Merge pull request #3868 from NikCharlebois/AADExternalIdentityPolicy
AADExternalIdentityPolicy Initial Release
NikCharlebois authored Nov 7, 2023
2 parents 52e53a1 + 331ab32 commit b2adcc5
Showing 8 changed files with 899 additions and 0 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,8 @@

# UNRELEASED

* AADExternalIdentityPolicy
* Initial release.
* O365OrgSettings
* Force register the Office on the Web ServicePrincipal is it is not present.
FIXES [#3842](https://github.com/microsoft/Microsoft365DSC/issues/3842)
@@ -0,0 +1,355 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
[ValidateSet('Yes')]
$IsSingleInstance,

[Parameter()]
[System.Boolean]
$AllowDeletedIdentitiesDataRemoval,

[Parameter(Mandatory = $true)]
[System.Boolean]
$AllowExternalIdentitiesToLeave,

[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,

[Parameter()]
[System.String]
$ApplicationId,

[Parameter()]
[System.String]
$TenantId,

[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,

[Parameter()]
[System.String]
$CertificateThumbprint,

[Parameter()]
[Switch]
$ManagedIdentity
)

Write-Verbose -Message 'Getting configuration of External Identity Policy'
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters

#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies

#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', ''
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion

$nullReturn = @{
IsSingleInstance = 'Yes'
}

try
{
$Policy = Get-MgBetaPolicyExternalIdentityPolicy -ErrorAction Stop
}
catch
{
$message = 'Could not find existing external identity policy'

New-M365DSCLogEntry -Message $message `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential

return $nullReturn
}

if ($null -eq $Policy)
{
$message = 'Existing External Identity Policy was not found'

New-M365DSCLogEntry -Message $message `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential

return $nullReturn
}
else
{
$result = @{
IsSingleInstance = 'Yes'
AllowDeletedIdentitiesDataRemoval = $Policy.allowDeletedIdentitiesDataRemoval
AllowExternalIdentitiesToLeave = $Policy.allowExternalIdentitiesToLeave
Credential = $Credential
ApplicationSecret = $ApplicationSecret
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
Managedidentity = $ManagedIdentity.IsPresent
}

Write-Verbose -Message "Get-TargetResource Result: `n $(Convert-M365DscHashtableToString -Hashtable $result)"
return $result
}
}

function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
[ValidateSet('Yes')]
$IsSingleInstance,

[Parameter()]
[System.Boolean]
$AllowDeletedIdentitiesDataRemoval,

[Parameter(Mandatory = $true)]
[System.Boolean]
$AllowExternalIdentitiesToLeave,

[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,

[Parameter()]
[System.String]
$ApplicationId,

[Parameter()]
[System.String]
$TenantId,

[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,

[Parameter()]
[System.String]
$CertificateThumbprint,

[Parameter()]
[Switch]
$ManagedIdentity
)
Write-Verbose -Message 'Setting configuration for External Identity Policy'

#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies

#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', ''
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion

$desiredParameters = ([hashtable]$PSBoundParameters).Clone()
$desiredParameters.Remove('IsSingleInstance') | Out-Null
$desiredParameters.Remove('ApplicationId') | Out-Null
$desiredParameters.Remove('TenantId') | Out-Null
$desiredParameters.Remove('CertificateThumbprint') | Out-Null
$desiredParameters.Remove('ApplicationSecret') | Out-Null
$desiredParameters.Remove('Credential') | Out-Null
$desiredParameters.Remove('ManagedIdentity') | Out-Null

try
{
Write-Verbose -Message "Updating existing authorization policy with values: $(Convert-M365DscHashtableToString -Hashtable $desiredParameters)"
Update-MgBetaPolicyExternalIdentityPolicy @desiredParameters -ErrorAction Stop | Out-Null
}
catch
{
New-M365DSCLogEntry -Message 'Error updating data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential

Write-Verbose -Message "Set-Targetresource: Failed change policy $DisplayName"
throw $_
}
Write-Verbose -Message "Set-Targetresource: finished processing Policy $Displayname"
}

function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
[ValidateSet('Yes')]
$IsSingleInstance,

[Parameter()]
[System.Boolean]
$AllowDeletedIdentitiesDataRemoval,

[Parameter(Mandatory = $true)]
[System.Boolean]
$AllowExternalIdentitiesToLeave,

[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,

[Parameter()]
[System.String]
$ApplicationId,

[Parameter()]
[System.String]
$TenantId,

[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,

[Parameter()]
[System.String]
$CertificateThumbprint,

[Parameter()]
[Switch]
$ManagedIdentity
)

Write-Verbose -Message 'Testing configuration of External Identity Policy'

$CurrentValues = Get-TargetResource @PSBoundParameters

Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"

$ValuesToCheck = $PSBoundParameters

$TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys

Write-Verbose -Message "Test-TargetResource returned $TestResult"

return $TestResult
}

function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,

[Parameter()]
[System.String]
$ApplicationId,

[Parameter()]
[System.String]
$TenantId,

[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,

[Parameter()]
[System.String]
$CertificateThumbprint,

[Parameter()]
[Switch]
$ManagedIdentity
)

#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies

#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', ''
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion

$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters

try
{
$params = @{
IsSingleInstance = 'Yes'
AllowExternalIdentitiesToLeave = $true
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
ApplicationSecret = $ApplicationSecret
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity
}
$Results = Get-TargetResource @Params

if ($Results -is [System.Collections.Hashtable] -and $Results.Count -gt 1)
{
Write-Host "`r`n" -NoNewline
Write-Host " |---[1/1] External Identity Policy" -NoNewline
$results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $results
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $results `
-Credential $Credential
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName

Write-Host $Global:M365DSCEmojiGreenCheckMark
}
else
{
Write-Host $Global:M365DSCEmojiRedX
}

return $currentDSCBlock
}
catch
{
Write-Host $Global:M365DSCEmojiRedX

New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential

return ''
}
}

Export-ModuleMember -Function *-TargetResource
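Review bot: The Set-TargetResource verbose lines `Write-Verbose -Message "Updating existing authorization policy with values: ..."` and the two `Set-Targetresource: ... $DisplayName` messages name the wrong resource and interpolate `$DisplayName`, which nothing in this function assigns, so the verbose trail of a tenant-wide policy change prints a blank name under an "authorization policy" label. Change the first to `Write-Verbose -Message "Updating External Identity Policy with values: $(Convert-M365DscHashtableToString -Hashtable $desiredParameters)"` and drop `$DisplayName` from the other two. Separately, Set-TargetResource calls `Update-MgBetaPolicyExternalIdentityPolicy` without first calling `New-M365DSCConnection` the way Get-TargetResource and Export-TargetResource do, so it appears to rely on a Graph session left open by an earlier Get/Test in the same process; adding `$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' -InboundParameters $PSBoundParameters` ahead of the try block would make it self-contained. Also note that the catch in Get-TargetResource returns `$nullReturn` for any Graph error, including authorization failures, so a missing permission reads as "policy not found" and Test reports drift instead of surfacing the error.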
@@ -0,0 +1,13 @@
[ClassVersion("1.0.0.0"), FriendlyName("AADExternalIdentityPolicy")]
class MSFT_AADExternalIdentityPolicy : OMI_BaseResource
{
[Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance;
[Write, Description("Reserved for future use.")] Boolean AllowDeletedIdentitiesDataRemoval;
[Required, Description("Defines whether external users can leave the guest tenant. If set to false, self-service controls are disabled, and the admin of the guest tenant must manually remove the external user from the guest tenant. When the external user leaves the tenant, their data in the guest tenant is first soft-deleted then permanently deleted in 30 days.")] Boolean allowExternalIdentitiesToLeave;
[Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] String Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
};
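Review bot: The required property is declared as `Boolean allowExternalIdentitiesToLeave;` with a lowercase initial, while every other property in this schema and the matching PowerShell parameter use PascalCase (`AllowExternalIdentitiesToLeave`). MOF property names are case-insensitive so this binds correctly, but it is the only camelCase name in the class and will surface that way in generated resource documentation; `[Required, Description("...")] Boolean AllowExternalIdentitiesToLeave;` keeps the schema consistent with the .psm1.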
@@ -0,0 +1,5 @@
# AADExternalIdentityPolicy

## Description

Represents the tenant-wide policy that controls whether external users can leave the guest Microsoft Entra tenant via self-service controls.
