diff --git a/.github/workflows/CodeCoverage.yml b/.github/workflows/CodeCoverage.yml index 0a7594ab97..17bdc6aec7 100644 --- a/.github/workflows/CodeCoverage.yml +++ b/.github/workflows/CodeCoverage.yml @@ -14,30 +14,10 @@ jobs: steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - uses: actions/checkout@v2 - - name: Install Dependencies - shell: powershell - run: | - $VerbosePreference = 'Continue' - [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 - - $manifest = Import-PowerShellDataFile "./Modules/Microsoft365DSC/Microsoft365DSC.psd1" - $dependencies = $manifest.RequiredModules - foreach ($dependency in $dependencies) - { - Write-Verbose -Message "Installing Module {$($dependency.ModuleName)} Version {$($dependency.RequiredVersion)}" - Install-Module $dependency.ModuleName -RequiredVersion $dependency.RequiredVersion -Force -SkipPublisherCheck -AllowClobber -Scope AllUsers -Verbose - try - { - Import-Module $dependency.ModuleName -Force -Verbose - } - catch - { - Write-Verbose -Message $_ - } - } - name: Run Test Harness shell: powershell run: | + Import-Module PnP.PowerShell -Force Install-Module Pester -Force [System.Environment]::SetEnvironmentVariable('M365DSCTelemetryEnabled', $false, [System.EnvironmentVariableTarget]::Machine); Import-Module './Tests/TestHarness.psm1' -Force; diff --git a/.github/workflows/Unit Tests.yml b/.github/workflows/Unit Tests.yml index 6639b16115..3a1db08ae4 100644 --- a/.github/workflows/Unit Tests.yml +++ b/.github/workflows/Unit Tests.yml @@ -14,33 +14,16 @@ jobs: steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - uses: actions/checkout@v2 - - name: Install Dependencies - shell: powershell - run: | - $VerbosePreference = 'Continue' - [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 - - $manifest = Import-PowerShellDataFile "./Modules/Microsoft365DSC/Dependencies/Manifest.psd1" - $dependencies = $manifest.Dependencies - $i = 1 - foreach ($dependency in $dependencies) - { - Write-Progress -Activity "Scanning Dependencies" -PercentComplete ($i / $dependencies.Count * 100) - try - { - Install-Module $dependency.ModuleName -RequiredVersion $dependency.RequiredVersion -AllowClobber -Force - } - catch - { - Write-Host "Could not update {$($dependency.ModuleName)}" - } - $i++ - } - name: Run Test Harness shell: powershell run: | Get-Module -ListAvailable | Out-String + Install-Module PnP.PowerShell -Force Import-Module PnP.PowerShell -Force + + Install-Module Microsoft.PowerApps.Administration.PowerShell -Force + Import-Module Microsoft.PowerApps.Administration.PowerShell -Force + Install-Module Pester -Force -SkipPublisherCheck -RequiredVersion 5.0.4 [System.Environment]::SetEnvironmentVariable('M365DSCTelemetryEnabled', $false, [System.EnvironmentVariableTarget]::Machine); Import-Module './Tests/TestHarness.psm1' -Force; diff --git a/CHANGELOG.md b/CHANGELOG.md index 78c286b2a4..d67ba5b16a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,17 @@ # Change log for Microsoft365DSC +# 1.22.119.1 + +* EXOOrganizationConfig + * Added support for the new SendFromAliasEnabled parameter; +* EXORoleAssignmentPolicy + * Fixed logic to update roles assigned to an existing policy; + FIXES #1538 +MISC + * Updated logic for Report generation so that it no longer requires the + same module version as defined in the configuration installed on the + system where the report is being generated from. + # 1.22.112.1 * TeamsMeetingPolicy diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOrganizationConfig/MSFT_EXOOrganizationConfig.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOrganizationConfig/MSFT_EXOOrganizationConfig.psm1 index 02970e3bb2..58ba62dc0b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOrganizationConfig/MSFT_EXOOrganizationConfig.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOrganizationConfig/MSFT_EXOOrganizationConfig.psm1 @@ -248,6 +248,10 @@ function Get-TargetResource [System.String[]] $RemotePublicFolderMailboxes, + [Parameter()] + [System.Boolean] + $SendFromAliasEnabled, + [Parameter()] [System.String] $SiteMailboxCreationURL, @@ -388,12 +392,13 @@ function Get-TargetResource PublicFolderShowClientControl = $ConfigSettings.PublicFolderShowClientControl ReadTrackingEnabled = $ConfigSettings.ReadTrackingEnabled RemotePublicFolderMailboxes = $ConfigSettings.RemotePublicFolderMailboxes + SendFromAliasEnabled = $ConfigSettings.SendFromAliasEnabled SiteMailboxCreationURL = $ConfigSettings.SiteMailboxCreationURL SmtpActionableMessagesEnabled = $ConfigSettings.SmtpActionableMessagesEnabled VisibleMeetingUpdateProperties = $ConfigSettings.VisibleMeetingUpdateProperties WebPushNotificationsDisabled = $ConfigSettings.WebPushNotificationsDisabled WebSuggestedRepliesDisabled = $ConfigSettings.WebSuggestedRepliesDisabled - Credential = $Credential + Credential = $Credential ApplicationId = $ApplicationId CertificateThumbprint = $CertificateThumbprint CertificatePath = $CertificatePath @@ -698,6 +703,10 @@ function Set-TargetResource [System.String[]] $RemotePublicFolderMailboxes, + [Parameter()] + [System.Boolean] + $SendFromAliasEnabled, + [Parameter()] [System.String] $SiteMailboxCreationURL, @@ -1035,6 +1044,10 @@ function Test-TargetResource [System.String[]] $RemotePublicFolderMailboxes, + [Parameter()] + [System.Boolean] + $SendFromAliasEnabled, + [Parameter()] [System.String] $SiteMailboxCreationURL, @@ -1167,7 +1180,7 @@ function Export-TargetResource { $Params = @{ IsSingleInstance = 'Yes' - Credential = $Credential + Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOrganizationConfig/MSFT_EXOOrganizationConfig.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOrganizationConfig/MSFT_EXOOrganizationConfig.schema.mof index 3a54c27a43..8f838343ac 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOrganizationConfig/MSFT_EXOOrganizationConfig.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOrganizationConfig/MSFT_EXOOrganizationConfig.schema.mof @@ -60,6 +60,7 @@ class MSFT_EXOOrganizationConfig : OMI_BaseResource [Write, Description("The PublicFolderShowClientControl parameter enables or disables access to public folders in Microsoft Outlook.")] Boolean PublicFolderShowClientControl; [Write, Description("The ReadTrackingEnabled parameter specifies whether the tracking for read status for messages in an organization is enabled. The default value is $false.")] Boolean ReadTrackingEnabled; [Write, Description("The RemotePublicFolderMailboxes parameter specifies the identities of the public folder objects (represented as mail user objects locally) corresponding to the public folder mailboxes created in the remote forest. The public folder values set here are used only if the public folder deployment is a remote deployment.")] String RemotePublicFolderMailboxes[]; + [Write, Description("The SendFromAliasEnabled parameter allows mailbox users to send messages using aliases (proxy addresses). It does this by disabling the rewriting of aliases to their primary SMTP address. This change is implemented in the Exchange Online service")] Boolean SendFromEmailAliasEnabled; [Write, Description("The SiteMailboxCreationURL parameter specifies the URL that's used to create site mailboxes. Site mailboxes improve collaboration and user productivity by allowing access to both SharePoint documents and Exchange email in Outlook 2013 or later.")] String SiteMailboxCreationURL; [Write, Description("The SmtpActionableMessagesEnabled parameter specifies whether to enable or disable action buttons in email messages in Outlook on the web.")] Boolean SmtpActionableMessagesEnabled; [Write, Description("The VisibleMeetingUpdateProperties parameter specifies whether meeting message updates will be auto-processed on behalf of attendees. Auto-processed updates are applied to the attendee's calendar item, and then the meeting message is moved to the deleted items. The attendee never sees the update in their inbox, but their calendar is updated.")] String VisibleMeetingUpdateProperties; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXORoleAssignmentPolicy/MSFT_EXORoleAssignmentPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXORoleAssignmentPolicy/MSFT_EXORoleAssignmentPolicy.psm1 index 49a80dce20..6ee291d4ed 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXORoleAssignmentPolicy/MSFT_EXORoleAssignmentPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXORoleAssignmentPolicy/MSFT_EXORoleAssignmentPolicy.psm1 @@ -251,9 +251,20 @@ function Set-TargetResource elseif ($Ensure -eq "Present" -and $currentRoleAssignmentPolicyConfig.Ensure -eq "Present" -and $null -ne (Compare-Object -ReferenceObject $($currentRoleAssignmentPolicyConfig.Roles) -DifferenceObject $Roles)) { Write-Verbose -Message "Role Assignment Policy '$($Name)' already exists, but roles attribute needs updating." - Write-Verbose -Message "Remove Role AssignmentPolicy before recreating because Roles attribute cannot be change with Set cmdlet" - Remove-RoleAssignmentPolicy -Identity $Name -Confirm:$false - New-RoleAssignmentPolicy @NewRoleAssignmentPolicyParams + $differences = Compare-Object -ReferenceObject $($currentRoleAssignmentPolicyConfig.Roles) -DifferenceObject $Roles + foreach ($difference in $differences) + { + if ($difference.SideIndicator -eq '=>') + { + Write-Verbose -Message "Adding Role {$($difference.InputObject)} to Role Assignment Policy {$Name}" + New-ManagementRoleAssignment -Role $($difference.InputObject) -Policy $Name + } + elseif ($difference.SideIndicator -eq '<=') + { + Write-Verbose -Message "Removing Role {$($difference.InputObject)} from Role Assignment Policy {$Name}" + Remove-ManagementRoleAssignment -Identity "$($difference.InputObject)-$Name" + } + } } } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsChannel/MSFT_TeamsChannel.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsChannel/MSFT_TeamsChannel.psm1 index 518a03025d..7bf7e0f5d8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsChannel/MSFT_TeamsChannel.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsChannel/MSFT_TeamsChannel.psm1 @@ -197,7 +197,7 @@ function Set-TargetResource $CurrentParameters = $PSBoundParameters - $team = Get-TeamByName $TeamName + $team = Get-TeamByName ([System.Net.WebUtility]::UrlEncode($TeamName)) if ($team.Length -gt 1) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUser/MSFT_TeamsUser.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUser/MSFT_TeamsUser.psm1 index f14a4b65ee..bf403edc5c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUser/MSFT_TeamsUser.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUser/MSFT_TeamsUser.psm1 @@ -61,7 +61,7 @@ function Get-TargetResource try { Write-Verbose -Message "Checking for existance of Team User $User" - $team = Get-TeamByName $TeamName -ErrorAction SilentlyContinue + $team = Get-TeamByName ([System.Net.WebUtility]::UrlEncode($TeamName)) -ErrorAction SilentlyContinue if ($null -eq $team) { return $nullReturn @@ -182,7 +182,7 @@ function Set-TargetResource $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftTeams' -InboundParameters $PSBoundParameters - $team = Get-TeamByName $TeamName + $team = Get-TeamByName ([System.Net.WebUtility]::UrlEncode($TeamName)) Write-Verbose -Message "Retrieve team GroupId: $($team.GroupId)" diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 index 07b3690058..f7fb2eb487 100644 --- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 +++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 @@ -3,7 +3,7 @@ # # Generated by: Microsoft Corporation # -# Generated on: 2022-01-12 +# Generated on: 2022-01-19 @{ @@ -11,7 +11,7 @@ # RootModule = '' # Version number of this module. - ModuleVersion = '1.22.112.1' + ModuleVersion = '1.22.119.1' # Supported PSEditions # CompatiblePSEditions = @() @@ -131,11 +131,15 @@ IconUri = 'https://github.com/microsoft/Microsoft365DSC/blob/Dev/Modules/Microsoft365DSC/Dependencies/Images/Logo.png?raw=true' # ReleaseNotes of this module - ReleaseNotes = "* TeamsMeetingPolicy - * Added support for property WhoCanRegister; - FIXES #1483 - * DEPENDENCIES - * Updated MSCloudLoginAssistant to 1.0.83;" + ReleaseNotes = "* EXOOrganizationConfig + * Added support for the new SendFromAliasEnabled parameter; + * EXORoleAssignmentPolicy + * Fixed logic to update roles assigned to an existing policy; + FIXES #1538 + MISC + * Updated logic for Report generation so that it no longer requires the + same module version as defined in the configuration installed on the + system where the report is being generated from." # Flag to indicate whether the module requires explicit user acceptance for install/update # RequireLicenseAcceptance = $false diff --git a/Modules/Microsoft365DSC/Modules/M365DSCPermissions.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCPermissions.psm1 index 3c86a48316..34c476980b 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCPermissions.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCPermissions.psm1 @@ -110,7 +110,7 @@ function Update-M365DSCAllowedGraphScopes [System.String] $Type, - [Parameter(Mandatory = $true)] + [Parameter()] [ValidateSet('Global', 'China', 'USGov', 'USGovDoD', 'Germany')] [System.String] $Environment = 'Global' diff --git a/Modules/Microsoft365DSC/Modules/M365DSCReport.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCReport.psm1 index 192b8ce06a..e0b59c87dc 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCReport.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCReport.psm1 @@ -30,7 +30,11 @@ function New-M365DSCConfigurationToHTML if ([System.String]::IsNullOrEmpty($ParsedContent)) { $TemplateFile = Get-Item $ConfigurationPath - $ParsedContent = ConvertTo-DSCObject -Path $ConfigurationPath + $fileContent = Get-Content $ConfigurationPath -Raw + $startPosition = $fileContent.IndexOf(" -ModuleVersion") + $endPosition = $fileContent.IndexOf("`r", $startPosition) + $fileContent = $fileContent.Remove($startPosition, $endPosition - $startPosition) + $ParsedContent = ConvertTo-DSCObject -Content $fileContent $TemplateName = $TemplateFile.Name.Split('.')[0] } else @@ -211,7 +215,11 @@ function New-M365DSCConfigurationToExcel $report.Range("A1:C1").Borders.Weight = -4138 $row = 2 - $parsedContent = ConvertTo-DSCObject -Path $ConfigurationPath + $fileContent = Get-Content $ConfigurationPath -Raw + $startPosition = $fileContent.IndexOf(" -ModuleVersion") + $endPosition = $fileContent.IndexOf("`r", $startPosition) + $fileContent = $fileContent.Remove($startPosition, $endPosition - $startPosition) + $ParsedContent = ConvertTo-DSCObject -Content $fileContent foreach ($resource in $parsedContent) { $beginRow = $row @@ -391,11 +399,19 @@ function Compare-M365DSCConfigurations if (-not $SourceObject) { - [Array] $SourceObject = ConvertTo-DSCObject -Path $Source + $fileContent = Get-Content $Source -Raw + $startPosition = $fileContent.IndexOf(" -ModuleVersion") + $endPosition = $fileContent.IndexOf("`r", $startPosition) + $fileContent = $fileContent.Remove($startPosition, $endPosition - $startPosition) + [Array] $SourceObject = ConvertTo-DSCObject -Content $fileContent } if (-not $DestinationObject) { - [Array] $DestinationObject = ConvertTo-DSCObject -Path $Destination + $fileContent = Get-Content $Destination -Raw + $startPosition = $fileContent.IndexOf(" -ModuleVersion") + $endPosition = $fileContent.IndexOf("`r", $startPosition) + $fileContent = $fileContent.Remove($startPosition, $endPosition - $startPosition) + [Array] $DestinationObject = ConvertTo-DSCObject -Content $FileContent } # Loop through all items in the source array diff --git a/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 index c7598ea7f9..13c936d058 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 @@ -636,10 +636,6 @@ function Start-M365DSCConfigurationExtract -Cert "cert:\LocalMachine\my\$($LCMConfig.CertificateID)" ` -Type CERT ` -NoClobber | Out-Null - Add-ConfigurationDataEntry -Node "localhost" ` - -Key "CertificateFile" ` - -Value "M365DSC.cer" ` - -Description "Path of the certificate used to encrypt credentials in the file." } catch { @@ -648,6 +644,10 @@ function Start-M365DSCConfigurationExtract -EventID 1 -Source $($MyInvocation.MyCommand.Source) } } + Add-ConfigurationDataEntry -Node "localhost" ` + -Key "CertificateFile" ` + -Value "M365DSC.cer" ` + -Description "Path of the certificate used to encrypt credentials in the file." $outputConfigurationData = $OutputDSCPath + "ConfigurationData.psd1" New-ConfigurationDataDocument -Path $outputConfigurationData } diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 4ff410ed1e..5bd79fb54e 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -941,6 +941,16 @@ function Export-M365DSCConfiguration #region Telemetry $data = [System.Collections.Generic.Dictionary[[String], [String]]]::new() $data.Add("Event", "Extraction") + + if (-not [System.String]::IsNullOrEmpty($TenantId)) + { + $data.Add("Tenant", $TenantId) + } + else + { + $tenant = $Credential.UserName.Split('@')[1] + $data.Add("Tenant", $tenant) + } $data.Add("Path", [System.String]::IsNullOrEmpty($Path)) $data.Add("FileName", $null -ne [System.String]::IsNullOrEmpty($FileName)) $data.Add("Components", $null -ne $Components) @@ -966,7 +976,7 @@ function Export-M365DSCConfiguration } # Clear the Connection Cache from MSCloudLoginAssistant - $Global:MsCloudLoginConnectionProfile = $null + #$Global:MsCloudLoginConnectionProfile = $null # Make sure we are not connected to Microsoft Graph on another tenant try @@ -2138,7 +2148,11 @@ function Assert-M365DSCBlueprint if ((Test-Path -Path $LocalBluePrintPath)) { # Parse the content of the BluePrint into an array of PowerShell Objects - $parsedBluePrint = ConvertTo-DSCObject -Path $LocalBluePrintPath + $fileContent = Get-Content $LocalBluePrintPath -Raw + $startPosition = $fileContent.IndexOf(" -ModuleVersion") + $endPosition = $fileContent.IndexOf("`r", $startPosition) + $fileContent = $fileContent.Remove($startPosition, $endPosition - $startPosition) + $parsedBluePrint = ConvertTo-DSCObject -Content $fileContent # Generate an Array of Resource Types contained in the BluePrint $ResourcesInBluePrint = @() diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOOrganizationConfig.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOOrganizationConfig.Tests.ps1 index f6280bff77..7814b1c12f 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOOrganizationConfig.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOOrganizationConfig.Tests.ps1 @@ -72,6 +72,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DefaultPublicFolderDeletedItemRetention = "30.00:00:00"; ByteEncoderTypeFor7BitCharsets = 0; ActivityBasedAuthenticationTimeoutInterval = "06:00:00"; + SendFromAliasEnabled = $false DefaultGroupAccessType = "Private"; } @@ -89,6 +90,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DefaultPublicFolderMovedItemRetention = "07.00:00:00"; DefaultPublicFolderDeletedItemRetention = "30.00:00:00"; ByteEncoderTypeFor7BitCharsets = 0; + SendFromAliasEnabled = $false ActivityBasedAuthenticationTimeoutInterval = "06:00:00"; DefaultGroupAccessType = "Private"; } @@ -128,6 +130,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DefaultPublicFolderDeletedItemRetention = "30.00:00:00"; ByteEncoderTypeFor7BitCharsets = 0; ActivityBasedAuthenticationTimeoutInterval = "06:00:00"; + SendFromAliasEnabled = $false DefaultGroupAccessType = "Public"; } @@ -147,6 +150,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ByteEncoderTypeFor7BitCharsets = 0; ActivityBasedAuthenticationTimeoutInterval = "06:00:00"; DefaultGroupAccessType = "Private"; + SendFromAliasEnabled = $false } } } @@ -187,6 +191,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DefaultGroupAccessType = "Public"; EWSAllowList = @("111"); EWSBlockList = @("222"); + SendFromAliasEnabled = $false } } @@ -217,6 +222,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ByteEncoderTypeFor7BitCharsets = 0; ActivityBasedAuthenticationTimeoutInterval = "06:00:00"; DefaultGroupAccessType = "Private"; + SendFromAliasEnabled = $false } } } diff --git a/docs/docs/about/changelog.md b/docs/docs/about/changelog.md deleted file mode 100644 index e2e3747007..0000000000 --- a/docs/docs/about/changelog.md +++ /dev/null @@ -1,1273 +0,0 @@ -# Change log for Microsoft365DSC - -## 1.21.1006.3 - -### BREAKING CHANGES - -- AADApplication - - Removed support for the Oauth2AllowImplicitFlow, SamlMetadataUrl and - Oauth2AllowUrlPathMatching properties; -- AADMSGroup - - Renamed resource to AADGroup; -- AADMSGroupLifecyclePolicy - - Renamed resource to AADGroupLifecyclePolicy; -- AADPolicy - - Replaced resource by the new AADTokenLifetimePolicy one; - -### DEPENDENCIES - -- Added dependency on Microsoft.Graph.Applications; -- Added dependency on Microsoft.Graph.Groups; -- Added dependency on Microsoft.Graph.Identity.DirectoryManagement; -- Added dependency on Microsoft.Graph.Identity.SignIns; -- Removing dependency on AzureADPreview; -- Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.137; -- Updated MicrosoftTeams to version 2.6.0; -- Updated MSCloudLoginAssistant to version 1.0.72; - -### MISC - -- Renamed the GlobalAdminAccount parameter to Credential across all resources; -- Revamped entire Azure AD Workload to leverage Microsoft Graph; -- New -LaunchWebUI switch for Export-M365DSCConfiguration will launch the - new web-based UI. The old GUI has been removed. -- Removal of the -Quiet switch for the Export-M365DSCConfiguration cmdlet; -- Renaming the ComponentsToExtract property from the Export-M365DSCConfiguration - cmdlet to Components; - -## 1.21.922.1 - -- AADApplication - - - Fix issue where export will only export 100 apps - -- EXOSafeLinksPolicy - - Added support for CustomNotificationText, EnableOrganizationBranding, and - UseTranslatedNotificationText properties; -- SPOSite - - Fixed issue when deleting site and confirm parameter -- DEPENDENCIES - - Updated MSCloudLoginAssistant to version 1.0.68; - -## 1.21.915.1 - -- EXOAntiPhishPolicy - - Added support for EnableFirstContactSafetyTips & EnableViaTag; -- EXOAtpPolicyForO365 - - Added support for AllowSafeDocsOpen; -- EXOHostedContentFilterPolicy - - Added support for HighConfidencePhishAction; -- EXOHostedOutboundSpamFilterPolicy - Added support for RecipientLimitInternalPerHour, RecipientLimitPerDay, - RecipientLimitExternalPerHour, ActionWhenThresholdReached & AutoForwardingMode; -- EXOHostedOutboundSpamFilterRule - Initial release; -- IntuneAppConfigurationPolicy - - Added support for the CustomSettings property; -- IntuneDeviceCompliancePolicyWindows10 - - Removed the App Secret and Application ID from the output; - - Added DefenderEnabled to the Resource; -- IntuneDeviceConfigurationWindows10 - - Initial release; -- DEPENDENCIES; - - Updated Microsoft.Graph.Authentication to version 1.7.0; - - Added dependency on Microsoft.Graph.DeviceManagement; - - Added dependency on Microsoft.Graph.DeviceManagement.Administration; - - Added dependency on Microsoft.Graph.DeviceManagement.Enrolment; - - Added dependency on Microsoft.Graph.Devices.CorporateManagement; - - Updated Microsoft.Graph.Planner to version 1.7.0; - - Updated Microsoft.Graph.Teams to version 1.7.0; - - Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.136; - - Updated MSCloudLoginAssistant to version 1.0.67; - -## 1.21.908.1 - -- PPTenantSettings - - Initial Release; -- DEPENDENCIES; - - Updated MSCloudLoginAssistant to version 1.0.64; -- MISC - - Fixing duplicate teams names in reports; - -## 1.21.901.1 - -- DEPENDENCIES; - - Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.133; - - Updated MicrosoftTeams to version 2.5.1; -- MISC - - Additional display alignment fixes for Export; - -## 1.21.825.1 - -- SPOTenantSettings - - Added the DisabledWebpartIds & ConditionalAccessPolicy properties; -- DEPENDENCIES; - - Updated AzureADPreview to version 2.0.2.138; - - Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.131; - - Updated Microsoft.Teams to version 2.5.0; -- MISC - - Additional display alignment fixes for Export; - -## 1.21.804.1 - -- SCDLPComplianceRule - - Fixed issue where SCDLPCompliance rule failed when using senstitivy labels; -- DEPENDENCIES; - - Updated MSCloudLoginAssistant to version 1.0.62; -- MISC - - Added support for ApplicationSecret in SPO resources; - - Revamped the entire display from an Export; - -## 1.21.728.1 - -- DEPENDENCIES; - - Updated MSCloudLoginAssistant to version 1.0.59; - - Updated PnP.PowerShell to version 1.7.0; -- MISC - - Added support for Service Principal Authentication for all Intune resources; - - Deprecated GUI and added reference to new Web based GUI; - -## 1.21.721.1 - -- AADMSGroup - - Fixed an issue where the Visibility parameter was never properly returned - which always threw a detected drift when used. -- EXOJournalRule - - Initial Release. -- SPOSite - - Fixed the StorageQuotaWarningLevel value returned by the Get-TargetResource - function. - -## 1.21.714.1 - -- EXOHostedContentFilterPolicy - - Fixed issues with null values falsely detected as drifts; - ISSUE #1165 -- DEPENDENCIES - - Removed dependency on Microsoft.Graph.Groups.Planner; - - Updated Microsoft.Graph.Teams to version 1.6.1; - - Updated MSCloudLoginAssistant to version 1.0.54; -- MISC - - Allowed for Desired and Current values to be captured by the Telemetry engine - if an organization is using a custom App Insights account; - ISSUE #1222 - -## 1.21.707.1 - -- EXODkimSigningConfig - - Change the logic to remove an entry to disable it instead since the - cmdlet didn't exist to remove it. - ISSUE #1253 -- EXOHostedContentFilterPolicy - - Fixed the value type for the senders addresses, regions and domains; - ISSUE #1165 -- EXOOutboundConnector - - Fixed the creation logic to include ValidationRecipients; - ISSUE #1165 -- EXOSharedMailbox - - Improved speed of extraction and removed warning about maximum 1,000 - items retrieved; -- DEPENDENCIES - - Updated Microsoft.PowerApps.Administration.PowerShell to 2.0.127; -- MISC - - Delta Report - Fixes to compare null arrays properly and report as - a discrepancy. - ISSUES #1178 & #1249 - -## 1.21.630.1 - -- O365User - - Fix where export was throwing an error about an empty DSCBlock - ISSUE #1275; -- SPOTenantSettings - - Added support for specifying MarkNewFilesSensitiveByDefault - -## 1.21.616.1 - -- SPOSiteAuditSettings - - Fixed issue with Export where property Ensure was added - when an access forbidden error was encountered; -- DEPENDENCIES - - Updated Microsoft.Graph.Authentication to version 1.6.0; - - Updated Microsoft.Graph.Planner to version 1.6.0; - - Updated Microsoft.Graph.Teams to version 1.6.0; - -## 1.21.609.2 - -- Fixed dependency on Microsoft.Graph.Authentication for - version 1.5.0. - -## 1.21.609.1 - -- TeamsUpgradePolicy - - Fixes to how we are retrieving users assigned to the - Global Upgrade Policy. -- DEPENDENCIES - - Updated ExchangeOnlineManagement to version 2.0.5; - - Updated Microsoft.Graph.Planner to version 1.5.0; - - Updated Microsoft.Graph.Teams to version 1.5.0; - - Updated Microsoft.PowerApps.Administration.PowerShell - to version 2.0.126; - - Updated PnP.PowerShell to version 1.6.0; - -## 1.21.602.1 - -- AADMSGroups - - Fix for the export where the MailNickName was being prompted; -- EXOManagementRole - - BREAKING: Now requires the Parent property as Mandatory; -- TeamsChannel - - Fixed an issue where content was dedup and boolean - values were appended to the exported content; -- TeamsUpgradePolicy - - Improved performance retrieving users assigned to policy; -- MISC - - Fix for Teams authentication. Improvements on session - reuse. - -## 1.21.526.2 - -- EXOSafeAttachmentRule -- Fixed issue #1213 Policy X already has rule Y associated with it - if rule exists already -- MSFT_IntuneDeviceCompliancePolicyAndroid - - New resource -- MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile - - New resource -- MSFT_IntuneDeviceCompliancePolicyMacOS - - New resource -- MSFT_IntuneDeviceCompliancePolicyiOs - - New resource -- EXOTransportRule - - Fix #1230 Changed ExceptIfSenderInRecipientList to array - -## 1.21.519.2 - -- AzureADRoleDefinition - - Fix an issue where deprecated roles were not increasing - the index which resulted in an incorrect count being - displayed during the extraction. -- EXORoleAssignmentPolicy - - Added missing ErrorAction value in the Export; -- TeamsTenantDialPlan - - Fixed issue around normalization rules export; -- SPOTenantSettings - - Fix issue with typo and dup property issue #1219 -- MISC - - Forces a Global load of the new MicrosoftTeams module for - Teams resources; - -## 1.21.519.1 - -- TeamsClientConfiguration - - Fixed an issue where the RestrictedSenderList was not properly - being converted to a comma separated string. - Issue #1191 -- DEPENDENCIES - - Updated AzureADPreview to version 2.0.2.136; - -## 1.21.512.1 - -- EXOOfflineAddresBook - - Fixed issue in Set-TargetResource where ConfiguredAttributes - was passed and resulted in an error. -- SCDLPComplianceRule - - Added several new parameters - - Fixed several bugs on extract - -## 1.21.505.1 - -- EXOTransportRule - - Adding ExceptIfSCLOver and SCLOver. - - Fixes SubjectOrBodyContainsWords parameter not being an array. - - Fixes DateTime formating on ExpiryDate and ActivationDate - -## 1.21.428.2 - -- EXOTransportRule - - Fixed typo in accepted value for ApplyHtmlDisclaimerLocation; -- IntuneAppConfigurationPolicy - - Revamp of Telemetry; - - Using shorter cmdlets names; -- IntuneDeviceCompliancePolicyAndroid - - Initial Release; -- IntuneDeviceCompliancePolicyAndroidWorkProfile - - InitialRelease -- IntuneDeviceCompliancePolicyiOs - - Using shorter cmdlet names; -- IntuneDeviceConfigurationPolicyiOS - - Using shorter cmdlet names; -- IntuneDeviceEnrollmentPlatformRestriction - - Revamp of Telemetry; - - Using Shorter cmdlet names; - -## 1.21.421.2 - -- MISC - - Updated the SkipModuleReload logic for a dozen of EXO modules - which were failing authentication; - -## 1.21.421.1 - -- AADConditionalAccessPolicy - - Fix to allow 'undefined' as a value for multiple parameters; -- EXOTransportRule - - Fixed schema to support Service Principal Auth; -- TeamsChannelTab - - Fixed typo in parameter 'TeamId'; -- MISC - - Refactor of all EXO resources to fixes for Set-TargetResource - functions where Service Principal was used to authenticate; - - Refactored connections across all resources to help with - Telemetry regarding what auth method users are leveraging. - -## 1.21.414.2 - -- AADConditionalAccessPolicy - - Fixed an issue with the default values for device states; -- EXOHostedContentFilterPolicy - - Fixed issue where EndUserSpamNotificationCustomFromName was - not properly returned from the Get-TargetResource function; -- EXOTransportRule - - New resource; -- O365AdminAuditLogConfig - - Fixed issue where the Set-TargetResource stopped being - executed if an error was encountered; -- TeamsTeam - - Fix format issue with owner issue # 1143 -- DEPENDENCIES - - Updated AzureADPreview to version 2.0.2.134; - - Updated Microsoft.Graph.Authentication to version 1.4.2; - - Updated Microsoft.Graph.Planner to version 1.4.2; - - Updated Microsoft.Graph.Teams to version 1.4.2; - - Updated Microsoft.PowerApps.Administration.PowerShell to version - 2.0.112; - - Updated MSCloudLoginAssistant to version 1.0.51; - - Updated PnP.PowerShell to version 1.5.0; - -## 1.21.407.1 - -- AADConditionalAccessPolicy - - BREAKING: Renamed the 'includeDeviceStates' and 'excludeDeviceStates' - parameters to 'includeDevices' and 'excludeDevices'; -- TeamsMeetingPolicy - - The Set-CsTeamsMeetingPolicy would fail if recording settings are - changed while the AllowCloudRecording is set to false; -- MISC - - Fixed issue in most EXO resources where AzureAD App information - was not returned by the Get-TargetResource function; - -## 1.21.331.1 - -- AADApplication - - Added support for API Permissions; -- EXOSharedMailbox - - Improved how we are retrieving all shared mailboxes in the - Export-TargetResource function. -- ODSettings - - Fixed and issue with ExcludedFileExtensions; -- SCDLPComplianceRule - - Fixed issue where only the first SIT Action was exported; -- SPOSiteDesign - - Added support for GrouplessTeamSite web template. -- SPOSiteScript - - Fixed issue where an existin site script could not be updated. - - Made parameter GlobalAdminAccount in Get-TargetResource - optional. -- SPOTheme - - Fixed issue where removal of a theme would throw an error. - - Corrected variable name to properly show the theme name in verbose message - when removing a theme. -- MISC - - Fixed issue with ODSettings and ExcludedFileExtensions - -## 1.21.317.1 - -- DEPENDENCIES - - Updated Exchange Management to version 2.0.4 (REDO); - - Updated MSCloudLoginAssistant to version 1.0.50; -- MISC - - Fixed issue when using CertificatePath and CertificatePassword - for SPO resource; - -## 1.21.224.1 - -- DEPENDENCIES - - Rolled-back ExchangeOnlineManagement to 2.0.3; - -## 1.21.217.1 - -- SPOSite - - Fixed an issue related to new cmdlets in PnP.PowerShell; -- DEPENDENCIES - - Updated ExchangeOnlineManagement to 2.0.4; - - Updated PNP.PowerShell to 1.3.0; - -## 1.21.203.1 - -- SPOSiteDesignRights - - Fixed an issue that was preventing this resource from - being exported; -- SPOBrowserIdleSignout - - Initial Release; -- TeamsTenantDialPlan - - Fixed an issue with the way Voice Normalization Rules were handled; -- MISC - - Fix to the Delta Report Generator to properly handle TeamsPSTNUsage; - - Fixed various Export Verbose format issues; -- DEPENDENCIES - - Updated Microsoft.Graph.Authentication to version 1.3.1; - - Updated Microsoft.Graph.Planner to version 1.3.1; - - Updated Microsoft.Graph.Teams to version 1.3.1; - - Updated MSCloudLoginAssistant to version 1.0.48; - -## 1.21.127.1 - -- AADNamedLocation - - Initial Release; -- DEPENDENCIES - - Updated PnP.PowerShell to version 1.2.0; - - Updated Microsoft.PowerApps.Administration.PowerShell to - 1.0.208; - -## 1.21.120.1 - -- DEPENDENCIES - - Updated MSCloudLoginAssistant to version 1.0.45; - - Replaced the SharePointPnPPowerShellOnline dependency by the new - PnP.PowerShell core module; - -## 1.21.113.1 - -- AADTenantDetails - - Fixes an issue where the Set would fail if Service Principal - was used. - (Issue [#1002](https://github.com/microsoft/Microsoft365DSC/issues/1002)) -- AADRoleDefinition - - Filters out role definitions without any assigned permissions. - Fixes Issue #1007; -- DEPENDENCIES - - Updated Microsoft.PowerApps.Administration.PowerShell - to 2.0.104; - -## 1.20.1223.1 - -- SPOHubSite - - Changed Export logic to make the url parameterized - - Updated Get method to prevent throwing an exception - when the specified site doesn't exist -- SPOSite - - Updated logic to not process the HubUrl parameter - when this is equal to the Url parameter. - - Updated export logic to not export the HubUrl - parameter when this is equal to the Url parameter. - - Fixed issue with incorrectly applying the LocaleId -- SPOSiteAuditSettings - - Changed Export logic to make the url parameterized -- SPOSiteGroup - - Changed Export logic to make the url parameterized - - Updated logic to output more explainable troubleshooting - messages -- M365DscReverse - - Added the GlobalAccount Parameter to the example - that is outputted after using the Export GUI - -## 1.20.1216.1 - -- AADConditionalAccessPolicy - - Initial Release; -- EXOSafeLinksRule - - Fixed typo in a try/catch clause; -- O365User - - Added support for removing existing users with - Ensure = 'Absent'; -- TeamsChannelTab - - Initial Release; - -## 1.20.1209.1 - -- IntuneAppProtectionPolicyiOS - - Initial Release; -- IntuneDeviceCompliancePolicyiOS - - Initial Release; -- IntuneDeviceConfigurationPolicyiOS - - Initial Release; -- IntuneDeviceEnrollmentPlatformRestriction - - Initial Release; -- IntuneDeviceEnrollmentLimitRestriction - - Initial Release; -- TeamsTenantDialPlan - - Performance Improvements: retrieve all Voice Normalization - Rule at once and then iterated through them instead of - retrieving them for every instance. -- DEPENDENCIES - - Upgraded ExchangeOnlineManagement to version 2.0.3; - - Upgraded Microsoft.Graph.Authentication to version 1.2.0; - - Upgraded Microsoft.Graph.Planner to version 1.2.0; - - Upgraded SharePointPnPPowerShellOnline to version - 3.28.2012.0; - -## 1.20.1202.1 - -- EXOOwaMailboxPolicy - - Fixed an issue trying to remove a policy; -- TeamsMessagingPolicy - - Added AllowUserEditMessage property. -- TeamsMeetingPolicy - - Added 'OrganizerOnly' as a support value for property - AutoAdmittedUsers. - - Temporarly removed the use of AllowAnonymousUsersToDialOut - since it is currently disabled on the API side. -- EXPORT - - Fixed an issue where an Export using the -Workloads - parameter with a Service Principal did not export - any resource; -- DEPENDENCIES - - Upgrade AzureADPreview to version 2.0.2.129; - -## 1.20.1125.1 - -- AADRoleDefinition - - Initial Release; -- O365User - - Fixes an issue where only the first O365User instance - extracted had the PSCredential Password property set - correctly; -- TeamsMeetingPolicy - - Added the AllowBreakoutRooms, TeamsCameraFarEndPTZMode - & AllowMeetingReactions parameters; -- DEPENDENCIES - - MSCloudLoginAssistant Updated to 1.0.42; - - Microsoft.PowerApps.Administration.PowerShell Updated - to 2.0.99; -- MISC - - Moved the check for new version of module into the - Export-M365DSCConfiguration function for performance - improvements; - -## 1.20.1118.1 - -- EXOMalwareFilterPolicy - - Fix an issue when the CustomFromAddress is empty; - (Issue #901) -- EXORemoteDomain - - Fixed an issue where only non-null parameters are - used in the Set-TargetResource resource; - (Issue #898) -- SCRetentionEventType - - Initial Release; -- SPOSiteScript - - BREAKING CHANGE: Title is now the primary key for the - resource and Service Principal is now supported for - authentication. -- MODULES - - M365DSCStringEncoding - New resource to handle encoding issues in exported content; - (Issue #904) - - M365DSCLogEngine - Added Export-M365DiagnosticData function to export diagnostic - information to a Zip file. - -## 1.20.1111.1 - -- AADPolicy - Initial Release; -- Fixes an issue with SCRetentionCompliancePolicy where - the wrong parameter sets was being passed for creation. - (Issue #890) - -## 1.20.1104.1 - -- AADMSGroup - - Added parameter IsAssignableToRole Issue #879 - - Fixed issue on Set Issue #863 -- EXOHostedContentFilterPolicy - - Deprecated ZapEnabled property and added PhishZapEnabled - and SpamZapEnabled instead. -- MISC - - Added checks for mandatory Authentication parameters before - attempting an Export. - - Deprecated the Assert-M365DSCTemplate cmdlet; - - Added Telemetry for version of PowerShell used; - - Added a timeout on new version check from the - PowerShell Gallery; - - Fixed Unit Test stubs; - -## 1.20.1028.1 - -- EXOOutboundConnector - - Fixed issue #821; -- O365OrgCustomizationSetting - - Fixes an issue where the resource was not being exported; -- O365User - - Added additional information in the error log for when - we try to set an invalid license -- ODSettings - - Removed AD group guid dependency issue # 862 -- SPOTenantSettings - - Parameter RequireAcceptingAccountMatchInvitedAccount - is now deprecated (Issue #864) -- SPOSharingSettings - - Fixed issue # 855 - - Fixed issue # 866 changed domains to array - - Fixed issue where trying to set anonymous link types if - sharing not properly configured issue #865 -- SPOTheme - - Fixed issue where Palette was not being properly extracted as - an array of CIMInstances. -- TeamsTeam - - Added support for visibility HiddenMembership -- MODULES - - M365DSCUtil - - Fixed an issue where function Test-M365DSCObjectHasProperty was missing - (Issue #861) - - M365DSCReverse - - Fixed an issue where passing in the file name and using the GUI for - extraction did not store the file at the specified location (Issue #810) - - Fixed and issue where the -GenerateInfo parameter would always generate - a link to the same resource. - - Added current version module in the Export file. -- MISC - - Added Authentication Type used to the Telemetry Engine. -- DEPENDENCIES - - AzureADPreview Updated to 2.0.2.119 - - DSCParser Updated to 1.3.0.0 - - Microsoft.Graph.Authentication Updated to 1.1.0 - - Microsoft.Graph.Planner Updated to 1.1.0 - - Microsoft.PowerApps.Administration.PowerShell Updated - to 2.0.96; - -## 1.20.1021.1 - -- AADTenantDetails - - Fixed issue where IsSingleInstance was not returned from - the Get-TargetResource method; -- MISC - - Fix to how Telemetry is retrieving module version; - - Added additional error troubleshooting information - to telemetry (dependencies version). - -## 1.20.1016.1 - -- Fixed a permissions issue with the - Install-M365DSCDevBranch cmdlet (Issue #699 & #826) -- DEPENDENCIES - - MSCloudLoginAssistant Updated to 1.0.41; - - SharePointPnPPowerShellOnline Updated to 3.26.2010.0; -- MISC - - Improved Error log to include StackTrace for additional - info to help troubleshooting errors. - -## 1.20.1014.1 - -- TeamsVoiceRoute - - Initial Release - -## 1.20.1007.1 - -- TeamsCallingPolicy - - Added new supported properties; -- TeamsMeetingPolicy - - Added new supported properties; -- TeamsTeam - - Added new supported properties; - -## 1.20.930.1 - -- IntuneAppConfigurationPolicy - - Initial Release; -- DEPENDENCIES - - Rolled back ExchangeOnlineManagement to 2.0.1 - - Microsoft.PowerApps.Administration.PowerShell updated - to 2.0.85; - - Microsoft.Graph.Authentication updated to 1.0.1; - - Microsoft.Graph.Groups.Planner updated to 1.0.1; -- MISC - - Refactored error handling to various EXO resources; - - Renamed method Test-Microsoft365DSCParameterState to - Test-M365DSCParameterState to align with naming standard; - - Fixed issue #777 with export of SCDLPComplianceRule; - -## 1.20.923.1 - -- IntuneDeviceCategory - - Initial Release; -- SPOSite - - Fixed an issue where updating a site's properties - would throw an error complaining about the object - not being in a correct state. -- DEPENDENCIES - - AADPreview Updated to 2.0.2.117; - - ExchangeOnlineManagement Updated to 2.0.3; - - MSCloudLoginAssistant Updated to 1.0.40; - - ReverseDSC Updated to 2.0.0.7; -- Misc - - Removed EncryptionTemplateID from SCSensitivityLabel (Issue #758) - - Added AzureAD app support SPOSiteDesign - - Added possibility to provide a custom header to Blueprint - assessment and delta reports. - -## 1.20.916.1 - -- AADServicePrincipal - - Initial Release (Issue #492) -- EXOAvailabilityAddressSpace - - Fixed an issue where if the user didn't have proper permissions - the entire Export process would stop; -- EXOAvailabilityConfig - - Fixed an issue where if the user didn't have proper permissions - the entire Export process would stop; -- EXOEmailAddressPolicy - - Fixed an issue where if the user didn't have proper permissions - the entire Export process would stop; -- DEPENDENCIES - - MicrosoftTeams Updated to 1.1.6; - - MSCloudLoginAssistant Updated to 1.0.38; - - Updated Microsoft.PowerApps.Administration.PowerShell to 2.0.81; -- MISC - - Fixed issue with warning about unsupported resources in the - Export mode based on authentication selected. - - Fixes an issue in the Install-M365DSCDevBranch function - where if the manifest file had a leading 0 in the version - number (e.g. 1.20.0902.1), it would create the folder as - a version with the '0' where the Gallery trims it. - (Issue #685) - -## 1.20.909.1 - -- EXOApplicationAccessPolicy - - Added some error handling around the - Get-ApplicationAccessPolicy cmdlet - (Issue #702); - \*EXOSharedMailbox - - Fixed an issue where Aliases were not properly removed - (Issue #749); -- TeamsCallingPolicy - - Added support for the AllowWebPSTNCalling and Description - properties; -- TeamsChannel - - Fixed an error in the Export when trying to connect using - only an Azure AD Application without any credentials - (Issue #754); -- TeamsClientConfiguration - - Added support for the AllowEgnyte property - (Issue #744); -- TeamsUser - - Fixed an issue where for large tenants the Export could - failed due to a percentage of completion greater than - 100% for the Write-Progress - (Issue #722); -- MISC - - Fixed an issue where the OD checkbox was always disabled - in the GUI; - - Changed the logic of the Unselect All button in the GUI - so that it doesn't unselect the authentication checkboxes; - - Fixed an issue where SPOHubSite was left selected in the - Export GUI even when unselecting the entire SPO Workload - (Issue #735); - - Fixed an issue where if no Destination Path was provided - after an export, it would fail. It now defaults to the - current location - (Issue #698); - - Fixed issue SCSensitivityLabel on EncryptionRightsDefinitions parameters - format (Issue #758) -- DEPENDENCIES - - MSCloudLoginAssistant Updated to 1.0.34; - - Microsoft.PowerApps.Administration.PowerShell Updated to 2.0.77; - - SharePointPnPPowerShellOnline Updated to 3.25.2009.1; - -## 1.20.902.1 - -- O365User - - Fixed an issue where we were trying to assign an empty - license to a user if an empty array was passed for - LicenseAssignment. -- SCComplianceSearchAction - - Added 'Preview' as a supported value for Action; -- ReverseDSC - - Fixed an issue where a newline was missing in the - credentials section when a certificate password was - specified; -- MISC - - Added a new Assert-M365DSCBlueprint function to generate - discrepency report between export of tenant and a BluePrint; -- Metadata - - Updated DSCParser Module to version 1.2.0.0; - - Updated Microsoft.Graph.Authentication Module to version - 0.9.1; - - Updated Microsoft.Graph.Groups.Planner Module to version - 0.9.1; - - Updated Microsoft.Graph.Identity.ConditionalAccess Module - to version 0.9.1; - - Updated Microsoft.Graph.Planner Module to version - 0.9.1; - - Updated Microsoft.PowerApps.Administration.PowerShell Module - to version 0.9.1; - - Updated SharePointPnPPowerShellOnline Module to version - 3.24.2008.1; - -## 1.20.805.1 - -- EXOAvailabilityConfig - - Fixed an issue with the Test-TargetResource where if a full - username (with '@') was specified for the OrgWideAccount, it - would always return false; -- EXOMobileDeviceMailboxPolicy - - Fixed an error where if no MinPasswordLength was specified - the Set-TargetResource threw n error trying to create a new - policy; -- EXOInboundConnector - - Fixed an issue where ResourceName was null during the export; -- EXOOutboundConnector - - Fixed an issue where ResourceName was null during the export; -- ODSettings - - Fixed an issue where the GrooveBlockOption setting was never - set properly; -- SCSensitivityLabel - - Added new parameters - -## 1.20.730.2 - -- AADMSGroup - - Fixed an issue where if GroupID was not passed, we could end up - with duplicate teams. -- MISC - - If a newer version of the module is available in the PowerShell - Gallery, a notification will be displayed to the user; - -## 1.20.730.1 - -- AADApplication - - Removed the ObjectId parameter from the list of parameters - checked in the Test-TargetResource; -- AADGroupsSettings - - Fixed an issue where the values returned by Get-TargetResource were - always set to true due to an invalid cast; -- O365User - - Fixed an issue where no licenses specified resulted in an error; -- Metadata - - Updated MSCloudLoginAssistant Module to version 1.0.32; - -## 1.20.723.1 - -- MISC - - Update to the Telemetry engine to capture information about tenant; - -## 1.20.722.1 - -- AADApplication - - Fix an issue where a new AzureAD Application was not created - if ObjectId was speficied; -- O365User - - Fixed an issue where the PasswordNeverExpires value returned - was incorrect; -- SPOAPP - - Added property Path as a key for the SPOApp resource to - prevent conflict where two solutions could have the same - name; -- MISC - - Renamed the event log to M365DSC to avoid journal conflicts; -- Metadata - - - Updated Microsoft.Graph.Authentication module version to 0.7.1; - - Updated Microsoft.PowerApps.Administration.PowerShell version to - 2.0.72; - - Updated SharePointPnPPowerShellOnline version to 3.23.2007.1; - -- SPOSiteScript; - - Initial Release; - -## 1.20.716.1 - -- MISC - - Added visual indicators for the Export feature; -- EXOMalwareFilterPolicy - - Fixed an issue where the value for the for the Action - returned by the Get included 'Text' and should not have; -- EXOOutboundConnector - - Fixed an issue where the ConnectorSource value returned - was empty. Now defaulting to Default. -- O365User - - Fixed issue with PasswordNeverExpires having incorrect value -- PlannerBucket - - Initial Release; -- PlannerPlan - - Initial Release; -- PlannerTask - - Initial Release; -- Metadata - - Updated ExchangeOnline module version to 1.0.1; - - Updated Microsoft.Graph module version to 0.7.0; - - Updated Microsoft.Graph.Identity.ConditionalAccess - module version to 0.7.0; - - Updated Microsoft.PowerApps.Administration.PowerShell - module version to 2.0.70; - - Updated MSCloudLoginAssistant Module to version 1.0.30; - - Updated SharePointPnPPowerShellOnline module to version 3.23.2007.0; - - Updated ReverseDSC module version to 2.0.0.4; - - Updated SharePointPnPPowerShellOnline module to - version 3.22.2006.2; - - Updated all Unit Tests to Pester 5; - - Added support for Service Principal for PowerPlatforms, - SPO & OneDrive, Exchange Online and Office 365 resources; - -## 1.20.0603.1 - -- Microsoft365Dsc - - Improved event log function -- EXOEmailAddressPolicy - - Converted hardcoded tenant name into variables; -- EXOHostedContentFilterPolicy - - Added 'NoAction' as a valid input for property BulkSpamAction; -- EXOInboundConnector - - Fixed an issue where if the connector was created with a source - of 'AdminUI', we now convert it to 'Default' in the Get function; -- EXOOutboundConnector - - Fixed an issue where if the connector was created with a source - of 'AdminUI', we now convert it to 'Default' in the Get function; -- TeamsTenantDialPlan - - Fixed an issue extraction plans without any normalization rules; -- Modules - - - M365DSCUtil: - - Fixed an issue in Test-Microsoft365DSCParameterState where - the same array of object was always being compared; - - Issue 612 - Fixed an extra '}' in the event log output; - -- Metadata - - Updated AzureADPreview to 2.0.2.102; - - Updated MSCloudLoginAssistant to 1.0.23; - - Updated Microsoft.PowerApps.Administration.PowerShell - to 2.0.64; - - Updated ReverseDSC to 2.0.0.3; - - Updated SharePointPnPPowerShellOnline to 3.21.2005.2; -- Misc - - Azure DevOPS Pipelines and AppVeyor Tests converted to GitHub - Actions; - -## 1.0.5.128 - -- AADGroupsNamingPolicy - - Added support for AzureAD Application Authentication; -- AADGroupsSettings - - Added support for AzureAD Application Authentication; - - Fixed issue where properties were returned as string instead - of boolean; -- AADMSGroup - - Initial Release; -- AADMSGroupLifecyclePolicy - - Added support for AzureAD Application Authentication; -- TeamsChannel - - Added support for AzureAD Application Authentication; -- TeamsTeam - - Added support for AzureAD Application Authentication; -- TeamsTenantDialPlan - - Initial Release; -- TeamsUser - - Added support for AzureAD Application Authentication; -- Modules - - Added M365DSCAgent; - - Added M365DSCReport; -- Metadata - - Updated Microsoft.PowerApps.Administration.PowerShell to 2.0.57; - - Updated MicrosoftTeams to 1.0.6; - - Updated MSCloudLoginAssistant to 1.0.14; - - Introduced dependency on the EXchangeOnlineManagement module; - - Introduced dependency on the Microsoft.Graph.Authentication module; - - Introduced dependency on the Microsoft.Graph.Identity.ConditionalAccess - module; - - Introduced dependency on the DSCParser module; - -## 1.0.4.39 - -- Re-branding to Microsoft365DSC - - All components re-branded; -- AADMSGroupLifecyclePolicy - - Initial Release; -- AADGroupsNamingPolicy - - Initial Release; -- AADGroupsSettings - - Initial Release; -- AADMSGroupLifecyclePolicy - - Initial Release; -- SCAuditConfigurationPolicy - - Fix issue with the Remove scenario; -- SCDLPCompliancePolicy - - Fix issue with the Remove scenario; -- SCFilePropertyAuthority - - Fix issue with the Remove scenario; -- SCFilePlanPropertyCategory - - Fix issue with the Remove scenario; -- SCFilePlanPropertyCitation - - Fix issue with the Remove scenario; -- SCFilePlanPropertyDepartment - - Fix issue with the Remove scenario; -- SCFilePlanPropertyReferenceId - - Fix issue with the Remove scenario; -- SCFilePlanPropertySubCategory - - Fix issue with the Remove scenario -- SCRetentionCompliancePolicy - - Fix issue with Teams Policy in the Get; -- SPOPropertyBag - - Fixed an issue where false positive drifts were being detected; -- SPOSiteAuditSettings - - Generalized the URL not to capture hardcoded dmomains; -- SPOSiteGroup - - Fixed an issue where now, groups with Null owners are not extracted; - - Generalized the URL not to capture hardcoded dmomains; -- TeamsCallingPolicy - - Removed the AllowCalling parameter since it is no longer supported; - - Fixed an issue with Policies without tags in their name (e.g. Global); -- TeamsMessagingPolicy - - Fixed and issue where the Global policy was always flagged as having - a drift; -- TeamsUpgradePolicy - - Initial Release; -- M365DSCUtil - - Added the new Assert-M365DSCTemplate cmdlet to assess remote templates; -- ReverseDSC - - Change to allow ComponentsToExtract without the 'chck' prefix; - - Introduction of Extraction Modes and Visual Indicators; - - Major refactoring, having UI dynamic and items displayed by - Resources' names; -- Metadata - - Updated Microsoft.PowerApps.Administration.PowerShell to 2.0.56; - - Updated MicrosoftTeams dependency to 1.0.5; - - Updated MSCloudLoginAssistant dependency to 1.0.6; - - Updated SharePointPnPPowerShellOnline dependency to 3.20.2004.0; - -## 1.0.3.1723 - -- EXOHostedOutboundSpamFilterPolicy - - BREAKING CHANGE: Remove IsSingleInstance and added - Identity as key; -- SPOSite - - Refactor to use PnP and expose updated parameters; -- TeamsGuestMessagingConfiguration - - Added value NoRestriction for GiphyRatingValues; -- Metadata - - Removed dependencyon MSOnline; - - Updated MSCloudLoginAssistant dependency to 1.0.2; - - Updated SharePointPnPPowerShellOnline dependency to 3.18.2002.0; - - Updated Microsoft.PowerApps.Administration.PowerShell - dependency to 2.0.42; - -## 1.0.2.1583 - -- EXOAcceptedDomain - - Fixed an issue where the domains were not properly extracted - if multiple domain matches a similar pattern; -- EXOHostedOutboundSpamFilterPolicy - - Fixed an error where the resource was not being extracted via - the Graphical User Interface; -- SCComplianceTag - - Fix an issue where FilePlanProperty values returned - from Get-TargetResource where always empty; -- SCDLPComplianceRule - - Fixed an issue with multiple SensitiveInformation objects; - - Fixed an issue where extraction failed if the name of the - Sensitive Information property contained apostrophes; -- SCFilePlanPropertySubCategory - - Fixed an issue where the Sub-Categories were not properly extracted, - whenever the parent category is custom; -- TeamsEmergencyCallingPolicy - - Initial Release; -- TeamsEmergencyCallRoutingPolicy - - Initial Release; -- TeamsGuestCallingConfiguration - - Initial Release; -- TeamsGuestMeetingConfiguration - - Initial Release; -- TeamsGuestMessagingConfiguration - - Initial Release; -- TeamsMeetingBroadcastPolicy - - Initial Release; -- ReverseDSC - - Updated Graphical User Interface with new resources; - - Streamlined the looping logic to simplify development process - for new resources; -- Metadata - - Updated Microsoft.Online.SharePoint.PowerShell to version - 16.0.19515.12000; - - Updated ReverseDSC dependency to version 2.0.0.2; - - Updated SharePointPnPPowerShellOnline to version 3.17.2001.2; -- SPOHomeSite - - Initial Release; - -## 1.0.1.1395 - -- EXOOrganizationConfig - - Initial Release; -- EXOClientAccessRule - - Fixed issue with Get-TargetResource not - returning all values; -- O365OrgCustomizationSetting - - Inital Release; -- PPPowerAppsEnvironment - - Initial Release; -- SCAuditConfigurationSettings - - Initial Release; -- SCComplianceTag - - Changed ReviewerEmail to type String array; -- SCDLPComplianceRule - - Fixed issue with the extraction of NotifyAllowOverride; -- SCFilePlanPropertyAuthority - - Initial Release; -- SCFilePlanPropertyCategory - - Initial Release; -- SCFilePlanPropertyCitation - - Initial Release; -- SCFilePlanPropertyDepartment - - Initial Release; -- SCFilePlanPropertyReferenceID - - Initial Release; -- SCFilePlanPropertySubCategory - - Initial Release; -- SPOPropertyBag - - Added multithreading; -- SPOSiteGroup - - Initial Release; -- SPOSharingSettings - - Added ExistingExternalUserSharingOnly as a supported value - for SharingCapabilities; -- SPOTheme - - Fixed an issue with the Set-TargetResource - still using SPO management shell cmdlets instead of PnP; -- SPOUserProfileProperty - - Introduced Multi-Threading -- TeamsCallingPolicy - - Initial Release; -- TeamsMeetingBroadcastConfiguration - - Initial Release; -- TeamsMeetingConfiguration - - Initial Release; -- TeamsMeetingPolicy - - Initial Release; -- TeamsMessagingPolicy - - Initial Release; -- TeamsUpgradeConfiguration - - Initial Release; -- TeamsUser - - Introduced Multi-Threading; - - Fixed an issue with User's Principal Name; -- Metadata - - Updated MicrosoftTeams dependency to version 1.0.3; - - Updated MSCloudLoginAssistant dependency to version - 0.8.2; - - Updated SharePointPnPPowerShellOnline dependency - to version 3.16.1912.0; - - Updated ReverseDSC dependency to version 2.0.0.0; -- Misc - - Added new Telemetry Engine; - - Added new Dynamic Stubs Generation feature; - -## 1.0.0.1048 - -- SCCaseHoldPolicy - - New Resource; -- SCComplianceCase - - New Resource; -- SCComplianceSearch - - New Resource; -- SCComplianceSearchAction - - New Resource; -- SCDLPComplianceRule - - New Resource; -- SPOPropertyBag - - New Resource; -- SPOSiteAuditSettings - - New Resource; -- SPOTenantCDNPolicy - - New Resource; -- Reverse - - Added workload selectors to the GUI interface; -- Metadata - - Updated MSCloudLoginAssistant dependency - to version 0.8.3; - - Updated ReverseDSC dependency - to version 1.9.4.6; - - Updated Microsoft.Online.SharePoint.PowerShell dependency - to version 16.0.19223.12000; - - Updated MicrosoftTeams dependency to version 1.0.0.2; - - Updated SharePointPnPPowerShellOnline dependency - to version 3.14.1910.0 - -## 1.0.0.846 - -- Modules - - ReverseDSC - - Added all missing Security and Compliance items; -- EXOATPPolicyForO365 - - Fixed issue where we now extract any policy, - not just default; -- SCDLPCompliancePolicy - - New Resource; -- SCRetentionCompliancePolicy - - Changed logic to update existing Policy; -- Metadata - - Updated SharePointPnPPowerShellOnline dependency - to version 3.12.1908.1; - - Updated MSCloudLoginAssistant dependency to - version 0.6; - -## 1.0.0.776 - -- BREAKING CHANGES - - ODSettings - - IsSingleInstance is now a Mandatory parameter; - - Removed CentralAdminUrl as a parameter; - - SPOAccessControlSettings - - Removed CentralAdminUrl as a parameter; - - SPOAPP - - Removed CentralAdminUrl as a parameter; - - SPOHubSite - - Removed CentralAdminUrl as a parameter; - - SPOSearchManagedProperty - - Removed CentralAdminUrl as a parameter; - - SPOSearchResultSource - - Removed CentralAdminUrl as a parameter; - - SPOSharingSettings - - Removed CentralAdminUrl as a parameter; - - SPOSite - - Removed CentralAdminUrl as a parameter; - - SPOSiteDesign - - Removed CentralAdminUrl as a parameter; - - SPOSiteDesignRights - - Removed CentralAdminUrl as a parameter; - - SPOTenantSettings - - Removed CentralAdminUrl as a parameter; - - SPOTheme - - Removed CentralAdminUrl as a parameter; -- Metadata - - Updated version dependency for MSCloudLoginAssistant - to 0.5.8; -- Modules - - ReverseDSC - - Fixed some issues with the abstraction of tenant name - when the -Quiet switch is used; -- SPOApp - - Change logic for detection when no App Catalog exist; - -## 1.0.0.744 - -- GENERAL - - Updated Dependency on SharePointPnPPowerShellOnline - to version 3.11.1907.0 -- BREAKING CHANGES - - O365Group - - ManagedBy is now a mandatory property; - - SPOSite - - Owner is now a mandatory property -- Modules - - Added embedded Log Engine -- SCRetentionCompliancePolicy - - Initial Release; -- SCRetentionComplianceRule - - Initial Release -- SCSupervisoryReviewPolicy - - Initial Release -- SCSupervisoryReviewRule - - Initial Release -- SPOSite - - Added default value for Storage Quota; - - Fixed an issue with site creation that could result in infinite loops; diff --git a/docs/docs/resources/exchange/EXOOrganizationConfig.md b/docs/docs/resources/exchange/EXOOrganizationConfig.md index 5408f746e5..153cc466ac 100644 --- a/docs/docs/resources/exchange/EXOOrganizationConfig.md +++ b/docs/docs/resources/exchange/EXOOrganizationConfig.md @@ -63,6 +63,7 @@ | **PublicFolderShowClientControl** | Write | Boolean | The PublicFolderShowClientControl parameter enables or disables access to public folders in Microsoft Outlook. || | **ReadTrackingEnabled** | Write | Boolean | The ReadTrackingEnabled parameter specifies whether the tracking for read status for messages in an organization is enabled. The default value is $false. || | **RemotePublicFolderMailboxes** | Write | StringArray[] | The RemotePublicFolderMailboxes parameter specifies the identities of the public folder objects (represented as mail user objects locally) corresponding to the public folder mailboxes created in the remote forest. The public folder values set here are used only if the public folder deployment is a remote deployment. || +| **SendFromEmailAliasEnabled** | Write | Boolean | The SendFromAliasEnabled parameter allows mailbox users to send messages using aliases (proxy addresses). It does this by disabling the rewriting of aliases to their primary SMTP address. This change is implemented in the Exchange Online service || | **SiteMailboxCreationURL** | Write | String | The SiteMailboxCreationURL parameter specifies the URL that's used to create site mailboxes. Site mailboxes improve collaboration and user productivity by allowing access to both SharePoint documents and Exchange email in Outlook 2013 or later. || | **SmtpActionableMessagesEnabled** | Write | Boolean | The SmtpActionableMessagesEnabled parameter specifies whether to enable or disable action buttons in email messages in Outlook on the web. || | **VisibleMeetingUpdateProperties** | Write | String | The VisibleMeetingUpdateProperties parameter specifies whether meeting message updates will be auto-processed on behalf of attendees. Auto-processed updates are applied to the attendee's calendar item, and then the meeting message is moved to the deleted items. The attendee never sees the update in their inbox, but their calendar is updated. || diff --git a/docs/docs/user-guide/get-started/apply-config.md b/docs/docs/user-guide/get-started/apply-config.md deleted file mode 100644 index e21a6f4d1e..0000000000 --- a/docs/docs/user-guide/get-started/apply-config.md +++ /dev/null @@ -1,23 +0,0 @@ -Microsoft365DSC is a [PowerShell Desired State Configuration](https://docs.microsoft.com/en-us/powershell/scripting/dsc/overview/overview?view=powershell-7) (DSC) module. Just like for any DSC configuration, Microsoft365DSC configurations need to be compiled into a .MOF file before they can be applied. - -To compile the configuration file, do the following: - -1. Move to the location where the extracted files reside for example: - -```powershell -cd C:\Microsoft365DSC\ -``` - -2. Execute the ps1 file within PowerShell: - -```powershell - .\M365TenantConfig.ps1 -``` - -3. Provide the Tenant Admin password. - -A .mof file will be compiled and will represent the Microsoft 365 tenant for example localhost.mof. This localhost.mof file can be re-run against a different tenant and will automatically sync all the configurations that were extracted to the new tenant. The mof file will be located in its own folder and this folder will be named based on the Configuration name within the .ps1 configuration file. In order to apply the compiled configuration against your Microsoft 365 tenant, you will need to call into the **Start-DSCConfiguration** PowerShell cmdlet. For example, if your configuration was named M365TenantConfig, you can apply the configuration by running the following command: - -```powershell -Start-DSCConfiguration M365TenantConfig -Wait -Verbose -Force -``` diff --git a/docs/docs/user-guide/get-started/assess-tenants-blueprint.md b/docs/docs/user-guide/get-started/assess-tenants-blueprint.md deleted file mode 100644 index 3027911f50..0000000000 --- a/docs/docs/user-guide/get-started/assess-tenants-blueprint.md +++ /dev/null @@ -1,7 +0,0 @@ -It is important to understand here that we use the term **Blueprint** loosely. A blueprint is nothing but a verified and validated Microsoft365DSC configuration file. These Blueprints are configuration files that have been reviewed and approved by an entity and have the .m365 extension. Note that it is completely possible to use any other .ps1 configuration as a blueprint to assess a tenant. In fact you can extract the configuration from a tenant (using the steps in the above section), and use that extracted configuration to assess any other tenant against it. PowerShell Desired State Configuration (DSC) let's you assess an environment against any given compiled DSC configuration without actually applying it on the environment. If you wish to assess the state of your Microsoft 365 tenant against a blueprint you can either use a local blueprint or use an hosted blueprint hosted in a public repository such as GitHub. - -To assess a tenant against a local blueprint (.m365 or .ps1), you can use the following PowerShell command. Running the command will prompt you to provide the administrator credentials of the tenant you wish to assess the blueprint against. - -```powershell -Assert-M365DSCBluePrint -BlueprintUrl {local path or URL to the Blueprint} -OutputReportPath {path to where to save the .html file} -``` diff --git a/docs/docs/user-guide/get-started/complete-story.md b/docs/docs/user-guide/get-started/complete-story.md new file mode 100644 index 0000000000..4a696d7773 --- /dev/null +++ b/docs/docs/user-guide/get-started/complete-story.md @@ -0,0 +1,287 @@ +This article is a complete guide to installing, deploying and using Microsoft365DSC. Microsoft365DSC is an open-source solution that’s available for free on GitHub. It is led by Microsoft engineers and maintained by the community. Official documentation for the solution is available on the official site at https://Microsoft365DSC.com. Microsoft365DSC is the declarative form of Microsoft 365 tenant’s configuration. It is to the Microsoft 365 environment what Azure Resource Manager templates (ARM) are to Azure. It allows you to represent your tenant’s configuration-as-code using PowerShell Desired State Configuration (DSC), use it to automatically configure your Microsoft tenants in the described state, take snapshots of existing tenants into DSC declarative code, generate reports out of those snapshots, continuously monitor all your Microsoft 365 tenants for configuration drifts and be alerted when drifts are detected, clone the configuration of an existing tenant onto another and compare the configuration between one or multiple tenants. + +# Prerequisites +Microsoft365DSC is supported for PowerShell version 5.1 and 7.1. Support for newer versions of PowerShell is not yet offered since these have now decoupled the DSC engine into its own separate module and require additional work from the team. It is however on the roadmap as a priority item for the later part of Calendar Year of 2022. + +To get the best experience, it is recommended that you use the Windows Terminal to run and execute Microsoft365DSC. All screenshots provided in this article are using the Windows Terminal. This tool allows you to quickly switch between PowerShell versions and provide better support for icons and symbols that are used throughout Microsoft365DSC’s experience. + +## Microsoft Graph Permissions +Most components of the Microsoft365DSC solution are using the Microsoft Graph PowerShell SDK under the cover to authenticate and interact with Microsoft 365. By default, if you are using Microsoft365DSC without using your own Azure Active Directory application instance, the tool will automatically use the Microsoft Graph PowerShell application instance to authenticate. + + ![image](https://user-images.githubusercontent.com/2547149/149792907-fb23e825-d1a5-4391-b67d-3e13e576dbd8.png) + +In order to be able to interact with these components, you need to grant your application or the Microsoft Graph PowerShell one the proper permissions against the Microsoft Graph scope. To determine what permission what permissions are required by a given component that uses Microsoft Graph, you can use the **Get-M365DSCCompiledPermissionList** cmdlet and pass in the list of parameters for which you wish to grant permissions for. + + ![image](https://user-images.githubusercontent.com/2547149/149797417-379d8590-852d-4888-85f7-3b0f7bf7460f.png) + +Doing so will return an object with two properties. The ReadPermissions property contains a list of the minimal permissions that need to be granted for the app to be able to read information about the selected components. These are the permissions you want to grant if you are taking a snapshot of the configuration of an existing tenant. The second property, UpdatePermissions, contains the minimal permissions required to interact with and configure the selected components. You will need to grant your application these permissions if you are trying to apply a configuration onto a tenant. + +If you are trying to interact with all available components in Microsoft365DSC, you can get a complete picture of all permissions required across all resources by running the following line of PowerShell. + +``` +Get-M365DSCCompiledPermissionList -ResourceNameList (Get-M365DSCAllResources) +``` +![image](https://user-images.githubusercontent.com/2547149/149797453-3f7ea11c-f7d3-4431-b65f-2fe1ab815871.png) + +The **Get-M365DSCAllResources** cmdlet will return a list of all components available inside of the Microsoft365DSC solution which will then by passed in the Get-M365DSCCompiledPermissionList cmdlet which will compile the resulting permissions needed for the list of components it receives, in occurrence all of them. These permissions need to be granted to your application instance, either using the Azure portal or automating the process via PowerShell. + +We provide an easy way of consenting permissions to the Microsoft Graph PowerShell application in your tenant with the **Update-M365DSCAllowedGraphScopes** cmdlet. This cmdlet accepts either a list of components to grant the permissions for or can grant it for all resources if the **-All** switch is used. You also need to specify what type of permissions, Read or Update, you wish to grant it using the **-Type** parameter. + +![image](https://user-images.githubusercontent.com/2547149/149797611-409a38ae-953e-4fc4-9751-4183c7ad7497.png) + +Executing the cmdlet will prompt you to authenticate using an administrator account that has access to consent permissions to Azure AD applications in your environment. + +# How to Install +While the source code of the solution is open-sourced on GitHub at https://github.com/Microsoft.Microsoft365DSC, the releases of the solutions are being published to the PowerShell Gallery. This means that the tool can be installed onto any machine by running the following command: +``` +Install-Module Microsoft365DSC -Force +``` + ![image](https://user-images.githubusercontent.com/2547149/149797724-c4f87cc1-2fa1-4812-81ef-c31c69c26376.png) + +Executing this command can take a minute or two. Microsoft365DSC depends on several other modules to function properly. For example, it uses the MSCloudLoginAssistant module to delegate all authentication logic to the various workloads, it leverages a dozen Microsoft Graph PowerShell module to interact with various configuration settings, etc. Newer versions of Microsoft365DSC no longer download all the required prerequisites by default. When you install the Microsoft365DSC, you only get the core components. It is our recommendation that you run the following command to update all dependencies on the system after installing the module: + +``` +Update-M365DSCDependencies +``` + ![image](https://user-images.githubusercontent.com/2547149/149797877-bb59cb8b-6d39-4f14-8912-ca2a1f1ea851.png) + +Running the above command will automatically read the list of dependencies from the [root]/Dependencies/Manifest.psd1 file, check to see if they are installed on the machine with the proper version, and if not it will automatically download them and install them from the PowerShell Gallery. + +Depending on your configuration and on the version of PowerShell you are using, the installed modules may be put in different locations. The process of installing a PowerShell module from the PowerShell Gallery really just comes down to downloading the files from the gallery as a zip, extracting them and copying to a location on the system that is associated with PowerShell via environment variables. The following command will allow you to view the version of any given PowerShell module on a system along with its associated version: +``` +Get-Module Microsoft365DSC -ListAvailable | select ModuleBase, Version +``` + ![image](https://user-images.githubusercontent.com/2547149/149798129-051dba57-95b8-4916-8109-5d5445fd0737.png) + +# Authentication +It is also very important for users to understand the authentication process of Microsoft365DSC. The solution supports connecting to the various workloads for either applying the configuration, monitoring it for configuration drifts or taking a snapshot of an existing configuration. It supports authenticating using either a set of credentials for a user, to use a Service Principal by specifying parameters such as an Azure Active Directory (AD) Application ID, or a combination of both. + +The recommendation is to use Service Principal whenever possible because it offers the most granular levels of security and doesn’t introduce the risk of having to send high privileged credentials across the wire to authenticate. However, not all workloads supported by Microsoft365DSC are currently able to handle Service Principal authentication. Currently, the Security and Compliance and Microsoft Teams workload unfortunately do not support authenticating using the Service Principal of an Azure Active Directory Application. The following picture gives you an overview of what authentication mechanisms are supported by each workload and what underlying module is being used to authenticate for each. + ![image](https://user-images.githubusercontent.com/2547149/149798164-6e95848a-9405-40f5-aa3c-dc0063ba02d3.png) + +As you can see from the picture above, Credentials while being the least preferred option for security reasons, is the only option that works across all supported workloads. It is also important to clarify the difference between the Teams and the Skype for Business Online entries in the picture above. If we take a look a few months back, to manage Microsoft Teams using PowerShell you needed two different modules: one for the collaboration part of Microsoft Teams (the MicrosoftTeams PowerShell module) and one for the Skype For Business components (SkypeOnlineConnector). While the collaboration aspect of Teams, which includes Teams and Channels is accessible through Service Principal authentication, other components such as all Teams administrative policies are still only available through the Skype for Business part of the new combined MicrosoftTeams module and therefore don’t work with service principal authentication. + +We are having discussions with the various product groups that are responsible for these PowerShell modules inside of Microsoft to have better consistency across all workloads on how to authenticate. Items highlighted in green in the table above, are workloads for which we use the Microsoft Graph PowerShell SDK to authenticate against. Our plan is to update the underlying logic of every component inside of Microsoft365DSC to leverage that SDK as new APIs become available on Microsoft Graph. + +It is possible for a configuration to use a mix of credentials and Service Principals to authenticate against the various workloads. For example, if you decide to keep a master configuration for all of you tenant’s configuration, you could have Azure AD components use the Service Principal of an app you’ve created to authenticate, and further down in the configuration have your Security and Compliance components use credentials. That approach is perfectly fine, but we’d recommend to try and split different workloads across different configuration files in this case to make it easier to manage. + +It is also important to note that we’ve added logic inside of the command that allows you to take a snapshot of your current’s tenant configuration to warn you when the components you are trying to capture can’t be accessed based on the authentication model you’ve selected. For example, if you are trying to take a snapshot of both Azure AD and Security and Compliance components, but are authenticating using a Service Principal, the tool will warn you that the Security and Compliance components can’t be captured and that they will be ignored. In this case, the resulting capture would only contain the Azure AD components because those are the only ones the tool can get access to using Service Principal. +![image](https://user-images.githubusercontent.com/2547149/149798269-70a82229-f8c9-4645-bf57-5419b721ea92.png) + +# Taking a Snapshot of Existing Tenant +The first thing that most folks using the solution will want to do is take a snapshot of an existing tenant they have access to and that they are familiar with. As soon as you install the Microsoft365DSC module on a system, it will automatically get access to run the **Export-M365DSCConfiguragtion** PowerShell cmdlet which is the main command for initiating a snapshot of an existing configuration. In previous versions of the module, simply running the above cmdlet would automatically launch a Graphical User Interface that would allow you to pick and choose the components you wanted to capture the configuration for as part of your snapshot and initiate the capture process. Newer versions of the module have moved to an unattended process by default, meaning that running the cmdlet will expect additional parameters by default and will then attempt to initiate the snapshot process automatically without further human interaction. + +Initiating the snapshot process via the **Export-M365DSCConfiguration** cmdlet will begin by authenticating against all required workloads. The first thing it will do is compile a list of all components it is about to capture and figure out what workload they are part of. Then it will automatically authenticated against each one using the authentication parameters provided. + +## Web Based User Interface +While the default process has changed with recent versions of the module, you can still use a newly revamped, web-based User Interface to help you build the PowerShell command to execute based on the components you wish to capture. To launch this new web interface, simply use the **-LaunchWebUI** switch when calling the Export-M365DSCConfiguration cmdlet. This will automatically launch a new web browser interface and navigate you to https://Export.Microsoft365DSC.com +![image](https://user-images.githubusercontent.com/2547149/149798448-3a01db84-3a6e-4a97-9d65-11bfcaca20eb.png) + + +From the interface, simply select the components you want, and click on the **Generate** button at the top right. This will open a new prompt that will allow you to copy the PowerShell command you need to run to capture a snapshot of the selected components via Microsoft365DSC. Simply copy this command and paste it in your PowerShell console to initiate the capture process. +![image](https://user-images.githubusercontent.com/2547149/149798483-d8dac9ea-5498-4870-ab60-be497111e92e.png) + + +## Unattended Capture +As mentioned above, Microsoft365DSC now defaults to an unattended capture process when running the Export-M365DSCConfiguration cmdlet. To quickly get started, simply open a new PowerShell console and type in the cmdlet. By default, if you don’t provide any additional parameters to the cmdlet, it will try to use credentials to authenticate against the various workloads. In the case where no additional authentication parameters are provided, Microsoft365DSC will prompt you for credentials and will use those credentials to authenticate throughout the capture process. + + ![image](https://user-images.githubusercontent.com/2547149/149798516-916a822a-242e-4288-b1d9-f24b1812ed3c.png)![image](https://user-images.githubusercontent.com/2547149/149798528-b8580be6-62c6-4ce0-9193-2f928f4f3791.png) + +You could always pass in the credentials in as a variable, which will bypass the credential prompt and automatically initiate the export process when calling the cmdlet. +E.g. + +``` +$creds = Get-Credential +Export-M365DSCConfiguration -Credential $creds +``` + + ![image](https://user-images.githubusercontent.com/2547149/149798704-328e8355-fafc-4748-a277-1224009b0515.png) + +The same process applies if you are trying to authenticate using a Service Principal. In this case you would need to pass in the ApplicationID and TenantID parameter and decide whether to use an ApplicationSecret or a CertificateThumbprint. + ![image](https://user-images.githubusercontent.com/2547149/149798742-569902f8-84fa-4360-82e7-fcb334f69b5d.png) +![image](https://user-images.githubusercontent.com/2547149/149798752-7335cc56-d09a-485d-8408-9ff12ebd89f6.png) + + +It is important to understand that the resulting file that contains the captured configuration will also implement the same authentication mechanism used by the capture process. For example, if you used credentials to capture the configuration, the resulting file will contain logic to capture credentials when it gets executed and every component it defines will also implement the **Credential** parameter. +![image](https://user-images.githubusercontent.com/2547149/149798788-d9e1f08b-6e18-46d3-b9ca-652c6c1a18bf.png) + + +In comparison, if you used a Service Principal to do the export, the resulting file will implement logic to receive information about the Azure AD application instance to use and every component defined within the file will as well. + ![image](https://user-images.githubusercontent.com/2547149/149798810-9e7ba15d-e8ae-4f64-8340-e4e950ef31cf.png) + +As we can see from the image above, the Service Principal fields' values are coming from the Configuration Data file that also get stored along the configuration file during the snapshot process. If you take a look at the folder where the resulting files were stored, you should see a file named ConfigurationData.psd1. This is where the value for the parameters above are defined. +![image](https://user-images.githubusercontent.com/2547149/149798970-fff1404b-6f48-4186-8acb-30299816de9d.png) + + +It is also important to note, the resulting file will always contain random GUID for the name of the resources in the DSC configuration. These are random and are only used to ensure we don’t have resource naming conflicts inside the configuration. They can be replaced by anything meaningful, as long as you don’t have two components of the same resource type named the same across your configuration. Names are meaningless in the world of DSC and are only used as a primary key when compiling your configuration. + ![image](https://user-images.githubusercontent.com/2547149/149799004-4e57c166-df00-4b43-a554-add1f03dee3e.png) + +## Available Parameters +The Microsoft365DSC tenant's configuration snapshot feature offers several options you can use to better control the output capture. This section provides an overview of each additional parameter that is available for the **Export-M365DSCConfiguration** cmdlet and how they can be used during the capture process + +### LaunchWebUI +As mentioned above, the moment this switch is present when calling the Export-M365DSCConfiguration cmdlet it will launch new browser window and navigate to the export user interface at https://export.microsoft365dsc.com. + +### FileName +This allows you to specify how you wish the resulting file to be named. Specify the name of the file, including the extension (e.g. .ps1). + ![image](https://user-images.githubusercontent.com/2547149/149799116-4942a0e9-4865-48be-a32e-7de683ea9264.png) + +Omitting to specify this parameter will name the resulting file as M365TenantConfig.ps1 + +### ConfigurationName +This parameter allows you to specify how the DSC configuration object, inside of the exported configuration file will be named. + ![image](https://user-images.githubusercontent.com/2547149/149799157-cb03fb1e-d3b6-4a39-b33c-959b1e3ccbde.png) + +Omitting to specify this parameter will result in the configuration object to be named as the file’s name (e.g. M365TenantConfig). + +### Path +Specifies the location where the resulting file will be stored. Omitting to specify this parameter will prompt the user to provide the destination path at the end of the capture process. + ![image](https://user-images.githubusercontent.com/2547149/149799199-5f8e454b-9d05-42da-9a7c-5a22cf39fe46.png) + +### Components +This parameter accepts an array containing the names of the components you want to capture as part of your snapshot. Omitting this parameter will default the capture process to capture all components that are part of the default components list (see parameter Mode). + ![image](https://user-images.githubusercontent.com/2547149/149799217-4f2c2bf8-1ceb-4e6c-a9a4-d8d989c1a05a.png) + +### Workloads +This component accepts an array containing the names of various workloads you wish to capture the components for as part of your snapshot process. Users need to specify the acronym of the workloads, which can be any of: +* **AAD** – Azure Active Directory +* **EXO** – Exchange Online +* **O365** – Office 365 administration +* **Intune** – Intune +* **OD** – OneDrive +* **Planner** – Planner +* **PP** – Power Platform +* **SC** – Security and Compliance +* **SPO** – SharePoint Online +* **Teams** – Microsoft Teams + ![image](https://user-images.githubusercontent.com/2547149/149799340-8019c321-5115-4edd-8c2e-d98588fb09bb.png) + +By default, specifying a workload will only export components that are part of the default component list (see Mode). If you want to capture every component available for a given workload, you will need to combine this parameter with **-Mode Full**. + +### Mode +This parameter allows users to specify what set of components they wish to capture as part of their snapshot process. By default, Microsoft365DSC will exclude some components from the capture process either because these are likely to take a very long time to export (e.g. SPOPropertyBag) or that they are more related to data than actual configuration settings (e.g. Planner Tasks, SPOUserProfileProperty, etc.). Available modes are: +* Lite +* Default +* Full +And off course, omitting to specify this parameter will default to the **default** mode. +To keep track of what resources are available in what mode, Microsoft365DSC defines two global variables which contain the list of resources unique to this extraction mode: **$Global:DefaultComponents** and **$Global:FullComponents** +![image](https://user-images.githubusercontent.com/2547149/149799484-cda8c84e-971e-446a-b247-b58c40f08a6a.png) + + +This means that the **Lite** extraction mode will contain all resources with the exception of those listed in Default and Full. The **Default** mode will include all resources from the Lite mode, plus the SPOApp and SPOSiteDesign components, and **Full** will include every resource available in the project. + +### MaxProcesses +There are a few components inside of Microsoft365DSC for which parallelism has been implemented as part of their snapshot process to improve speed. This parameter allows user to specify how many parallel threads should be created during the capture process. Components leveraging parallelism are: SPOPropertyBag, SPOUserProfileProperty and TeamsUser. The specified value for this parameter has to be between **1** and **100**. Instances of the components will be equally divided amongst the various threads. + ![image](https://user-images.githubusercontent.com/2547149/149799619-509d7526-eba0-4ccc-b028-aeb012a2275a.png) +![image](https://user-images.githubusercontent.com/2547149/149799632-06ae6b61-4bbc-4cf8-8102-1c008d805205.png) + +While there are advantages to implementing multithreading for the snapshot process, there are many disadvantages as well such as not being able to properly view ongoing progress inside threads and added complexity to the design of the resources. After weighting in the pros can cons of implementing this approach across all components to speed up the entire capture process, we’ve opted to keep the design of the resources simpler (no use parallelism) for maintenance purposes and to ensure users have a consistent way of view progress during the snapshot process. + +### GenerateInfo +This parameter allows users to specify whether or not comments should be added as part of the exported file to provide additional information about the various types of components captured. + ![image](https://user-images.githubusercontent.com/2547149/149799667-9cfc5e09-c7c4-460e-979e-3c3f1129abc2.png) + +# Deploying Configurations +This section explains how you can take a Microsoft365DSC configuration file you’ve written (or captured using the snapshot feature) and apply the settings it defines onto a Microsoft 365 tenant. It is very important to understand that at this stage, we are using PowerShell Desired State (DSC) out-of-the-box and that the process of applying a DSC configuration is not something specific to Microsoft365DSC. + +## Compiling and Validating the Configuration +The first step in trying to deploy a DSC configuration is to compile the configuration file into what we call a Managed Object Format (MOF) file. To do so, simply execute the .ps1 file that contains your configuration. The process of compiling your configuration will also perform some level of validation on the configuration such as ensuring that every component defined in the file has all of their mandatory parameters defined and that there are no typos in components or property names. If the compilation process is successful, you should see a mention that the .mof file was created. This file gets created in the same location where your configuration file is located by default and will create a new folder based on the name of the configuration object defined within your file. + ![image](https://user-images.githubusercontent.com/2547149/149799734-204e64d7-19d5-4f5b-a62c-90fcb04213a0.png) +![image](https://user-images.githubusercontent.com/2547149/149799745-ff76dcc4-a4d4-4c43-8f76-9f29873e5d18.png)![image](https://user-images.githubusercontent.com/2547149/149799755-5880b2c7-545a-45c5-b4d7-36c99ecaff31.png) + + +# Securing your Compiled Configuration +In the case where you are using credentials to authenticate to your tenant, you will be prompted to provide credentials at compilation time for your configuration. By default, these credentials will be stored as plain text in the resulting MOF file, which is a big security concern. + +![image](https://user-images.githubusercontent.com/2547149/149799792-6656a848-cc46-487c-9c77-a141aec63e30.png) + + +To remediate to this, PowerShell DSC lets us use an encryption certificate to encrypt information about credentials in the MOF files. To make this process easier for users, Microsoft365DSC defines a function named **Set-M365DSCAgentCertificateConfiguration** which will automatically generate an encryption certificate and configure the PowerShell DSC engine on the system to use it for encrypting the MOF files. The cmdlet will return the Thumbprint for the newly generated certificate. + +![image](https://user-images.githubusercontent.com/2547149/149799811-a6f64a8b-bcb8-4cdc-8c80-d7d68849ea25.png) + +You can also have the cmdlet generate the private key for the certificate by using the **-GeneratePFX** switch and specifying a password with the **-Password** parameter. This will require you to also specify the **-ForceRenew** parameter so that a brand new certificate gets emitted. + +![image](https://user-images.githubusercontent.com/2547149/149799898-7a5b36ad-634a-41c3-aaa3-abc1ca7d8848.png) + +Once the certificate has been configured every time you do a snapshot of an existing tenant’s configuration, a new M365DSC.cer certificate file will be stored in the same repository as the configuration files. The ConfigurationData.psd1 will also contain a new entry under the localhost node that will point to this certificate, effectively telling DSC to use this file to encrypt credentials when compiling. + + ![image](https://user-images.githubusercontent.com/2547149/149799919-7b594207-f435-491d-a424-c3f15447294c.png) + +If you compile your configuration using the new certificate and take a look at your MOF file, you should see that the password for the credential object was successfully encrypted and is no longer showing in plaintext. + + ![image](https://user-images.githubusercontent.com/2547149/149799949-163c0ba6-8bd9-4ec5-acab-9597ae77966f.png) + +## Deploying the Configuration +To initiate the deployment of a configuration onto a Microsoft 365 tenant, you need to use the out-of-the-box cmdlet provided by PowerShell DSC named **Start-DSCConfiguration**. By default, this cmdlet will execute as a background job. If you wish to monitor the execution of the process, you need to use the **-Wait** switch, which will make the process synchronous. We also recommend using the **-Verbose** switch with the command to get additional details on the progression of the process. The cmdlet takes in the path to the folder that contains the compiled .MOF file. + +e.g. +``` +Start-DSCConfiguration C:\DemoM365DSC\M365TenantConfig -Wait -Verbose -Force +``` + +Executing the cmdlet will automatically authenticate against the affected workload using the authentication parameters provided at compilation time and will apply the configuration settings defined in the file. + ![image](https://user-images.githubusercontent.com/2547149/149800095-28010b6b-8b7c-4c2b-85fd-f0614294fb50.png) + +It is normal for this process to take several minutes if not hours to complete, based on how many components are defined in your configuration. It is important to understand that once the configuration completes its deployment, this will configure the PowerShell DSC engine on the current system to due frequent checks against your Microsoft 365 tenant to check for configuration drifts. By default, the engine will wake up every 15 minutes (minimum value possible). For more details on how to configure this, please refer to Configuring the Local Configuration Manager. If you simply want to apply the configuration on the tenant as a one off and prevent the system form doing frequent checks for configuration drifts, you can remove the configuration you’ve applied from memory by running the following PowerShell commands: +``` +Stop-DSCConfiguration -Force +Remove-DSCConfigurationDocument -Stage Current +``` + ![image](https://user-images.githubusercontent.com/2547149/149800178-ea830872-446a-4e97-9cda-068d9eef7266.png) + +# Monitoring for Configuration Drifts +Once a configuration has been applied to a Microsoft 365 tenant using Microsoft365DSC, the local system will perform regular checks to analyze the configuration of the remote tenant against what its desired state should be and detect any configuration drifts. This feature comes from PowerShell DSC out-of-the-box and is not something specific to Microsoft365DSC. By default the DSC engine on the system where the configuration was applied from will check for configuration drifts every 15 minutes. If a drift in configuration is detected, it will log it in Event Viewer on the machine by default. Detected drifts will get logged under the **M365DSC** log journal in Event Viewer. Microsoft365DSC provide very detailed entries in event viewer that help you identify exactly in what component a drift was detected as well as what property was detected to have drifted. + ![image](https://user-images.githubusercontent.com/2547149/149800220-a67f31ef-3cc3-46bd-b462-3099ce0c89d6.png) + +Just like for any DSC module, you can also configure the DSC engine to automatically attempt to automatically fix detected drift and bring the tenant back into its desired state. This is referred to as the DSC configuration mode. To learn more about how you can configure the DSC engine to automatically fix detected drift, please refer to Configuring the Local Configuration Manager. + +# Cloning Tenant's Configuration +This feature of Microsoft365DSC is not a true standalone feature; it is a combination of existing features to unlock a new scenario for users. Since Microsoft365DSC is able to take a snapshot of any Microsoft 365 tenant and because we can deploy a Microsoft365DSC configuration onto any tenant, we can easily clone the configuration of any tenant over another one (or another set of tenants). When you take a snapshot of an existing tenant, the extracted configuration file doesn’t contain any information that is specific to the source tenant. It abstracts it all into variables, which make the configuration generic instead of unique for a particular tenant. It is then at compilation time that you provide information about the environment onto which this configuration will be applied to. + +For example, let's assume you are trying to clone the configuration of Tenant A onto Tenant B. You would start by capturing the existing configuration of tenant A using credentials or a Service Principal that exists and has rights on Tenant A. This will generate the configuration file containing all the configuration settings for Tenant A. Then at compilation time, when trying to compile the extracted configuration into a MOF file, you will need to provide credentials or a Service Principal that has access to Tenant B. Then all that is left to do is to deploy the configuration onto Tenant B to have all the configurations settings from tenant A applied onto it. + +# Generating Reports from Configurations +Microsoft365DSC makes it very easy to generate user friendly reports from any configuration, whether you wrote it yourself or generated it using the configuration snapshot feature. The solution allows you to generate both HTML and Excel reports from existing files. To generate and Excel reports however, you need to have Office installed on the machine that you are trying to generate the report from. To generate reports, simply use the **New-M365DSCReportFromConfiguration** and specify what type of report you want using the **Type** parameter (specify HTML or Excel). The cmdlet also requires you to specify the full path to the .ps1 configuration file you want to generate the report from using the **-ConfigurationPath** parameter and specify where you wish to store the generated report using the **-OutputPath** parameter. + +Trying to generate an Excel report from a configuration will automatically launch the Excel client as part of the process. Users will see data being loaded progressively into it and once the generation processes has finished, columns will automatically be resized to fit the content. The report will also automatically put the key mandatory parameter (e.g. primary key) of each resource in bold and do some styling of the output. report. + ![image](https://user-images.githubusercontent.com/2547149/149800400-e44efd1c-77a9-4b9c-8c43-c3b05f139714.png) + +Generating an HTML report will generate a different result. It will create the report file at the location specified by the **OutputPath** parameter, but it won’t actually launch the report in a browser. The **New-M365DSCReportFromConfiguration** cmdlet, when used for HTML reports will also return the raw HTML content of the report as seen in the image below. + ![image](https://user-images.githubusercontent.com/2547149/149800454-466920fd-0fb0-48fd-b5b2-873c3cb00b28.png) +![image](https://user-images.githubusercontent.com/2547149/149800462-c3ab5699-4991-48b3-89cc-3f48e36d8a86.png) + + + +# Comparing Configurations +The Microsoft365DSC solution has a built-in engine to compare configurations and generate a delta report in HTML that shows the discrepancies between the two. You can either use it to compare the configuration between 2 files or you can use it to compare a configuration against another tenant and see how it defers from that tenant’s current configuration. + +## Comparing 2 Configuration Files +Using the **New-M365DSCDeltaReport** cmdlet, you can specify the two configuration files you wish to compare using the **-Source** and **-Destination** parameters. You then need to specify where you wish to store the resulting HTML report using the **-OutputPath** parameter. Consider the following example, where I've taken two configuration snapshots of my tenant over a period of 6 months apart. I wish to determine what configuration settings have changed over that period of time. Using the **New-M365DSCDeltaReport** cmdlet, I can easily compare the two and generate a delta report as shown in the image below. +![image](https://user-images.githubusercontent.com/2547149/149800668-d0c6ab84-703f-4b46-a17e-8603388ca190.png) + + +You can also decide to customize the generated report by injecting your own HTML into its header. To do so, simply specify the location of the HTML file to inject in the header of the report using the **-HeaderFilePath** parameter. The example shown in the following picture shows how to add your customer header to a delta report. +![image](https://user-images.githubusercontent.com/2547149/149800692-614c5463-906f-4d1f-9acf-d52c0794121f.png) + + +## Comparing a Configuration Against Another Tenant +Using Microsoft365DSC, you can compare any configuration file against the current configuration of any other given Microsoft 365 tenant. This can be very useful in comparing the configuration between two tenants in scenarios like mergers and acquisitions. For example, let’s assume you are trying to compare the configuration of Tenant A with the one from Tenant B. You can start by taking a snapshot of both tenants, and then use this feature to compare it against the configuration of Tenant B using the **New-M365DSCDeltaReport** cmdlet. + +# Integrating with Azure DevOPS +Microsoft365DSC takes all its sense when used as part of DevOPS processes within the enterprise. You can use it to automate your Microsoft 365 Change Management process so that any requested configuration changes to tenants get tracked via systems like Azure DevOPS and GitHub and use them to automate the deployment of your changes across your various tenants when a change is approved. While this article doesn’t cover the process of integrating Microsoft365DSC with these systems, our team has written a great whitepaper to help you get started with integrating Microsoft365DSC with Azure DevOPS. + +# Support +As mentioned at the beginning of this document, Microsoft365DSC is an open-source solution led by Microsoft engineers and maintained by the community. This means that it is not supported via Microsoft's support. If you need help getting started, need to report a bug or request new features to be added, you will need to use the Issues section of the official GitHub repository to do so. The team is meeting on a weekly basis to review items and prioritize fixes. If you require immediate attention for a blocking issue and that you have a Premiere or Unified support contract with Microsoft, you can always talk to your account team to leverage hours in your contract to have an engineer assigned to expedite the process. + +# Telemetry +By default, Microsoft365DSC is sending telemetry back to Microsoft to help the team improve the solution in a pro-active manner. Information is all captured using Azure Application Insights. We are capturing information about what operations are being called the more often, information about any errors encountered, authentication type most commonly used, PowerShell versions used, etc. Users can decide to stop sending telemetry back to Microsoft at any given point by opting out. To do so, simply run the following PowerShell command: +``` +Set-M365DSCTelemetryOption -Enabled $false +``` +**Note** that this is a per machine setting. Therefore, if you are executing Microsoft365DSC on different systems within your organization, this command will have to be executed on each one. +Organizations can also decide to capture telemetry from Microsoft365DSC using their own Application Insights account (without sending any data back to Microsoft). The **Set-M365DSCTelemetryOption** cmdlet lets you specify what Application Insights account you wish to send telemetry back to using the **-InstrumentationKey** parameter. + + ![image](https://user-images.githubusercontent.com/2547149/149800998-71bf37ff-ff82-4627-8893-7465d689f0fe.png) + +Users can also specify a custom name for their solution using the **-ProjectName** parameter. This will ensure that every telemetry reported back to the Application Insights account gets tagged with the project name under **customDimensions.ProjectName**. diff --git a/docs/docs/user-guide/get-started/extract-config.md b/docs/docs/user-guide/get-started/extract-config.md deleted file mode 100644 index daf9ebf16d..0000000000 --- a/docs/docs/user-guide/get-started/extract-config.md +++ /dev/null @@ -1,27 +0,0 @@ -The moment you install the Microsoft365DSC module onto a machine, a new PowerShell cmdlet, **Export-M365DSCConfiguration** is made available. The Export-M365DSCConfiguration cmdlet exposes several parameters to help you customize the extraction experience. The following table lists all the parameters available: - -| Parameter Name | Type | Description | Description | -|--------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------| -| -LaunchWebUI | Switch | Launches a new web browser and navigates to the Web based Graphical User Interface. | Export-M365DSCConfiguration -LaunchWebUI | -| -Credential | PSCredential | Specifies the credentials to use to perform the configuration's extraction. If you omit this parameter, the user will be prompted to provide credentials before executing the extraction. | $creds = Get-Credential Export-M365DSCConfiguration -Credential $creds | -| -Components | String Array | The -ComponentsToExtract parameter allows you to specify a granular list of components you wish to extract. The components need to be listed by their associated resource name. For a complete list of all resources supported, please refer to the List of Resources wiki pages on our GitHub repository. | Export-M365DSCConfiguration-Components @("EXOMailboxSettings", "TEAMSCallingPolicy", "SCDLPComplianceRule") | -| -Workloads | String Array | The -Workloads parameter allows you to specify a list of workloads you wish to extract ALL components from. Accepted valus are: EXO - For Exchange Online O365 - For Office 365 administrative components OD - For OneDrive PP - For Power Platform SC - For Security and Compliance SPO - For SharePoint Online TEAMS - For Teams | Export-M365DSCConfiguration -Workloads @("TEAMS", "SPO") | -| -FileName | String | Specifies the name of the extracted .ps1 configuration file. If the -Path is not specified along with the -FileName parameter, the file will be created in the current folder where the extraction process was triggered from. If omitted, the default name will be M365TenantConfig.ps1. | Export-M365DSCConfiguration -FileName "MyTenantExtract.ps1" | -| -Path | String | Specifies the location where the extracted .ps1 configuration file will be located. If omitted, the file will be created in the current folder where the extraction process was triggered from. | Export-M365DSCConfiguration -Path "C:\DSCExtracts\" | -| -ConfigurationName | String | Specifies the name of the configuration inside the extracted file. If omitted, the dafault value will be M365TenantConfig. This represents the actual name given to the Configuration object inside the .ps1 file extracted, and by default will always be the name of the compiled configuration folder. | Export-M365DSCConfiguration -ConfigurationName "MyTenantConfig" | -| -MaxProcesses | Number (integer) | Certain resources support parallelism to help speed up their extraction processes. Resources such as TEAMSUser, SPOPropertyBag and SPOUserProfileProperty split up the extraction process over multiple parallel threads. By default, Microsoft365DSC will attempt to create up to 16 parallel threads. By specifying this parameter, you can control the maximum number of parallel threads these resources will spin off. Note that,as an example, if you speficy a value of 20 and that there are only 12 instances of a given resources, that only 12 threads will be spun off. | Export-M365DSCConfiguration -MaxProcesses 12 | - - - -**NOTE**: While Microsoft365DSC fully supports Multi Factor Authentication (MFA) when extracting the configuration, it does not support MFA when pushing a configuration to a target tenant (Automate). - -To get a full list of all components support by Microsoft365DSC, please refer to our [Resources List](https://github.com/microsoft/Microsoft365DSC/wiki/Resources-List) on our GitHub repository. - -Once the extraction completes it will prompt you to enter in a file location where the extractions will be stored. If the path entered does not exist, the tool will create it. The following files with the extracted data will be placed in the file location specified: - -**ConfigurationData.psd1** contains information about the tenant, and let's you abstract additional values in your configuration (advanced topic). - -**M365TenantConfig.ps1** file that represents the configuration of the tenant. This file has the information that was extracted. - - - diff --git a/docs/docs/user-guide/get-started/generate-reports.md b/docs/docs/user-guide/get-started/generate-reports.md deleted file mode 100644 index b9248ea937..0000000000 --- a/docs/docs/user-guide/get-started/generate-reports.md +++ /dev/null @@ -1,11 +0,0 @@ -Whether you wrote your own Microsoft365DSC configuration or you've exported it from an existing tenant, you can convert it to either an HTML or Excel report. Both these reports are read-only, and values changed in the Excel report will not update values in your tenant. To generate reports from an existing configuration, you need to use the **New-M365DSCReportFromConfiguration** cmdlet. This cmdlet let's you specify what type of report you wish to generate (HTML or Excel), specify the path to the configuration you are generating the report for and the destination path where you wish to store the generated report. - -```powershell -New-M365DSCReportFromConfiguration -Type Excel -ConfigurationPath c:\DSC\PathToMyConfig.ps1 -OutputPath c:\whatever\Report.xlsx -New-M365DSCReportFromConfiguration -Type HTML -ConfigurationPath c:\DSC\PathToMyConfig.ps1 -OutputPath c:\whatever\Report.html -``` -Microsoft365DSC also allows you to generate discrepancy reports between two configurations. The discrepancy report will identify the differences between the two configuration into an HTML format. - -```powershell -New-M365DSCDeltaReport -Source 'C:\DSC\SourceConfig.ps1' -Destination 'C:\DSC\DestinationConfig.ps1' -OutputPath 'C:\Output\Delta.html' -``` diff --git a/docs/docs/user-guide/get-started/graph-permissions.md b/docs/docs/user-guide/get-started/graph-permissions.md deleted file mode 100644 index 5e8a3879c4..0000000000 --- a/docs/docs/user-guide/get-started/graph-permissions.md +++ /dev/null @@ -1,31 +0,0 @@ -Microsoft365DSC is using several other modules to connect to Microsoft 365, for example the MicrosoftTeams or PnP Powershell modules. Some of the resources are using Microsoft Graph API modules, like the Intune and the (recently converted) Azure Active Directory resources. The idea for Microsoft365DSC is that all modules will be converted to use the Graph API modules as soon as they are available for that workload. This means authentication will be consistent across all workload and at the same time has to follow the authentication possibilities of the Graph API. - -## Authentication and permissions - -The Graph API has two different authentication implementations: - -1. Delegated permissions: Here a username/password is used to authenticate. - - This option is using an AzureAD app in the background to call the Graph API. However the effective permissions will be the intersection of the delegated permissions **and** the user privileges. By default, the Graph app has no permissions meaning it can't access anything and therefore won't work. You have to grant these permissions to the app before using them. Consent for these permissions can be given [by the user himself](https://docs.microsoft.com/en-us/graph/auth-v2-user) or by an admin for all users in the tenant. - - For example: If your account only has permissions on three SharePoint sites, only these sites can be retrieved. Even when the AzureAD app has Sites.FullControll.All permissions granted. - - ![Infographic](../../Images/PermissionsGraphDelegatedApp.png){ align=center width=500 } - - To update the delegated permissions on the Graph app, you can use the "***Update-M365DSCAllowedGraphScopes***" cmdlet and specify the resources you are using. This will read the required permissions for those resources and update those on the Graph app. - - **NOTE:** It is possible to specify your own App registration when using Delegated permissions, but if you don't the generic Graph app is created and used. - -2. Application permissions: Here authentication is done using app credentials (either a secret or certificate). - - This option requires [your own app to be registered in Azure AD](https://docs.microsoft.com/en-us/graph/auth-register-app-v2). You can specify what permissions you want your app to have or even create an app for each workloads if necessary. Effective permissions will always be the granted permissions (an user context does not exist). Only [admins can grant these permissions](https://docs.microsoft.com/en-us/graph/auth-v2-service). - - **NOTE:** This is the easiest option to use. - - ![Infographic](../../Images/PermissionsM365DSCApp.png){ align=center width=500 } - -**IMPORTANT**: Applications with high privileges should be monitored closely. In practice there are advantages to use conditional access policies for these applications to limit access to specific sources or user accounts. - -For more information, check these articles: -- [Authentication and authorization basics for Microsoft Graph](https://docs.microsoft.com/en-us/graph/auth/auth-concepts) -- [Microsoft Graph permissions reference](https://docs.microsoft.com/en-us/graph/permissions-reference) diff --git a/docs/docs/user-guide/get-started/install-first-module.md b/docs/docs/user-guide/get-started/install-first-module.md deleted file mode 100644 index 6e931af5d8..0000000000 --- a/docs/docs/user-guide/get-started/install-first-module.md +++ /dev/null @@ -1,11 +0,0 @@ -Open a PowerShell console (run as Administrator) from any machine. Microsoft365DSC requires that the machine be running at least PowerShell version 4.0+, but we stronly recommend having PowerShell 5.1. In the PowerShell console, run the following command to install the module: - -```powershell -Install-Module Microsoft365DSC -Force -``` - -When this is run, PowerShell is pinging the PowerShell gallery, getting the Microsoft365DSC module and will then download and install it locally on the machine. It will download the required components such as the SharePoint PNP module, Azure Active Directory module, the Exchange Online Management Shell, as well as other dependent modules. - -![import-module](../../Images/ImportModule.png) - -Note: It is important that the machine that executes the configuration has internet connectivity back to the Microsoft 365 tenant you are trying to configure or extract the configuration from. diff --git a/docs/docs/user-guide/get-started/monitor-tenants.md b/docs/docs/user-guide/get-started/monitor-tenants.md deleted file mode 100644 index 5f55eff388..0000000000 --- a/docs/docs/user-guide/get-started/monitor-tenants.md +++ /dev/null @@ -1 +0,0 @@ -Once a configuration has been applied to a tenant, the machine from which it was pushed becomes what we commonly call an M365DSC agent. This means that while this machine remains active, it will perform regular (every 15 minutes by default) to assess the tenant against the configuration that was applied, and checks for any configuration drifts. By default, when a configuration drift is detected, the agent will simply log a new error in Event Viewer under **Applications and Services Logs > Microsoft365DSC.** This default behavior can be changed by configuring the Local Configuration Manager (LCM) of the agent. Other behaviors include not taking any actions when configuration drifts are detected or automatically fixing drifts when they get detected. For more information on how to configure the agent's LCM, please refer to the [Configuring the Local Configuration Manager](https://docs.microsoft.com/en-us/powershell/scripting/dsc/managing-nodes/metaConfig?view=powershell-7) article. diff --git a/docs/docs/user-guide/get-started/write-first-config.md b/docs/docs/user-guide/get-started/write-first-config.md deleted file mode 100644 index c23d12726d..0000000000 --- a/docs/docs/user-guide/get-started/write-first-config.md +++ /dev/null @@ -1,40 +0,0 @@ -## Write your First Microsoft365DSC Configuration - -With Microsoft365DSC, you write your configuration for an Microsoft 365 tenant just like you'd be writing any other DSC configuration. If you don't feel comfortable writing your configuration from scratch, we recommend starting by extracting the configuration from an existing tenant and using this as a baseline to modify/add your own set of configuration. Please refer to the [Extracting Configuration from an Existing Microsoft 365 Tenant](extract-config.md) for more information. - -A Microsoft365DSC configuration is a PowerShell script (.ps1) file that defines a Configuration object. Most Microsoft365DSC configuration should be run on the current machine (localhost) and will have a structure similar to the following: - -```sh - Configuration NameOfTheConfiguration - { - Import-DSCResource -ModuleName Microsoft365DSC - $GlobalAdminAccount = Get-Credential - Node localhost - { - - } - } - NameOfTheConfiguration -``` - -The last line of the above code simply calls into the **Configuration Object** as if it was a function. This will initiate a compilation operation on the current configuration. If you decide to name your configuration something other than "NameOfTheConfiguration" you will need to update that line accordingly as well. - -Now that we have the skeleton for our configuration, we need to start populating it with configuration blocks we call DSC Resources Blocks. In the Microsoft365DSC taxonomy, a **resource** is a component of a workload that can be configured. For example, SPOSite is the resource to configure a SharePoint Online site collection, SCDLPComplianceRule is the resource to configure a Security and Compliance Center Data Loss Prevention (DLP) Rule, etc. Each one of these resources further defines properties that they can manage. In the case of the SPOSite resource for example, properties such as the URL, Title, Storage Quota, etc. acan all be managed by the resource. If we build on this example, I can define a new SharePoint Online site collection using the following DSC Resource Block: - -```sh - SPOSite MyHRSite - { - Title = "Human Resources" - Url = "https://sites/HR" - Owner = "admin@" - Template = "STS#3" - GlobalAdminAccount = $GlobalAdminAccount - Ensure = "Present" - } - -``` -The above DSC Resource Block could be inserted inside the **Node** section of the configuration frame we've convered above. In our example, we are defining a SharePoint Online site collection with title Human Resources and a given URL, owner alias and Template. The DSC Resource Block is given a name of MyHRSite which is meaningless in the bigger scheme of things. DSC simply requires that all instances of a given resource have DSC resource blocks with unique names. Therefore within the same configuration you cannont have two SPOSite DSC Resource Blocks named MyHRSite, but you could have a SPOSite and a SCDLPComplianceRule resource block both named **MyHRSite** without any issues. - -You will also notice from the example above that we are defining a **GlobalAdminAccount** property, passing it the obtained credentials for our tenant's admin account. This property is required for every DSC Resource Block and specifies what account to impersonate when configuring or analyzing the Microsoft 365 tenant. The other property in the resource block is **Ensure**. Most resources that can be used to create instances of a component have that property available. It can either be set to **Present** or **Absent**. If the above example had the property set to Absent, it would mean that a site collection should never exist at the specified URL. If there was such an existing site, Microsoft365DSC would remove it. Omitting to specify this property on resources that support it will default to a value of 'Present'. - -For a full list of all DSC resources supported by Microsoft365DSC, their associated properties and examples on how to use them, please refer to our [List of Resources](https://github.com/microsoft/Microsoft365DSC/wiki/Resources-List) on the wiki of our GitHub repository. diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index 10bd47de2e..7782e0e0f2 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml @@ -5,17 +5,8 @@ nav: - 'Introduction': 'index.md' - 'What is Microsoft365DSC?': 'home/what-is-M365DSC.md' - User Guide: - - 'Get Started': - - 'How to install': 'user-guide/get-started/install-first-module.md' - - 'Write your First Microsoft365DSC Configuration': 'user-guide/get-started/write-first-config.md' - - 'Extracting Configuration from an Existing Microsoft 365 Tenant': 'user-guide/get-started/extract-config.md' - - 'Apply a Configuration to your Microsoft 365 Tenant': 'user-guide/get-started/apply-config.md' - - 'Monitor Tenants for Configuration Drifts': 'user-guide/get-started/monitor-tenants.md' - - 'Assess Tenants Against a Blueprint': 'user-guide/get-started/assess-tenants-blueprint.md' - - 'Generating Reports': 'user-guide/get-started/generate-reports.md' - - 'Configuring Graph Permissions': 'user-guide/get-started/graph-permissions.md' - - Advanced: - - 'How to Create a M365DSC Blueprint': 'user-guide/advanced/create-blueprint.md' + - 'Get Started': 'user-guide/get-started/complete-story.md' + - Advanced: 'user-guide/advanced/create-blueprint.md' - Contributing: - 'Guidelines': 'contributing/contribution-guidelines.md' - 'Getting started': 'contributing/getting-started.md' @@ -38,7 +29,7 @@ nav: - 'Teams': 'resources/teams' - About: - 'Why Microsoft365DSC': 'about/why.md' - - 'Changelog': 'about/changelog.md' + - 'Changelog': https://github.com/microsoft/Microsoft365DSC/blob/master/CHANGELOG.md" target="_blank - 'License': 'about/license.md' - 'Community Resources': 'about/community-resources.md' plugins: