From 6d3433683a7bfcf68d652ccb76f7ad00d6fe69d6 Mon Sep 17 00:00:00 2001
From: Nik Charlebois
Date: Thu, 31 Oct 2024 08:04:54 -0400
Subject: [PATCH] AADConditionalAccess Policy - Added Support for InsiderRiskLevels

---
 CHANGELOG.md | 7 ++++---
 .../MSFT_AADConditionalAccessPolicy.psm1 | 18 ++++++++++++++++++
 .../MSFT_AADConditionalAccessPolicy.schema.mof | 1 +
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 688d281c94..388e5c92e3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@
 * Initial release.
 * AADConditionalAccessPolicy
 * FIXES [#5282](https://github.com/microsoft/Microsoft365DSC/issues/5282)
+ * Added support for InsiderRiskLevels.
 * AADCustomSecurityAttributeDefinition
 * Fixed missing permissions in settings.json
 * AADEnrichedAuditLogs
@@ -130,12 +131,12 @@ properly with their respective parent setting. * MISC * Fixed references to graph.microsoft.com with dynamic domain name based on target cloud. - Impacted AADAdminConsentRequestPolicy, AADApplication, AADConditionalAccessPolicy, AADGroup, - AADNamedLocationPolicy, AADServiePrincipal, IntuneASRRulesPolicyWindows10, + Impacted AADAdminConsentRequestPolicy, AADApplication, AADConditionalAccessPolicy, AADGroup, + AADNamedLocationPolicy, AADServiePrincipal, IntuneASRRulesPolicyWindows10, IntuneAccountProtectionLocalUsersGroupMembershipPolicy, IntuneAccountProtectionPolicy, IntuneAppProtectionPolicyiOS,IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10, IntuneDeviceConfigurationSCEPCertificatePolicyWindows10, IntuneDeviceConfigurationWiredNetworkPolicyWindows10, - IntuneDeviceEnrollmentStatusPageWindows10, IntuneDiskEncryptionMacOS, IntunePolicySets, + IntuneDeviceEnrollmentStatusPageWindows10, IntuneDiskEncryptionMacOS, IntunePolicySets, IntuneSettingCatalogCustomPolicyWindows10, M365DSCRGUtil * Exponential performance improvements by reducing complexity and roundtrips. * DEPENDENCIES
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1
index e8548b7a4e..158f822294 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1
@@ -219,6 +219,10 @@ function Get-TargetResource
 [System.String]
 $TransferMethods,
 
+ [Parameter()]
+ [System.String]
+ $InsiderRiskLevels,
+
 #generic
 [Parameter()]
 [ValidateSet('Present', 'Absent')]
@@ -709,6 +713,7 @@ function Get-TargetResource
 TransferMethods = [System.String]$Policy.Conditions.AuthenticationFlows.TransferMethods
 #Standard part
 TermsOfUse = $termOfUseName
+ InsiderRiskLevels = $Policy.Conditions.InsiderRiskLevels
 Ensure = 'Present'
 Credential = $Credential
 ApplicationSecret = $ApplicationSecret
@@ -943,6 +948,10 @@ function Set-TargetResource
 [System.String]
 $TransferMethods,
 
+ [Parameter()]
+ [System.String]
+ $InsiderRiskLevels,
+
 #generic
 [Parameter()]
 [ValidateSet('Present', 'Absent')]
@@ -1577,6 +1586,11 @@ function Set-TargetResource
 }
 }
 
+ if ($null -ne $InsiderRiskLevels)
+ {
+ $conditions.Add("insiderRiskLevels", $InsiderRiskLevels)
+ }
+
 Write-Verbose -Message 'Set-Targetresource: process risk levels and app types'
 Write-Verbose -Message "Set-Targetresource: UserRiskLevels: $UserRiskLevels"
 If ($currentParameters.ContainsKey('UserRiskLevels'))
@@ -2044,6 +2058,10 @@ function Test-TargetResource
 [System.String]
 $TransferMethods,
 
+ [Parameter()]
+ [System.String]
+ $InsiderRiskLevels,
+
 #generic
 [Parameter()]
 [ValidateSet('Present', 'Absent')]
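Review bot: The new `$InsiderRiskLevels` parameter in the Get-TargetResource param block (hunk @@ -219) is a free-form `[System.String]` with no `[ValidateSet]`, while the neighbouring `$Ensure` parameter in the same hunk constrains its values; a mistyped level name in a Conditional Access condition is then caught only by the Graph call at apply time, or not at all if the service tolerates it. Consider constraining it with a `[ValidateSet(...)]` listing the level names the Graph `insiderRiskLevels` condition accepts, or at minimum documenting them in the parameter help, and keep the set identical across the three declarations. The same applies to the identical parameter additions in the Set-TargetResource (@@ -943) and Test-TargetResource (@@ -2044) hunks. Each param block starts and ends outside its hunk.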
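Review bot: `InsiderRiskLevels = $Policy.Conditions.InsiderRiskLevels` (hunk @@ -709) is assigned without the `[System.String]` cast that the sibling `TransferMethods` line in the same hunk applies to its Graph value; if the SDK returns the condition as anything other than a plain string (an enum or a collection), the returned hashtable would not match the `[System.String]` type the parameter and the schema declare, and the Test-TargetResource comparison could report spurious drift. If that is possible, `InsiderRiskLevels = [System.String]$Policy.Conditions.InsiderRiskLevels` keeps the line consistent with its neighbour. The enclosing hashtable and the Get-TargetResource body continue outside the hunk.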
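Review bot: `if ($null -ne $InsiderRiskLevels)` (hunk @@ -1577) does not guard what it intends to, because a `[System.String]` parameter that the caller omits is bound as an empty string rather than `$null` in PowerShell; the branch therefore runs on every Set-TargetResource call and sends `insiderRiskLevels = ''` to Graph even for configurations that never mention the property, which may either fail the request or clear an existing insider-risk condition on the policy. The code right below already uses `$currentParameters.ContainsKey('UserRiskLevels')` for the neighbouring condition; the same pattern, `if ($currentParameters.ContainsKey('InsiderRiskLevels') -and -not [System.String]::IsNullOrEmpty($InsiderRiskLevels))`, would limit the call to cases where a value was actually supplied. `$conditions.Add(...)` also throws if the key is already present, so if `$conditions` can receive that key elsewhere an indexer assignment is the safer form. The Set-TargetResource body continues outside the hunk.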
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof
index 6898850da0..14e50047dc 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof
@@ -50,6 +50,7 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
 [Write, Description("Name of the associated authentication strength policy.")] String AuthenticationStrength;
 [Write, Description("Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'.")] String TransferMethods;
 [Write, Description("Authentication context class references.")] String AuthenticationContexts[];
+ [Write, Description("Insider risk levels conditions.")] String InsiderRiskLevels;
 [Write, Description("Specify if the Azure AD CA Policy should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
 [Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential;
 [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
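Review bot: The description `"Insider risk levels conditions."` on the new InsiderRiskLevels property says nothing about the expected format, whereas the TransferMethods line two rows above enumerates its possible values, and the schema description is the only documentation users of this resource see. Consider expanding it to something like `"Insider risk level condition of the policy. Possible values are the level names accepted by the Graph insiderRiskLevels condition."` and, if several levels can be combined the way TransferMethods combines its values, state the separator explicitly so the string the user writes matches what Set-TargetResource sends to Graph. Keep the listed values identical to whatever validation the psm1 parameter ends up with.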