnabled** | Write | Boolean | TBD | | +| **MacPathExclusion** | Write | StringArray[] | TBD | | +| **NetworkPathEnforcementEnabled** | Write | Boolean | TBD | | +| **NetworkPathExclusion** | Write | String | TBD | | +| **PathExclusion** | Write | StringArray[] | TBD | | +| **serverDlpEnabled** | Write | Boolean | TBD | | +| **EvidenceStoreSettings** | Write | MSFT_PolicyConfigEvidenceStoreSettings | TBD | | +| **SiteGroups** | Write | MSFT_PolicyConfigDLPSiteGroups[] | TBD | | +| **UnallowedApp** | Write | MSFT_PolicyConfigApp[] | TBD | | +| **UnallowedCloudSyncApp** | Write | MSFT_PolicyConfigApp[] | TBD | | +| **UnallowedBluetoothApp** | Write | MSFT_PolicyConfigApp[] | TBD | | +| **UnallowedBrowser** | Write | MSFT_PolicyConfigApp[] | TBD | | +| **QuarantineParameters** | Write | 
MSFT_PolicyConfigQuarantineParameters | TBD | | +| **VPNSettings** | Write | StringArray[] | TBD | | +| **EnableLabelCoauth** | Write | Boolean | TBD | | +| **EnableSpoAipMigration** | Write | Boolean | TBD | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_PolicyConfigApp + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Value** | Write | String | Name of the application. | | +| **Executable** | Write | String | Name of the executable file. 
| | + +### MSFT_PolicyConfigStorageAccount + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Write | String | TBD | | +| **BlobUri** | Write | String | TBD | | + +### MSFT_PolicyConfigSiteGroupAddress + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **MatchType** | Write | String | TBD | | +| **Url** | Write | String | TBD | | +| **AddressLower** | Write | String | TBD | | +| **AddressUpper** | Write | String | TBD | | + +### MSFT_PolicyConfigDLPSiteGroups + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Write | String | TBD | | +| **Name** | Write | String | TBD | | +| **addresses** | Write | MSFT_PolicyConfigSiteGroupAddress[] | TBD | | + +### MSFT_PolicyConfigRemovableMedia + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **deviceId** | Write | String | TBD | | +| **removableMediaVID** | Write | String | TBD | | +| **name** | Write | String | TBD | | +| **alias** | Write | String | TBD | | +| **removableMediaPID** | Write | String | TBD | | +| **instancePathId** | Write | String | TBD | | +| **serialNumberId** | Write | String | TBD | | +| **hardwareId** | Write | String | TBD | | + +### MSFT_PolicyConfigDLPRemovableMediaGroups + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **groupName** | Write | String | TBD | | +| **removableMedia** | Write | MSFT_PolicyConfigRemovableMedia[] | TBD | | + +### MSFT_PolicyConfigIPRange + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **fromAddress** | Write | String | TBD | | +| **toAddress** | Write | String | TBD | | + +### MSFT_PolicyConfigPrinter + 
+#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **universalPrinter** | Write | Boolean | TBD | | +| **usbPrinter** | Write | Boolean | TBD | | +| **usbPrinterId** | Write | String | TBD | | +| **name** | Write | String | TBD | | +| **alias** | Write | String | TBD | | +| **usbPrinterVID** | Write | String | TBD | | +| **ipRange** | Write | MSFT_PolicyConfigIPRange | TBD | | +| **corporatePrinter** | Write | Boolean | TBD | | +| **printToLocal** | Write | Boolean | TBD | | +| **printToFile** | Write | Boolean | TBD | | + +### MSFT_PolicyConfigDLPNetworkShareGroups + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **groupName** | Write | String | TBD | | +| **groupId** | Write | String | TBD | | +| **networkPaths** | Write | StringArray[] | TBD | | + +### MSFT_PolicyConfigDLPApp + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **ExecutableName** | Write | String | TBD | | +| **Name** | Write | String | TBD | | +| **Quarantine** | Write | Boolean | TBD | | + +### MSFT_PolicyConfigDLPAppGroups + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Write | String | TBD | | +| **Name** | Write | String | TBD | | +| **Description** | Write | String | TBD | | +| **Apps** | Write | MSFT_PolicyConfigDLPApp[] | TBD | | + +### MSFT_PolicyConfigEvidenceStoreSettings + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **FileEvidenceIsEnabled** | Write | Boolean | TBD | | +| **NumberOfDaysToRetain** | Write | UInt32 | TBD | | +| **StorageAccounts** | Write | MSFT_PolicyConfigStorageAccount[] | TBD | | +| **Store** | Write | String | TBD | | + +### MSFT_PolicyConfigBusinessJustificationList + +#### 
Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Write | String | TBD | | +| **justificationText** | Write | String | TBD | | +| **Enable** | Write | Boolean | TBD | | + +### MSFT_PolicyConfigDLPPrinterGroups + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **groupName** | Write | String | TBD | | +| **groupId** | Write | String | TBD | | +| **printers** | Write | MSFT_PolicyConfigPrinter[] | TBD | | + +### MSFT_PolicyConfigQuarantineParameters + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **EnableQuarantineForCloudSyncApps** | Write | Boolean | TBD | | +| **QuarantinePath** | Write | String | TBD | | +| **MacQuarantinePath** | Write | String | TBD | | +| **ShouldReplaceFile** | Write | Boolean | TBD | | +| **FileReplacementText** | Write | String | TBD | | + + +## Description + +Configures the Data Loss Prevention settings in Purview. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SCPolicyConfig "SCPolicyConfig" + { + AdvancedClassificationEnabled = $True; + ApplicationId = $ApplicationId; + AuditFileActivity = $False; + BandwidthLimitEnabled = $False; + BusinessJustificationList = @( + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification1' + Enable = $True + justificationText = 'default:Were' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification2' + Enable = $True + justificationText = 'default:Not' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification3' + Enable = $True + justificationText = 'default:Going' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification4' + Enable = $True + justificationText = 'default:To' + } + MSFT_PolicyConfigBusinessJustificationList + { + Id = 'businessJustification5' + Enable = $True + justificationText = 'default:Take It' + } + ); + CertificateThumbprint = $CertificateThumbprint; + CloudAppMode = "Block"; + CloudAppRestrictionList = @("contoso.net","contoso.com"); + CustomBusinessJustificationNotification = 3; + DailyBandwidthLimitInMB = 0; + DLPAppGroups = @( + MSFT_PolicyConfigDLPAppGroups + { + Name = 'Maracas' + Id = '5c124091-bb75-4d20-9c09-b00d584c6270' + Description = 'Lacucaracha' + Apps = @( + MSFT_PolicyConfigDLPApp + { + ExecutableName = 'toc.exe' + Name = 'toctoctoc' + Quarantine = $False + } + ) + } + ); + DLPNetworkShareGroups = @( + MSFT_PolicyConfigDLPNetworkShareGroups + { + groupName = 'Network Share Group' + networkPaths = @('\\share2','\\share') + } + ); + DLPPrinterGroups = @( + MSFT_PolicyConfigDLPPrinterGroups + { + groupName = 'MyGroup' + groupId = '928f8844-80af-4740-b563-232b33b29f5d' + 
printers = @( + MSFT_PolicyConfigPrinter + { + universalPrinter = $False + usbPrinter = $True + usbPrinterId = '' + name = 'asdf' + alias = 'aasdf' + usbPrinterVID = '' + ipRange = MSFT_PolicyConfigIPRange + { + fromAddress = '' + toAddress = '' + } + corporatePrinter = $False + printToLocal = $False + printToFile = $False + } + ) + } + ); + DLPRemovableMediaGroups = @( + MSFT_PolicyConfigDLPRemovableMediaGroups + { + groupName = 'My Removable USB device group' + removablemedia = @( + MSFT_PolicyConfigRemovableMedia + { + deviceId = 'Nik' + removableMediaVID = 'bob' + name = 'MaCles' + alias = 'My Device' + removableMediaPID = 'asdfsd' + instancePathId = 'instance path' + serialNumberId = 'asdf' + hardwareId = 'hardware' + } + ) + } + ); + EnableLabelCoauth = $False; + EnableSpoAipMigration = $False; + EvidenceStoreSettings = MSFT_PolicyConfigEvidenceStoreSettings + { + FileEvidenceIsEnabled = $True + NumberOfDaysToRetain = 7 + StorageAccounts = @( + MSFT_PolicyConfigStorageAccount + { + Name = 'My storage' + BlobUri = 'https://contoso.com' + } + MSFT_PolicyConfigStorageAccount + { + Name = 'My 2nd storage' + BlobUri = 'https://coucou.com' + } + ) + Store = 'CustomerManaged' + }; + IncludePredefinedUnallowedBluetoothApps = $True; + IsSingleInstance = "Yes"; + MacDefaultPathExclusionsEnabled = $True; + MacPathExclusion = @("/pear","/apple","/orange"); + NetworkPathEnforcementEnabled = $True; + NetworkPathExclusion = "\\MyFirstPath:\\MySecondPath:\\MythirdPAth"; + PathExclusion = @("\\includemenot","\\excludemeWindows","\\excludeme3"); + QuarantineParameters = MSFT_PolicyConfigQuarantineParameters + { + EnableQuarantineForCloudSyncApps = $False + QuarantinePath = '%homedrive%%homepath%\Microsoft DLP\Quarantine' + MacQuarantinePath = '/System/Applications/Microsoft DLP/QuarantineMA' + ShouldReplaceFile = $True + FileReplacementText = 'Gargamel' + } + serverDlpEnabled = $True; + SiteGroups = @( + MSFT_PolicyConfigDLPSiteGroups + { + Id = 
'cfa0d856-4dc9-4497-b0aa-93584e919a83' + Name = 'Whatever' + Addresses = @( + MSFT_PolicyConfigSiteGroupAddress + { + MatchType = 'UrlMatch' + Url = 'Karakette.com' + AddressLower = '' + AddressUpper = '' + } + ) + } + ); + TenantId = $TenantId; + UnallowedApp = @( + MSFT_PolicyConfigApp + { + Value = 'Caramel' + Executable = 'cara.exe' + } + MSFT_PolicyConfigApp + { + Value = 'Fudge' + Executable = 'chocolate.exe' + } + ); + UnallowedBluetoothApp = @( + MSFT_PolicyConfigApp + { + Value = 'bluetooth' + Executable = 'micase.exe' + } + MSFT_PolicyConfigApp + { + Value = 'marmelade' + Executable = 'julia.exe' + } + ); + UnallowedBrowser = @( + MSFT_PolicyConfigApp + { + Value = 'UC Browser' + Executable = 'ucbrowser.exe' + } + MSFT_PolicyConfigApp + { + Value = 'CapitainOS' + Executable = 'captn.exe' + } + ); + UnallowedCloudSyncApp = @( + MSFT_PolicyConfigApp + { + Value = 'ikochou' + Executable = 'gillex.msi' + } + MSFT_PolicyConfigApp + { + Value = 'johny' + Executable = 'boo.msi' + } + ); + VPNSettings = @("MyVPNAddress","MySecondVPNAddress"); + } + } +} +``` + diff --git a/docs/docs/resources/security-compliance/SentinelAlertRule.md b/docs/docs/resources/security-compliance/SentinelAlertRule.md new file mode 100644 index 0000000000..89da026080 --- /dev/null +++ b/docs/docs/resources/security-compliance/SentinelAlertRule.md 
@@ -0,0 +1,361 @@ +# SentinelAlertRule + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | The display name of the indicator | | +| **SubscriptionId** | Write | String | The name of the resource group. The name is case insensitive. | | +| **ResourceGroupName** | Write | String | The name of the resource group. The name is case insensitive. | | +| **WorkspaceName** | Write | String | The name of the workspace. | | +| **Id** | Write | String | The unique id of the indicator. | | +| **Description** | Write | String | The name of the workspace. | | +| **ProductFilter** | Write | String | The alerts' productName on which the cases will be generated | | +| **Enabled** | Write | Boolean | Determines whether this alert rule is enabled or disabled. | | +| **Severity** | Write | String | The severity for alerts created by this alert rule. | | +| **Tactics** | Write | StringArray[] | The tactics of the alert rule | | +| **Techniques** | Write | StringArray[] | The techniques of the alert rule | | +| **SubTechniques** | Write | StringArray[] | The sub-techniques of the alert rule | | +| **Query** | Write | String | The query that creates alerts for this rule. | | +| **QueryFrequency** | Write | String | The frequency (in ISO 8601 duration format) for this alert rule to run. | | +| **QueryPeriod** | Write | String | The period (in ISO 8601 duration format) that this alert rule looks at. | | +| **TriggerOperator** | Write | String | The operation against the threshold that triggers alert rule. | | +| **TriggerThreshold** | Write | UInt32 | The threshold triggers this alert rule. | | +| **SuppressionDuration** | Write | String | The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. | | +| **SuppressionEnabled** | Write | String | Determines whether the suppression for this alert rule is enabled or disabled. 
| | +| **AlertRuleTemplateName** | Write | String | The Name of the alert rule template used to create this rule. | | +| **DisplayNamesExcludeFilter** | Write | StringArray[] | The alerts' displayNames on which the cases will not be generated. | | +| **DisplayNamesFilter** | Write | StringArray[] | The alerts' displayNames on which the cases will be generated. | | +| **SeveritiesFilter** | Write | StringArray[] | The alerts' severities on which the cases will be generated | | +| **EventGroupingSettings** | Write | MSFT_SentinelAlertRuleEventGroupingSettings | The event grouping settings. | | +| **CustomDetails** | Write | MSFT_SentinelAlertRuleCustomDetails[] | Dictionary of string key-value pairs of columns to be attached to the alert | | +| **EntityMappings** | Write | MSFT_SentinelAlertRuleEntityMapping[] | Array of the entity mappings of the alert rule | | +| **AlertDetailsOverride** | Write | MSFT_SentinelAlertRuleAlertDetailsOverride | The alert details override settings | | +| **IncidentConfiguration** | Write | MSFT_SentinelAlertRuleIncidentConfiguration | The settings of the incidents that created from alerts triggered by this analytics rule | | +| **Kind** | Write | String | The kind of the alert rule | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. 
| | + +### MSFT_SentinelAlertRuleEventGroupingSettings + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **aggregationKind** | Write | String | The event grouping aggregation kinds | | + +### MSFT_SentinelAlertRuleCustomDetails + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DetailKey** | Write | String | Key of the custom detail. | | +| **DetailValue** | Write | String | Associated value with the custom detail. | | + +### MSFT_SentinelAlertRuleEntityMapping + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **entityType** | Write | String | Type of entity. | | +| **fieldMappings** | Write | MSFT_SentinelAlertRuleEntityMappingFieldMapping[] | List of field mappings. | | + +### MSFT_SentinelAlertRuleEntityMappingFieldMapping + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **columnName** | Write | String | Name of the column | | +| **identifier** | Write | String | Identifier of the associated field. 
| | + +### MSFT_SentinelAlertRuleAlertDetailsOverride + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **alertDescriptionFormat** | Write | String | The format containing columns name(s) to override the alert description | | +| **alertDisplayNameFormat** | Write | String | The format containing columns name(s) to override the alert name | | +| **alertSeverityColumnName** | Write | String | The column name to take the alert severity from | | +| **alertTacticsColumnName** | Write | String | The column name to take the alert tactics from | | +| **alertDynamicProperties** | Write | MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty[] | List of additional dynamic properties to override | | + +### MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **alertProperty** | Write | String | Dynamic property key. | | +| **alertPropertyValue** | Write | String | Dynamic property value. 
| | + +### MSFT_SentinelAlertRuleIncidentConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **createIncident** | Write | Boolean | Create incidents from alerts triggered by this analytics rule | | +| **groupingConfiguration** | Write | MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration | Set how the alerts that are triggered by this analytics rule, are grouped into incidents | | + +### MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **enabled** | Write | Boolean | Grouping enabled | | +| **groupByAlertDetails** | Write | MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail[] | A list of alert details to group by (when matchingMethod is Selected) | | +| **groupByCustomDetails** | Write | StringArray[] | A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used. | | +| **groupByEntities** | Write | StringArray[] | A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used. | | +| **lookbackDuration** | Write | String | Limit the group to alerts created within the lookback duration (in ISO 8601 duration format) | | +| **matchingMethod** | Write | String | Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty. 
| | +| **reopenClosedIncident** | Write | Boolean | Re-open closed matching incidents | | + +### MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Write | String | Display name of the alert detail. | | +| **Severity** | Write | String | Severity level associated with the alert detail. | | + + +## Description + +Configures alert rules in Azure Sentinel. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + }; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CustomDetails = @( + MSFT_SentinelAlertRuleCustomDetails{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } + ); + Description = "Test"; + DisplayName = "MyNRTRule"; + Enabled = $True; + Ensure = "Present"; + EntityMappings = @( + MSFT_SentinelAlertRuleEntityMapping{ + fieldMappings = @( + MSFT_SentinelAlertRuleEntityMappingFieldMapping{ + identifier = 'AppId' + columnName = 'Id' + } + ) + entityType = 'CloudApplication' + } + ); + IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{ + groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + }; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "ResourceGroupName"; + Severity = "Medium"; + SubscriptionId = "xxxx"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{ + alertDescriptionFormat = 'This is an example of the alert content' + alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} ' + }; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + CustomDetails = @( + MSFT_SentinelAlertRuleCustomDetails{ + DetailKey = 'Color' + DetailValue = 'TenantId' + } + ); + Description = "Test"; + DisplayName = "MyNRTRule"; + Enabled = $True; + Ensure = "Present"; + EntityMappings = @( + MSFT_SentinelAlertRuleEntityMapping{ + fieldMappings = @( + MSFT_SentinelAlertRuleEntityMappingFieldMapping{ + identifier = 'AppId' + columnName = 'Id' + } + ) + entityType = 'CloudApplication' + } + ); + IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{ + groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{ + lookbackDuration = 'PT5H' + matchingMethod = 'Selected' + groupByCustomDetails = @('Color') + groupByEntities = @('CloudApplication') + reopenClosedIncident = $True + enabled = $True + } + createIncident = $True + }; + Query = "ThreatIntelIndicators"; + ResourceGroupName = "ResourceGroupName"; + Severity = "High"; #Drift + SubscriptionId = "xxxx"; + SuppressionDuration = "PT5H"; + Tactics = @(); + Techniques = @(); + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelAlertRule "SentinelAlertRule-MyNRTRule" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Description = "Test"; + DisplayName = "MyNRTRule"; + Ensure = "Absent"; + ResourceGroupName = "ResourceGroupName"; + Severity = "Medium"; + SubscriptionId = "xxxx"; + TenantId = $TenantId; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + diff --git a/docs/docs/resources/security-compliance/SentinelThreatIntelligenceIndicator.md b/docs/docs/resources/security-compliance/SentinelThreatIntelligenceIndicator.md new file mode 100644 index 0000000000..cfed84166e --- /dev/null +++ b/docs/docs/resources/security-compliance/SentinelThreatIntelligenceIndicator.md 
@@ -0,0 +1,202 @@ +# SentinelThreatIntelligenceIndicator + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | The display name of the indicator | | +| **SubscriptionId** | Write | String | The name of the resource group. The name is case insensitive. | | +| **ResourceGroupName** | Write | String | The name of the resource group. The name is case insensitive. | | +| **WorkspaceName** | Write | String | The name of the workspace. | | +| **Id** | Write | String | The unique id of the indicator. | | +| **Description** | Write | String | The name of the workspace. | | +| **PatternType** | Write | String | Pattern type of a threat intelligence entity | | +| **Pattern** | Write | String | Pattern of a threat intelligence entity | | +| **Revoked** | Write | String | Is threat intelligence entity revoked | | +| **ValidFrom** | Write | String | Valid from | | +| **ValidUntil** | Write | String | Valid until | | +| **Source** | Write | String | Source type. | | +| **Labels** | Write | StringArray[] | Labels of threat intelligence entity | | +| **ThreatIntelligenceTags** | Write | StringArray[] | List of tags | | +| **ThreatTypes** | Write | StringArray[] | Threat types | | +| **KillChainPhases** | Write | StringArray[] | Kill chain phases | | +| **Confidence** | Write | UInt32 | Confidence of threat intelligence entity | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. 
| | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures threat intelligence indicators in Azure Sentinel. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "MyIndicator"; + Ensure = "Present"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + TenantId = $TenantId; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new 
resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "MyIndicator"; + Ensure = "Present"; + Labels = @("Tag1", "Tag2", "Tag3"); #Drift + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + TenantId = $TenantId; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "MyIndicator"; + Ensure = "Absent"; + Labels = @("Tag1", "Tag2"); + Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']"; + PatternType = "ipv6-addr"; + ResourceGroupName = "MyResourceGroup"; + Source = "Microsoft Sentinel"; + SubscriptionId = "12345-12345-12345-12345-12345"; + TenantId = $TenantId; + ThreatIntelligenceTags = @(); + ValidFrom = "2024-10-21T19:03:57.24Z"; + ValidUntil = "2024-10-21T19:03:57.24Z"; + WorkspaceName = "SentinelWorkspace"; + } + } +} +``` + diff --git a/docs/docs/resources/sharepoint/SPOSharingSettings.md b/docs/docs/resources/sharepoint/SPOSharingSettings.md index 1869690d40..cb9424b3d9 100644 --- a/docs/docs/resources/sharepoint/SPOSharingSettings.md +++ b/docs/docs/resources/sharepoint/SPOSharingSettings.md 
@@ -25,7 +25,7 @@
 | **FolderAnonymousLinkType** | Write | String | Configures anonymous link types for folders | `View`, `Edit` |
 | **NotifyOwnersWhenItemsReshared** | Write | Boolean | When this parameter is set to $true and another user re-shares a document from a user’s OneDrive for Business, the OneDrive for Business owner is notified by e-mail. | |
 | **DefaultLinkPermission** | Write | String | Specifies the link permission on the tenant level. Valid values to set are View and Edit. A value of None will be set to Edit as its the default value. | `None`, `View`, `Edit` |
-| **RequireAcceptingAccountMatchInvitedAccount** | Write | Boolean | Ensures that an external user can only accept an external sharing invitation with an account matching the invited email address.Administrators who desire increased control over external collaborators should consider enabling this feature. False (default) - When a document is shared with an external user, bob@contoso.com, it can be accepted by any user with access to the invitation link in the original e-mail.True - User must accept this invitation with bob@contoso.com. | |
+| **RequireAcceptingAccountMatchInvitedAccount** | Write | Boolean | DEPRECATED | |
 | **Ensure** | Write | String | Only accepted value is 'Present'. | `Present`, `Absent` |
 | **Credential** | Write | PSCredential | Credentials of the account to authenticate with. | |
 | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
diff --git a/docs/docs/resources/sharepoint/SPOTenantSettings.md b/docs/docs/resources/sharepoint/SPOTenantSettings.md
index a9527057ce..4baad6486b 100644
--- a/docs/docs/resources/sharepoint/SPOTenantSettings.md
+++ b/docs/docs/resources/sharepoint/SPOTenantSettings.md
@@ -27,6 +27,11 @@
 | **SocialBarOnSitePagesDisabled** | Write | Boolean | Disables or enables the Social Bar. It will give users the ability to like a page, see the number of views, likes, and comments on a page, and see the people who have liked a page. | |
 | **CommentsOnSitePagesDisabled** | Write | Boolean | Set to false to enable a comment section on all site pages, users who have access to the pages can leave comments. Set to true to disable this feature. | |
 | **EnableAIPIntegration** | Write | Boolean | Boolean indicating if Azure Information Protection (AIP) should be enabled on the tenant. | |
+| **ExemptNativeUsersFromTenantLevelRestricedAccessControl** | Write | Boolean | Determines whether or not we need to include external participants in shared channels for SharePoint access restriction. | |
+| **AllowSelectSGsInODBListInTenant** | Write | StringArray[] | List of security groups to include in OneDrive access restrictions | |
+| **DenySelectSGsInODBListInTenant** | Write | StringArray[] | List of security groups to exclude in OneDrive access restrictions | |
+| **DenySelectSecurityGroupsInSPSitesList** | Write | StringArray[] | List of security groups to exclude in SharePoint access restrictions | |
+| **AllowSelectSecurityGroupsInSPSitesList** | Write | StringArray[] | List of security groups to include in SharePoint access restrictions. | |
 | **TenantDefaultTimezone** | Write | String | The default timezone of a tenant for newly created sites. | |
 | **Ensure** | Write | String | Only accepted value is 'Present'. | `Present`, `Absent` |
 | **Credential** | Write | PSCredential | Credentials of the account to authenticate with. | |
diff --git a/docs/docs/resources/teams/TeamsMeetingPolicy.md b/docs/docs/resources/teams/TeamsMeetingPolicy.md
index eb0d697b33..acefdca8e8 100644
--- a/docs/docs/resources/teams/TeamsMeetingPolicy.md
+++ b/docs/docs/resources/teams/TeamsMeetingPolicy.md
@@ -6,67 +6,79 @@ | --- | --- | --- | --- | --- | | **Identity** | Key | String | Identity of the Teams Meeting Policy. | | | **Description** | Write | String | Description of the Teams Meeting Policy. | | -| **AllowChannelMeetingScheduling** | Write | Boolean | Determines whether a user can schedule channel meetings. Set this to TRUE to allow a user to schedule channel meetings. Set this to FALSE to prohibit the user from scheduling channel meetings. Note this only restricts from scheduling and not from joining a meeting scheduled by another user. | | -| **AllowMeetNow** | Write | Boolean | Determines whether a user can start ad-hoc meetings. Set this to TRUE to allow a user to start ad-hoc meetings. Set this to FALSE to prohibit the user from starting ad-hoc meetings. | | -| **AllowPrivateMeetNow** | Write | Boolean | Determines whether a user can start private ad-hoc meetings. Set this to TRUE to allow a user to start private ad-hoc meetings. Set this to FALSE to prohibit the user from starting private ad-hoc meetings. | | -| **MeetingChatEnabledType** | Write | String | Determines whether or not Chat will be enabled, enabled except anonymous or disabled for meetings. | `Disabled`, `Enabled`, `EnabledExceptAnonymous` | -| **LiveCaptionsEnabledType** | Write | String | Determines whether a user should have the option to view live captions or not in a meeting. | `Disabled`, `DisabledUserOverride` | -| **AllowIPAudio** | Write | Boolean | Determines whether audio is enabled in a user's meetings or calls. Set this to TRUE to allow the user to share their audioo. Set this to FALSE to prohibit the user from sharing their audio. | | -| **AllowIPVideo** | Write | Boolean | Determines whether video is enabled in a user's meetings or calls. Set this to TRUE to allow the user to share their video. Set this to FALSE to prohibit the user from sharing their video. 
| | -| **AllowEngagementReport** | Write | String | Determines whether or not a meeting Organizer can track join and leave times for all users within their meetings as well as download a roster. | `Enabled`, `Disabled` | -| **IPAudioMode** | Write | String | Determines whether or not a user can use audio in a meeting that supports it. | `EnabledOutgoingIncoming`, `Disabled` | -| **IPVideoMode** | Write | String | Determines whether or not a user can use video in a meeting that supports it. Can only be enabled if IPAudioMode is enabled | `EnabledOutgoingIncoming`, `Disabled` | +| **AllowAnnotations** | Write | Boolean | Determines whether a user can use the Annotation feature | | | **AllowAnonymousUsersToDialOut** | Write | Boolean | CURRENTLY DISABLED: Determines whether anonymous users can use the Call Me At feature for meeting audio. | | -| **AllowAnonymousUsersToStartMeeting** | Write | Boolean | Determines whether anonymous users can initiate a meeting. Set this to TRUE to allow anonymous users to initiate a meeting. Set this to FALSE to prohibit them from initiating a meeting. | | -| **AllowPrivateMeetingScheduling** | Write | Boolean | Determines whether a user can schedule private meetings. Set this to TRUE to allow a user to schedule private meetings. Set this to FALSE to prohibit the user from scheduling private meetings. Note this only restricts from scheduling and not from joining a meeting scheduled by another user. | | -| **AutoAdmittedUsers** | Write | String | Determines what types of participants will automatically be added to meetings organized by this user. Set this to EveryoneInCompany if you would like meetings to place every external user in the lobby but allow all users in the company to join the meeting immediately. Set this to Everyone if you'd like to admit anonymous users by default. 
Set this to EveryoneInSameAndFederatedCompany if you would like meetings to allow federated users to join like your company's users, but place all other external users in a lobby. Set this to InvitedUsers if you would like meetings to allow only the invited users. | `EveryoneInCompany`, `Everyone`, `EveryoneInSameAndFederatedCompany`, `OrganizerOnly`, `InvitedUsers`, `EveryoneInCompanyExcludingGuests` | -| **AllowPSTNUsersToBypassLobby** | Write | Boolean | Determines whether PSTN users should be automatically admitted to the meetings. Set this to TRUE to allow the PSTN user to be able bypass the meetinglobby. Set this to FALSE to prohibit the PSTN user from bypassing the meetinglobby. | | -| **AllowCloudRecording** | Write | Boolean | Determines whether cloud recording is allowed in a user's meetings. Set this to TRUE to allow the user to be able to record meetings. Set this to FALSE to prohibit the user from recording meetings. | | -| **AllowRecordingStorageOutsideRegion** | Write | Boolean | Determines whether cloud recording can be stored out of region for go-local tenants where recording is not yet enabled. | | -| **DesignatedPresenterRoleMode** | Write | String | Determines if users can change the default value of the Who can present? setting in Meeting options in the Teams client. This policy setting affects all meetings, including Meet Now meetings. | `OrganizerOnlyUserOverride`, `EveryoneInCompanyUserOverride`, `EveryoneUserOverride` | -| **AllowOutlookAddIn** | Write | Boolean | Determines whether a user can schedule Teams Meetings in Outlook desktop client. Set this to TRUE to allow the user to be able to schedule Teams meetings in Outlook client. Set this to FALSE to prohibit a user from scheduling Teams meeting in Outlook client. | | -| **AllowPowerPointSharing** | Write | Boolean | Determines whether Powerpoint sharing is allowed in a user's meetings. Set this to TRUE to allow. Set this to FALSE to prohibit. 
| | -| **AllowParticipantGiveRequestControl** | Write | Boolean | Determines whether participants can request or give control of screen sharing during meetings scheduled by this user. Set this to TRUE to allow the user to be able to give or request control. Set this to FALSE to prohibit the user from giving, requesting control in a meeting. | | -| **AllowExternalParticipantGiveRequestControl** | Write | Boolean | Determines whether external participants can request or give control of screen sharing during meetings scheduled by this user. Set this to TRUE to allow the user to be able to give or request control. Set this to FALSE to prohibit an external user from giving or requesting control in a meeting. | | -| **AllowSharedNotes** | Write | Boolean | Determines whether users are allowed to take shared notes. Set this to TRUE to allow. Set this to FALSE to prohibit. | | -| **AllowWhiteboard** | Write | Boolean | Determines whether whiteboard is allowed in a user's meetings. Set this to TRUE to allow. Set this to FALSE to prohibit. | | -| **AllowTranscription** | Write | Boolean | Determines whether real-time and/or post-meeting captions and transcriptions are allowed in a user's meetings. Set this to TRUE to allow. Set this to FALSE to prohibit. | | -| **MediaBitRateKb** | Write | UInt32 | Determines the media bit rate for audio/video/app sharing transmissions in meetings. | | -| **ScreenSharingMode** | Write | String | Determines the mode in which a user can share a screen in calls or meetings. Set this to SingleApplication to allow the user to share an application at a given point in time. Set this to EntireScreen to allow the user to share anything on their screens. Set this to Disabled to prohibit the user from sharing their screens. | `SingleApplication`, `EntireScreen`, `Disabled` | -| **VideoFiltersMode** | Write | String | Determines which background filters are available to meeting attendees. 
| `NoFilters`, `BlurOnly`, `BlurAndDefaultBackgrounds`, `AllFilters` | -| **AllowOrganizersToOverrideLobbySettings** | Write | Boolean | Determines whether organizers can override lobby settings for both VOIP and PSTN. Set this to TRUE to allow. Set this to FALSE to prohibit. | | -| **PreferredMeetingProviderForIslandsMode** | Write | String | Determines which Outlook Add-in the user will get as preferred Meeting provider(TeamsAndSfb or Teams). | `TeamsAndSfb`, `Teams` | -| **AllowNDIStreaming** | Write | Boolean | Determines whether a user is able to use NDI (Network Device Interface) in meetings - both for output and input streams. | | -| **AllowUserToJoinExternalMeeting** | Write | String | Determines what types of external meetings users can join. Enabled is able join all external meetings. | `Enabled`, `FederatedOnly`, `Disabled` | -| **EnrollUserOverride** | Write | String | Determines whether or not users will be able to enroll/capture their Biometric data: Face & Voice. | `Disabled`, `Enabled` | -| **RoomAttributeUserOverride** | Write | String | Determines whether or not biometric data will be used to distinguish and or attribute in the transcript. | `Off`, `Distinguish`, `Attribute` | -| **StreamingAttendeeMode** | Write | String | Determines whether or not meetings created by users with this policy are able to utilize the meeting overflow capability. | `Disabled`, `Enabled` | +| **AllowAnonymousUsersToJoinMeeting** | Write | Boolean | Determines whether anonymous users can join the meetings that impacted users organize. | | +| **AllowAnonymousUsersToStartMeeting** | Write | Boolean | Determines whether anonymous users can initiate a meeting. | | | **AllowBreakoutRooms** | Write | Boolean | Determines whether or not meetings created by users with this policy are able to utilize the Breakout Rooms feature. 
| | -| **TeamsCameraFarEndPTZMode** | Write | String | Determines whether or not meetings created by users with this policy are able to utilize the Camera Far-End PTZ Mode. | `Disabled`, `AutoAcceptInTenant`, `AutoAcceptAll` | +| **AllowCartCaptionsScheduling** | Write | String | Determines whether a user can add a URL for captions from a Communications Access Real-Time Translation (CART) captioner for providing real-time captions in meetings. | `EnabledUserOverride`, `DisabledUserOverride`, `Disabled` | +| **AllowChannelMeetingScheduling** | Write | Boolean | Determines whether a user can schedule channel meetings. Note this only restricts from scheduling and not from joining a meeting scheduled by another user. | | +| **AllowCloudRecording** | Write | Boolean | Determines whether cloud recording is allowed in a user's meetings. | | +| **AllowDocumentCollaboration** | Write | String | This setting will allow admins to choose which users will be able to use the Document Collaboration feature. | `Enabled`, `Disabled` | +| **AllowedStreamingMediaInput** | Write | String | Enables the use of RTMP-In in Teams meetings. | | +| **AllowEngagementReport** | Write | String | Determines whether or not a meeting Organizer can track join and leave times for all users within their meetings as well as download a roster. | `Enabled`, `Disabled`, `ForceEnabled` | +| **AllowExternalNonTrustedMeetingChat** | Write | Boolean | This field controls whether a user is allowed to chat in external meetings with users from non trusted organizations. | | +| **AllowExternalParticipantGiveRequestControl** | Write | Boolean | Determines whether external participants can request or give control of screen sharing during meetings scheduled by this user. | | +| **AllowIPAudio** | Write | Boolean | Determines whether audio is enabled in a user's meetings or calls. | | +| **AllowIPVideo** | Write | Boolean | Determines whether video is enabled in a user's meetings or calls. 
| | +| **AllowMeetingCoach** | Write | Boolean | This setting will allow admins to allow users the option of turning on Meeting Coach during meetings, which provides users with private personalized feedback on their communication and inclusivity. | | | **AllowMeetingReactions** | Write | Boolean | Determines whether or not meetings created by users with this policy are able to utilize the Meeting Reactions feature. | | -| **WhoCanRegister** | Write | String | Specifies who can attend and register for webinars. | `Everyone`, `EveryoneInCompany` | -| **AllowAnnotations** | Write | Boolean | N/A | | -| **AllowAnonymousUsersToJoinMeeting** | Write | Boolean | Determines whether anonymous users can join the meetings that impacted users organize. Set this to TRUE to allow anonymous users to join a meeting. Set this to FALSE to prohibit them from joining a meeting. | | -| **AllowMeetingCoach** | Write | Boolean | N/A | | | **AllowMeetingRegistration** | Write | Boolean | Controls if a user can create a webinar meeting. The default value is True. | | +| **AllowMeetNow** | Write | Boolean | Determines whether a user can start ad-hoc meetings. | | +| **AllowNDIStreaming** | Write | Boolean | Determines whether a user is able to use NDI (Network Device Interface) in meetings - both for output and input streams. | | | **AllowNetworkConfigurationSettingsLookup** | Write | Boolean | Determines whether network configuration setting lookups can be made by users who are not Enterprise Voice enabled. It is used to enable Network Roaming policies. | | -| **AllowWatermarkForCameraVideo** | Write | Boolean | N/A | | -| **AllowWatermarkForScreenSharing** | Write | Boolean | N/A | | -| **NewMeetingRecordingExpirationDays** | Write | SInt32 | Specifies the number of days before meeting recordings will expire and move to the recycle bin. Value can be from 1 to 99,999 days. NOTE: You may opt to set Meeting Recordings to never expire by entering the value -1. 
| | -| **AllowCartCaptionsScheduling** | Write | String | Determines whether a user can add a URL for captions from a Communications Access Real-Time Translation (CART) captioner for providing real-time captions in meetings. | `EnabledUserOverride`, `DisabledUserOverride`, `Disabled` | -| **AllowDocumentCollaboration** | Write | String | N/A | | -| **AllowedStreamingMediaInput** | Write | String | N/A | | +| **AllowOrganizersToOverrideLobbySettings** | Write | Boolean | Determines whether organizers can override lobby settings for both VOIP and PSTN. | | +| **AllowOutlookAddIn** | Write | Boolean | Determines whether a user can schedule Teams Meetings in Outlook desktop client. | | +| **AllowParticipantGiveRequestControl** | Write | Boolean | Determines whether participants can request or give control of screen sharing during meetings scheduled by this user. | | +| **AllowPowerPointSharing** | Write | Boolean | Determines whether Powerpoint sharing is allowed in a user's meetings. | | +| **AllowPrivateMeetingScheduling** | Write | Boolean | Determines whether a user can schedule private meetings. Note this only restricts from scheduling and not from joining a meeting scheduled by another user. | | +| **AllowPrivateMeetNow** | Write | Boolean | Determines whether a user can start private ad-hoc meetings. | | +| **AllowPSTNUsersToBypassLobby** | Write | Boolean | Determines whether PSTN users should be automatically admitted to the meetings. | | +| **AllowRecordingStorageOutsideRegion** | Write | Boolean | Determines whether cloud recording can be stored out of region for go-local tenants where recording is not yet enabled. | | +| **AllowSharedNotes** | Write | Boolean | Determines whether users are allowed to take shared notes. | | +| **AllowTranscription** | Write | Boolean | Determines whether real-time and/or post-meeting captions and transcriptions are allowed in a user's meetings. 
| | +| **AllowUserToJoinExternalMeeting** | Write | String | Determines what types of external meetings users can join. Enabled is able join all external meetings. | `Enabled`, `FederatedOnly`, `Disabled` | +| **AllowWatermarkForCameraVideo** | Write | Boolean | This setting allows scheduling meetings with watermarking for video enabled. | | +| **AllowWatermarkForScreenSharing** | Write | Boolean | This setting allows scheduling meetings with watermarking for screen sharing enabled. | | +| **AllowWhiteboard** | Write | Boolean | Determines whether whiteboard is allowed in a user's meetings. | | +| **AttendeeIdentityMasking** | Write | String | This setting will allow admins to enable or disable Masked Attendee mode in Meetings. Masked Attendee meetings will hide attendees' identifying information (e.g., name, contact information, profile photo). | `Enabled`, `Disabled`, `DisabledUserOverride` | +| **AutoAdmittedUsers** | Write | String | Determines what types of participants will automatically be added to meetings organized by this user. Set this to EveryoneInCompany if you would like meetings to place every external user in the lobby but allow all users in the company to join the meeting immediately. Set this to Everyone if you'd like to admit anonymous users by default. Set this to EveryoneInSameAndFederatedCompany if you would like meetings to allow federated users to join like your company's users, but place all other external users in a lobby. Set this to InvitedUsers if you would like meetings to allow only the invited users. | `EveryoneInCompany`, `Everyone`, `EveryoneInSameAndFederatedCompany`, `OrganizerOnly`, `InvitedUsers`, `EveryoneInCompanyExcludingGuests` | +| **AutomaticallyStartCopilot** | Write | String | This setting gives admins the ability to auto-start Copilot. | `Enabled`, `Disabled` | +| **AutoRecording** | Write | String | This setting will enable Tenant Admins to turn on/off auto recording feature. 
| `Enabled`, `Disabled` | | **BlockedAnonymousJoinClientTypes** | Write | String | A user can join a Teams meeting anonymously using a Teams client or using a custom application built using Azure Communication Services. When anonymous meeting join is enabled, both types of clients may be used by default. This optional parameter can be used to block one of the client types that can be used. The allowed values are ACS (to block the use of Azure Communication Services clients) or Teams (to block the use of Teams clients). Both can also be specified, separated by a comma, but this is equivalent to disabling anonymous join completely. | | -| **ChannelRecordingDownload** | Write | String | Determines how channel meeting recordings are saved, permissioned, and who can download them. | | -| **ExplicitRecordingConsent** | Write | String | N/A | | -| **ForceStreamingAttendeeMode** | Write | String | N/A | | -| **InfoShownInReportMode** | Write | String | N/A | | +| **ChannelRecordingDownload** | Write | String | Determines how channel meeting recordings are saved, permissioned, and who can download them. | `Allow`, `Block` | +| **ConnectToMeetingControls** | Write | String | Allows external connections of thirdparty apps to Microsoft Teams. | `Enabled`, `Disabled` | +| **ContentSharingInExternalMeetings** | Write | String | This policy allows admins to determine whether the user can share content in meetings organized by external organizations. The user should have a Teams Premium license to be protected under this policy. | `EnabledForAnyone`, `EnabledForTrustedOrgs`, `Disabled` | +| **Copilot** | Write | String | This setting allows the admin to choose whether Copilot will be enabled with a persisted transcript or a non-persisted transcript. 
| `Enabled`, `EnabledWithTranscript` | +| **CopyRestriction** | Write | Boolean | This parameter enables a setting that controls a meeting option which allows users to disable right-click or Ctrl+C to copy, Copy link, Forward message, and Share to Outlook for meeting chat messages. | | +| **DesignatedPresenterRoleMode** | Write | String | Determines if users can change the default value of the Who can present? setting in Meeting options in the Teams client. This policy setting affects all meetings, including Meet Now meetings. | `OrganizerOnlyUserOverride`, `EveryoneInCompanyUserOverride`, `EveryoneUserOverride` | +| **DetectSensitiveContentDuringScreenSharing** | Write | Boolean | Allows the admin to enable sensitive content detection during screen share. | | +| **EnrollUserOverride** | Write | String | Determines whether or not users will be able to enroll/capture their Biometric data: Face & Voice. | `Disabled`, `Enabled` | +| **ExplicitRecordingConsent** | Write | String | This setting will enable Tenant Admins to turn on/off Explicit Recording Consent feature. | `Disabled`, `Enabled` | +| **ExternalMeetingJoin** | Write | String | Determines whether the user is allowed to join external meetings. | `EnabledForAnyone`, `EnabledForTrustedOrgs`, `Disabled` | +| **InfoShownInReportMode** | Write | String | This policy controls what kind of information get shown for the user's attendance in attendance report/dashboard. | | +| **IPAudioMode** | Write | String | Determines whether audio can be turned on in meetings and group calls. | `EnabledOutgoingIncoming`, `Disabled` | +| **IPVideoMode** | Write | String | Determines whether video can be turned on in meetings and group calls. Can only be enabled if IPAudioMode is enabled | `EnabledOutgoingIncoming`, `Disabled` | +| **LiveCaptionsEnabledType** | Write | String | Determines whether a user should have the option to view live captions or not in a meeting. 
| `Disabled`, `DisabledUserOverride` | | **LiveInterpretationEnabledType** | Write | String | Determines how meeting organizers can configure a meeting for language interpretation, select attendees of the meeting to become interpreters that other attendees can select and listen to the real-time translation they provide. | | | **LiveStreamingMode** | Write | String | Determines whether you provide support for your users to stream their Teams meetings to large audiences through Real-Time Messaging Protocol (RTMP). | `Disabled`, `Enabled` | +| **MediaBitRateKb** | Write | UInt32 | Determines the media bit rate for audio/video/app sharing transmissions in meetings. | | +| **MeetingChatEnabledType** | Write | String | Determines whether or not Chat will be enabled, enabled except anonymous or disabled for meetings. | `Disabled`, `Enabled`, `EnabledExceptAnonymous` | | **MeetingInviteLanguages** | Write | String | Controls how the join information in meeting invitations is displayed by enforcing a common language or enabling up to two languages to be displayed. Note: All Teams supported languages can be specified using language codes. | | -| **QnAEngagementMode** | Write | String | N/A | | -| **RoomPeopleNameUserOverride** | Write | String | N/A | | -| **SpeakerAttributionMode** | Write | String | Possible values: EnabledUserOverride or Disabled. | `Disabled`, `EnabledUserOverride` | +| **NewMeetingRecordingExpirationDays** | Write | SInt32 | Specifies the number of days before meeting recordings will expire and move to the recycle bin. Value can be from 1 to 99,999 days. NOTE: You may opt to set Meeting Recordings to never expire by entering the value -1. | | +| **ParticipantNameChange** | Write | String | This setting will enable Tenant Admins to turn on/off participant renaming feature. 
| `Disabled`, `Enabled` | +| **PreferredMeetingProviderForIslandsMode** | Write | String | Determines which Outlook Add-in the user will get as preferred Meeting provider(TeamsAndSfb or Teams). | `TeamsAndSfb`, `Teams` | +| **QnAEngagementMode** | Write | String | This setting enables Microsoft 365 Tenant Admins to Enable or Disable the Questions and Answers experience (Q+A). | `Disabled`, `Enabled` | +| **RoomAttributeUserOverride** | Write | String | Determines whether or not biometric data will be used to distinguish and or attribute in the transcript. | `Off`, `Distinguish`, `Attribute` | +| **RoomPeopleNameUserOverride** | Write | String | Determines if people recognition option is enabled for Teams Rooms. Enabling requires the RoomAttributeUserOverride to be Attribute for allowing individual voice and face profiles to be used for recognition in meetings. | `Off`, `On` | +| **ScreenSharingMode** | Write | String | Determines the mode in which a user can share a screen in calls or meetings. | `SingleApplication`, `EntireScreen`, `Disabled` | +| **SpeakerAttributionMode** | Write | String | Determines if users are identified in transcriptions and if they can change the value of the Automatically identify me in meeting captions and transcripts setting. | `Disabled`, `DisabledUserOverride`, `EnabledUserOverride`, `Enabled` | +| **StreamingAttendeeMode** | Write | String | Controls if Teams uses overflow capability once a meeting reaches its capacity (1,000 users with full functionality). | `Disabled`, `Enabled` | +| **TeamsCameraFarEndPTZMode** | Write | String | Determines whether or not meetings created by users with this policy are able to utilize the Camera Far-End PTZ Mode. | `Disabled`, `AutoAcceptInTenant`, `AutoAcceptAll` | +| **VideoFiltersMode** | Write | String | Determines the background effects that a user can configure in the Teams client. 
| `NoFilters`, `BlurOnly`, `BlurAndDefaultBackgrounds`, `AllFilters` | +| **VoiceIsolation** | Write | String | Determines whether you provide support for your users to enable voice isolation in Teams meeting calls. | `Disabled`, `Enabled` | +| **WhoCanRegister** | Write | String | Specifies who can attend and register for webinars. | `Everyone`, `EveryoneInCompany` | +| **ForceStreamingAttendeeMode** | Write | String | DEPRECATED | | | **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | | **Credential** | Write | PSCredential | Credentials of the Teams Global Admin. | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | diff --git a/docs/docs/user-guide/get-started/authentication-and-permissions.md b/docs/docs/user-guide/get-started/authentication-and-permissions.md index 4ac4f19396..8c7e4c5262 100644 --- a/docs/docs/user-guide/get-started/authentication-and-permissions.md +++ b/docs/docs/user-guide/get-started/authentication-and-permissions.md 
@@ -103,10 +103,10 @@ In order to be able to interact with these components, you need to grant your ap Doing so will return an object with two properties. The **ReadPermissions** property contains a list of the minimal permissions that need to be granted for the app to be able to read information about the selected components. These are the permissions you want to grant if you are taking a snapshot of the configuration of an existing tenant. The second property, **UpdatePermissions**, contains the minimal permissions required to interact with and configure the selected components. You will need to grant your application these permissions if you are trying to apply a configuration onto a tenant. -By default, this cmdlet outputs the permissions required for Delegated permissions. To output the Application permissions, use the PermissionsType parameter +By default, this cmdlet outputs the permissions required for Delegated permissions. To output the Application permissions, use the PermissionType and AccessType parameters ```PowerShell -Get-M365DSCCompiledPermissionList -ResourceNameList @('AADUser', 'AADApplication') -PermissionsType 'Application' +Get-M365DSCCompiledPermissionList -ResourceNameList @('AADUser', 'AADApplication') -PermissionType 'Application' -AccessType 'Read' ``` If you are trying to interact with all available components in Microsoft365DSC, you can get a complete picture of all permissions required across all resources by running the following line of PowerShell. diff --git a/docs/docs/user-guide/get-started/cloning-tenants.md b/docs/docs/user-guide/get-started/cloning-tenants.md index 5884cd7e38..e1a02fa04b 100644 --- a/docs/docs/user-guide/get-started/cloning-tenants.md +++ b/docs/docs/user-guide/get-started/cloning-tenants.md 
@@ -29,7 +29,15 @@ $SourceCredential = Get-Credential Update-M365DSCAllowedGraphScopes -ResourceNameList @("AADGroupsNamingPolicy") -Type Read Export-M365DSCConfiguration -Components @("AADGroupsNamingPolicy") -Credential $SourceCredential -Path C:\Dsc +``` + +Now browse to the specified export folder and open the generated ConfigurationData.psd1 file. Update all tenant specific information in this file with the correct information for the target tenant. For example, a UPN suffix (tenantname.onmicrosoft.com) or the SharePoint URL (tenantname.sharepoint.com). + +Then open the M365TenantConfig.ps1 file and replace all instances of tenant specific information in this file. +> **NOTE:** Our goal is to save all tenant specific information to just the ConfigurationData.psd1 file during export. Unfortunately, at the moment there are a couple of instances where this isn't implemented consistently and tenant specific information is also written in the M365TenantConfig.ps1 file. + +```PowerShell $TargetCredential = Get-Credential Update-M365DSCAllowedGraphScopes -ResourceNameList @("AADGroupsNamingPolicy") -Type Update