diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8fe1dc8ebd..42f03d1f48 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Change log for Microsoft365DSC
+# UNRELEASED
+
+* AADGroup
+ * Changed the logic to evaluate a drift in the assigned licenses.
+* AADRoleEligibilityScheduleRequest
+ * Changed the mapping logic to find Id of a custom role.
+* AADServicePrincipal
+ * Fixes a regression issue when trying to export instances, the authentication
+ parameters were no longer returned by the Get-TargetResource function.
+
 # 1.25.122.2
 * AADAdminConsentRequestPolicy
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1
index 68a19db077..2e1692a9cb 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1
@@ -99,17 +99,16 @@
 $nullResult.Ensure = 'Absent'
 try
 {
- $request = $null
 if (-not [System.String]::IsNullOrEmpty($Id))
 {
 if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
 {
- $request = $Script:exportedInstances | Where-Object -FilterScript { $_.Id -eq $Id }
+ $schedule = $Script:exportedInstances | Where-Object -FilterScript { $_.Id -eq $Id }
 }
 else
 {
 Write-Verbose -Message "Getting Role Eligibility by Id {$Id}"
- $request = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -UnifiedRoleEligibilityScheduleId $Id `
+ $schedule = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -UnifiedRoleEligibilityScheduleId $Id `
 -ErrorAction SilentlyContinue
 }
 }
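Review bot: The `$request = $null` initialisation at the top of the `try` was deleted instead of renamed, so `$schedule` is only ever assigned inside the `if (-not [System.String]::IsNullOrEmpty($Id))` branch and is read while unassigned by the later `if ($null -eq $schedule)` checks whenever no Id is supplied. That only works because PowerShell evaluates an unset variable as `$null`; under `Set-StrictMode` the read throws. Keep the initialisation as `$schedule = $null` where the removed line stood. Get-TargetResource begins before this hunk.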
@@ -139,20 +138,46 @@
 $RoleDefinitionId = (Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$RoleDefinition'").Id
 Write-Verbose -Message "Retrieved role definition {$RoleDefinition} with ID {$RoleDefinitionId}"
- if ($null -eq $request)
+ if ($null -eq $schedule)
 {
 Write-Verbose -Message "Retrieving the request by PrincipalId {$($PrincipalInstance.Id)}, RoleDefinitionId {$($RoleDefinitionId)} and DirectoryScopeId {$($DirectoryScopeId)}"
 [Array] $requests = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$($PrincipalInstance.Id)' and RoleDefinitionId eq '$($RoleDefinitionId)' and DirectoryScopeId eq '$($DirectoryScopeId)'"
 if ($requests.Length -eq 0)
 {
- return $nullResult
- }
+ # We need to make sure we're not ending up here because the role is a custom role (which has a different id).
+ # We start by retrieving all schedules for the given principal.
+ [Array] $schedulesForPrincipal = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$($PrincipalInstance.Id)' and DirectoryScopeId eq '$($DirectoryScopeId)'"
+
+ # Loop through the role associated with each schedule to check and see if we have a match on the name.
+ $schedule = $null
+ foreach ($foundSchedule in $schedulesForPrincipal)
+ {
+ $scheduleRoleId = $foundSchedule.RoleDefinitionId
+ $roleEntry = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $scheduleRoleId
+ if ($roleEntry.DisplayName -eq $RoleDefinition)
+ {
+ $RoleDefinitionId = $roleEntry.Id
+ $schedule = $foundSchedule
+ break
+ }
+ }
- $request = $requests[0]
+ if ($null -eq $schedule)
+ {
+ return $nullResult
+ }
+ }
+ else
+ {
+ $schedule = $requests[0]
+ }
 }
- $schedules = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$($request.PrincipalId)'"
- $schedule = $schedules | Where-Object -FilterScript { $_.RoleDefinitionId -eq $RoleDefinitionId }
+ if ($null -eq $schedule)
+ {
+ $schedules = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$($request.PrincipalId)'"
+ $schedule = $schedules | Where-Object -FilterScript { $_.RoleDefinitionId -eq $RoleDefinitionId }
+ }
 if ($null -eq $schedule)
 {
 foreach ($instance in $schedules)
@@ -166,16 +191,12 @@
 }
 }
- if ($null -eq $schedule -or $null -eq $request)
+ if ($null -eq $schedule)
 {
 if ($null -eq $schedule)
 {
 Write-Verbose -Message "Could not retrieve the schedule for {$($request.PrincipalId)} & RoleDefinitionId {$RoleDefinitionId}"
 }
- if ($null -eq $request)
- {
- Write-Verbose -Message "Could not request the schedule for {$RoleDefinition}"
- }
 return $nullResult
 }
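Review bot: `$request` is no longer assigned anywhere this diff shows — every assignment in the previous hunk and in this one was renamed to `$schedule` — yet the filter `"PrincipalId eq '$($request.PrincipalId)'"` in the new `if ($null -eq $schedule)` block still reads it, so the filter now expands to `PrincipalId eq ''` (and throws under `Set-StrictMode`); the `Could not retrieve the schedule for {$($request.PrincipalId)}` message in the next hunk carries the same stale reference. Both should use `$PrincipalInstance.Id`, which is what the new custom-role loop already filters on. That fallback block also looks unreachable as written, since the branch above it either assigns `$schedule` or returns, which in turn leaves `$schedules` unassigned for the `foreach ($instance in $schedules)` that follows. Separately, the new filter strings interpolate `$DirectoryScopeId` and `$PrincipalInstance.Id` into OData without escaping, so a value containing a single quote produces a malformed or differently-scoped query; doubling the quote (`-replace "'", "''"`) before interpolation keeps the filter well-formed. Get-TargetResource begins and ends outside this hunk.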
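Review bot: The inner `if ($null -eq $schedule)` at the top of this block now repeats the enclosing condition verbatim, since the `-or $null -eq $request` half of the outer test was dropped, so the nested check is dead and the block can collapse to the Write-Verbose followed by `return $nullResult`. The function continues past the end of this hunk.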
@@ -224,12 +245,12 @@
 Principal = $PrincipalValue
 PrincipalType = $PrincipalType
 RoleDefinition = $RoleDefinition
- DirectoryScopeId = $request.DirectoryScopeId
- AppScopeId = $request.AppScopeId
- Action = $request.Action
- Id = $request.Id
- Justification = $request.Justification
- IsValidationOnly = $request.IsValidationOnly
+ DirectoryScopeId = $schedule.DirectoryScopeId
+ AppScopeId = $schedule.AppScopeId
+ Action = $schedule.Action
+ Id = $schedule.Id
+ Justification = $schedule.Justification
+ IsValidationOnly = $schedule.IsValidationOnly
 ScheduleInfo = $ScheduleInfoValue
 Ensure = 'Present'
 Credential = $Credential
@@ -599,7 +620,10 @@ function Test-TargetResource
 return $false
 }
 }
- $ValuesToCheck.Remove('ScheduleInfo') | Out-Null
+ $ValuesToCheck.Remove('ScheduleInfo') | Out-Null
+ $ValuesToCheck.Remove('Action') | Out-Null
+ $ValuesToCheck.Remove('IsValidationOnly') | Out-Null
+ $ValuesToCheck.Remove('Justification') | Out-Null
 Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
 Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
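Review bot: Dropping Action, IsValidationOnly and Justification from `$ValuesToCheck` means drift in those three parameters is never reported any more, and nothing in the diff records why; the CHANGELOG entry above only mentions the custom-role mapping. A comment next to the new Remove calls such as `# Action, IsValidationOnly and Justification are request-time values that the eligibility schedule returned by Get-TargetResource does not carry, so they cannot be compared for drift.` would capture the reason — assuming that is the motivation, which the Get-TargetResource hunks suggest but do not state. The CHANGELOG entry should mention the change in drift evaluation as well, since it alters what Test-TargetResource reports to users. Test-TargetResource begins before this hunk and continues after it.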