microsoft · ykuijs · Aug 21, 2024 · Aug 19, 2024 · Aug 21, 2024
@@ -2,6 +2,13 @@
 
 # UNRELEASED
 
+* AADConditionalAccessPolicy
+  * Fixes an issue where the `AuthenticationFlows` property changed in Graph
+    and updates on the documentation for the possible values of `TransferMethods`.
+    FIXES [#4961](https://github.com/microsoft/Microsoft365DSC/issues/4961)
+    FIXES [#4960](https://github.com/microsoft/Microsoft365DSC/issues/4960)
+    FIXES [#4734](https://github.com/microsoft/Microsoft365DSC/issues/4734)
+    FIXES [#4725](https://github.com/microsoft/Microsoft365DSC/issues/4725)
 * EXOAuthenticationPolicyAssignment
   * Removes the 1000 user limit when exporting authentication policy assignments
     FIXES [#4956](https://github.com/microsoft/Microsoft365DSC/issues/4956)

@@ -1519,15 +1519,23 @@ function Set-TargetResource
         if ($currentParameters.ContainsKey('TransferMethods'))
         {
             #create and provision TransferMethods condition object if used
+            $authenticationFlows = if ([System.String]::IsNullOrEmpty($TransferMethods))
+            {
+                $null
+            }
+            else
+            {
+                @{
+                    transferMethods = $TransferMethods
+                }
+            }
             if (-not $conditions.Contains('authenticationFlows'))
             {
-                $conditions.Add('authenticationFlows', @{
-                        transferMethods = $TransferMethods
-                    })
+                $conditions.Add('authenticationFlows', $authenticationFlows)
             }
             else
             {
-                $conditions.authenticationFlows.Add('transferMethods', $TransferMethods)
+                $conditions.authenticationFlows = $authenticationFlows
             }
 
         }
@@ -1972,10 +1980,28 @@ function Test-TargetResource
     $ValuesToCheck = $PSBoundParameters
     $ValuesToCheck.Remove('Id') | Out-Null
 
-    $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-        -Source $($MyInvocation.MyCommand.Source) `
-        -DesiredValues $PSBoundParameters `
-        -ValuesToCheck $ValuesToCheck.Keys
+    # If no TransferMethod is specified, ignore it
+    # If a TransferMethod is specified, check if it is equal to the current value
+    # while ignoring the order of the values
+    if (-not $PSBoundParameters.ContainsKey('TransferMethods') -or
+        $null -eq (Compare-Object -ReferenceObject $TransferMethods.Split(',') -DifferenceObject $CurrentValues.TransferMethods.Split(',')))
+    {
+        $ValuesToCheck.Remove('TransferMethods') | Out-Null
+        $TestResult = $true
+    }
+    else
+    {
+        Write-Verbose -Message "TransferMethods are not equal: [$TransferMethods] - [$($CurrentValues.TransferMethods)]"
+        $TestResult  = $false
+    }
+
+    if ($TestResult)
+    {
+        $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
+            -Source $($MyInvocation.MyCommand.Source) `
+            -DesiredValues $PSBoundParameters `
+            -ValuesToCheck $ValuesToCheck.Keys
+    }
 
     Write-Verbose -Message "Test-TargetResource returned $TestResult"
 

@@ -44,7 +44,7 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
     [Write, Description("Specifies, whether Browser Persistence is controlled by the Policy.")] Boolean PersistentBrowserIsEnabled;
     [Write, Description("Specifies, what Browser Persistence control is enforced by the Policy."), ValueMap{"Always","Never",""}, Values{"Always","Never",""}] String PersistentBrowserMode;
     [Write, Description("Name of the associated authentication strength policy.")] String AuthenticationStrength;
-    [Write, Description("Names of the associated authentication flow transfer methods")] String TransferMethods;
+    [Write, Description("Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'.")] String TransferMethods;
     [Write, Description("Authentication context class references.")] String AuthenticationContexts[];
     [Write, Description("Specify if the Azure AD CA Policy should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
     [Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential;