Merge pull request #3868 from NikCharlebois/AADExternalIdentityPolicy
AADExternalIdentityPolicy Initial Release
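--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADExternalIdentityPolicy/MSFT_AADExternalIdentityPolicy.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADExternalIdentityPolicy/MSFT_AADExternalIdentityPolicy.psm1
@@ -0,0 +1,355 @@
+function Get-TargetResource
+{
+[CmdletBinding()]
+[OutputType([System.Collections.Hashtable])]
+param
+(
+[Parameter(Mandatory = $true)]
+[System.String]
+[ValidateSet('Yes')]
+$IsSingleInstance,
+
+[Parameter()]
+[System.Boolean]
+$AllowDeletedIdentitiesDataRemoval,
+
+[Parameter(Mandatory = $true)]
+[System.Boolean]
+$AllowExternalIdentitiesToLeave,
+
+[Parameter()]
+[System.Management.Automation.PSCredential]
+$Credential,
+
+[Parameter()]
+[System.String]
+$ApplicationId,
+
+[Parameter()]
+[System.String]
+$TenantId,
+
+[Parameter()]
+[System.Management.Automation.PSCredential]
+$ApplicationSecret,
+
+[Parameter()]
+[System.String]
+$CertificateThumbprint,
+
+[Parameter()]
+[Switch]
+$ManagedIdentity
+)
+
+Write-Verbose -Message 'Getting configuration of External Identity Policy'
+$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
+-InboundParameters $PSBoundParameters
+
+#Ensure the proper dependencies are installed in the current environment.
+Confirm-M365DSCDependencies
+
+#region Telemetry
+$ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', ''
+$CommandName = $MyInvocation.MyCommand
+$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+-CommandName $CommandName `
+-Parameters $PSBoundParameters
+Add-M365DSCTelemetryEvent -Data $data
+#endregion
+
+$nullReturn = @{
+IsSingleInstance = 'Yes'
+}
+
+try
+{
+$Policy = Get-MgBetaPolicyExternalIdentityPolicy -ErrorAction Stop
+}
+catch
+{
+$message = 'Could not find existing external identity policy'
+
+New-M365DSCLogEntry -Message $message `
+-Exception $_ `
+-Source $($MyInvocation.MyCommand.Source) `
+-TenantId $TenantId `
+-Credential $Credential
+
+return $nullReturn
+}
+
+if ($null -eq $Policy)
+{
+$message = 'Existing External Identity Policy was not found'
+
+New-M365DSCLogEntry -Message $message `
+-Source $($MyInvocation.MyCommand.Source) `
+-TenantId $TenantId `
+-Credential $Credential
+
+return $nullReturn
+}
+else
+{
+$result = @{
+IsSingleInstance = 'Yes'
+AllowDeletedIdentitiesDataRemoval = $Policy.allowDeletedIdentitiesDataRemoval
+AllowExternalIdentitiesToLeave = $Policy.allowExternalIdentitiesToLeave
+Credential = $Credential
+ApplicationSecret = $ApplicationSecret
+ApplicationId = $ApplicationId
+TenantId = $TenantId
+CertificateThumbprint = $CertificateThumbprint
+Managedidentity = $ManagedIdentity.IsPresent
+}
+
+Write-Verbose -Message "Get-TargetResource Result: `n $(Convert-M365DscHashtableToString -Hashtable $result)"
+return $result
+}
+}
+
+function Set-TargetResource
+{
+[CmdletBinding()]
+param
+(
+[Parameter(Mandatory = $true)]
+[System.String]
+[ValidateSet('Yes')]
+$IsSingleInstance,
+
+[Parameter()]
+[System.Boolean]
+$AllowDeletedIdentitiesDataRemoval,
+
+[Parameter(Mandatory = $true)]
+[System.Boolean]
+$AllowExternalIdentitiesToLeave,
+
+[Parameter()]
+[System.Management.Automation.PSCredential]
+$Credential,
+
+[Parameter()]
+[System.String]
+$ApplicationId,
+
+[Parameter()]
+[System.String]
+$TenantId,
+
+[Parameter()]
+[System.Management.Automation.PSCredential]
+$ApplicationSecret,
+
+[Parameter()]
+[System.String]
+$CertificateThumbprint,
+
+[Parameter()]
+[Switch]
+$ManagedIdentity
+)
+Write-Verbose -Message 'Setting configuration for External Identity Policy'
+
+#Ensure the proper dependencies are installed in the current environment.
+Confirm-M365DSCDependencies
+
+#region Telemetry
+$ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', ''
+$CommandName = $MyInvocation.MyCommand
+$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+-CommandName $CommandName `
+-Parameters $PSBoundParameters
+Add-M365DSCTelemetryEvent -Data $data
+#endregion
+
+$desiredParameters = ([hashtable]$PSBoundParameters).Clone()
+$desiredParameters.Remove('IsSingleInstance') | Out-Null
+$desiredParameters.Remove('ApplicationId') | Out-Null
+$desiredParameters.Remove('TenantId') | Out-Null
+$desiredParameters.Remove('CertificateThumbprint') | Out-Null
+$desiredParameters.Remove('ApplicationSecret') | Out-Null
+$desiredParameters.Remove('Credential') | Out-Null
+$desiredParameters.Remove('ManagedIdentity') | Out-Null
+
+try
+{
+Write-Verbose -Message "Updating existing authorization policy with values: $(Convert-M365DscHashtableToString -Hashtable $desiredParameters)"
+Update-MgBetaPolicyExternalIdentityPolicy @desiredParameters -ErrorAction Stop | Out-Null
+}
+catch
+{
+New-M365DSCLogEntry -Message 'Error updating data:' `
+-Exception $_ `
+-Source $($MyInvocation.MyCommand.Source) `
+-TenantId $TenantId `
+-Credential $Credential
+
+Write-Verbose -Message "Set-Targetresource: Failed change policy $DisplayName"
+throw $_
+}
+Write-Verbose -Message "Set-Targetresource: finished processing Policy $Displayname"
+}
+
+function Test-TargetResource
+{
+[CmdletBinding()]
+[OutputType([System.Boolean])]
+param
+(
+[Parameter(Mandatory = $true)]
+[System.String]
+[ValidateSet('Yes')]
+$IsSingleInstance,
+
+[Parameter()]
+[System.Boolean]
+$AllowDeletedIdentitiesDataRemoval,
+
+[Parameter(Mandatory = $true)]
+[System.Boolean]
+$AllowExternalIdentitiesToLeave,
+
+[Parameter()]
+[System.Management.Automation.PSCredential]
+$Credential,
+
+[Parameter()]
+[System.String]
+$ApplicationId,
+
+[Parameter()]
+[System.String]
+$TenantId,
+
+[Parameter()]
+[System.Management.Automation.PSCredential]
+$ApplicationSecret,
+
+[Parameter()]
+[System.String]
+$CertificateThumbprint,
+
+[Parameter()]
+[Switch]
+$ManagedIdentity
+)
+
+Write-Verbose -Message 'Testing configuration of External Identity Policy'
+
+$CurrentValues = Get-TargetResource @PSBoundParameters
+
+Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"
+
+$ValuesToCheck = $PSBoundParameters
+
+$TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
+-Source $($MyInvocation.MyCommand.Source) `
+-DesiredValues $PSBoundParameters `
+-ValuesToCheck $ValuesToCheck.Keys
+
+Write-Verbose -Message "Test-TargetResource returned $TestResult"
+
+return $TestResult
+}
+
+function Export-TargetResource
+{
+[CmdletBinding()]
+[OutputType([System.String])]
+param
+(
+[Parameter()]
+[System.Management.Automation.PSCredential]
+$Credential,
+
+[Parameter()]
+[System.String]
+$ApplicationId,
+
+[Parameter()]
+[System.String]
+$TenantId,
+
+[Parameter()]
+[System.Management.Automation.PSCredential]
+$ApplicationSecret,
+
+[Parameter()]
+[System.String]
+$CertificateThumbprint,
+
+[Parameter()]
+[Switch]
+$ManagedIdentity
+)
+
+#Ensure the proper dependencies are installed in the current environment.
+Confirm-M365DSCDependencies
+
+#region Telemetry
+$ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', ''
+$CommandName = $MyInvocation.MyCommand
+$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+-CommandName $CommandName `
+-Parameters $PSBoundParameters
+Add-M365DSCTelemetryEvent -Data $data
+#endregion
+
+$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
+-InboundParameters $PSBoundParameters
+
+try
+{
+$params = @{
+IsSingleInstance = 'Yes'
+AllowExternalIdentitiesToLeave = $true
+Credential = $Credential
+ApplicationId = $ApplicationId
+TenantId = $TenantId
+ApplicationSecret = $ApplicationSecret
+CertificateThumbprint = $CertificateThumbprint
+ManagedIdentity = $ManagedIdentity
+}
+$Results = Get-TargetResource @Params
+
+if ($Results -is [System.Collections.Hashtable] -and $Results.Count -gt 1)
+{
+Write-Host "`r`n" -NoNewline
+Write-Host " |---[1/1] External Identity Policy" -NoNewline
+$results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
+-Results $results
+$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
+-ConnectionMode $ConnectionMode `
+-ModulePath $PSScriptRoot `
+-Results $results `
+-Credential $Credential
+Save-M365DSCPartialExport -Content $currentDSCBlock `
+-FileName $Global:PartialExportFileName
+
+Write-Host $Global:M365DSCEmojiGreenCheckMark
+}
+else
+{
+Write-Host $Global:M365DSCEmojiRedX
+}
+
+return $currentDSCBlock
+}
+catch
+{
+Write-Host $Global:M365DSCEmojiRedX
+
+New-M365DSCLogEntry -Message 'Error during Export:' `
+-Exception $_ `
+-Source $($MyInvocation.MyCommand.Source) `
+-TenantId $TenantId `
+-Credential $Credential
+
+return ''
+}
+}
+
+Export-ModuleMember -Function *-TargetResource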
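Review bot: The two verbose messages at the end of Set-TargetResource expand `$DisplayName` / `$Displayname`, which is neither a parameter of this resource nor assigned anywhere in the function, so they print an empty name (and trip strict mode if it is ever enabled); since the policy is single-instance the variable should simply go, e.g. `Write-Verbose -Message 'Set-TargetResource: finished processing External Identity Policy'`. The message before the Update call also says "authorization policy" although the cmdlet updates the external identity policy. Separately, the `Get-TargetResource Result:` and `Target Values:` verbose lines stringify hashtables that still carry `Credential` and `ApplicationSecret`; that is only safe if Convert-M365DscHashtableToString redacts PSCredential values, which is worth confirming rather than assuming because -Verbose output routinely lands in CI and transcript logs. `$ConnectionMode` in Get-TargetResource is assigned but never read, unlike in Export-TargetResource.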
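--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADExternalIdentityPolicy/MSFT_AADExternalIdentityPolicy.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADExternalIdentityPolicy/MSFT_AADExternalIdentityPolicy.schema.mof
@@ -0,0 +1,13 @@
+[ClassVersion("1.0.0.0"), FriendlyName("AADExternalIdentityPolicy")]
+class MSFT_AADExternalIdentityPolicy : OMI_BaseResource
+{
+[Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance;
+[Write, Description("Reserved for future use.")] Boolean AllowDeletedIdentitiesDataRemoval;
+[Required, Description("Defines whether external users can leave the guest tenant. If set to false, self-service controls are disabled, and the admin of the guest tenant must manually remove the external user from the guest tenant. When the external user leaves the tenant, their data in the guest tenant is first soft-deleted then permanently deleted in 30 days.")] Boolean allowExternalIdentitiesToLeave;
+[Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] String Credential;
+[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+[Write, Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+};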
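Review bot: The `[Required ...]` property is declared as `allowExternalIdentitiesToLeave` with a lowercase first letter, while every other property in the class and the matching `.psm1` parameter use PascalCase (`AllowExternalIdentitiesToLeave`). CIM property names are case-insensitive so binding still works, but the odd casing propagates into generated documentation and export snippets, so the line should end `Boolean AllowExternalIdentitiesToLeave;`. The `Reserved for future use.` description on `AllowDeletedIdentitiesDataRemoval` gives an operator no hint that the value is nonetheless read from and written to the tenant policy by the module; a short clause saying it is passed through unchanged would help.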
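--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADExternalIdentityPolicy/Readme.md
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADExternalIdentityPolicy/Readme.md
@@ -0,0 +1,5 @@
+# AADExternalIdentityPolicy
+
+## Description
+
+Represents the tenant-wide policy that controls whether external users can leave the guest Microsoft Entra tenant via self-service controls.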