From 5e32b3953454d792720880e3db9555dd6c2b3b73 Mon Sep 17 00:00:00 2001
From: Adrian von Buttlar
Date: Thu, 30 Mar 2023 17:38:33 +0200
Subject: [PATCH 01/12] removed broken/duplicate configuration part
---
 .../2-CreateNewAdministrativeUnit.ps1 | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAdministrativeUnit/2-CreateNewAdministrativeUnit.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAdministrativeUnit/2-CreateNewAdministrativeUnit.ps1
index d09f4fdecc..b1ac3d9df3 100644
--- a/Modules/Microsoft365DSC/Examples/Resources/AADAdministrativeUnit/2-CreateNewAdministrativeUnit.ps1
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADAdministrativeUnit/2-CreateNewAdministrativeUnit.ps1
@@ -3,17 +3,6 @@ This example is used to test new resources and showcase the usage of new resourc
 It is not meant to use as a production baseline.
 #>
 
-Configuration Example
-{
- param
- (
- [Parameter(Mandatory = $true)]
- [PSCredential]
- $credsGlobalAdmin
- )
-
- Import-DscResource -ModuleName Microsoft365DSC
-
 Configuration Example
 {
 param
From b0ea99e2296061e88b4aed1c81fdc20e0f9e5e19 Mon Sep 17 00:00:00 2001
From: Adrian von Buttlar
Date: Sun, 2 Apr 2023 22:01:25 +0200
Subject: [PATCH 02/12] ignore password property when updating an exisiting user
---
 .../MSFT_AADUser/MSFT_AADUser.psm1 | 69 ++++++++++---------
 1 file changed, 38 insertions(+), 31 deletions(-)
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1
index 5c9c2d5426..6cbff99f90 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1
@@ -462,51 +462,58 @@ function Set-TargetResource } #endregion - if ($null -ne $Password) + if ($user.UserPrincipalName) { - $passwordValue = $Password.GetNetworkCredential().Password + Write-Verbose -Message "Updating Office 365 User $UserPrincipalName Information" + + if ($null -ne $Password) + { + Write-Verbose -Message "PasswordProfile property will not be updated" + } + + $CreationParams.Add('UserId', $UserPrincipalName) + Update-MgUser @CreationParams } else { - try + + if ($null -ne $Password) { - # This only works in PowerShell 5.1 - $passwordValue = [System.Web.Security.Membership]::GeneratePassword(30, 2) + $passwordValue = $Password.GetNetworkCredential().Password } - catch + else { - $TokenSet = @{ - U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ' - L = [Char[]]'abcdefghijklmnopqrstuvwxyz' - N = [Char[]]'0123456789' - S = [Char[]]'!"#$%&''()*+,-./:;<=>?@[\]^_`{|}~' + try + { + # This only works in PowerShell 5.1 + $passwordValue = [System.Web.Security.Membership]::GeneratePassword(30, 2) } + catch + { + $TokenSet = @{ + U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ' + L = [Char[]]'abcdefghijklmnopqrstuvwxyz' + N = [Char[]]'0123456789' + S = [Char[]]'!"#$%&''()*+,-./:;<=>?@[\]^_`{|}~' + } - $Upper = Get-Random -Count 5 -InputObject $TokenSet.U - $Lower = Get-Random -Count 5 -InputObject $TokenSet.L - $Number = Get-Random -Count 5 -InputObject $TokenSet.N - $Special = Get-Random -Count 5 -InputObject $TokenSet.S + $Upper = Get-Random -Count 5 -InputObject $TokenSet.U + $Lower = Get-Random -Count 5 -InputObject $TokenSet.L + $Number = Get-Random -Count 5 -InputObject $TokenSet.N + $Special = Get-Random -Count 5 -InputObject $TokenSet.S - $StringSet = $Upper + $Lower + $Number + $Special + $StringSet = $Upper + $Lower + $Number + $Special - $stringPassword = (Get-Random -Count 15 -InputObject $StringSet) -join '' - $passwordValue = ConvertTo-SecureString $stringPassword -AsPlainText -Force + $stringPassword = (Get-Random -Count 15 -InputObject $StringSet) -join '' + 
$passwordValue = ConvertTo-SecureString $stringPassword -AsPlainText -Force + } } - } - $PasswordProfile = @{ - Password = $passwordValue - } - $CreationParams.Add('PasswordProfile', $PasswordProfile) + $PasswordProfile = @{ + Password = $passwordValue + } + $CreationParams.Add('PasswordProfile', $PasswordProfile) - if ($user.UserPrincipalName) - { - Write-Verbose -Message "Updating Office 365 User $UserPrincipalName Information" - $CreationParams.Add('UserId', $UserPrincipalName) - Update-MgUser @CreationParams - } - else - { Write-Verbose -Message "Creating Office 365 User $UserPrincipalName" $CreationParams.Add('AccountEnabled', $true) $CreationParams.Add('MailNickName', $UserPrincipalName.Split('@')[0]) From a080340a4292af8a00c5b8d95790e0379c2303c2 Mon Sep 17 00:00:00 2001 From: Adrian von Buttlar Date: Sun, 2 Apr 2023 22:01:48 +0200 Subject: [PATCH 03/12] added note on password property usage --- docs/docs/resources/azure-ad/AADUser.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/resources/azure-ad/AADUser.md b/docs/docs/resources/azure-ad/AADUser.md index 41da535e54..cdfa5e0fdd 100644 --- a/docs/docs/resources/azure-ad/AADUser.md +++ b/docs/docs/resources/azure-ad/AADUser.md 
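Review bot: In the create branch of this hunk (the `else` after `if ($user.UserPrincipalName)`) the three ways of filling `$passwordValue` do not agree on type: `$Password.GetNetworkCredential().Password` and `[System.Web.Security.Membership]::GeneratePassword(30, 2)` both yield a plain string, while the catch path assigns the SecureString returned by `ConvertTo-SecureString $stringPassword -AsPlainText -Force`, and all three end up in `$PasswordProfile = @{ Password = $passwordValue }`. If New-MgUser expects a plain string in PasswordProfile (not verifiable from this hunk), the password set on the account in the fallback path would not be the one that was generated; the one-line fix is `$passwordValue = $stringPassword` so the hashtable is built identically on every path. These lines are carried forward unchanged by the later hunks in the series that touch them (the 15→30 and 5→8 count changes and the version check). Separately, the update branch only reports at verbose level that a supplied Password is being ignored; a `Write-Warning -Message "PasswordProfile property will not be updated"` would make an unapplied credential in the configuration visible to the operator. Set-TargetResource begins before and ends after this hunk.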
@@ -11,7 +11,7 @@
 | **Roles** | Write | StringArray[] | The list of Azure Active Directory roles assigned to the user. | |
 | **UsageLocation** | Write | String | The country code the user will be assigned to | |
 | **LicenseAssignment** | Write | StringArray[] | The account SKU Id for the license to be assigned to the user | |
-| **Password** | Write | PSCredential | The password for the account. The parameter is a PSCredential object, but only the Password component will be used | |
+| **Password** | Write | PSCredential | The password for the account. The parameter is a PSCredential object, but only the Password component will be used. Property will only be used when creating the user and not on subsequent updates. If password is not supplied for a new resource a new random password will be generated. | |
 | **City** | Write | String | The City name of the user | |
 | **Country** | Write | String | The Country name of the user | |
 | **Department** | Write | String | The Department name of the user | |
From eb157c6d5bb17cb16fa651c3e31e281e09bc1ba6 Mon Sep 17 00:00:00 2001
From: Adrian von Buttlar
Date: Sun, 2 Apr 2023 22:01:48 +0200
Subject: [PATCH 04/12] added note on password property usage
---
 docs/docs/resources/azure-ad/AADUser.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/docs/resources/azure-ad/AADUser.md b/docs/docs/resources/azure-ad/AADUser.md
index 41da535e54..b33fe966cd 100644
--- a/docs/docs/resources/azure-ad/AADUser.md
+++ b/docs/docs/resources/azure-ad/AADUser.md
@@ -11,7 +11,7 @@ | **Roles** | Write | StringArray[] | The list of Azure Active Directory roles assigned to the user. | | | **UsageLocation** | Write | String | The country code the user will be assigned to | | | **LicenseAssignment** | Write | StringArray[] | The account SKU Id for the license to be assigned to the user | | -| **Password** | Write | PSCredential | The password for the account. The parameter is a PSCredential object, but only the Password component will be used | | +| **Password** | Write | PSCredential | The password for the account. The parameter is a PSCredential object, but only the Password component will be used. If Password is not supplied for a new resource a new random password will be generated. Property will only be used when creating the user and not on subsequent updates. | | | **City** | Write | String | The City name of the user | | | **Country** | Write | String | The Country name of the user | | | **Department** | Write | String | The Department name of the user | | From 3fa08b29f3896692c5d69192bd672c3639c282b4 Mon Sep 17 00:00:00 2001 From: Adrian von Buttlar Date: Mon, 3 Apr 2023 08:56:17 +0200 Subject: [PATCH 05/12] entry for #3093: AADUser password property usage --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 78c9bb4f62..21bb04bced 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -41,6 +41,8 @@ * [BREAKING CHANGE] Remove deprecated parameter PreferredDataLocation* EXOAntiPhishPolicy * [BREAKING CHANGE] Remove deprecated parameters EnableAntispoofEnforcement and TargetedDomainProtectionAction + * Password property will only used with New-MgUser and ignored for updates + FIXES [#3093](https://github.com/microsoft/Microsoft365DSC/issues/3093) * EXOGroupSettings * Initial Release FIXES [#3089](https://github.com/microsoft/Microsoft365DSC/issues/3089) From 7d995d4ba74d92ecc2392fbdb7b944a94ed9717c Mon Sep 17 00:00:00 2001 
From: Adrian von Buttlar Date: Tue, 4 Apr 2023 09:33:41 +0200 Subject: [PATCH 06/12] add assembly in case password is generated, only for PowerShell v5 --- .../DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 index 6cbff99f90..f1aaedd3d7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 @@ -485,7 +485,8 @@ function Set-TargetResource { try { - # This only works in PowerShell 5.1 + # This only works in PowerShell 5. + Add-Type -AssemblyName System.Web $passwordValue = [System.Web.Security.Membership]::GeneratePassword(30, 2) } catch From 07bff5efa91ac797ac8c24a5e23f57a0a41dd852 Mon Sep 17 00:00:00 2001 From: Adrian von Buttlar Date: Tue, 4 Apr 2023 10:10:05 +0200 Subject: [PATCH 07/12] properly check for null values --- .../Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 index f1aaedd3d7..056bf2052e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 @@ -462,7 +462,7 @@ function Set-TargetResource } #endregion - if ($user.UserPrincipalName) + if ($null -ne $user.UserPrincipalName) { Write-Verbose -Message "Updating Office 365 User $UserPrincipalName Information" From 1ced50870243d5f858b8c0eca7d6c771ad5dd478 Mon Sep 17 00:00:00 2001 
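Review bot: `if ($null -ne $user.UserPrincipalName)` is not equivalent to the truthiness test it replaces: an empty string is now treated as an existing user, so the code proceeds to `$CreationParams.Add('UserId', $UserPrincipalName)` and `Update-MgUser` instead of creating the account. Whether the lookup that fills `$user` can ever return an object with an empty UPN cannot be confirmed from this hunk; `if (-not [string]::IsNullOrEmpty($user.UserPrincipalName))` keeps the explicit null handling the commit is after without that change in behaviour. Set-TargetResource continues outside the hunk on both sides.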
From: Adrian von Buttlar Date: Tue, 4 Apr 2023 10:10:39 +0200 Subject: [PATCH 08/12] generated password in PowerShell > v5 are now 30 chars long --- .../Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 index 056bf2052e..1b92df93a9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 @@ -505,7 +505,7 @@ function Set-TargetResource $StringSet = $Upper + $Lower + $Number + $Special - $stringPassword = (Get-Random -Count 15 -InputObject $StringSet) -join '' + $stringPassword = (Get-Random -Count 30 -InputObject $StringSet) -join '' $passwordValue = ConvertTo-SecureString $stringPassword -AsPlainText -Force } } From 8042fe84ade085831f02735d37578d0a3262bb3a Mon Sep 17 00:00:00 2001 From: Adrian von Buttlar Date: Tue, 4 Apr 2023 10:24:03 +0200 Subject: [PATCH 09/12] pick enough chars from the token sets to get a 30 char password --- .../DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 index 1b92df93a9..358e3844f8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 
@@ -498,10 +498,10 @@ function Set-TargetResource S = [Char[]]'!"#$%&''()*+,-./:;<=>?@[\]^_`{|}~' } - $Upper = Get-Random -Count 5 -InputObject $TokenSet.U - $Lower = Get-Random -Count 5 -InputObject $TokenSet.L - $Number = Get-Random -Count 5 -InputObject $TokenSet.N - $Special = Get-Random -Count 5 -InputObject $TokenSet.S + $Upper = Get-Random -Count 8 -InputObject $TokenSet.U + $Lower = Get-Random -Count 8 -InputObject $TokenSet.L + $Number = Get-Random -Count 8 -InputObject $TokenSet.N + $Special = Get-Random -Count 8 -InputObject $TokenSet.S $StringSet = $Upper + $Lower + $Number + $Special From fc89f4f370323aadab28ecf12477d26f6d9c250e Mon Sep 17 00:00:00 2001 From: Adrian von Buttlar Date: Thu, 6 Apr 2023 15:23:06 +0200 Subject: [PATCH 10/12] check for PowerShell Version before trying to generate a password using [System.Web] --- .../DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 index 358e3844f8..3094b6342a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1 @@ -483,13 +483,12 @@ function Set-TargetResource } else { - try + if ($PSVersionTable.PSVersion.Major -eq 5) { - # This only works in PowerShell 5. Add-Type -AssemblyName System.Web $passwordValue = [System.Web.Security.Membership]::GeneratePassword(30, 2) } - catch + else { $TokenSet = @{ U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ' From 10f3618046ef142fc40029831bcce15eeecaebd0 Mon Sep 17 00:00:00 2001 From: Adrian von Buttlar Date: Thu, 6 Apr 2023 15:25:19 +0200 Subject: [PATCH 11/12] add note on password property as well --- .../DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
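Review bot: In the second hunk on this line, replacing try/catch with `if ($PSVersionTable.PSVersion.Major -eq 5)` removes the fallback on Windows PowerShell: if `Add-Type -AssemblyName System.Web` or the `[System.Web.Security.Membership]::GeneratePassword(30, 2)` call fails there (for example in a session where loading that assembly is not permitted), Set-TargetResource now terminates instead of generating a password with the character-set generator below. Keeping the version check but wrapping the two System.Web lines in try/catch and entering the existing Get-Random block whenever no password was produced preserves both the commit's intent and the fallback. Membership.GeneratePassword is also a legacy ASP.NET membership API; a single generator built on `System.Security.Cryptography.RandomNumberGenerator`, available on both runtimes, would remove the version branch entirely. The enclosing else block and Set-TargetResource continue outside the hunk.
```powershell
if ($PSVersionTable.PSVersion.Major -eq 5)
{
    try
    {
        Add-Type -AssemblyName System.Web
        $passwordValue = [System.Web.Security.Membership]::GeneratePassword(30, 2)
    }
    catch
    {
        Write-Verbose -Message 'System.Web is not usable in this session, using the built-in generator'
        $passwordValue = $null
    }
}
if ([string]::IsNullOrEmpty($passwordValue))
{
    # … unchanged: $TokenSet / Get-Random character-set generator …
```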
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof
index 5b4c2ad1c7..851d9385bf 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof
@@ -8,7 +8,7 @@ class MSFT_AADUser : OMI_BaseResource
 [Write, Description("The list of Azure Active Directory roles assigned to the user.")] String Roles[];
 [Write, Description("The country code the user will be assigned to")] String UsageLocation;
 [Write, Description("The account SKU Id for the license to be assigned to the user")] String LicenseAssignment[];
- [Write, Description("The password for the account. The parameter is a PSCredential object, but only the Password component will be used"), EmbeddedInstance("MSFT_Credential")] String Password;
+ [Write, Description("The password for the account. The parameter is a PSCredential object, but only the Password component will be used. The password for the account. The parameter is a PSCredential object, but only the Password component will be used. If Password is not supplied for a new resource a new random password will be generated. Property will only be used when creating the user and not on subsequent updates."), EmbeddedInstance("MSFT_Credential")] String Password;
 [Write, Description("The City name of the user")] String City;
 [Write, Description("The Country name of the user")] String Country;
 [Write, Description("The Department name of the user")] String Department;
From 054fd03715183dee7c4138843eaffb06400d2c3d Mon Sep 17 00:00:00 2001
From: Adrian von Buttlar
Date: Wed, 12 Apr 2023 08:28:22 +0200
Subject: [PATCH 12/12] removed duplicate sentence
---
 .../DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof
index 851d9385bf..22f7dab03e 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.schema.mof
@@ -8,7 +8,7 @@ class MSFT_AADUser : OMI_BaseResource
 [Write, Description("The list of Azure Active Directory roles assigned to the user.")] String Roles[];
 [Write, Description("The country code the user will be assigned to")] String UsageLocation;
 [Write, Description("The account SKU Id for the license to be assigned to the user")] String LicenseAssignment[];
- [Write, Description("The password for the account. The parameter is a PSCredential object, but only the Password component will be used. The password for the account. The parameter is a PSCredential object, but only the Password component will be used. If Password is not supplied for a new resource a new random password will be generated. Property will only be used when creating the user and not on subsequent updates."), EmbeddedInstance("MSFT_Credential")] String Password;
+ [Write, Description("The password for the account. The parameter is a PSCredential object, but only the Password component will be used. If Password is not supplied for a new resource a new random password will be generated. Property will only be used when creating the user and not on subsequent updates."), EmbeddedInstance("MSFT_Credential")] String Password;
 [Write, Description("The City name of the user")] String City;
 [Write, Description("The Country name of the user")] String Country;
 [Write, Description("The Department name of the user")] String Department;