Merge branch 'Dev' into fix-dsc-report

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 # UNRELEASED
 
+* MISC
+  * M365DSCReport
+    * Fix nested change detection for CIMInstances
+    * Fix IntuneDeviceEnrolllmentPlatformRestriction comparison in report
+
+# 1.24.124.1
+
 * AADAuthenticationMethodPolicyAuthenticator
   * Remove the logic path to create a new instance in favor of the update flow.
 * AADAuthenticationMethodPolicyEmail
@@ -33,6 +40,10 @@
     QueryString and Characteristic parameters.
 * EXOAddressList
   * Fixed an issue trying to create a new instance when DisplayName is empty.
+* EXOApplicationAccessPolicy
+  * Changed the logic to retrieve existing instances based on Scope.
+* EXODataClassification
+  * DEPRECATED Resource.
 * SCAutoSensitivityLabelRule
   * Correct export indentation, which caused an issue with report conversion to JSON.
     FIXES [[#4240](https://github.com/microsoft/Microsoft365DSC/issues/4240)]
@@ -70,15 +81,18 @@
 * TeamsFilesPolicy
   * Fix condition when resource is absent
     FIXES [#4225](https://github.com/microsoft/Microsoft365DSC/issues/4225)
+* TeamsGroupPolicyAssignment
+  * Ensure assignment can still be created if GroupId is not found by trying to
+    search by DisplayName afterwards
+    FIXES [#4248](https://github.com/microsoft/Microsoft365DSC/issues/4248)
 * TeamsMeetingBroadcastPolicy
   * Fix deletion of resource
     FIXES [#4231](https://github.com/microsoft/Microsoft365DSC/issues/4231)
+* TeamsMobilityPolicy
+  * Validate string set on parameter MobileDialerPreference
 * DEPENDENCIES
   * Updated Microsoft.Graph dependencies to version 2.12.0.
-* MISC
-  * M365DSCReport
-    * Fix nested change detection for CIMInstances
-    * Fix IntuneDeviceEnrolllmentPlatformRestriction comparison in report
+  * Updated MicrosoftTeams dependencies to version 5.9.0.
 
 # 1.24.117.1
 

Modules/Microsoft365DSC/DSCResources/MSFT_EXOApplicationAccessPolicy/MSFT_EXOApplicationAccessPolicy.psm1

@@ -89,20 +89,45 @@ function Get-TargetResource
 
     try
     {
+        $ApplicationAccessPolicy = $null
         try
         {
-            $AllApplicationAccessPolicies = Get-ApplicationAccessPolicy -ErrorAction Stop
+            [Array]$ApplicationAccessPolicy = Get-ApplicationAccessPolicy -Identity $Identity -ErrorAction Stop
+            Write-Verbose -Message "Found policy by Identity {$Identity}"
         }
         catch
         {
-            if ($_.Exception -like "The operation couldn't be performed because object*")
+            Write-Verbose -Message "Could not find policy by Identity {$Identity}"
+        }
+
+        $ScopeIdentityValue = $null
+        if ($null -eq $ApplicationAccessPolicy)
+        {
+            $scopeIdentityGroup = $null
+            try
             {
-                Write-Verbose 'Could not obtain Application Access Policies for Tenant'
-                return $nullReturn
+                $scopeIdentityGroup = Get-Group -Identity $PolicyScopeGroupId -ErrorAction Stop
+            }
+            catch
+            {
+                Write-Verbose -Message "Could not find Group with Identity {$PolicyScopeGroupId}"
+            }
+
+            if ($null -ne $scopeIdentityGroup)
+            {
+                $ScopeIdentityValue = $scopeIdentityGroup.WindowsEmailAddress
+                $ApplicationAccessPolicy = Get-ApplicationAccessPolicy | Where-Object -FilterScript { $AppID -eq $_.AppId -and $_.ScopeIdentity -eq $scopeIdentityGroup }
             }
-        }
 
-        $ApplicationAccessPolicy = $AllApplicationAccessPolicies | Where-Object -FilterScript { $_.Identity -eq $Identity }
+            if ($null -ne $ApplicationAccessPolicy)
+            {
+                Write-Verbose -Message "Found Application Access Policy by Scope {$PolicyScopeGroupId}"
+            }
+        }
+        else
+        {
+            $ScopeIdentityValue = $ApplicationAccessPolicy.ScopeIdentity
+        }
 
         if ($null -eq $ApplicationAccessPolicy)
         {
@@ -111,11 +136,12 @@ function Get-TargetResource
         }
         else
         {
+            $ApplicationAccessPolicy = $ApplicationAccessPolicy[0]
             $result = @{
                 Identity              = $ApplicationAccessPolicy.Identity
                 AccessRight           = $ApplicationAccessPolicy.AccessRight
                 AppID                 = $ApplicationAccessPolicy.AppID
-                PolicyScopeGroupId    = $ApplicationAccessPolicy.ScopeIdentity
+                PolicyScopeGroupId    = $ScopeIdentityValue
                 Description           = $ApplicationAccessPolicy.Description
                 Ensure                = 'Present'
                 Credential            = $Credential
@@ -127,7 +153,7 @@ function Get-TargetResource
                 TenantId              = $TenantId
             }
 
-            Write-Verbose -Message "Found Application Access Policy $($Identity)"
+            Write-Verbose -Message "Found Application Access Policy {$($Identity)}"
             return $result
         }
     }
@@ -231,7 +257,7 @@ function Set-TargetResource
     }
 
     $SetApplicationAccessPolicyParams = @{
-        Identity    = $Identity
+        Identity    = $currentApplicationAccessPolicyConfig.Identity
         Description = $Description
         Confirm     = $false
     }
@@ -253,16 +279,18 @@ function Set-TargetResource
     # CASE: Application Access Policy exists and it should, but Description attribute has different values than desired (Set-ApplicationAccessPolicy is only able to change description attribute)
     elseif ($Ensure -eq 'Present' -and $currentApplicationAccessPolicyConfig.Ensure -eq 'Present' -and $currentApplicationAccessPolicyConfig.Description -ne $Description)
     {
-        Write-Verbose -Message "Application Access Policy '$($Identity)' already exists, but needs updating."
-        Write-Verbose -Message "Setting Application Access Policy $($Identity) with values: $(Convert-M365DscHashtableToString -Hashtable $SetApplicationAccessPolicyParams)"
+        Write-Verbose -Message "Application Access Policy '$($currentApplicationAccessPolicyConfig.Identity)' already exists, but needs updating."
+        Write-Verbose -Message "Setting Application Access Policy $($currentApplicationAccessPolicyConfig.Identity) with values: $(Convert-M365DscHashtableToString -Hashtable $SetApplicationAccessPolicyParams)"
         Set-ApplicationAccessPolicy @SetApplicationAccessPolicyParams
     }
     # CASE: Application Access Policy exists and it should, but has different values than the desired one
     # Set-ApplicationAccessPolicy is only able to change description attribute, therefore re-create policy
     elseif ($Ensure -eq 'Present' -and $currentApplicationAccessPolicyConfig.Ensure -eq 'Present' -and $currentApplicationAccessPolicyConfig.Description -eq $Description)
     {
-        Write-Verbose -Message "Re-create Application Access Policy '$($Identity)'"
-        Remove-ApplicationAccessPolicy -Identity $Identity -Confirm:$false
+        Write-Verbose -Message "Re-create Application Access Policy '$($currentApplicationAccessPolicyConfig.Identity)'"
+        Remove-ApplicationAccessPolicy -Identity $currentApplicationAccessPolicyConfig.Identity -Confirm:$false
+        Write-Verbose -Message "Removing existing policy was successful"
+        Write-Verbose -Message "Creating new instance with parameters: $(Convert-M365DscHashtableToString -Hashtable $NewApplicationAccessPolicyParams)"
         New-ApplicationAccessPolicy @NewApplicationAccessPolicyParams
     }
 }
@@ -354,6 +382,7 @@ function Test-TargetResource
     $ValuesToCheck.Remove('CertificatePath') | Out-Null
     $ValuesToCheck.Remove('CertificatePassword') | Out-Null
     $ValuesToCheck.Remove('ManagedIdentity') | Out-Null
+    $ValuesToCheck.Remove('Identity') | Out-Null
 
     $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
         -Source $($MyInvocation.MyCommand.Source) `
@@ -487,4 +516,3 @@ function Export-TargetResource
 }
 
 Export-ModuleMember -Function *-TargetResource
-

Modules/Microsoft365DSC/DSCResources/MSFT_EXODataClassification/MSFT_EXODataClassification.psm1

@@ -242,19 +242,9 @@ function Set-TargetResource
     $DataClassificationParams.Remove('CertificatePassword') | Out-Null
     $DataClassificationParams.Remove('ManagedIdentity') | Out-Null
 
-
     if (('Present' -eq $Ensure ) -and ($null -eq $DataClassification))
     {
-        Write-Verbose -Message "Creating Data classification policy $($Identity)."
-        $DataClassificationParams.Remove('Identity') | Out-Null
-        $DataClassificationParams.Remove('IsDefault') | Out-Null
-        if (-Not [String]::IsNullOrEmpty($DataClassificationParams.Locale))
-        {
-            $DataClassificationParams.Locale = New-Object system.globalization.cultureinfo($DataClassificationParams.Locale)
-        }
-
-        New-DataClassification @DataClassificationParams
-        Write-Verbose -Message 'Data classification policy created successfully.'
+        Write-Verbose -Message "Data Classification in Exchange Online are now deprecated in favor of Sensitive Information Types in Security and Compliance."
     }
     elseif (('Present' -eq $Ensure ) -and ($Null -ne $DataClassification))
     {

Modules/Microsoft365DSC/DSCResources/MSFT_TeamsGroupPolicyAssignment/MSFT_TeamsGroupPolicyAssignment.psm1

@@ -66,39 +66,44 @@ function Get-TargetResource
 
     try
     {
-        if (-not [System.String]::IsNullOrEmpty($GroupId))
+        Write-Verbose -Message "Getting Group with Id {$GroupId}"
+        $Group = Find-CsGroup -SearchQuery $GroupId -ExactMatchOnly $true -ErrorAction SilentlyContinue
+
+        if ($null -eq $Group)
         {
-            Write-Verbose -Message "Getting GroupPolicyAssignment for {$GroupId}"
-            $group = Find-CsGroup -SearchQuery $GroupId -ErrorAction SilentlyContinue
-            if ($group.Length -gt 1)
+            Write-Verbose -Message "Could not find Group with Id {$GroupId}, searching with DisplayName {$GroupDisplayName}"
+            $Group = Find-CsGroup -SearchQuery $GroupDisplayName -ExactMatchOnly $true -ErrorAction SilentlyContinue
+
+            if ($null -eq $Group)
             {
-                Write-Verbose -Message "Found $($group.Length) groups with the id {$GroupId}"
-                $Group = $Group | Where-Object { $_.DisplayName -eq $GroupDisplayName }
+                Write-Verbose -Message "Could not find Group with DisplayName {$GroupDisplayName}"
+                return $nullReturn
             }
-        }
-        else
-        {
-            Write-Verbose -Message "Getting GroupPolicyAssignment for {$GroupDisplayName}"
-            $Group = Find-CsGroup -SearchQuery $GroupDisplayName -ErrorAction SilentlyContinue
-            if ($Group.Length -gt 1)
+
+            if ($Group -and $Group.Count -gt 1)
             {
-                Write-Verbose -Message "Found $($group.Length) groups with the name $GroupDisplayName"
-                $Group = $Group | Where-Object { $_.DisplayName -eq $GroupDisplayName }
+                Write-Verbose -Message "Found $($Group.Count) groups with DisplayName {$GroupDisplayName}"
+                $Group = $Group | Where-Object -FilterScript { $_.DisplayName -eq $GroupDisplayName }
+                if ($Group -and $Group.Count -gt 1)
+                {
+                    Write-Verbose -Message "Still found $($Group.Count) groups with DisplayName {$GroupDisplayName}"
+                    return $nullReturn
+                }
             }
         }
-        if ($null -eq $Group)
-        {
-            Write-Verbose -Message "Group not found for $GroupDisplayName"
-            return $nullReturn
-        }
+
+        Write-Verbose -Message "Getting GroupPolicyAssignment with PolicyType {$PolicyType} for Group {$($Group.DisplayName)}"
         $GroupPolicyAssignment = Get-CsGroupPolicyAssignment -GroupId $Group.Id -PolicyType $PolicyType -ErrorAction SilentlyContinue
         if ($null -eq $GroupPolicyAssignment)
         {
-            Write-Verbose -Message "GroupPolicyAssignment not found for $GroupDisplayName"
+            Write-Verbose -Message "GroupPolicyAssignment not found for Group {$GroupDisplayName}"
             $nullReturn.GroupId = $Group.Id
             return $nullReturn
         }
-        Write-Verbose -Message "Found GroupPolicyAssignment $($Group.Displayname) with PolicyType:$($GroupPolicyAssignment.PolicyType) and Policy Name:$($GroupPolicyAssignment.PolicyName)"
+
+        $Message = "Found GroupPolicyAssignment with PolicyType {$($GroupPolicyAssignment.PolicyType)}, " + `
+            "PolicyName {$($GroupPolicyAssignment.PolicyName)} and Priority {$($GroupPolicyAssignment.Priority)} for Group {$($Group.Displayname)}"
+        Write-Verbose -Message $Message
         return @{
             GroupId               = $Group.Id
             GroupDisplayName      = $Group.Displayname

Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMobilityPolicy/MSFT_TeamsMobilityPolicy.psm1

@@ -24,6 +24,7 @@ function Get-TargetResource
 
         [Parameter()]
         [System.String]
+        [ValidateSet('Teams', 'Native', 'UserOverride')]
         $MobileDialerPreference,
 
         [Parameter()]
@@ -125,6 +126,7 @@ function Set-TargetResource
 
         [Parameter()]
         [System.String]
+        [ValidateSet('Teams', 'Native', 'UserOverride')]
         $MobileDialerPreference,
 
         [Parameter()]
@@ -246,6 +248,7 @@ function Test-TargetResource
 
         [Parameter()]
         [System.String]
+        [ValidateSet('Teams', 'Native', 'UserOverride')]
         $MobileDialerPreference,
 
         [Parameter()]

Modules/Microsoft365DSC/DSCResources/MSFT_TeamsMobilityPolicy/MSFT_TeamsMobilityPolicy.schema.mof

@@ -5,7 +5,7 @@ class MSFT_TeamsMobilityPolicy : OMI_BaseResource
     [Write, Description("Enables administrators to provide explanatory text about the policy. For example, the Description might indicate the users the policy should be assigned to.")] String Description;
     [Write, Description("When set to WifiOnly, prohibits the user from making and receiving calls or joining meetings using VoIP calls on the mobile device while on a cellular data connection. Possible values are: WifiOnly, AllNetworks."), ValueMap{"WifiOnly","AllNetworks"}, Values{"WifiOnly","AllNetworks"}] String IPAudioMobileMode;
     [Write, Description("When set to WifiOnly, prohibits the user from making and receiving video calls or enabling video in meetings using VoIP calls on the mobile device while on a cellular data connection. Possible values are: WifiOnly, AllNetworks."), ValueMap{"WifiOnly","AllNetworks"}, Values{"WifiOnly","AllNetworks"}] String IPVideoMobileMode;
-    [Write, Description("N/A")] String MobileDialerPreference;
+    [Write, Description("Determines the mobile dialer preference, possible values are: Teams, Native, UserOverride."), ValueMap{"Teams","Native","UserOverride"}, Values{"Teams","Native","UserOverride"}] String MobileDialerPreference;
     [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
     [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
     [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;

Modules/Microsoft365DSC/Dependencies/Manifest.psd1

@@ -82,7 +82,7 @@
         },
         @{
             ModuleName      = 'MicrosoftTeams'
-            RequiredVersion = '5.8.0'
+            RequiredVersion = '5.9.0'
         },
         @{
             ModuleName      = "MSCloudLoginAssistant"

Modules/Microsoft365DSC/Examples/Resources/EXOApplicationAccessPolicy/1-Create.ps1

@@ -13,14 +13,15 @@ Configuration Example
     )
     Import-DscResource -ModuleName Microsoft365DSC
 
+    $Domain = $Credscredential.Username.Split('@')[1]
     node localhost
     {
         EXOApplicationAccessPolicy 'ConfigureApplicationAccessPolicy'
         {
-            Identity             = "Global"
+            Identity             = "Integration Policy"
             AccessRight          = "DenyAccess"
-            AppID                = @("3dbc2ae1-7198-45ed-9f9f-d86ba3ec35b5", "6ac794ca-2697-4137-8754-d2a78ae47d93")
-            PolicyScopeGroupId   = "Engineering Staff"
+            AppID                = '3dbc2ae1-7198-45ed-9f9f-d86ba3ec35b5'
+            PolicyScopeGroupId   = "IntegrationMailEnabled@$Domain"
             Description          = "Engineering Group Policy"
             Ensure               = "Present"
             Credential           = $Credscredential

Modules/Microsoft365DSC/Examples/Resources/EXOApplicationAccessPolicy/2-Update.ps1

@@ -13,14 +13,15 @@ Configuration Example
     )
     Import-DscResource -ModuleName Microsoft365DSC
 
+    $Domain = $Credscredential.Username.Split('@')[1]
     node localhost
     {
         EXOApplicationAccessPolicy 'ConfigureApplicationAccessPolicy'
         {
-            Identity             = "Global"
+            Identity             = "Integration Policy"
             AccessRight          = "DenyAccess"
-            AppID                = @("3dbc2ae1-7198-45ed-9f9f-d86ba3ec35b5", "6ac794ca-2697-4137-8754-d2a78ae47d93")
-            PolicyScopeGroupId   = "Engineering Staff"
+            AppID                = '3dbc2ae1-7198-45ed-9f9f-d86ba3ec35b5'
+            PolicyScopeGroupId   = "IntegrationMailEnabled@$Domain"
             Description          = "Engineering Group Policy Updated" # Updated Property
             Ensure               = "Present"
             Credential           = $Credscredential

Modules/Microsoft365DSC/Examples/Resources/EXOApplicationAccessPolicy/3-Remove.ps1

@@ -17,7 +17,8 @@ Configuration Example
     {
         EXOApplicationAccessPolicy 'ConfigureApplicationAccessPolicy'
         {
-            Identity             = "Global"
+            Identity             = "Integration Policy"
+            AppID                = '3dbc2ae1-7198-45ed-9f9f-d86ba3ec35b5'
             Ensure               = "Absent"
             Credential           = $Credscredential
         }

Modules/Microsoft365DSC/Examples/Resources/EXOAuthenticationPolicyAssignment/1-Create.ps1

@@ -3,7 +3,7 @@ Configuration Example
     param(
         [Parameter(Mandatory = $true)]
         [PSCredential]
-        $EXOAdmin
+        $Credscredential
     )
     Import-DscResource -ModuleName Microsoft365DSC
 
@@ -14,7 +14,7 @@ Configuration Example
             UserName                 = "AdeleV"
             AuthenticationPolicyName = "Block Basic Auth"
             Ensure                   = "Present"
-            Credential               = $EXOAdmin
+            Credential               = $Credscredential
         }
     }
 }

Modules/Microsoft365DSC/Examples/Resources/EXOAuthenticationPolicyAssignment/2-Update.ps1

@@ -3,18 +3,19 @@ Configuration Example
     param(
         [Parameter(Mandatory = $true)]
         [PSCredential]
-        $EXOAdmin
+        $Credscredential
     )
     Import-DscResource -ModuleName Microsoft365DSC
 
+    $Domain = $Credscredential.Username.Split('@')[1]
     node localhost
     {
         EXOAuthenticationPolicyAssignment 'ConfigureAuthenticationPolicyAssignment'
         {
             UserName                 = "AdeleV"
-            AuthenticationPolicyName = "Test Policy"
+            AuthenticationPolicyName = "Test Policy" # Updaqted Property
             Ensure                   = "Present"
-            Credential               = $EXOAdmin
+            Credential               = $Credscredential
         }
     }
 }