Merge branch 'Dev' into fix-aadrolesetting-displayname

FabienTschanz · Feb 14, 2024 · cf20db3 · cf20db3
2 parents 51b92a1 + 3c83f2f
commit cf20db3
Show file tree

Hide file tree

Showing 9 changed files with 238 additions and 122 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,12 +2,20 @@
 
 # UNRELEASED
 
+* AADConditionalAccessPolicy
+  * Removed invalid empty string value that was added to the validate set
+    of two parameters.
+  * Updated permission reference for app-onlzy authentication.
+    FIXES [[#3329](https://github.com/microsoft/Microsoft365DSC/issues/3329)]
 * AADRoleEligibilityScheduleRequest
   * Fixed an issue where an error was thrown if no requests were found instead
     of simply returning the Null object.
 * AADRoleSetting
   * Fix handling of DisplayName property in comparison
     FIXES [#4019](https://github.com/microsoft/Microsoft365DSC/issues/4019)
+* AADUser
+  * Fixed and issue where an user would be created even if the resrouce was set to absent.
+    FIXES [[#4265](https://github.com/microsoft/Microsoft365DSC/issues/4265)]
 * EXOMobileDeviceMailboxPolicy
   * Fixes an issue where an empty MinPasswordLength value was always passed down
     to the update logic flow.
@@ -28,6 +36,15 @@
   * Fix typo in variable which made it export incorrectly and report that
     resource was not in correct state due to testing an incorrect value
     FIXES [#3972](https://github.com/microsoft/Microsoft365DSC/issues/3972)
+* IntuneSettingCatalogASRRulesPolicyWindows10
+  * Fix removal of resource if Identity comes from another tenant or is not
+    present in blueprint
+  * Fix Test-TargetResource by not comparing Identity since it might be from
+    another tenant or not present in blueprint
+  FIXES [#4302](https://github.com/microsoft/Microsoft365DSC/issues/4302)
+* SPOSharingSettings
+  * Fixed an issue where the resource would return multiple sites.
+    FIXES [#2759](https://github.com/microsoft/Microsoft365DSC/issues/2759)
 * DEPENDENCIES
   * Updated DSCParser to version 1.4.0.2.
   * Updated Microsoft.Graph dependencies to version 2.13.1.
@@ -37,6 +54,7 @@
     * Fix nested change detection for CIMInstances
     * Fix IntuneDeviceEnrolllmentPlatformRestriction comparison in report
       FIXES [#4291](https://github.com/microsoft/Microsoft365DSC/issues/4291)
+  * Added new QA test to check for missing description in resource schema
 
 # 1.24.207.2
 

diff --git a/...t365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 b/...t365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1
@@ -71,7 +71,7 @@ function Get-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('', 'all', 'enumerated', 'unknownFutureValue')]
+        [ValidateSet('all', 'enumerated', 'unknownFutureValue')]
         $IncludeExternalTenantsMembershipKind,
 
         [Parameter()]
@@ -85,7 +85,7 @@ function Get-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('', 'all', 'enumerated', 'unknownFutureValue')]
+        [ValidateSet('all', 'enumerated', 'unknownFutureValue')]
         $ExcludeExternalTenantsMembershipKind,
 
         [Parameter()]
@@ -755,7 +755,7 @@ function Set-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('', 'all', 'enumerated', 'unknownFutureValue')]
+        [ValidateSet('all', 'enumerated', 'unknownFutureValue')]
         $IncludeExternalTenantsMembershipKind,
 
         [Parameter()]
@@ -769,7 +769,7 @@ function Set-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('', 'all', 'enumerated', 'unknownFutureValue')]
+        [ValidateSet('all', 'enumerated', 'unknownFutureValue')]
         $ExcludeExternalTenantsMembershipKind,
 
         [Parameter()]
@@ -1738,7 +1738,7 @@ function Test-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('', 'all', 'enumerated', 'unknownFutureValue')]
+        [ValidateSet('all', 'enumerated', 'unknownFutureValue')]
         $IncludeExternalTenantsMembershipKind,
 
         [Parameter()]
@@ -1752,7 +1752,7 @@ function Test-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('', 'all', 'enumerated', 'unknownFutureValue')]
+        [ValidateSet('all', 'enumerated', 'unknownFutureValue')]
         $ExcludeExternalTenantsMembershipKind,
 
         [Parameter()]

diff --git a/...C/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof b/...C/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof
@@ -16,10 +16,10 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
     [Write, Description("AAD Admin Roles in scope of the Policy.")] String IncludeRoles[];
     [Write, Description("AAD Admin Roles out of scope of the Policy.")] String ExcludeRoles[];
     [Write, Description("Represents the Included internal guests or external user types. This is a multi-valued property. Supported values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, OtherExternalUser, serviceProvider and unknownFutureValue."), ValueMap{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}, Values{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}] String IncludeGuestOrExternalUserTypes[];
-    [Write, Description("Represents the Included Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type."), ValueMap{"","all","enumerated","unknownFutureValue"}, Values{"","all","enumerated","unknownFutureValue"}] String IncludeExternalTenantsMembershipKind;
+    [Write, Description("Represents the Included Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type."), ValueMap{"all","enumerated","unknownFutureValue"}, Values{"all","enumerated","unknownFutureValue"}] String IncludeExternalTenantsMembershipKind;
     [Write, Description("Represents the Included collection of tenant ids in the scope of Conditional Access for guests and external users policy targeting.")] String IncludeExternalTenantsMembers[];
     [Write, Description("Represents the Excluded internal guests or external user types. This is a multi-valued property. Supported values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, OtherExternalUser, serviceProvider and unknownFutureValue."), ValueMap{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}, Values{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}] String ExcludeGuestOrExternalUserTypes[];
-    [Write, Description("Represents the Excluded Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type."), ValueMap{"","all","enumerated","unknownFutureValue"}, Values{"","all","enumerated","unknownFutureValue"}] String ExcludeExternalTenantsMembershipKind;
+    [Write, Description("Represents the Excluded Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type."), ValueMap{"all","enumerated","unknownFutureValue"}, Values{"all","enumerated","unknownFutureValue"}] String ExcludeExternalTenantsMembershipKind;
     [Write, Description("Represents the Excluded collection of tenant ids in the scope of Conditional Access for guests and external users policy targeting.")] String ExcludeExternalTenantsMembers[];
     [Write, Description("Client Device Platforms in scope of the Policy.")] String IncludePlatforms[];
     [Write, Description("Client Device Platforms out of scope of the Policy.")] String ExcludePlatforms[];

diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/settings.json
@@ -52,16 +52,46 @@
             },
             "application": {
                 "read": [
+                    {
+                        "name": "Agreement.Read.All"
+                    },
+                    {
+                        "name": "Application.Read.All"
+                    },
+                    {
+                        "name": "Group.Read.All"
+                    },
                     {
                         "name": "Policy.Read.All"
+                    },
+                    {
+                        "name": "RoleManagement.Read.Directory"
+                    },
+                    {
+                        "name": "User.Read.All"
                     }
                 ],
                 "update": [
+                    {
+                        "name": "Agreement.Read.All"
+                    },
                     {
                         "name": "Application.Read.All"
                     },
+                    {
+                        "name": "Group.Read.All"
+                    },
+                    {
+                        "name": "Policy.Read.All"
+                    },
                     {
                         "name": "Policy.ReadWrite.ConditionalAccess"
+                    },
+                    {
+                        "name": "RoleManagement.Read.Directory"
+                    },
+                    {
+                        "name": "User.Read.All"
                     }
                 ]
             }

diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1
@@ -180,8 +180,8 @@ function Get-TargetResource
         }
         else
         {
-            Write-Verbose -Message "Retrieving user from the exported instances"
-            $user = $Script:M365DSCExportInstances | Where-Object -FilterScript {$_.UserPrincipalName -eq $UserPrincipalName}
+            Write-Verbose -Message 'Retrieving user from the exported instances'
+            $user = $Script:M365DSCExportInstances | Where-Object -FilterScript { $_.UserPrincipalName -eq $UserPrincipalName }
         }
 
         Write-Verbose -Message "Found User $($UserPrincipalName)"
@@ -193,7 +193,7 @@ function Get-TargetResource
         }
 
         # return membership of static groups only
-        [array]$currentMemberOf = (Get-MgUserMemberOfAsGroup -UserId $UserPrincipalName -All | Where-Object -FilterScript {$_.GroupTypes -notcontains 'DynamicMembership'}).DisplayName
+        [array]$currentMemberOf = (Get-MgUserMemberOfAsGroup -UserId $UserPrincipalName -All | Where-Object -FilterScript { $_.GroupTypes -notcontains 'DynamicMembership' }).DisplayName
 
         $userPasswordPolicyInfo = $user | Select-Object UserprincipalName, @{
             N = 'PasswordNeverExpires'; E = { $_.PasswordPolicies -contains 'DisablePasswordExpiration' }
@@ -204,7 +204,7 @@ function Get-TargetResource
         {
             $Script:allDirectoryRoleAssignment = Get-MgBetaRoleManagementDirectoryRoleAssignment -All
         }
-        $assignedRoles = $Script:allDirectoryRoleAssignment | Where-Object -FilterScript {$_.PrincipalId -eq $user.Id}
+        $assignedRoles = $Script:allDirectoryRoleAssignment | Where-Object -FilterScript { $_.PrincipalId -eq $user.Id }
 
         $rolesValue = @()
         if ($null -eq $Script:allAssignedRoles -and $assignedRoles.Length -gt 0)
@@ -213,7 +213,7 @@ function Get-TargetResource
         }
         foreach ($assignedRole in $assignedRoles)
         {
-            $currentRoleInfo = $Script:allAssignedRoles | Where-Object -FilterScript {$_.Id -eq $assignedRole.RoleDefinitionId}
+            $currentRoleInfo = $Script:allAssignedRoles | Where-Object -FilterScript { $_.Id -eq $assignedRole.RoleDefinitionId }
             $rolesValue += $currentRoleInfo.DisplayName
         }
 
@@ -418,7 +418,7 @@ function Set-TargetResource
         Write-Verbose -Message "Removing User {$UserPrincipalName}"
         Remove-MgUser -UserId $UserPrincipalName
     }
-    else
+    elseif ($Ensure -eq 'Present')
     {
         $PasswordPolicies = $null
         if ($PasswordNeverExpires)
@@ -498,7 +498,7 @@ function Set-TargetResource
 
             if ($null -ne $Password)
             {
-                Write-Verbose -Message "PasswordProfile property will not be updated"
+                Write-Verbose -Message 'PasswordProfile property will not be updated'
             }
 
             $CreationParams.Add('UserId', $UserPrincipalName)
@@ -584,20 +584,20 @@ function Set-TargetResource
                     if ($null -eq $group)
                     {
                         New-M365DSCLogEntry -Message 'Error updating data:' `
-                        -Exception "Attempting to add a user to a group that doesn't exist" `
-                        -Source $($MyInvocation.MyCommand.Source) `
-                        -TenantId $TenantId `
-                        -Credential $Credential
+                            -Exception "Attempting to add a user to a group that doesn't exist" `
+                            -Source $($MyInvocation.MyCommand.Source) `
+                            -TenantId $TenantId `
+                            -Credential $Credential
 
                         throw "Group '$memberOfGroup' does not exist in tenant"
                     }
                     if ($group.GroupTypes -contains 'DynamicMembership')
                     {
                         New-M365DSCLogEntry -Message 'Error updating data:' `
-                        -Exception "Attempting to add a user to a dynamic group" `
-                        -Source $($MyInvocation.MyCommand.Source) `
-                        -TenantId $TenantId `
-                        -Credential $Credential
+                            -Exception 'Attempting to add a user to a dynamic group' `
+                            -Source $($MyInvocation.MyCommand.Source) `
+                            -TenantId $TenantId `
+                            -Credential $Credential
 
                         throw "Cannot add user $UserPrincipalName to group '$memberOfGroup' because it is a dynamic group"
                     }
@@ -615,20 +615,20 @@ function Set-TargetResource
                         if ($null -eq $group)
                         {
                             New-M365DSCLogEntry -Message 'Error updating data:' `
-                            -Exception "Attempting to add a user to a group that doesn't exist" `
-                            -Source $($MyInvocation.MyCommand.Source) `
-                            -TenantId $TenantId `
-                            -Credential $Credential
+                                -Exception "Attempting to add a user to a group that doesn't exist" `
+                                -Source $($MyInvocation.MyCommand.Source) `
+                                -TenantId $TenantId `
+                                -Credential $Credential
 
                             throw "Group '$($_.InputObject)' does not exist in tenant"
                         }
                         if ($group.GroupTypes -contains 'DynamicMembership')
                         {
                             New-M365DSCLogEntry -Message 'Error updating data:' `
-                            -Exception "Attempting to add a user to a dynamic group" `
-                            -Source $($MyInvocation.MyCommand.Source) `
-                            -TenantId $TenantId `
-                            -Credential $Credential
+                                -Exception 'Attempting to add a user to a dynamic group' `
+                                -Source $($MyInvocation.MyCommand.Source) `
+                                -TenantId $TenantId `
+                                -Credential $Credential
 
                             throw "Cannot add user $UserPrincipalName to group '$($_.InputObject)' because it is a dynamic group"
                         }
@@ -914,7 +914,8 @@ function Export-TargetResource
             Property    = $propertiesToRetrieve
             ErrorAction = 'Stop'
         }
-        if ($Filter -like "*endsWith*") {
+        if ($Filter -like '*endsWith*')
+        {
             $ExportParameters.Add('CountVariable', 'count')
             $ExportParameters.Add('ConsistencyLevel', 'eventual')
         }

diff --git a/...ttingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 b/...ttingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1
@@ -183,7 +183,14 @@ function Get-TargetResource
     try
     {
         #Retrieve policy general settings
-        $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ErrorAction silentlyContinue
+        try
+        {
+            $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ErrorAction Stop
+        }
+        catch
+        {
+            $policy = $null
+        }
 
         if ($null -eq $policy)
         {
@@ -453,13 +460,7 @@ function Set-TargetResource
     #endregion
 
     $currentPolicy = Get-TargetResource @PSBoundParameters
-    $PSBoundParameters.Remove('Ensure') | Out-Null
-    $PSBoundParameters.Remove('Credential') | Out-Null
-    $PSBoundParameters.Remove('ApplicationId') | Out-Null
-    $PSBoundParameters.Remove('TenantId') | Out-Null
-    $PSBoundParameters.Remove('ApplicationSecret') | Out-Null
-    $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null
-    $PSBoundParameters.Remove('ManagedIdentity') | Out-Null
+    $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
 
     $templateReferenceId = 'e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1'
 
@@ -533,7 +534,7 @@ function Set-TargetResource
     elseif ($Ensure -eq 'Absent' -and $currentPolicy.Ensure -eq 'Present')
     {
         Write-Verbose -Message "Removing Endpoint Protection Attack Surface Protection rules Policy {$DisplayName}"
-        Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity
+        Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentPolicy.Identity
     }
 }
 
@@ -709,15 +710,12 @@ function Test-TargetResource
     Write-Verbose -Message "Testing configuration of Endpoint Protection Attack Surface Protection rules Policy {$DisplayName}"
 
     $CurrentValues = Get-TargetResource @PSBoundParameters
+    $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
+    $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck
+    $ValuesToCheck.Remove('Identity') | Out-Null
 
     Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
-    Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"
-
-    $ValuesToCheck = $PSBoundParameters
-    $ValuesToCheck.Remove('Credential') | Out-Null
-    $ValuesToCheck.Remove('ApplicationId') | Out-Null
-    $ValuesToCheck.Remove('TenantId') | Out-Null
-    $ValuesToCheck.Remove('ApplicationSecret') | Out-Null
+    Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
 
     if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure)
     {

diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.psm1
@@ -520,7 +520,7 @@ function Set-TargetResource
     Set-PnPTenant @CurrentParameters | Out-Null
     if ($SetMySharingCapability)
     {
-        $mysite = Get-PnPTenantSite | Where-Object { $_.Url -match '-my.sharepoint.com/' }
+        $mysite = Get-PnPTenantSite | Where-Object { $_.Url -match '-my.sharepoint.com/' -and $_.Template -notmatch '^RedirectSite#' }
         Set-PnPTenantSite -Identity $mysite.Url -SharingCapability $MySiteSharingCapability
     }
 }