Merge pull request microsoft#5685 from NikCharlebois/AADRoleEligibili…

…tyScheduleRequest AADRoleEligibilityScheduleRequest - Changed Mapping Logic for Custom Roles
FabienTschanz · Jan 29, 2025 · 3296f6b · 3296f6b
2 parents 69890be + 32a2fe8
commit 3296f6b
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 21 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Change log for Microsoft365DSC
 
+# UNRELEASED
+
+* AADGroup
+  * Changed the logic to evaluate a drift in the assigned licenses.
+* AADRoleEligibilityScheduleRequest
+  * Changed the mapping logic to find Id of a custom role.
+* AADServicePrincipal
+  * Fixes a regression issue when trying to export instances, the authentication
+    parameters were no longer returned by the Get-TargetResource function.
+
 # 1.25.122.2
 
 * AADAdminConsentRequestPolicy

diff --git a/...ources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 b/...ources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1
@@ -99,17 +99,16 @@
     $nullResult.Ensure = 'Absent'
     try
     {
-        $request = $null
         if (-not [System.String]::IsNullOrEmpty($Id))
         {
             if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
             {
-                $request = $Script:exportedInstances | Where-Object -FilterScript { $_.Id -eq $Id }
+                $schedule = $Script:exportedInstances | Where-Object -FilterScript { $_.Id -eq $Id }
             }
             else
             {
                 Write-Verbose -Message "Getting Role Eligibility by Id {$Id}"
-                $request = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -UnifiedRoleEligibilityScheduleId $Id `
+                $schedule = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -UnifiedRoleEligibilityScheduleId $Id `
                     -ErrorAction SilentlyContinue
             }
         }
@@ -139,20 +138,46 @@
         $RoleDefinitionId = (Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$RoleDefinition'").Id
         Write-Verbose -Message "Retrieved role definition {$RoleDefinition} with ID {$RoleDefinitionId}"
 
-        if ($null -eq $request)
+        if ($null -eq $schedule)
         {
             Write-Verbose -Message "Retrieving the request by PrincipalId {$($PrincipalInstance.Id)}, RoleDefinitionId {$($RoleDefinitionId)} and DirectoryScopeId {$($DirectoryScopeId)}"
             [Array] $requests = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$($PrincipalInstance.Id)' and RoleDefinitionId eq '$($RoleDefinitionId)' and DirectoryScopeId eq '$($DirectoryScopeId)'"
             if ($requests.Length -eq 0)
             {
-                return $nullResult
-            }
+                # We need to make sure we're not ending up here because the role is a custom role (which has a different id).
+                # We start by retrieving all schedules for the given principal.
+                [Array] $schedulesForPrincipal = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$($PrincipalInstance.Id)' and DirectoryScopeId eq '$($DirectoryScopeId)'"
+
+                # Loop through the role associated with each schedule to check and see if we have a match on the name.
+                $schedule = $null
+                foreach ($foundSchedule in $schedulesForPrincipal)
+                {
+                    $scheduleRoleId = $foundSchedule.RoleDefinitionId
+                    $roleEntry = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $scheduleRoleId
+                    if ($roleEntry.DisplayName -eq $RoleDefinition)
+                    {
+                        $RoleDefinitionId = $roleEntry.Id
+                        $schedule = $foundSchedule
+                        break
+                    }
+                }
 
-            $request = $requests[0]
+                if ($null -eq $schedule)
+                {
+                    return $nullResult
+                }
+            }
+            else
+            {
+                $schedule = $requests[0]
+            }
         }
 
-        $schedules = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$($request.PrincipalId)'"
-        $schedule = $schedules | Where-Object -FilterScript { $_.RoleDefinitionId -eq $RoleDefinitionId }
+        if ($null -eq $schedule)
+        {
+            $schedules = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$($request.PrincipalId)'"
+            $schedule = $schedules | Where-Object -FilterScript { $_.RoleDefinitionId -eq $RoleDefinitionId }
+        }
         if ($null -eq $schedule)
         {
             foreach ($instance in $schedules)
@@ -166,16 +191,12 @@
             }
         }
 
-        if ($null -eq $schedule -or $null -eq $request)
+        if ($null -eq $schedule)
         {
             if ($null -eq $schedule)
             {
                 Write-Verbose -Message "Could not retrieve the schedule for {$($request.PrincipalId)} & RoleDefinitionId {$RoleDefinitionId}"
             }
-            if ($null -eq $request)
-            {
-                Write-Verbose -Message "Could not request the schedule for {$RoleDefinition}"
-            }
             return $nullResult
         }
 
@@ -224,12 +245,12 @@
             Principal             = $PrincipalValue
             PrincipalType         = $PrincipalType
             RoleDefinition        = $RoleDefinition
-            DirectoryScopeId      = $request.DirectoryScopeId
-            AppScopeId            = $request.AppScopeId
-            Action                = $request.Action
-            Id                    = $request.Id
-            Justification         = $request.Justification
-            IsValidationOnly      = $request.IsValidationOnly
+            DirectoryScopeId      = $schedule.DirectoryScopeId
+            AppScopeId            = $schedule.AppScopeId
+            Action                = $schedule.Action
+            Id                    = $schedule.Id
+            Justification         = $schedule.Justification
+            IsValidationOnly      = $schedule.IsValidationOnly
             ScheduleInfo          = $ScheduleInfoValue
             Ensure                = 'Present'
             Credential            = $Credential
@@ -599,7 +620,10 @@ function Test-TargetResource
             return $false
         }
     }
-    $ValuesToCheck.Remove('ScheduleInfo') | Out-Null
+    $ValuesToCheck.Remove('ScheduleInfo') | Out-Null    
+    $ValuesToCheck.Remove('Action') | Out-Null
+    $ValuesToCheck.Remove('IsValidationOnly') | Out-Null
+    $ValuesToCheck.Remove('Justification') | Out-Null
 
     Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
     Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"