Merge pull request #3986 from microsoft/Dev
Release 1.23.1129.1
NikCharlebois authored Nov 30, 2023
2 parents 9eee82c + 396f024 commit f412344
Showing 51 changed files with 1,319 additions and 552 deletions.
65 changes: 65 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,70 @@
# Change log for Microsoft365DSC

# 1.23.1129.1

* AADRoleSetting
* Export sorted by DisplayName for better comparison
* Enable Filter property to be used on export
FIXES [#3919](https://github.com/microsoft/Microsoft365DSC/issues/3919)
* AADUser
* Added the MemberOf Property.
* IntuneAntivirusPolicyWindows10SettingCatalog
* Skipped settingValueTemplateReference and settingInstanceTemplateReference
for severethreats, highseveritythreats, moderateseveritythreats,
lowseveritythreats as per API requirements observed in the Intune portal.
FIXES [#3818](https://github.com/microsoft/Microsoft365DSC/issues/3818)
FIXES [#3955](https://github.com/microsoft/Microsoft365DSC/issues/3955)
* IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy,
IntuneAccountProtectionLocalUserGroupMembershipPolicy,
IntuneAccountProtectionPolicy,
* Fixes export if Assignments is set on existing policies
FIXES [3913](https://github.com/microsoft/Microsoft365DSC/issues/3913)
* Add groupDisplayName to Assignments embedded instance
* IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10,
IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10,
IntuneDeviceConfigurationIdentityProtectionPolicyWindows10,
IntuneDeviceConfigurationEndpointProtectionPolicyWindows10,
IntuneDeviceEnrollmentStatusPageWindows10,
IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined,
IntuneWindowsAutopilotDeploymentProfileAzureADJoined
* Removed Id and all authentication parameters from PSBoundParameters in Test-TargetResource
FIXES [#3888](https://github.com/microsoft/Microsoft365DSC/issues/3888)
* IntuneWindowsAutopilotDeploymentProfileAzureADJoined
* Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment
FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921)
* IntuneDeviceEnrollmentStatusPageWindows10
* Fixed assignments using API call
FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921)
* IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined
* Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment
FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892)
* IntuneWindowsAutopilotDeploymentProfileAzureADJoined
* Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment
FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892)
* IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10
* Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment
* IntuneDeviceConfigurationPolicyWindows10
FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921)
* IntuneDeviceEnrollmentStatusPageWindows10
* Fixed assignments using API call
FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921)
* TeamsMessagingPolicy
* Added support for properties AllowCommunicationComplianceEndUserReporting,
AllowFluidCollaborate and AllowSecurityEndUserReporting.
FIXES [#3968](https://github.com/microsoft/Microsoft365DSC/issues/3968)
* TeamsTeam
* Fixes incompatible type for ComplianceRecordingApplications, expected string[] but receive object[]
FIXES: [#3890](https://github.com/microsoft/Microsoft365DSC/issues/3890)
* DEPENDENCIES
* Updated DSCParser to version 1.4.0.1.
* Updated Microsoft.Graph to version 2.10.0.
* Updated MSCloudLoginAssistant to version 1.1.0.
* MISC
* M365DSCDRGUtil
* Added ConvertFrom-IntunePolicyAssignment and ConvertTo-IntunePolicyAssignment
FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892)
* Support for Multi-Tenancy (Credentials + TenantId).

# 1.23.1122.1

* SPOSharingSettings
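Review bot: several entries need cleanup before this ships as release notes: the `FIXES [3913]` link is missing the `#` that every other entry has; `IntuneWindowsAutopilotDeploymentProfileAzureADJoined` and `IntuneDeviceEnrollmentStatusPageWindows10` each appear twice with identical text; `IntuneDeviceConfigurationPolicyWindows10` carries a FIXES line but no description of what changed; and `receive object[]` should read `received object[]`. The AADUser entry should also call out the new Graph permissions (Group.Read.All, GroupMember.Read.All, Group.ReadWrite.All, GroupMember.ReadWrite.All) and the commit should note the role swap in the settings.json for custom security attribute sets, since both change what an existing service principal must be granted.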
Expand Up @@ -363,13 +363,19 @@ function Export-TargetResource
}
catch
{
Write-Host $Global:M365DSCEmojiRedX

New-M365DSCLogEntry -Message 'Error during Export:' `
if ($_.ErrorDetails.Message -like "*Insufficient privileges*")
{
Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) Insufficient permissions or license to export Attribute Sets."
}
else
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
}

return ''
}
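Review bot: the `*Insufficient privileges*` branch prints a yellow-circle message to the console and skips New-M365DSCLogEntry entirely, so a missing-permission condition leaves no trace in the M365DSC log and cannot be audited after a scripted export; keep at least a Write-Verbose with the full `$_.ErrorDetails.Message` in that branch. `$_.ErrorDetails` is null for non-HTTP exceptions, which is harmless for `-like` (it evaluates false) and correctly falls through to the generic branch.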
Expand Up @@ -3,10 +3,10 @@
"description": "Represents a group of related custom security attribute definitions.",
"roles": {
"read": [
"Security Reader"
"Attribute Definition Reader"
],
"update": [
"Authentication Policy Administrator"
"Attribute Definition Administrator"
]
},
"permissions": {
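Review bot: replacing `Security Reader` / `Authentication Policy Administrator` with the narrowly scoped `Attribute Definition Reader` / `Attribute Definition Administrator` roles is the right least-privilege change, but it is breaking for tenants whose service principal holds only the old roles, and nothing in this commit's CHANGELOG mentions it; add an entry so operators know to re-assign roles before upgrading.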
2 changes: 2 additions & 0 deletions Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/Readme.md
Expand Up @@ -3,3 +3,5 @@
## Description

This resource configures an Azure Active Directory group. IMPORTANT: It does not support mail enabled security groups or mail enabled groups that are not unified or dynamic groups.

If using with AADUser, be aware that if AADUser->MemberOf is being specified and the referenced group is configured with AADGroup->Member then a conflict may arise if the two don't match. It is usually best to choose only one of them. See AADUser
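Review bot: "See AADUser" trails off without punctuation or a link. Beyond the wording, the conflict described is a drift loop (AADGroup->Member and AADUser->MemberOf alternately reverting each other's change on every consistency check), so the readme should state plainly which resource owns membership when both are used, rather than "usually best to choose only one of them".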
Expand Up @@ -188,6 +188,14 @@
}
if ($null -eq $schedule -or $null -eq $request)
{
if ($null -eq $schedule)
{
Write-Verbose -Message "Could not retrieve the schedule for {$($request.PrincipalId)} & RoleDefinitionId {$RoleDefinitionId}"
}
if ($null -eq $request)
{
Write-Verbose -Message "Could not request the schedule for {$RoleDefinition}"
}
return $nullResult
}
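Review bot: in the `$null -eq $request` branch the message interpolates `$RoleDefinition`, while the rest of this hunk uses `$RoleDefinitionId`; confirm that variable exists in scope, otherwise the message prints an empty name. The first message also dereferences `$request.PrincipalId` in a branch that can run when `$request` is itself null (both conditions are allowed to hold), so it prints `{}` instead of the principal; use the parameter the principal was requested with instead.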

Expand All @@ -211,6 +219,7 @@

if ($null -eq $PrincipalInstance)
{
Write-Verbose -Message "Couldn't retrieve Principal {$($request.PrincipalId)}"
return $nullResult
}

Expand Down Expand Up @@ -298,7 +307,7 @@
}
catch
{
Write-Verbose "Verbose: $($_.ErrorDetails.Message)"
Write-Verbose "Error: $($_.ErrorDetails.Message)"
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
Expand Down Expand Up @@ -814,15 +823,20 @@ function Export-TargetResource
}
catch
{
Write-Verbose -Message "Exception: $($_.Exception.Message)"

Write-Host $Global:M365DSCEmojiRedX

New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
if ($_.ErrorDetails.Message -like "*The tenant needs an AAD Premium*")
{
Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) Tenant does not meet license requirement to extract this component."
}
else
{
Write-Verbose -Message "Exception: $($_.Exception.Message)"
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
}

return ''
}
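Review bot: the license check keys on the error text `*The tenant needs an AAD Premium*`; Graph error strings are not a stable contract, so match on the error code where the SDK exposes one and keep the string match as a fallback. In that branch the exception is also reported only via Write-Host and never through New-M365DSCLogEntry or Write-Verbose, so a scripted export has no record that the component was skipped.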
Expand Up @@ -1283,6 +1283,7 @@ function Test-TargetResource
[Switch]
$ManagedIdentity
)
$Script:ExportMode = $false

#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
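Review bot: resetting `$Script:ExportMode = $false` at the top of Test-TargetResource stops the flag leaking from an earlier Export-TargetResource in the same session, but Set-TargetResource (outside this hunk) presumably calls Get-TargetResource too and gets no such reset; either add the same line there or clear the flag in a `finally` block in Export-TargetResource so callers never have to know about it.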
Expand Down Expand Up @@ -1379,7 +1380,7 @@ function Export-TargetResource
try
{
$Script:ExportMode = $true
[array] $Script:exportedInstances = Get-MgBetaRoleManagementDirectoryRoleDefinition -ErrorAction Stop
[array] $Script:exportedInstances = Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter $Filter -Sort DisplayName -ErrorAction Stop
$i = 1
$dscContent = ''
Write-Host "`r`n" -NoNewline
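Review bot: `-Filter $Filter` is now passed unconditionally; confirm Export-TargetResource declares a `$Filter` parameter (the parameter block is outside this hunk) and that the SDK tolerates an empty string when no filter is supplied, otherwise the default export path breaks. `-Sort DisplayName` gives the stable ordering the CHANGELOG asks for, but the CHANGELOG credits this to AADRoleSetting while the cmdlet here is Get-MgBetaRoleManagementDirectoryRoleDefinition; check that the entry names the right resource.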
Expand Up @@ -28,6 +28,10 @@ function Get-TargetResource
[System.String[]]
$LicenseAssignment,

[Parameter()]
[System.String[]]
$MemberOf,

[Parameter()]
[System.Management.Automation.PSCredential]
$Password,
Expand Down Expand Up @@ -150,6 +154,7 @@ function Get-TargetResource
LastName = $null
UsageLocation = $null
LicenseAssignment = $null
MemberOf = $null
Password = $null
Credential = $Credential
ApplicationId = $ApplicationId
Expand Down Expand Up @@ -187,6 +192,9 @@ function Get-TargetResource
$currentLicenseAssignment += $sku.SkuPartNumber
}

# return membership of static groups only
[array]$currentMemberOf = (Get-MgUserMemberOfAsGroup -UserId $UserPrincipalName -All | Where-Object -FilterScript {$_.GroupTypes -notcontains 'DynamicMembership'}).DisplayName

$userPasswordPolicyInfo = $user | Select-Object UserprincipalName, @{
N = 'PasswordNeverExpires'; E = { $_.PasswordPolicies -contains 'DisablePasswordExpiration' }
}
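Review bot: `Get-MgUserMemberOfAsGroup` is reduced to `.DisplayName`, but group display names are not unique in Entra ID, so two groups sharing a name collapse into one entry here and become ambiguous when Set-TargetResource resolves the name back to an Id; a lookalike group with the same display name as a privileged one would then be indistinguishable. Consider carrying the Id alongside the name, or at minimum failing the comparison when a name maps to more than one group. The `-notcontains 'DynamicMembership'` filter does match the "static groups only" comment.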
Expand Down Expand Up @@ -216,6 +224,7 @@ function Get-TargetResource
LastName = $user.Surname
UsageLocation = $user.UsageLocation
LicenseAssignment = $currentLicenseAssignment
MemberOf = $currentMemberOf
Password = $Password
City = $user.City
Country = $user.Country
Expand Down Expand Up @@ -283,6 +292,10 @@ function Set-TargetResource
[System.String[]]
$LicenseAssignment,

[Parameter()]
[System.String[]]
$MemberOf,

[Parameter()]
[System.Management.Automation.PSCredential]
$Password,
Expand Down Expand Up @@ -559,6 +572,79 @@ function Set-TargetResource
}
#endregion

#region Update MemberOf groups - if specified
if ($null -ne $MemberOf)
{
if ($null -eq $user.MemberOf)
{
# user is not currently a member of any groups, add user to groups listed in MemberOf
foreach ($memberOfGroup in $MemberOf)
{
$group = Get-MgGroup -Filter "DisplayName eq '$memberOfGroup'" -Property Id, GroupTypes
if ($null -eq $group)
{
New-M365DSCLogEntry -Message 'Error updating data:' `
-Exception "Attempting to add a user to a group that doesn't exist" `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential

throw "Group '$memberOfGroup' does not exist in tenant"
}
if ($group.GroupTypes -contains 'DynamicMembership')
{
New-M365DSCLogEntry -Message 'Error updating data:' `
-Exception "Attempting to add a user to a dynamic group" `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential

throw "Cannot add user $UserPrincipalName to group '$memberOfGroup' because it is a dynamic group"
}
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}
}
else
{
# user is a member of some groups, ensure that user is only a member of groups listed in MemberOf
Compare-Object -ReferenceObject $MemberOf -DifferenceObject $user.MemberOf | ForEach-Object {
$group = Get-MgGroup -Filter "DisplayName eq '$($_.InputObject)" -Property Id, GroupTypes
if ($_.SideIndicator -eq '<=')
{
# Group in MemberOf not present in groups that user is a member of, add user to group
if ($null -eq $group)
{
New-M365DSCLogEntry -Message 'Error updating data:' `
-Exception "Attempting to add a user to a group that doesn't exist" `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential

throw "Group '$($_.InputObject)' does not exist in tenant"
}
if ($group.GroupTypes -contains 'DynamicMembership')
{
New-M365DSCLogEntry -Message 'Error updating data:' `
-Exception "Attempting to add a user to a dynamic group" `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential

throw "Cannot add user $UserPrincipalName to group '$($_.InputObject)' because it is a dynamic group"
}
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}
else
{
# Group that user is a member of is not present in MemberOf, remove user from group
# (no need to test for dynamic groups as they are ignored in Get-TargetResource)
Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id
}
}
}
}
#endregion

#region Roles
if ($null -ne $Roles)
{
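Review bot: the OData filter in the Compare-Object branch, `"DisplayName eq '$($_.InputObject)"`, is missing the closing single quote that the first branch's `"DisplayName eq '$memberOfGroup'"` has, so every lookup there fails with a malformed filter. In the same branch: the removal path calls `Remove-MgGroupMemberByRef -GroupId $group.Id` without checking `$group` for null, so a group that no longer exists produces a confusing SDK error instead of a clear message; a name that matches several groups makes `$group.Id` an array and adds or removes the member on an unintended group; and a display name containing an apostrophe breaks the filter string (double the quote to escape it). Also check the case where MemberOf is an empty array: `$null -ne @()` is true, so execution reaches Compare-Object, which rejects an empty -ReferenceObject on Windows PowerShell. A small helper that resolves a name to exactly one group Id (throwing otherwise) and is used by both branches would remove the duplicated lookup and the three quoting/null issues at once.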
Expand Down Expand Up @@ -633,6 +719,10 @@ function Test-TargetResource
[System.String[]]
$LicenseAssignment,

[Parameter()]
[System.String[]]
$MemberOf,

[Parameter()]
[System.Management.Automation.PSCredential]
$Password,
Expand Up @@ -13,6 +13,7 @@ class MSFT_AADUser : OMI_BaseResource
[Write, Description("The Country name of the user")] String Country;
[Write, Description("The Department name of the user")] String Department;
[Write, Description("The Fax Number of the user")] String Fax;
[Write, Description("The Groups that the user is a direct member of")] String MemberOf[];
[Write, Description("The Mobile Phone Number of the user")] String MobilePhone;
[Write, Description("The Office Name of the user")] String Office;
[Write, Description("Specifies whether the user password expires periodically. Default value is false")] Boolean PasswordNeverExpires;
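Review bot: the description `The Groups that the user is a direct member of` does not match what Get-TargetResource returns: the value is a list of display names, and groups with dynamic membership are excluded. Say so in the schema (for example `Display names of the non-dynamic groups the user is a direct member of`), since anyone reading the MOF will otherwise expect dynamic groups to be reported and Ids to be accepted.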
4 changes: 3 additions & 1 deletion Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/readme.md
Expand Up @@ -2,4 +2,6 @@

## Description

This resource allows users to create Azure AD Users and assign them licenses.
This resource allows users to create Azure AD Users and assign them licenses, roles and/or groups.

If using with AADGroup, be aware that if AADUser->MemberOf is being specified and the referenced group is configured with AADGroup->Member then a conflict may arise if the two don't match. It is usually best to choose only one of them. See AADGroup
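Review bot: "See AADGroup" is cut off without punctuation or a link, and the paragraph should say which resource is meant to own membership when both AADUser->MemberOf and AADGroup->Member are configured, since leaving both in place causes the two resources to revert each other's change on every consistency check.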
19 changes: 19 additions & 0 deletions Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/settings.json
Expand Up @@ -16,6 +16,12 @@
},
{
"name": "User.Read.All"
},
{
"name": "Group.Read.All"
},
{
"name": "GroupMember.Read.All"
}
],
"update": [
Expand All @@ -31,9 +37,22 @@
{
"name": "User.Read.All"
},
{
"name": "Group.Read.All"
},
{
"name": "GroupMember.Read.All"
},
{
"name": "User.ReadWrite.All"
},
{
"name": "Group.ReadWrite.All"
},
{
"name": "GroupMember.ReadWrite.All"
}

]
},
"application": {
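Review bot: the update list now carries both `Group.Read.All` and `Group.ReadWrite.All`, and likewise both `GroupMember.Read.All` and `GroupMember.ReadWrite.All`; the ReadWrite scope already includes read, so the two read entries are redundant. More importantly, if the resource only adds and removes members (as the Set-TargetResource hunk does), `GroupMember.ReadWrite.All` plus `Group.Read.All` is sufficient, and `Group.ReadWrite.All` grants the principal the ability to modify or delete any group in the tenant; drop it unless a code path actually needs it. There is also a stray blank line before the closing `]`.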
Expand Up @@ -752,7 +752,7 @@ function Export-TargetResource

if ($Results.Assignments)
{
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName DeviceManagementConfigurationPolicyAssignments
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments
if ($complexTypeStringResult)
{
$Results.Assignments = $complexTypeStringResult
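Review bot: the CIM instance name changes to `IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments`; make sure the MOF for this resource declares a class with exactly that name (the schema is outside this hunk), otherwise every exported Assignments block fails to compile.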
0 comments on commit f412344
