Merge pull request #3121 from adrianvb/issue-3093

Fix #3093
microsoft · Apr 12, 2023 · 2ffcedc · 2ffcedc
2 parents a0ada07 + 054fd03
commit 2ffcedc
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 33 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -57,6 +57,8 @@
   * [BREAKING CHANGE] Remove deprecated parameter PreferredDataLocation* EXOAntiPhishPolicy
   * [BREAKING CHANGE] Remove deprecated parameters EnableAntispoofEnforcement and
     TargetedDomainProtectionAction
+  * Password property will only used with New-MgUser and ignored for updates
+    FIXES [#3093](https://github.com/microsoft/Microsoft365DSC/issues/3093)
 * EXOGroupSettings
   * Initial Release
     FIXES [#3089](https://github.com/microsoft/Microsoft365DSC/issues/3089)

diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1
@@ -462,51 +462,58 @@ function Set-TargetResource
         }
         #endregion
 
-        if ($null -ne $Password)
+        if ($null -ne $user.UserPrincipalName)
         {
-            $passwordValue = $Password.GetNetworkCredential().Password
+            Write-Verbose -Message "Updating Office 365 User $UserPrincipalName Information"
+
+            if ($null -ne $Password)
+            {
+                Write-Verbose -Message "PasswordProfile property will not be updated"
+            }
+
+            $CreationParams.Add('UserId', $UserPrincipalName)
+            Update-MgUser @CreationParams
         }
         else
         {
-            try
+
+            if ($null -ne $Password)
             {
-                # This only works in PowerShell 5.1
-                $passwordValue = [System.Web.Security.Membership]::GeneratePassword(30, 2)
+                $passwordValue = $Password.GetNetworkCredential().Password
             }
-            catch
+            else
             {
-                $TokenSet = @{
-                    U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-                    L = [Char[]]'abcdefghijklmnopqrstuvwxyz'
-                    N = [Char[]]'0123456789'
-                    S = [Char[]]'!"#$%&''()*+,-./:;<=>?@[\]^_`{|}~'
+                if ($PSVersionTable.PSVersion.Major -eq 5)
+                {
+                    Add-Type -AssemblyName System.Web
+                    $passwordValue = [System.Web.Security.Membership]::GeneratePassword(30, 2)
                 }
+                else
+                {
+                    $TokenSet = @{
+                        U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+                        L = [Char[]]'abcdefghijklmnopqrstuvwxyz'
+                        N = [Char[]]'0123456789'
+                        S = [Char[]]'!"#$%&''()*+,-./:;<=>?@[\]^_`{|}~'
+                    }
 
-                $Upper = Get-Random -Count 5 -InputObject $TokenSet.U
-                $Lower = Get-Random -Count 5 -InputObject $TokenSet.L
-                $Number = Get-Random -Count 5 -InputObject $TokenSet.N
-                $Special = Get-Random -Count 5 -InputObject $TokenSet.S
+                    $Upper = Get-Random -Count 8 -InputObject $TokenSet.U
+                    $Lower = Get-Random -Count 8 -InputObject $TokenSet.L
+                    $Number = Get-Random -Count 8 -InputObject $TokenSet.N
+                    $Special = Get-Random -Count 8 -InputObject $TokenSet.S
 
-                $StringSet = $Upper + $Lower + $Number + $Special
+                    $StringSet = $Upper + $Lower + $Number + $Special
 
-                $stringPassword = (Get-Random -Count 15 -InputObject $StringSet) -join ''
-                $passwordValue = ConvertTo-SecureString $stringPassword -AsPlainText -Force
+                    $stringPassword = (Get-Random -Count 30 -InputObject $StringSet) -join ''
+                    $passwordValue = ConvertTo-SecureString $stringPassword -AsPlainText -Force
+                }
             }
-        }
 
-        $PasswordProfile = @{
-            Password = $passwordValue
-        }
-        $CreationParams.Add('PasswordProfile', $PasswordProfile)
+            $PasswordProfile = @{
+                Password = $passwordValue
+            }
+            $CreationParams.Add('PasswordProfile', $PasswordProfile)
 
-        if ($user.UserPrincipalName)
-        {
-            Write-Verbose -Message "Updating Office 365 User $UserPrincipalName Information"
-            $CreationParams.Add('UserId', $UserPrincipalName)
-            Update-MgUser @CreationParams
-        }
-        else
-        {
             Write-Verbose -Message "Creating Office 365 User $UserPrincipalName"
             $CreationParams.Add('AccountEnabled', $true)
             $CreationParams.Add('MailNickName', $UserPrincipalName.Split('@')[0])

diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof
@@ -8,7 +8,7 @@ class MSFT_AADUser : OMI_BaseResource
     [Write, Description("The list of Azure Active Directory roles assigned to the user.")] String Roles[];
     [Write, Description("The country code the user will be assigned to")] String UsageLocation;
     [Write, Description("The account SKU Id for the license to be assigned to the user")] String LicenseAssignment[];
-    [Write, Description("The password for the account. The parameter is a PSCredential object, but only the Password component will be used"), EmbeddedInstance("MSFT_Credential")] String Password;
+    [Write, Description("The password for the account. The parameter is a PSCredential object, but only the Password component will be used. If Password is not supplied for a new resource a new random password will be generated. Property will only be used when creating the user and not on subsequent updates."), EmbeddedInstance("MSFT_Credential")] String Password;
     [Write, Description("The City name of the user")] String City;
     [Write, Description("The Country name of the user")] String Country;
     [Write, Description("The Department name of the user")] String Department;

diff --git a/docs/docs/resources/azure-ad/AADUser.md b/docs/docs/resources/azure-ad/AADUser.md
@@ -11,7 +11,7 @@
 | **Roles** | Write | StringArray[] | The list of Azure Active Directory roles assigned to the user. | |
 | **UsageLocation** | Write | String | The country code the user will be assigned to | |
 | **LicenseAssignment** | Write | StringArray[] | The account SKU Id for the license to be assigned to the user | |
-| **Password** | Write | PSCredential | The password for the account. The parameter is a PSCredential object, but only the Password component will be used | |
+| **Password** | Write | PSCredential | The password for the account. The parameter is a PSCredential object, but only the Password component will be used. If Password is not supplied for a new resource a new random password will be generated. Property will only be used when creating the user and not on subsequent updates. | |
 | **City** | Write | String | The City name of the user | |
 | **Country** | Write | String | The Country name of the user | |
 | **Department** | Write | String | The Department name of the user | |