microsoft
/
Microsoft365DSC
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge branch 'Dev' into user/sasistla/SCDeviceTenantRule

This commit is contained in:
Yorick Kuijs 2024-11-06 08:29:47 +01:00 коммит произвёл GitHub
Родитель 47c040e338 f7cbfa689e
Коммит b9a0a72cf2
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
431 изменённых файлов: 62528 добавлений и 2527 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

178
CHANGELOG.md
Просмотреть файл

@ -2,43 +2,215 @@
# UNRELEASED
* AADServicePrincipal
* Added support for KeyCredentials and PasswordCredentials.
* Added support for SAML.
* Fixed issue with Owners.
* AADAccessReviewDefinition
* Initial release.
* AADAccessReviewPolicy
* Initial release.
* AADAuthenticationMethodPolicyExternal
* Initial release.
* AADClaimsMappingPolicy
* Initial release.
* AADConditionalAccessPolicy
* FIXES [#5282](https://github.com/microsoft/Microsoft365DSC/issues/5282)
* Added support for InsiderRiskLevels.
* AADCustomSecurityAttributeDefinition
* Fixed missing permissions in settings.json
* AADEnrichedAuditLogs
* Initial release.
* AADFederationConfiguration
* Initial release.
* AADFilteringPolicy
* Initial release.
* AADFilteringPolicyRule
* Initial release.
* AADFilteringProfile
* Initial release.
* AADGroup
* Added support for custom roles assignment.
FIXES [#5322](https://github.com/microsoft/Microsoft365DSC/issues/5322)
* AADHomeRealmDiscoveryPolicy
* Initial Release
* AADIdentityAPIConnector
* Initial release.
* AADIdentityB2XUserFlow
* Initial release.
* AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension
* Initial release.
* AADIdentityGovernanceProgram
* Initial release.
* AADIdentityAPIConnector
* AADIdentityProtectionPolicySettings
* Initial release.
* AADNamedLocationPolicy
* Fixed issue where duplicate names were not detected correctly.
* AADNetworkAccessForwardingProfile
* Initial release.
* AADNetworkAccessForwardingPolicy
* Initial release.
* AADNetworkAccessSettingConditionalAccess
* Initial release.
* AADNetworkAccessSettingCrossTenantAccess
* Initial release.
* AADOnPremisesPublishingProfilesSettings
* Initial release.
* AADOrganizationCertificateBasedAuthConfiguration
* Initial release.
* AADRemoteNetwork
* Initial release.
* AADRoleEligibilityScheduleRequest
* Fixes for Custom roles.
FIXES [#5330](https://github.com/microsoft/Microsoft365DSC/issues/5330)
* Fixes to remove elegibility schedule for custom roles.
FIXES [#5331](https://github.com/microsoft/Microsoft365DSC/issues/5331)
* AADRoleManagementPolicyRule
* Initial release.
* AADServicePrincipal
* Added the notes field.
* FIXES [#5312](https://github.com/microsoft/Microsoft365DSC/issues/5312)
* AADSocialIdentityProvider
* Fixed missing permissions in settings.json
* AADUserFlowAttribute
* Initial Release
* AADVerifiedIdAuthority
* Initial release.
* AADVerifiedIdAuthorityContract
* Initial release.
* AzureBillingAccountsAssociatedTenant
* Initial release.
* AzureBillingAccountsRoleAssignment
* Initial release.
* AzureDiagnosticSettings
* Initial release.
* AzureDiagnosticSettingsCustomSecurityAttribute
* Initial release.
* AzureSubscription
* Renamed parameters and added logic flow to create new subscriptions.
* AzureVerifiedIdFaceCheck
* Initial release.
* DefenderDeviceAuthenticatedScanDefinition
* Initial release.
* EXOActiveSyncMailboxPolicy
* Initial release.
* EXOArcConfig
* Fixed `Test-TargetResource` to correctly check property `ArcTrustedSealers`
when it has an array
* EXOMailboxAuditBypassAssociation
* Initial release.
* EXOMailboxSettings
* Added support for AddressBookPolicy, RetentionPolicy, RoleAssignmentPolicy
and SharingPolicy.
* EXOServicePrincipal
* Initial release.
* EXOTenantAllowBlockListItems
* Fixed `Test-TargetResource` to correctly mark when this resource is removed
* EXOTenantAllowBlockListSpoofItems
* Initial release.
* IntuneAccountProtectionLocalUserGroupMembershipPolicy
* Updates values in `UserSelectionType`.
FIXES [#5318](https://github.com/microsoft/Microsoft365DSC/issues/5318)
* IntuneAntivirusPolicyLinux
* Initial release.
* IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr
* Initial release.
* IntuneAppCategory
* Fixed retrieval of resource which could then result in multiple categories
being created with same name.
* IntuneAppleMDMPushNotificationCertificate
* Initial release.
* IntuneDerivedCredential
* Fixed export and deployment when `NotificationType` had more than one option
selected
* Fixed retrieval of resource when it cannot be found by `Id`
* Added a few verbose messages
* IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile
* Initial release.
* IntuneEndpointDetectionAndResponsePolicyWindows10
* Fixes an issue with `AutoFromConnector` as the Configuration package type.
FIXES [#5246](https://github.com/microsoft/Microsoft365DSC/issues/5246)
* IntuneMobileThreatDefenseConnector
* Initial release.
* IntuneSecurityBaselineDefenderForEndpoint
* Initial release.
* IntuneSettingCatalogCustomPolicyWindows10
* Fixes an issue with limited results when more than 25 results are present.
* Intune workload
* Fixed missing permissions in settings.json
* M365DSCRuleEvaluation
* Changed the name of the Key property from ResourceName to ResourceTypeName.
While this is considered a breaking change, the old property name was
breaking the DSCParser process. The impact of this breaking the parsing
process is important enough to justify an out-of-band breaking change of
this resource.
* ODSettings
* Deprecated property NotifyOwnersWhenInvitationsAccepted.
FIXES [#4979](https://github.com/microsoft/Microsoft365DSC/issues/4979)
* PPPowerAppsEnvironment
* FIXES [#5207](https://github.com/microsoft/Microsoft365DSC/issues/5207)
* PPTenantSettings
* Updated to support latest settings.
* SCInsiderRiskPolicy
* Added support for property MDATPTriageStatus.
* Added support for GPUUtilizationLimit and CPUUtilizationLimit.
* SCPolicyConfig
* Initial release.
* SCSensitivityLabel
* Fixed issue with setting label priority
FIXES [#5266](https://github.com/microsoft/Microsoft365DSC/issues/5266)
* SentinelAlertRule
* Initial release.
* SentinelThreatIntelligenceIndicator
* Initial release.
* SCDeviceTenantPolicy
* Initial Release.
* SPOSharingSettings
* Deprecated property RequireAcceptingAccountMatchInvitedAccount.
FIXES [#4979](https://github.com/microsoft/Microsoft365DSC/issues/4979)
* SPOTenantSettings
* Added support for AllowSelectSGsInODBListInTenant,
DenySelectSGsInODBListInTenant, DenySelectSecurityGroupsInSPSitesList,
AllowSelectSecurityGroupsInSPSitesList,
ExemptNativeUsersFromTenantLevelRestricedAccessControl properties.
* TenantDefaultTimezone changed to String instead of Array.
* TeamsMeetingPolicy
* Added new parameters: AllowExternalNonTrustedMeetingChat, AttendeeIdentityMasking,
AutomaticallyStartCopilot, AutoRecording, ConnectToMeetingControls,
ContentSharingInExternalMeetings, Copilot, CopyRestriction,
DetectSensitiveContentDuringScreenSharing, ExternalMeetingJoin, ParticipantNameChange,
VoiceIsolation
* TeamsOrgWideAppSettings
* Fixed an issue where ManagedIdentity wasn't define in the methods' signatures.
FIXES [#5188](https://github.com/microsoft/Microsoft365DSC/issues/5188)
* M365DSCDRGUtil
* Fixes an issue where non-unique properties were not combined
properly with their respective parent setting.
* MISC
* Fixed references to graph.microsoft.com with dynamic domain name based on target cloud.
Impacted AADAdminConsentRequestPolicy, AADApplication, AADConditionalAccessPolicy, AADGroup,
AADNamedLocationPolicy, AADServiePrincipal, IntuneASRRulesPolicyWindows10,
IntuneAccountProtectionLocalUsersGroupMembershipPolicy, IntuneAccountProtectionPolicy,
IntuneAppProtectionPolicyiOS,IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10,
IntuneDeviceConfigurationSCEPCertificatePolicyWindows10, IntuneDeviceConfigurationWiredNetworkPolicyWindows10,
IntuneDeviceEnrollmentStatusPageWindows10, IntuneDiskEncryptionMacOS, IntunePolicySets,
IntuneSettingCatalogCustomPolicyWindows10, M365DSCRGUtil
* Exponential performance improvements by reducing complexity and roundtrips.
* Changed the logic that appends GUID in the resource name when primary key is not found during an
export. We will only append a GUID if the IsSingleInstance property is not found on the resource.
* Add check in AADGroupSettings for NewUnifiedGroupWritebackDefault not existing in Government by default
FIXES [#5213](https://github.com/microsoft/Microsoft365DSC/issues/5213)
* Fix static refrences to graph.microsoft.com
FIXES [#5339](https://github.com/microsoft/Microsoft365DSC/issues/5339)
AADNetworkAccessForwardingPolicy. AADOrganizationCertificateBasedAuthConfiguration,
AADAuthenticationMethodPolicyExternal, AADEnrichedAuditLogs
FIXES [#5340](https://github.com/microsoft/Microsoft365DSC/issues/5340)
IntuneDeviceManagementEnrollmentAndroidGooglePlay, IntuneAppleMDMPushNotificationCertificate
* Fixes static OData refrences to graph.microsoft.com
AADApplication, AADEntitlementManagementAccessPackage, AADEntitlementManagementConnectedOrganization
AADServicePrincipal
FIXES [#5342](https://github.com/microsoft/Microsoft365DSC/issues/5342)
* DEPENDENCIES
* Updated ExchangeOnlineManagement to version 3.6.0.
* Updated Microsoft.Graph to version 2.24.0.
* Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.199.
* Updated MSCloudLoginAssistant to version 1.1.27
@ -91,6 +263,8 @@
* Initial release.
* IntuneDeviceConfigurationIdentityProtectionPolicyWindows10
* Added deprecation notice.
* IntuneDeviceManagementEnrollmentAndroidGooglePlay
* Initial release
* IntuneEndpointDetectionAndResponsePolicyWindows10
* Migrate to new Settings Catalog cmdlets.
* IntuneMobileAppsMacOSLobApp

330
Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/MSFT_AADAccessReviewPolicy.psm1 Normal file
Просмотреть файл

@ -0,0 +1,330 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance,
[Parameter()]
[System.Boolean]
$IsGroupOwnerManagementEnabled,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters | Out-Null
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
try
{
$instance = Get-MgBetaPolicyAccessReviewPolicy -ErrorAction Stop
if ($null -eq $instance)
{
throw 'Could not retrieve the Access Review Policy'
}
$results = @{
IsSingleInstance = 'Yes'
IsGroupOwnerManagementEnabled = $instance.IsGroupOwnerManagementEnabled
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
Write-Verbose -Message $_
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance,
[Parameter()]
[System.Boolean]
$IsGroupOwnerManagementEnabled,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$updateParameters = @{
IsGroupOwnerManagementEnabled = $IsGroupOwnerManagementEnabled
}
$updateJSON = ConvertTo-Json $updateParameters
Write-Verbose -Message "Updating the Entra Id Access Review Policy with values: $updateJSON"
Update-MgBetaPolicyAccessReviewPolicy -BodyParameter $updateParameters
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance,
[Parameter()]
[System.Boolean]
$IsGroupOwnerManagementEnabled,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
$Script:ExportMode = $true
[array] $Script:exportedInstances = Get-MgBetaPolicyAccessReviewPolicy -ErrorAction Stop
$i = 1
$dscContent = ''
if ($Script:exportedInstances.Length -eq 0)
{
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
else
{
Write-Host "`r`n" -NoNewline
}
foreach ($config in $Script:exportedInstances)
{
if ($null -ne $Global:M365DSCExportResourceInstancesCount)
{
$Global:M365DSCExportResourceInstancesCount++
}
$displayedKey = 'Access Review Policy'
Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline
$params = @{
IsSingleInstance = 'Yes'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$i++
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
Export-ModuleMember -Function *-TargetResource

13
Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/MSFT_AADAccessReviewPolicy.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,13 @@
[ClassVersion("1.0.0.0"), FriendlyName("AADAccessReviewPolicy")]
class MSFT_AADAccessReviewPolicy : OMI_BaseResource
{
[Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance;
[Write, Description("If true, group owners can create and manage access reviews on groups they own.")] Boolean IsGroupOwnerManagementEnabled;
[Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADAccessReviewPolicy
## Description
Use this resource to monitor the access review policy object.

28
Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/settings.json Normal file
Просмотреть файл

@ -0,0 +1,28 @@
{
"resourceName": "AADAccessReviewPolicy",
"description": "Use this resource to monitor the access review policy object.",
"roles": {
"read": [],
"update": []
},
"permissions": {
"graph": {
"delegated": {
"read": [],
"update": []
},
"application": {
"read": [
{
"name": "Policy.Read.All"
}
],
"update": [
{
"name": "Policy.ReadWrite.AccessReview"
}
]
}
}
}
}

3
Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/MSFT_AADAdminConsentRequestPolicy.psm1
Просмотреть файл

@ -260,8 +260,9 @@ function Set-TargetResource
$updateJSON = ConvertTo-Json $updateParameters
Write-Verbose -Message "Updating the Entra Id Admin Consent Request Policy with values: $updateJSON"
$Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/policies/adminConsentRequestPolicy'
Invoke-MgGraphRequest -Method 'PUT' `
-Uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' `
-Uri $Uri `
-Body $updateJSON | Out-Null
}

9
Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1
Просмотреть файл

@ -391,8 +391,9 @@ function Get-TargetResource
try
{
$Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/applications/$($AADBetaApp.Id)/onPremisesPublishing"
$oppInfo = Invoke-MgGraphRequest -Method GET `
-Uri "https://graph.microsoft.com/beta/applications/$($AADBetaApp.Id)/onPremisesPublishing" `
-Uri $Uri `
-ErrorAction SilentlyContinue
}
catch
@ -924,7 +925,7 @@ function Set-TargetResource
{
$Type = 'directoryObjects'
}
$ObjectUri = 'https://graph.microsoft.com/v1.0/{0}/{1}' -f $Type, $diff.InputObject
$ObjectUri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'v1.0/{0}/{1}' -f $Type, $diff.InputObject
$ownerObject = @{
'@odata.id' = $ObjectUri
}
@ -1135,8 +1136,10 @@ function Set-TargetResource
$onPremisesPublishingValue.Add('singleSignOnSettings', $singleSignOnValues)
$onPremisesPayload = ConvertTo-Json $onPremisesPublishingValue -Depth 10 -Compress
Write-Verbose -Message "Updating the OnPremisesPublishing settings for application {$($currentAADApp.DisplayName)} with payload: $onPremisesPayload"
$Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/applications/$($currentAADApp.Id)/onPremisesPublishing"
Invoke-MgGraphRequest -Method 'PATCH' `
-Uri "https://graph.microsoft.com/beta/applications/$($currentAADApp.Id)/onPremisesPublishing" `
-Uri $Uri `
-Body $onPremisesPayload
}
#endregion

8
Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationMethodPolicyExternal/MSFT_AADAuthenticationMethodPolicyExternal.psm1
Просмотреть файл

@ -96,7 +96,7 @@ function Get-TargetResource
}
else
{
$response = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/"
$response = Invoke-MgGraphRequest -Method Get -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/policies/authenticationMethodsPolicy/"
$getValue = $response.authenticationMethodConfigurations | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName}
}
}
@ -300,7 +300,7 @@ function Set-TargetResource
{
Write-Verbose -Message "Updating the Azure AD Authentication Method Policy External with name {$($currentInstance.displayName)}"
$response = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/"
$response = Invoke-MgGraphRequest -Method Get -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/policies/authenticationMethodsPolicy/"
$getValue = $response.authenticationMethodConfigurations | Where-Object -FilterScript {$_.displayName -eq $currentInstance.displayName}
$params.Remove('displayName') | Out-Null
@ -313,7 +313,7 @@ function Set-TargetResource
{
Write-Verbose -Message "Removing the Azure AD Authentication Method Policy External with Id {$($currentInstance.displayName)}"
$response = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/"
$response = Invoke-MgGraphRequest -Method Get -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/policies/authenticationMethodsPolicy/"
$getValue = $response.authenticationMethodConfigurations | Where-Object -FilterScript {$_.displayName -eq $currentInstance.displayName}
Remove-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId $getValue.Id
@ -505,7 +505,7 @@ function Export-TargetResource
{
#region resource generator code
$desiredType = "#microsoft.graph.externalAuthenticationMethodConfiguration"
$getPolicy = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/"
$getPolicy = Invoke-MgGraphRequest -Method Get -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/policies/authenticationMethodsPolicy/"
$getValue = $getPolicy.AuthenticationMethodConfigurations | Where-Object -FilterScript {$_.'@odata.type' -eq $desiredType}
#endregion

636
Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/MSFT_AADClaimsMappingPolicy.psm1 Normal file
Просмотреть файл

@ -0,0 +1,636 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
#region resource generator code
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$Definition,
[Parameter()]
[System.Boolean]
$IsOrganizationDefault,
[Parameter()]
[System.String]
$Description,
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
[Parameter()]
[System.String]
$Id,
#endregion
[Parameter()]
[System.String]
[ValidateSet('Absent', 'Present')]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
try
{
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
$nullResult.Ensure = 'Absent'
$getValue = $null
#region resource generator code
$getValue = Get-MgBetaPolicyClaimMappingPolicy -ClaimsMappingPolicyId $Id -ErrorAction SilentlyContinue
if ($null -eq $getValue)
{
Write-Verbose -Message "Could not find an Azure AD Claims Mapping Policy with Id {$Id}"
if (-not [System.String]::IsNullOrEmpty($DisplayName))
{
$getValue = Get-MgBetaPolicyClaimMappingPolicy `
-Filter "DisplayName eq '$DisplayName'" `
-ErrorAction SilentlyContinue | Where-Object `
-FilterScript {
$_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.ClaimsMappingPolicy"
}
}
}
#endregion
if ($null -eq $getValue)
{
Write-Verbose -Message "Could not find an Azure AD Claims Mapping Policy with DisplayName {$DisplayName}."
return $nullResult
}
$Id = $getValue.Id
Write-Verbose -Message "An Azure AD Claims Mapping Policy with Id {$Id} and DisplayName {$DisplayName} was found"
$complexDefinition = @()
foreach($getDefinitionJson in $getValue.Definition)
{
$getDefinition = ($getDefinitionJson | ConvertFrom-Json)
$ClaimsSchema = @()
foreach ($claimschema in $getDefinition.ClaimsMappingPolicy.ClaimsSchema)
{
$ClaimsSchema += @{
Source = $claimschema.Source
Id = $claimschema.Id
SamlClaimType = $claimschema.SamlClaimType
}
}
$ClaimsTransformation = @()
foreach ($claimtransformation in $getDefinition.ClaimsMappingPolicy.ClaimsTransformation)
{
$inputparams = @()
foreach ($inputparam in $claimtransformation.InputParameters)
{
$inputparams += @{
Value = $inputparam.Value
Id = $inputparam.Id
DataType = $inputparam.DataType
}
}
$outputClaimsObj = @()
foreach ($outclaim in $claimtransformation.OutputClaims)
{
$outputClaimsObj += @{
ClaimTypeReferenceId = $outclaim.ClaimTypeReferenceId
TransformationClaimType = $outclaim.TransformationClaimType
}
}
$ClaimsTransformation += @{
Id = $claimtransformation.Id
TransformationMethod = $claimtransformation.TransformationMethod
InputParameters = $inputparams
OutputClaims = $outputClaimsObj
}
}
$complexDefinition += @{
ClaimsMappingPolicy = @{
Version = $getDefinition.ClaimsMappingPolicy.Version
IncludeBasicClaimSet = [bool]$getDefinition.ClaimsMappingPolicy.IncludeBasicClaimSet
ClaimsSchema = $ClaimsSchema
ClaimsTransformation = $ClaimsTransformation
}
}
}
$results = @{
#region resource generator code
Definition = $complexDefinition
IsOrganizationDefault = $getValue.IsOrganizationDefault
Description = $getValue.Description
DisplayName = $getValue.DisplayName
Id = $getValue.Id
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
ApplicationSecret = $ApplicationSecret
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
#endregion
}
return [System.Collections.Hashtable] $results
}
catch
{
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
#region resource generator code
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$Definition,
[Parameter()]
[System.Boolean]
$IsOrganizationDefault,
[Parameter()]
[System.String]
$Description,
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
[Parameter()]
[System.String]
$Id,
#endregion
[Parameter()]
[System.String]
[ValidateSet('Absent', 'Present')]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$currentInstance = Get-TargetResource @PSBoundParameters
$BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
{
Write-Verbose -Message "Creating an Azure AD Claims Mapping Policy with DisplayName {$DisplayName}"
$createParameters = ([Hashtable]$BoundParameters).Clone()
$createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters
$createParameters.Remove('Id') | Out-Null
$keys = (([Hashtable]$createParameters).Clone()).Keys
foreach ($key in $keys)
{
if ($null -ne $createParameters.$key -and $createParameters.$key.GetType().Name -like '*CimInstance*')
{
$createParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $createParameters.$key
}
}
$complexDefinitions = $createParameters.Definition
$createParameters.Remove('Definition') | Out-Null
$createParameters.Definition = $complexDefinitions | ConvertTo-Json -Depth 10 -Compress:$true
$policy = New-MgBetaPolicyClaimMappingPolicy -BodyParameter $createParameters
}
elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Updating the Azure AD Claims Mapping Policy with Id {$($currentInstance.Id)}"
$updateParameters = ([Hashtable]$BoundParameters).Clone()
$updateParameters = Rename-M365DSCCimInstanceParameter -Properties $updateParameters
$updateParameters.Remove('Id') | Out-Null
$keys = (([Hashtable]$updateParameters).Clone()).Keys
foreach ($key in $keys)
{
if ($null -ne $pdateParameters.$key -and $updateParameters.$key.GetType().Name -like '*CimInstance*')
{
$updateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $updateParameters.ClaimsMappingPolicyId
}
}
$complexDefinitions = $UpdateParameters.Definition
$UpdateParameters.Remove('Definition') | Out-Null
$UpdateParameters.Definition = $complexDefinitions | ConvertTo-Json -Depth 10 -Compress:$true
#region resource generator code
Update-MgBetaPolicyClaimMappingPolicy `
-ClaimsMappingPolicyId $currentInstance.Id `
-BodyParameter $UpdateParameters
#endregion
}
elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Removing the Azure AD Claims Mapping Policy with Id {$($currentInstance.Id)}"
#region resource generator code
Remove-MgBetaPolicyClaimMappingPolicy -ClaimsMappingPolicyId $currentInstance.Id
#endregion
}
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
#region resource generator code
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$Definition,
[Parameter()]
[System.Boolean]
$IsOrganizationDefault,
[Parameter()]
[System.String]
$Description,
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
[Parameter()]
[System.String]
$Id,
#endregion
[Parameter()]
[System.String]
[ValidateSet('Absent', 'Present')]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
Write-Verbose -Message "Testing configuration of the Azure AD Claims Mapping Policy with Id {$Id} and DisplayName {$DisplayName}"
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
if ($CurrentValues.Ensure -ne $Ensure)
{
Write-Verbose -Message "Test-TargetResource returned $false"
return $false
}
$testResult = $true
#Compare Cim instances
foreach ($key in $PSBoundParameters.Keys)
{
$source = $PSBoundParameters.$key
$target = $CurrentValues.$key
if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
{
$testResult = Compare-M365DSCComplexObject `
-Source ($source) `
-Target ($target)
if (-not $testResult)
{
break
}
$ValuesToCheck.Remove($key) | Out-Null
}
}
$ValuesToCheck.Remove('Id') | Out-Null
$ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
if ($testResult)
{
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
}
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.String]
$Filter,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
#region resource generator code
[array]$getValue = Get-MgBetaPolicyClaimMappingPolicy `
-Filter $Filter `
-All `
-ErrorAction Stop
#endregion
$i = 1
$dscContent = ''
if ($getValue.Length -eq 0)
{
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
else
{
Write-Host "`r`n" -NoNewline
}
foreach ($config in $getValue)
{
$displayedKey = $config.Id
if (-not [String]::IsNullOrEmpty($config.displayName))
{
$displayedKey = $config.displayName
}
Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline
$params = @{
Id = $config.Id
DisplayName = $config.DisplayName
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
ApplicationSecret = $ApplicationSecret
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
if ($null -ne $Results.Definition)
{
$complexMapping = @(
@{
Name = 'ClaimsMappingPolicy'
CimInstanceName = 'MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy'
IsRequired = $False
},
@{
Name = 'ClaimsSchema'
CimInstanceName = 'AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema'
IsRequired = $False
},
@{
Name = 'ClaimsTransformation'
CimInstanceName = 'AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation'
IsRequired = $False
},
@{
Name = 'InputParameters'
CimInstanceName = 'AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter'
IsRequired = $False
},
@{
Name = 'OutputClaims'
CimInstanceName = 'AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims'
IsRequired = $False
}
)
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.Definition `
-CIMInstanceName 'MSFT_AADClaimsMappingPolicyDefinition' `
-ComplexTypeMapping $complexMapping
if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.Definition = $complexTypeStringResult
}
else
{
$Results.Remove('Definition') | Out-Null
}
}
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
if ($Results.Definition)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Definition' -IsCIMArray:$True
}
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$i++
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
Export-ModuleMember -Function *-TargetResource

64
Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/MSFT_AADClaimsMappingPolicy.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,64 @@
[ClassVersion("1.0.0")]
class MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter
{
[Write, Description("The value of the input parameters of the claims transformation in the claims mapping policy.")] String Value;
[Write, Description("The object identifier of the input parameters of the claims transformation in the claims mapping policy.")] String Id;
[Write, Description("The data type of the input parameters of the claims transformation in the claims mapping policy.")] String DataType;
};
[ClassVersion("1.0.0")]
class MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims
{
[Write, Description("The claim type reference ID of the output claims of the claims transformation in the claims mapping policy.")] String ClaimTypeReferenceId;
[Write, Description("The transformation type of the output claims of the claims transformation in the claims mapping policy.")] String TransformationClaimType;
};
[ClassVersion("1.0.0")]
class MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation
{
[Write, Description("The object identifier of the claims transformation in the claims mapping policy.")] String Id;
[Write, Description("The transformation method of the claims transformation in the claims mapping policy.")] String TransformationMethod;
[Write, Description("The list of input parameters of the claims transformation in the claims mapping policy."), EmbeddedInstance("MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationInputParameter")] String InputParameters[];
[Write, Description("The list of output claims of the claims transformation in the claims mapping policy."), EmbeddedInstance("MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformationOutputClaims")] String OutputClaims[];
};
[ClassVersion("1.0.0")]
class MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema
{
[Write, Description("The source name of the claims schema in the claims mapping policy.")] String Source;
[Write, Description("The object identifier of the claims schema in the claims mapping policy.")] String Id;
[Write, Description("The SAML claims type of the claims schema in the claims mapping policy.")] String SamlClaimType;
};
[ClassVersion("1.0.0")]
class MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy
{
[Write, Description("Set value of 1. Required.")] uint32 Version;
[Write, Description("If set to true, all claims in the basic claim set are emitted in tokens affected by the policy. If set to false, claims in the basic claim set are not in the tokens, unless they are individually added in the ClaimsSchema property of the same policy.")] Boolean IncludeBasicClaimSet;
[Write, Description("Defines which claims are present in the tokens affected by the policy, in addition to the basic claim set and the core claim set."), EmbeddedInstance("MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsSchema")] String ClaimsSchema[];
[Write, Description("Defines common transformations that can be applied to source data, to generate the output data for claims specified in the ClaimsSchema."), EmbeddedInstance("MSFT_AADClaimsMappingPolicyDefinitionMappingPolicyClaimsTransformation")] String ClaimsTransformation[];
};
[ClassVersion("1.0.0")]
class MSFT_AADClaimsMappingPolicyDefinition
{
[Write, Description("Rules and settings of the policy."), EmbeddedInstance("MSFT_AADClaimsMappingPolicyDefinitionMappingPolicy")] String ClaimsMappingPolicy;
};
[ClassVersion("1.0.0.0"), FriendlyName("AADClaimsMappingPolicy")]
class MSFT_AADClaimsMappingPolicy : OMI_BaseResource
{
[Write, Description("A string collection containing a JSON string that defines the rules and settings for a policy. The syntax for the definition differs for each derived policy type. Required."), EmbeddedInstance("MSFT_AADClaimsMappingPolicyDefinition")] String Definition[];
[Write, Description("If set to true, activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false.")] Boolean IsOrganizationDefault;
[Write, Description("Description for this policy. Required.")] String Description;
[Key, Description("Display name for this policy. Required.")] String DisplayName;
[Write, Description("The unique identifier for an entity. Read-only.")] String Id;
[Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
[Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADClaimsMappingPolicy
## Description
Azure AD Claims Mapping Policy

33
Modules/Microsoft365DSC/DSCResources/MSFT_AADClaimsMappingPolicy/settings.json Normal file
Просмотреть файл

@ -0,0 +1,33 @@
{
"resourceName": "AADClaimsMappingPolicy",
"description": "This resource configures an Azure AD Claims Mapping Policy.",
"permissions": {
"graph": {
"delegated": {
"read": [
{
"name": "Policy.Read.All"
}
],
"update": [
{
"name": "Policy.ReadWrite.ApplicationConfiguration"
}
]
},
"application": {
"read": [
{
"name": "Policy.Read.All"
}
],
"update": [
{
"name": "Policy.ReadWrite.ApplicationConfiguration"
}
]
}
}
}
}

127
Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1
Просмотреть файл

@ -92,6 +92,23 @@ function Get-TargetResource
[System.String[]]
$ExcludeExternalTenantsMembers,
[Parameter()]
[System.String[]]
$IncludeServicePrincipals,
[Parameter()]
[System.String[]]
$ExcludeServicePrincipals,
[Parameter()]
[ValidateSet('include', 'exclude')]
[System.String]
$ServicePrincipalFilterMode,
[Parameter()]
[System.String]
$ServicePrincipalFilterRule,
#ConditionalAccessPlatformCondition
[Parameter()]
[System.String[]]
@ -202,6 +219,10 @@ function Get-TargetResource
[System.String]
$TransferMethods,
[Parameter()]
[System.String]
$InsiderRiskLevels,
#generic
[Parameter()]
[ValidateSet('Present', 'Absent')]
@ -642,6 +663,11 @@ function Get-TargetResource
ExcludeExternalTenantsMembershipKind = [System.String]$Policy.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.MembershipKind
ExcludeExternalTenantsMembers = [System.String[]](@() + $Policy.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.AdditionalProperties.members)
IncludeServicePrincipals = $Policy.Conditions.ClientApplications.IncludeServicePrincipals
ExcludeServicePrincipals = $Policy.Conditions.ClientApplications.ExcludeServicePrincipals
ServicePrincipalFilterMode = $Policy.Conditions.ClientApplications.ServicePrincipalFilter.Mode
ServicePrincipalFilterRule = $Policy.Conditions.ClientApplications.ServicePrincipalFilter.Rule
IncludePlatforms = [System.String[]](@() + $Policy.Conditions.Platforms.IncludePlatforms)
#no translation needed, return empty string array if undefined
ExcludePlatforms = [System.String[]](@() + $Policy.Conditions.Platforms.ExcludePlatforms)
@ -687,6 +713,7 @@ function Get-TargetResource
TransferMethods = [System.String]$Policy.Conditions.AuthenticationFlows.TransferMethods
#Standard part
TermsOfUse = $termOfUseName
InsiderRiskLevels = $Policy.Conditions.InsiderRiskLevels
Ensure = 'Present'
Credential = $Credential
ApplicationSecret = $ApplicationSecret
@ -794,6 +821,23 @@ function Set-TargetResource
[System.String[]]
$ExcludeExternalTenantsMembers,
[Parameter()]
[System.String[]]
$IncludeServicePrincipals,
[Parameter()]
[System.String[]]
$ExcludeServicePrincipals,
[Parameter()]
[ValidateSet('include', 'exclude')]
[System.String]
$ServicePrincipalFilterMode,
[Parameter()]
[System.String]
$ServicePrincipalFilterRule,
#ConditionalAccessPlatformCondition
[Parameter()]
[System.String[]]
@ -904,6 +948,10 @@ function Set-TargetResource
[System.String]
$TransferMethods,
[Parameter()]
[System.String]
$InsiderRiskLevels,
#generic
[Parameter()]
[ValidateSet('Present', 'Absent')]
@ -1340,6 +1388,49 @@ function Set-TargetResource
$conditions.Users.Add('excludeGuestsOrExternalUsers', $excludeGuestsOrExternalUsers)
}
Write-Verbose -Message 'Set-Targetresource: process includeServicePrincipals'
if ($currentParameters.ContainsKey('IncludeServicePrincipals'))
{
if (-not $conditions.ContainsKey('clientApplications')) {
$conditions.Add('clientApplications', @{})
}
$conditions.clientApplications.Add('includeServicePrincipals', $IncludeServicePrincipals)
}
Write-Verbose -Message 'Set-Targetresource: process excludeServicePrincipals'
if ($currentParameters.ContainsKey('ExcludeServicePrincipals'))
{
if (-not $conditions.ContainsKey('clientApplications')) {
$conditions.Add('clientApplications', @{})
}
$conditions.clientApplications.Add('excludeServicePrincipals', $ExcludeServicePrincipals)
}
Write-Verbose -Message 'Set-Targetresource: process servicePrincipalFilter'
if ($currentParameters.ContainsKey('ServicePrincipalFilterMode') -and $currentParameters.ContainsKey('ServicePrincipalFilterRule'))
{
#check if the custom attribute exist.
$customattribute = Invoke-MgGraphRequest -Method GET -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/directory/customSecurityAttributeDefinitions"
$ServicePrincipalFilterRule -match "CustomSecurityAttribute.(?<attribute>.*) -.*"
$attrinrule = $matches.attribute
if ($customattribute.value.id -contains $attrinrule){
if (-not $conditions.ContainsKey('clientApplications')) {
$conditions.Add('clientApplications', @{})
}
$conditions.clientApplications.Add('servicePrincipalFilter', @{})
$conditions.clientApplications.servicePrincipalFilter.Add('mode', $ServicePrincipalFilterMode)
$conditions.clientApplications.servicePrincipalFilter.Add('rule', $ServicePrincipalFilterRule)
}
else{
$message = "Couldn't find the custom attribute $attrinrule in the tenant, couldn't add the filter to policy $DisplayName"
Write-Verbose -Message $message
New-M365DSCLogEntry -Message $message `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
}
}
Write-Verbose -Message 'Set-Targetresource: process platform condition'
if ($currentParameters.ContainsKey('IncludePlatforms') -or $currentParameters.ContainsKey('ExcludePlatforms'))
{
@ -1495,6 +1586,11 @@ function Set-TargetResource
}
}
if ($null -ne $InsiderRiskLevels)
{
$conditions.Add("insiderRiskLevels", $InsiderRiskLevels)
}
Write-Verbose -Message 'Set-Targetresource: process risk levels and app types'
Write-Verbose -Message "Set-Targetresource: UserRiskLevels: $UserRiskLevels"
If ($currentParameters.ContainsKey('UserRiskLevels'))
@ -1661,6 +1757,9 @@ function Set-TargetResource
$NewParameters.Add('sessionControls', $sessioncontrols)
#add SessionControls to the parameter list
}
Write-Host "newparameters: $($NewParameters | ConvertTo-Json -Depth 5)"
if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present')
{
Write-Verbose -Message "Set-Targetresource: Change policy $DisplayName"
@ -1668,7 +1767,9 @@ function Set-TargetResource
try
{
Write-Verbose -Message "Updating existing policy with values: $(Convert-M365DscHashtableToString -Hashtable $NewParameters)"
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($currentPolicy.Id)" -Body $NewParameters
$Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identity/conditionalAccess/policies/$($currentPolicy.Id)"
Invoke-MgGraphRequest -Method PATCH -Uri $Uri -Body $NewParameters
}
catch
{
@ -1691,7 +1792,8 @@ function Set-TargetResource
{
try
{
Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -Body $NewParameters
$Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identity/conditionalAccess/policies"
Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $NewParameters
}
catch
{
@ -1829,6 +1931,23 @@ function Test-TargetResource
[System.String[]]
$ExcludeExternalTenantsMembers,
[Parameter()]
[System.String[]]
$IncludeServicePrincipals,
[Parameter()]
[System.String[]]
$ExcludeServicePrincipals,
[Parameter()]
[ValidateSet('include', 'exclude')]
[System.String]
$ServicePrincipalFilterMode,
[Parameter()]
[System.String]
$ServicePrincipalFilterRule,
#ConditionalAccessPlatformCondition
[Parameter()]
[System.String[]]
@ -1939,6 +2058,10 @@ function Test-TargetResource
[System.String]
$TransferMethods,
[Parameter()]
[System.String]
$InsiderRiskLevels,
#generic
[Parameter()]
[ValidateSet('Present', 'Absent')]

5
Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof
Просмотреть файл

@ -21,6 +21,10 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
[Write, Description("Represents the Excluded internal guests or external user types. This is a multi-valued property. Supported values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, OtherExternalUser, serviceProvider and unknownFutureValue."), ValueMap{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}, Values{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}] String ExcludeGuestOrExternalUserTypes[];
[Write, Description("Represents the Excluded Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type."), ValueMap{"","all","enumerated","unknownFutureValue"}, Values{"","all","enumerated","unknownFutureValue"}] String ExcludeExternalTenantsMembershipKind;
[Write, Description("Represents the Excluded collection of tenant ids in the scope of Conditional Access for guests and external users policy targeting.")] String ExcludeExternalTenantsMembers[];
[Write, Description("Service Principals in scope of the Policy. 'Attribute Definition Reader' role is needed.")] String IncludeServicePrincipals[];
[Write, Description("Service Principals out of scope of the Policy. 'Attribute Definition Reader' role is needed.")] String ExcludeServicePrincipals[];
[Write, Description("Mode to use for the Service Principal filter. Possible values are include or exclude. 'Attribute Definition Reader' role is needed."), ValueMap{"include","exclude"}, Values{"include","exclude"}] String ServicePrincipalFilterMode;
[Write, Description("Rule syntax for the Service Principal filter. 'Attribute Definition Reader' role is needed.")] String ServicePrincipalFilterRule;
[Write, Description("Client Device Platforms in scope of the Policy.")] String IncludePlatforms[];
[Write, Description("Client Device Platforms out of scope of the Policy.")] String ExcludePlatforms[];
[Write, Description("AAD Named Locations in scope of the Policy.")] String IncludeLocations[];
@ -46,6 +50,7 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
[Write, Description("Name of the associated authentication strength policy.")] String AuthenticationStrength;
[Write, Description("Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'.")] String TransferMethods;
[Write, Description("Authentication context class references.")] String AuthenticationContexts[];
[Write, Description("Insider risk levels conditions.")] String InsiderRiskLevels;
[Write, Description("Specify if the Azure AD CA Policy should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
[Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;

12
Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/settings.json
Просмотреть файл

@ -27,6 +27,9 @@
},
{
"name": "User.Read.All"
},
{
"name": "CustomSecAttributeDefinition.Read.All"
}
],
"update": [
@ -47,6 +50,9 @@
},
{
"name": "User.Read.All"
},
{
"name": "CustomSecAttributeDefinition.Read.All"
}
]
},
@ -69,6 +75,9 @@
},
{
"name": "User.Read.All"
},
{
"name": "CustomSecAttributeDefinition.Read.All"
}
],
"update": [
@ -92,6 +101,9 @@
},
{
"name": "User.Read.All"
},
{
"name": "CustomSecAttributeDefinition.Read.All"
}
]
}

349
Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/MSFT_AADEnrichedAuditLogs.psm1 Normal file
Просмотреть файл

@ -0,0 +1,349 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance = 'Yes',
[Parameter()]
[System.String]
$Exchange,
[Parameter()]
[System.String]
$SharePoint,
[Parameter()]
[System.String]
$Teams,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters | Out-Null
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResults = $PSBoundParameters
try
{
$instance = Get-MgBetaNetworkAccessSettingEnrichedAuditLog
$results = @{
IsSingleInstance = 'Yes'
Exchange = $instance.Exchange.Status
SharePoint = $instance.SharePoint.Status
Teams = $instance.Teams.Status
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
Write-Verbose -Message $_
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance = 'Yes',
[Parameter()]
[System.String]
$Exchange,
[Parameter()]
[System.String]
$SharePoint,
[Parameter()]
[System.String]
$Teams,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
Write-Verbose -Message 'Updating Enriched Audit Logs settings'
$values = @{
"@odata.type" = "#microsoft.graph.networkaccess.enrichedAuditLogs"
exchange = @{
"@odata.type" = "#microsoft.graph.networkaccess.enrichedAuditLogsSettings"
status = $ExchangeOnline
}
sharepoint = @{
"@odata.type" = "#microsoft.graph.networkaccess.enrichedAuditLogsSettings"
status = $SharePoint
}
teams = @{
"@odata.type" = "#microsoft.graph.networkaccess.enrichedAuditLogsSettings"
status = $Teams
}
}
$body = ConvertTo-Json $values -Depth 10 -Compress
Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/networkAccess/settings/enrichedAuditLogs' -Method PATCH -Body $body
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance = 'Yes',
[Parameter()]
[System.String]
$Exchange,
[Parameter()]
[System.String]
$SharePoint,
[Parameter()]
[System.String]
$Teams,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
$Script:ExportMode = $true
$i = 1
$dscContent = ''
if ($null -ne $Global:M365DSCExportResourceInstancesCount)
{
$Global:M365DSCExportResourceInstancesCount++
}
$params = @{
IsSingleInstance = 'Yes'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$i++
Write-Host $Global:M365DSCEmojiGreenCheckMark
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
Export-ModuleMember -Function *-TargetResource

14
Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/MSFT_AADEnrichedAuditLogs.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,14 @@
[ClassVersion("1.0.0.0"), FriendlyName("AADEnrichedAuditLogs")]
class MSFT_AADEnrichedAuditLogs : OMI_BaseResource
{
[Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance;
[Write, Description("Accepted values are enabled or disabled.")] String Exchange;
[Write, Description("Accepted values are enabled or disabled.")] String SharePoint;
[Write, Description("Accepted values are enabled or disabled.")] String Teams;
[Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADEnrichedAuditLogs
## Description
Configures advanced audit logs for Global Secure Access in Entra Id

28
Modules/Microsoft365DSC/DSCResources/MSFT_AADEnrichedAuditLogs/settings.json Normal file
Просмотреть файл

@ -0,0 +1,28 @@
{
"resourceName": "AADEnrichedAuditLogs",
"description": "Configures advanced audit logs for Global Secure Access in Entra Id.",
"roles": {
"read": [],
"update": []
},
"permissions": {
"graph": {
"delegated": {
"read": [],
"update": []
},
"application": {
"read": [
{
"name": "NetworkAccess.Read.All"
}
],
"update": [
{
"name": "NetworkAccess.ReadWrite.All"
}
]
}
}
}
}

8
Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementAccessPackage/MSFT_AADEntitlementManagementAccessPackage.psm1
Просмотреть файл

@ -355,7 +355,7 @@ function Set-TargetResource
foreach ($incompatibleAccessPackage in $IncompatibleAccessPackages)
{
$ref = @{
'@odata.id' = "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/$incompatibleAccessPackage"
'@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identityGovernance/entitlementManagement/accessPackages/$incompatibleAccessPackage"
}
New-MgBetaEntitlementManagementAccessPackageIncompatibleAccessPackageByRef `
@ -368,7 +368,7 @@ function Set-TargetResource
foreach ($IncompatibleGroup in $IncompatibleGroups)
{
$ref = @{
'@odata.id' = "https://graph.microsoft.com/beta/groups/$IncompatibleGroup"
'@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/groups/$IncompatibleGroup"
}
New-MgBetaEntitlementManagementAccessPackageIncompatibleGroupByRef `
@ -485,7 +485,7 @@ function Set-TargetResource
foreach ($incompatibleAccessPackage in $toBeAdded.InputObject)
{
$ref = @{
'@odata.id' = "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/$incompatibleAccessPackage"
'@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identityGovernance/entitlementManagement/accessPackages/$incompatibleAccessPackage"
}
New-MgBetaEntitlementManagementAccessPackageIncompatibleAccessPackageByRef `
@ -522,7 +522,7 @@ function Set-TargetResource
{
$ref = @{
'@odata.id' = "https://graph.microsoft.com/beta/groups/$incompatibleGroup"
'@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/groups/$incompatibleGroup"
}
New-MgBetaEntitlementManagementAccessPackageIncompatibleGroupByRef `

8
Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementConnectedOrganization/MSFT_AADEntitlementManagementConnectedOrganization.psm1
Просмотреть файл

@ -446,7 +446,7 @@ function Set-TargetResource
$directoryObjectType=$directoryObject.AdditionalProperties."@odata.type"
$directoryObjectType=($directoryObject.AdditionalProperties."@odata.type").split(".")|select-object -last 1
$directoryObjectRef=@{
"@odata.id" = "https://graph.microsoft.com/beta/$($directoryObjectType)s/$($sponsor)"
"@odata.id" = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/$($directoryObjectType)s/$($sponsor)"
}
New-MgBetaEntitlementManagementConnectedOrganizationExternalSponsorByRef `
@ -459,7 +459,7 @@ function Set-TargetResource
$directoryObject = Get-MgBetaDirectoryObject -DirectoryObjectId $sponsor
$directoryObjectType=($directoryObject.AdditionalProperties."@odata.type").split(".")|select-object -last 1
$directoryObjectRef=@{
"@odata.id" = "https://graph.microsoft.com/beta/$($directoryObjectType)s/$($sponsor)"
"@odata.id" = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/$($directoryObjectType)s/$($sponsor)"
}
New-MgBetaEntitlementManagementConnectedOrganizationInternalSponsorByRef `
@ -515,7 +515,7 @@ function Set-TargetResource
$directoryObjectType=$directoryObject.AdditionalProperties."@odata.type"
$directoryObjectType=($directoryObject.AdditionalProperties."@odata.type").split(".")|select-object -last 1
$directoryObjectRef=@{
"@odata.id" = "https://graph.microsoft.com/beta/$($directoryObjectType)s/$($sponsor)"
"@odata.id" = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/$($directoryObjectType)s/$($sponsor)"
}
New-MgBetaEntitlementManagementConnectedOrganizationExternalSponsorByRef `
@ -553,7 +553,7 @@ function Set-TargetResource
$directoryObjectType=$directoryObject.AdditionalProperties."@odata.type"
$directoryObjectType=($directoryObject.AdditionalProperties."@odata.type").split(".")|select-object -last 1
$directoryObjectRef=@{
"@odata.id" = "https://graph.microsoft.com/beta/$($directoryObjectType)s/$($sponsor)"
"@odata.id" = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/$($directoryObjectType)s/$($sponsor)"
}
New-MgBetaEntitlementManagementConnectedOrganizationInternalSponsorByRef `

485
Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/MSFT_AADFederationConfiguration.psm1 Normal file
Просмотреть файл

@ -0,0 +1,485 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$IssuerUri,
[Parameter()]
[System.String]
$MetadataExchangeUri,
[Parameter()]
[System.String]
$SigningCertificate,
[Parameter()]
[System.String]
$PassiveSignInUri,
[Parameter()]
[System.String]
$PreferredAuthenticationProtocol,
[Parameter()]
[System.String[]]
$Domains,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters | Out-Null
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
$nullResult.Ensure = 'Absent'
try
{
if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
{
if (-not [System.String]::IsNullOrEmpty($Id))
{
$instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id}
}
if ($null -eq $instance)
{
$instance = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName}
}
}
else
{
$uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation'
$instances = Invoke-MgGraphRequest $uri -Method Get
if (-not [System.String]::IsNullOrEmpty($Id))
{
$instance = $instances.value | Where-Object -FilterScript {$_.Id -eq $Id}
}
if ($null -eq $instance)
{
$instance = $instances.value | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName}
}
}
if ($null -eq $instance)
{
return $nullResult
}
$results = @{
Id = $instance.id
DisplayName = $instance.displayName
IssuerUri = $instance.issuerUri
MetadataExchangeUri = $instance.metadataExchangeUri
PassiveSignInUri = $instance.passiveSignInUri
PreferredAuthenticationProtocol = $instance.preferredAuthenticationProtocol
Domains = $instance.domains.id
SigningCertificate = $instance.signingCertificate
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
Write-Verbose -Message $_
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$IssuerUri,
[Parameter()]
[System.String]
$MetadataExchangeUri,
[Parameter()]
[System.String]
$SigningCertificate,
[Parameter()]
[System.String]
$PassiveSignInUri,
[Parameter()]
[System.String]
$PreferredAuthenticationProtocol,
[Parameter()]
[System.String[]]
$Domains,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$currentInstance = Get-TargetResource @PSBoundParameters
$instanceParams = @{
"@odata.type" = "microsoft.graph.samlOrWsFedExternalDomainFederation"
displayName = $DisplayName
metadataExchangeUri = $MetadataExchangeUri
issuerUri = $IssuerUri
preferredAuthenticationProtocol = $PreferredAuthenticationProtocol
passiveSignInUri = $PassiveSignInUri
signingCertificate = $SigningCertificate
domains = @()
}
foreach ($domain in $domains)
{
$instanceParams.domains += @{
"@odata.type" = "microsoft.graph.externalDomainName"
id = $domain
}
}
# CREATE
if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
{
$uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation'
Write-Verbose -Message "Creating federation configuration {$DisplayName}"
$body = ConvertTo-Json $instanceParams -Depth 10 -Compress
Invoke-MgGraphRequest -Uri $uri -Method POST -Body $body
}
# UPDATE
elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
{
$uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation/$currentInstance.Id'
Write-Verbose -Message "Updating federation configuration {$DisplayName}"
$body = ConvertTo-Json $instanceParams -Depth 10 -Compress
Invoke-MgGraphRequest -Uri $uri -Method PATCH -Body $body
}
# REMOVE
elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
{
$uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation/$currentInstance.Id'
Write-Verbose -Message "Removing federation configuration {$DisplayName}"
Invoke-MgGraphRequest -Uri $uri -Method DELETE
}
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$IssuerUri,
[Parameter()]
[System.String]
$MetadataExchangeUri,
[Parameter()]
[System.String]
$SigningCertificate,
[Parameter()]
[System.String]
$PassiveSignInUri,
[Parameter()]
[System.String]
$PreferredAuthenticationProtocol,
[Parameter()]
[System.String[]]
$Domains,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
$Script:ExportMode = $true
$uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation'
[array] $Script:exportedInstances = Invoke-MgGraphRequest $uri -Method Get
$i = 1
$dscContent = ''
if ($Script:exportedInstances.Length -eq 0)
{
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
else
{
Write-Host "`r`n" -NoNewline
}
foreach ($config in $Script:exportedInstances.value)
{
if ($null -ne $Global:M365DSCExportResourceInstancesCount)
{
$Global:M365DSCExportResourceInstancesCount++
}
$displayedKey = $config.displayName
Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline
$params = @{
DisplayName = $config.displayName
Id = $config.Id
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$i++
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
Export-ModuleMember -Function *-TargetResource

19
Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/MSFT_AADFederationConfiguration.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,19 @@
[ClassVersion("1.0.0.0"), FriendlyName("AADFederationConfiguration")]
class MSFT_AADFederationConfiguration : OMI_BaseResource
{
[Key, Description("The display name of the SAML/WS-Fed based identity provider. Inherited from identityProviderBase.")] String DisplayName;
[Write, Description("Issuer URI of the federation server. Inherited from samlOrWsFedProvider.")] String IssuerUri;
[Write, Description("URI of the metadata exchange endpoint used for authentication from rich client applications. Inherited from samlOrWsFedProvider.")] String MetadataExchangeUri;
[Write, Description("URI that web-based clients are directed to when signing in to Microsoft Entra services. Inherited from samlOrWsFedProvider.")] String PassiveSignInUri;
[Write, Description("Preferred authentication protocol. The possible values are: wsFed, saml. Inherited from samlOrWsFedProvider.")] String PreferredAuthenticationProtocol;
[Write, Description("Current certificate used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base64 encoded string of the public portion of the federated IdP's token signing certificate and must be compatible with the X509Certificate2 class.")] String SigningCertificate;
[Write, Description("List of associated domains.")] String Domains[];
[Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
[Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADFederationConfiguration
## Description
Configures federation in Entra Id.

28
Modules/Microsoft365DSC/DSCResources/MSFT_AADFederationConfiguration/settings.json Normal file
Просмотреть файл

@ -0,0 +1,28 @@
{
"resourceName": "AADFederationConfiguration",
"description": "Configures federation in Entra Id.",
"roles": {
"read": [],
"update": []
},
"permissions": {
"graph": {
"delegated": {
"read": [],
"update": []
},
"application": {
"read": [
{
"name": "Domain.Read.All"
}
],
"update": [
{
"name": "IdentityProvider.ReadWrite.All"
}
]
}
}
}
}

419
Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/MSFT_AADFilteringPolicy.psm1 Normal file
Просмотреть файл

@ -0,0 +1,419 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$Description,
[Parameter()]
[System.String]
$Action,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters | Out-Null
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
$nullResult.Ensure = 'Absent'
try
{
if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
{
if (-not [System.String]::IsNullOrEmpty($Id))
{
Write-Verbose -Message "Retrieving policy by id {$Id}"
$instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id}
}
if ($null -eq $instance)
{
Write-Verbose -Message "Retrieving policy by name {$Name}"
$instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name}
}
}
else
{
if (-not [System.String]::IsNullOrEmpty($Id))
{
Write-Verbose -Message "Retrieving policy by id {$Id}"
$instance = Get-MgBetaNetworkAccessFilteringPolicy -FilteringPolicyId $Id -ErrorAction SilentlyContinue
}
if ($null -eq $instance)
{
Write-Verbose -Message "Retrieving policy by name {$Name}"
$instance = Get-MgBetaNetworkAccessFilteringPolicy -All | Where-Object -FilterScript {$_.Name -eq $Name}
}
}
if ($null -eq $instance)
{
return $nullResult
}
$results = @{
Name = $instance.Name
Id = $instance.Id
Description = $instance.Description
Action = $instance.Action
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
Write-Verbose -Message $_
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$Description,
[Parameter()]
[System.String]
$Action,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$currentInstance = Get-TargetResource @PSBoundParameters
$instanceParams = @{
name = $Name
action = $Action
description = $Description
}
# CREATE
if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
{
Write-Verbose -Message "Creating new filtering policy {$Name}"
New-MgBetaNetworkAccessFilteringPolicy -BodyParameter $instanceParams
}
# UPDATE
elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Updating filtering policy {$Name}"
Update-MgBetaNetworkAccessFilteringPolicy -FilteringPolicyId $currentInstance.Id `
-BodyParameter $instanceParams
}
# REMOVE
elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Removing filtering policy {$Name}"
Remove-MgBetaNetworkAccessFilteringPolicy -FilteringPolicyId $currentInstance.Id
}
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$Description,
[Parameter()]
[System.String]
$Action,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
$Script:ExportMode = $true
[array] $Script:exportedInstances = Get-MgBetaNetworkAccessFilteringPolicy -ErrorAction Stop
$i = 1
$dscContent = ''
if ($Script:exportedInstances.Length -eq 0)
{
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
else
{
Write-Host "`r`n" -NoNewline
}
foreach ($config in $Script:exportedInstances)
{
if ($null -ne $Global:M365DSCExportResourceInstancesCount)
{
$Global:M365DSCExportResourceInstancesCount++
}
$displayedKey = $config.Name
Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline
$params = @{
Name = $config.Name
Id = $config.Id
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$i++
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
Export-ModuleMember -Function *-TargetResource

16
Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/MSFT_AADFilteringPolicy.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,16 @@
[ClassVersion("1.0.0.0"), FriendlyName("AADFilteringPolicy")]
class MSFT_AADFilteringPolicy : OMI_BaseResource
{
[Key, Description("Name of the policy.")] String Name;
[Write, Description("Unique identifier of the policy.")] String Id;
[Write, Description("Description for the policy.")] String Description;
[Write, Description("Action associated with the policy.")] String Action;
[Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
[Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADFilteringPolicy
## Description
Configures filtering policies in Entra Id.

28
Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicy/settings.json Normal file
Просмотреть файл

@ -0,0 +1,28 @@
{
"resourceName": "AADFilteringPolicy",
"description": "Configures filtering policies in Entra Id.",
"roles": {
"read": [],
"update": []
},
"permissions": {
"graph": {
"delegated": {
"read": [],
"update": []
},
"application": {
"read": [
{
"name": "NetworkAccess.Read.All"
}
],
"update": [
{
"name": "NetworkAccess.ReadWrite.All"
}
]
}
}
}
}

535
Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/MSFT_AADFilteringPolicyRule.psm1 Normal file
Просмотреть файл

@ -0,0 +1,535 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter(Mandatory = $true)]
[System.String]
$Policy,
[Parameter()]
[System.String]
$RuleType,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$Destinations,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters | Out-Null
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
$nullResult.Ensure = 'Absent'
try
{
$policyInstance = Get-MgBetaNetworkAccessFilteringPolicy | Where-Object -Filter {$_.Name -eq $Policy}
if ($null -ne $policyInstance)
{
Write-Verbose -Message "Found existing Policy {$Policy}"
if (-not [System.String]::IsNullOrEmpty($Id))
{
Write-Verbose -Message "Retrieving Filtering Policy Rule by Id {$Id}"
$instance = Get-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id `
-PolicyRuleId Id -ErrorAction SilentlyContinue
}
if ($null -eq $instance)
{
Write-Verbose -Message "Retrieving Filtering Policy Rule by Name {$Name}"
$instance = Get-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id | Where-Object -FilterScript {$_.Name -eq $Name}
}
}
if ($null -eq $instance)
{
return $nullResult
}
$DestinationsValue = @()
foreach ($destination in $instance.AdditionalProperties.destinations)
{
if ($instance.AdditionalProperties.ruleType -eq 'fqdn')
{
$DestinationsValue += @{
value = $destination.value
}
}
elseif ($instance.AdditionalProperties.ruleType -eq 'webCategory')
{
$DestinationsValue += @{
name = $destination.name
}
}
}
$results = @{
Name = $instance.Name
Policy = $Policy
Id = $instance.Id
RuleType = $instance.AdditionalProperties.ruleType
Destinations = $DestinationsValue
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
Write-Verbose -Message $_
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter(Mandatory = $true)]
[System.String]
$Policy,
[Parameter()]
[System.String]
$RuleType,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$Destinations,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
Write-Verbose -Message "Entering the Set-TargetResource function"
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$currentInstance = Get-TargetResource @PSBoundParameters
$policyInstance = Get-MgBetaNetworkAccessFilteringPolicy | Where-Object -Filter {$_.Name -eq $Policy}
if ($RuleType -eq 'webCategory')
{
$instanceParams = @{
"@odata.type" = "#microsoft.graph.networkaccess.webCategoryFilteringRule"
name = $Name
ruleType = $RuleType
destinations = @()
}
foreach ($destination in $Destinations)
{
$instanceParams.destinations += @{
"@odata.type" = "#microsoft.graph.networkaccess.webCategory"
name = $destination.name
}
}
}
elseif ($RuleType -eq 'fqdn')
{
$instanceParams = @{
"@odata.type" = "#microsoft.graph.networkaccess.fqdnFilteringRule"
name = $Name
ruleType = $RuleType
destinations = @()
}
foreach ($destination in $Destinations)
{
$instanceParams.destinations += @{
"@odata.type" = "#microsoft.graph.networkaccess.fqdn"
value = $destination.value
}
}
}
# CREATE
if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
{
Write-Verbose -Message "Creating new Filtering Policy Rule {$Name}"
New-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id `
-BodyParameter $instanceParams
}
# UPDATE
elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Updating Filtering Policy Rule {$Name}"
$instanceParams.Remove('ruleType') | Out-Null
Update-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id `
-PolicyRuleId $currentInstance.Id `
-BodyParameter $instanceParams
}
# REMOVE
elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Removing Filtering Policy Rule {$Name}"
Remove-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policyInstance.Id `
-PolicyRuleId $currentInstance.Id
}
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter(Mandatory = $true)]
[System.String]
$Policy,
[Parameter()]
[System.String]
$RuleType,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$Destinations,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
#Compare Cim instances
foreach ($key in $PSBoundParameters.Keys)
{
$source = $PSBoundParameters.$key
$target = $CurrentValues.$key
if ($source.getType().Name -like '*CimInstance*')
{
$testResult = Compare-M365DSCComplexObject `
-Source ($source) `
-Target ($target)
if (-Not $testResult)
{
$testResult = $false
break
}
$ValuesToCheck.Remove($key) | Out-Null
}
}
if ($testResult)
{
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
}
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
$Script:ExportMode = $true
$policies = Get-MgBetaNetworkAccessFilteringPolicy
$i = 1
$dscContent = ''
if ($policies.Length -eq 0)
{
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
else
{
Write-Host "`r`n" -NoNewline
}
foreach ($policy in $policies)
{
$displayedKey = $policy.Name
Write-Host " |---[$i/$($policies.Count)] $displayedKey" -NoNewline
$rules = Get-MgBetaNetworkAccessFilteringPolicyRule -FilteringPolicyId $policy.Id `
-ErrorAction SilentlyContinue
if ($rules.Length -eq 0)
{
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
else
{
Write-Host "`r`n" -NoNewline
}
$j = 1
foreach ($rule in $rules)
{
if ($null -ne $Global:M365DSCExportResourceInstancesCount)
{
$Global:M365DSCExportResourceInstancesCount++
}
$displayedKey = $rule.Name
Write-Host " |---[$j/$($rules.Count)] $displayedKey" -NoNewline
$params = @{
Name = $rule.Name
Policy = $policy.Name
Id = $rule.Id
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
if ($Results.Destinations)
{
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Destinations -CIMInstanceName 'AADFilteringPolicyRuleDestination'
if ($complexTypeStringResult)
{
$Results.Destinations = $complexTypeStringResult
}
else
{
$Results.Remove('Destinations') | Out-Null
}
}
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
if ($Results.Destinations)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Destinations' -IsCIMArray:$false
}
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$j++
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
$i++
}
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
Export-ModuleMember -Function *-TargetResource

24
Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/MSFT_AADFilteringPolicyRule.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,24 @@
[ClassVersion("1.0.0.0")]
class MSFT_AADFilteringPolicyRuleDestination
{
[Write, Description("Name of the destination.")] String name;
[Write, Description("FQDN value for the destination.")] String value;
};
[ClassVersion("1.0.0.0"), FriendlyName("AADFilteringPolicyRule")]
class MSFT_AADFilteringPolicyRule : OMI_BaseResource
{
[Key, Description("Name of the rule.")] String Name;
[Key, Description("Name of the associated policy.")] String Policy;
[Write, Description("Unique Id for the rule.")] String Id;
[Write, Description("Type of rule.")] String RuleType;
[Write, Description("List of associated destinations with the rule."), EmbeddedInstance("MSFT_AADFilteringPolicyRuleDestination")] String Destinations[];
[Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
[Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADFilteringPolicyRule
## Description
Configures filtering rules in Entra Id.

28
Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringPolicyRule/settings.json Normal file
Просмотреть файл

@ -0,0 +1,28 @@
{
"resourceName": "AADFilteringPolicyRule",
"description": "Configures filtering rules in Entra Id.",
"roles": {
"read": [],
"update": []
},
"permissions": {
"graph": {
"delegated": {
"read": [],
"update": []
},
"application": {
"read": [
{
"name": "NetworkAccess.Read.All"
}
],
"update": [
{
"name": "NetworkAccess.ReadWrite.All"
}
]
}
}
}
}

530
Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/MSFT_AADFilteringProfile.psm1 Normal file
Просмотреть файл

@ -0,0 +1,530 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$Description,
[Parameter()]
[System.String]
$State,
[Parameter()]
[System.UInt32]
$Priority,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$Policies,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters | Out-Null
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
$nullResult.Ensure = 'Absent'
try
{
if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
{
if (-not [System.String]::IsNullOrEmpty($Id))
{
Write-Verbose -Message "Retrieving profile by Id {$Id}"
$instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id}
}
if ($null -eq $instance)
{
Write-Verbose -Message "Retrieving profile by Name {$Name}"
$instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name}
}
}
else
{
if (-not [System.String]::IsNullOrEmpty($Id))
{
Write-Verbose -Message "Retrieving profile by Id {$Id}"
$instance = Get-MgBetaNetworkAccessFilteringProfile -ExpandProperty Policies -FilteringProfileId $Id -ErrorAction SilentlyContinue
}
if ($null -eq $instance)
{
Write-Verbose -Message "Retrieving profile by Name {$Name}"
$instance = Get-MgBetaNetworkAccessFilteringProfile -All -ExpandProperty Policies | Where-Object -FilterScript {$_.Name -eq $Name}
}
}
if ($null -eq $instance)
{
return $nullResult
}
$PolicyValue = @()
if ($null -ne $instance.Policies -and $instance.Policies.Length -gt 0)
{
$policyLinks = Get-MgBetaNetworkAccessFilteringProfilePolicy -FilteringProfileId $instance.Id -ExpandProperty Policy
foreach ($link in $policyLinks)
{
$policyInfo = Get-MgBetaNetworkAccessFilteringPolicy -FilteringPolicyId $link.Policy.Id
if ($null -ne $policyInfo)
{
$entry = @{
State = $link.State
Priority = $link.AdditionalProperties.priority
LoggingState = $link.AdditionalProperties.loggingState
PolicyName = $policyInfo.Name
}
$PolicyValue += $entry
}
}
}
$results = @{
Name = $instance.Name
Id = $instance.Id
Description = $instance.Description
State = $instance.State
Priority = $instance.Priority
Policies = $PolicyValue
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
Write-Verbose -Message $_
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$Description,
[Parameter()]
[System.String]
$State,
[Parameter()]
[System.UInt32]
$Priority,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$Policies,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$currentInstance = Get-TargetResource @PSBoundParameters
$instanceParams = @{
description = $Description
name = $Name
priority = $Priority
state = $State
policies = @()
}
foreach ($policy in $Policies)
{
$policyInfo = Get-MgBetaNetworkAccessFilteringPolicy -All | Where-Object -FilterScript {$_.Name -eq $policy.PolicyName}
if ($null -ne $policyInfo)
{
$entry = @{
"@odata.type" = "#microsoft.graph.networkaccess.filteringPolicyLink"
loggingState = $policy.LoggingState
priority = $policy.Priority
state = $policy.State
policy = @{
"@odata.type" = "#microsoft.graph.networkaccess.filteringPolicy"
id = $policyInfo.Id
}
}
$instanceParams.policies += $entry
}
}
# CREATE
if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
{
Write-Verbose -Message "Creating new filtering profile {$Name}"
New-MgBetaNetworkAccessFilteringProfile -BodyParameter $instanceParams
}
# UPDATE
elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Updating filtering profile {$Name} by removing and recreating"
Remove-MgBetaNetworkAccessFilteringProfile -FilteringProfileId $currentInstance.Id
New-MgBetaNetworkAccessFilteringProfile -BodyParameter $instanceParams
}
# REMOVE
elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Removing filtering profile {$Name}"
Remove-MgBetaNetworkAccessFilteringProfile -FilteringProfileId $currentInstance.Id
}
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$Description,
[Parameter()]
[System.String]
$State,
[Parameter()]
[System.UInt32]
$Priority,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$Policies,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
$testResult = $true
#Compare Cim instances
foreach ($key in $PSBoundParameters.Keys)
{
$source = $PSBoundParameters.$key
$target = $CurrentValues.$key
if ($source.getType().Name -like '*CimInstance*')
{
$testResult = Compare-M365DSCComplexObject `
-Source ($source) `
-Target ($target)
if (-Not $testResult)
{
$testResult = $false
break
}
$ValuesToCheck.Remove($key) | Out-Null
}
}
if ($testResult)
{
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
}
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
$Script:ExportMode = $true
[array] $Script:exportedInstances = Get-MgBetaNetworkAccessFilteringProfile -ExpandProperty Policies -All -ErrorAction Stop
$i = 1
$dscContent = ''
if ($Script:exportedInstances.Length -eq 0)
{
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
else
{
Write-Host "`r`n" -NoNewline
}
foreach ($config in $Script:exportedInstances)
{
if ($null -ne $Global:M365DSCExportResourceInstancesCount)
{
$Global:M365DSCExportResourceInstancesCount++
}
$displayedKey = $config.Name
Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline
$params = @{
Name = $config.Name
Id = $config.Id
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
if ($Results.Policies)
{
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Policies -CIMInstanceName AADFilteringProfilePolicyLink
if ($complexTypeStringResult)
{
$Results.Policies = $complexTypeStringResult
}
else
{
$Results.Remove('Policies') | Out-Null
}
}
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
if ($Results.Policies)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Policies' -IsCIMArray:$true
}
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$i++
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
Export-ModuleMember -Function *-TargetResource

27
Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/MSFT_AADFilteringProfile.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,27 @@
[ClassVersion("1.0.0.0")]
class MSFT_AADFilteringProfilePolicyLink
{
[Write, Description("Logging state for the associated policy.")] String LoggingState;
[Write, Description("Priority of the associated policy.")] UInt32 Priority;
[Write, Description("State of the associated policy.")] String State;
[Write, Description("Name of the associated policy.")] String PolicyName;
};
[ClassVersion("1.0.0.0"), FriendlyName("AADFilteringProfile")]
class MSFT_AADFilteringProfile : OMI_BaseResource
{
[Key, Description("Profile name.")] String Name;
[Write, Description("Unique identifier for the profile.")] String Id;
[Write, Description("Description of the profile.")] String Description;
[Write, Description("State of the profile.")] String State;
[Write, Description("Priority level for the profile.")] UInt32 Priority;
[Write, Description("List of filtering policy names associated with the profile."), EmbeddedInstance("MSFT_AADFilteringProfilePolicyLink")] String Policies[];
[Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
[Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADFilteringProfile
## Description
Configures filtering profiles in Entra Id.

28
Modules/Microsoft365DSC/DSCResources/MSFT_AADFilteringProfile/settings.json Normal file
Просмотреть файл

@ -0,0 +1,28 @@
{
"resourceName": "AADFilteringProfile",
"description": "Configures filtering profiles in Entra Id.",
"roles": {
"read": [],
"update": []
},
"permissions": {
"graph": {
"delegated": {
"read": [],
"update": []
},
"application": {
"read": [
{
"name": "NetworkAccess.Read.All"
}
],
"update": [
{
"name": "NetworkAccess.ReadWrite.All"
}
]
}
}
}
}

31
Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1
Просмотреть файл

@ -256,20 +256,19 @@ function Get-TargetResource
if ($Group.IsAssignableToRole -eq $true)
{
$AssignedToRoleValues = @()
# Note: only process directory roles and not group membership (if any)
foreach ($role in $($memberOf | Where-Object -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' }))
$roleAssignments = Get-MgBetaRoleManagementDirectoryRoleAssignment -Filter "PrincipalId eq '$($Group.Id)'"
foreach ($assignment in $roleAssignments)
{
if ($null -ne $role.AdditionalProperties.displayName)
{
$AssignedToRoleValues += $role.AdditionalProperties.displayName
}
$roleDefinition = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $assignment.RoleDefinitionId
$AssignedToRoleValues += $roleDefinition.DisplayName
}
}
# Licenses
$assignedLicensesValues = $null
$uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/groups/$($Group.Id)/assignedLicenses"
$assignedLicensesRequest = Invoke-MgGraphRequest -Method 'GET' `
-Uri "https://graph.microsoft.com/v1.0/groups/$($Group.Id)/assignedLicenses"
-Uri $uri
if ($assignedLicensesRequest.value.Length -gt 0)
{
@ -912,13 +911,7 @@ function Set-TargetResource
{
try
{
$role = Get-MgBetaDirectoryRole -Filter "DisplayName eq '$($diff.InputObject)'"
# If the role hasn't been activated, we need to get the role template ID to first activate the role
if ($null -eq $role)
{
$adminRoleTemplate = Get-MgBetaDirectoryRoleTemplate -All | Where-Object { $_.DisplayName -eq $diff.InputObject }
$role = New-MgBetaDirectoryRole -RoleTemplateId $adminRoleTemplate.Id
}
$role = Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$($diff.InputObject)'"
}
catch
{
@ -933,15 +926,15 @@ function Set-TargetResource
if ($diff.SideIndicator -eq '=>')
{
Write-Verbose -Message "Assigning AAD group {$($currentGroup.DisplayName)} to Directory Role {$($diff.InputObject)}"
$DirObject = @{
'@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($currentGroup.Id)"
}
New-MgBetaDirectoryRoleMemberByRef -DirectoryRoleId ($role.Id) -BodyParameter $DirObject | Out-Null
New-MgBetaRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $currentGroup.Id -DirectoryScopeId '/'
}
elseif ($diff.SideIndicator -eq '<=')
{
Write-Verbose -Message "Removing AAD group {$($currentGroup.DisplayName)} from Directory Role {$($role.DisplayName)}"
Remove-MgBetaDirectoryRoleMemberDirectoryObjectByRef -DirectoryRoleId ($role.Id) -DirectoryObjectId ($currentGroup.Id) | Out-Null
Write-Verbose "GroupId = $($currentGroup.Id)"
Write-Verbose "RoleDefinitionId = $($role.Id)"
$roleAssignment = Get-MgBetaRoleManagementDirectoryRoleAssignment -Filter "PrincipalId eq '$($currentGroup.Id)' and RoleDefinitionId eq '$($role.Id)'"
Remove-MgBetaRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $roleAssignment.Id
}
}
}

7
Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupsSettings/MSFT_AADGroupsSettings.psm1
Просмотреть файл

@ -138,7 +138,6 @@ function Get-TargetResource
GuestUsageGuidelinesUrl = $valueGuestUsageGuidelinesUrl.Value
AllowToAddGuests = [Boolean]::Parse($valueAllowToAddGuests.Value)
UsageGuidelinesUrl = $valueUsageGuidelinesUrl.Value
NewUnifiedGroupWritebackDefault = [Boolean]::Parse($valueNewUnifiedGroupWritebackDefault.Value)
Ensure = 'Present'
ApplicationId = $ApplicationId
TenantId = $TenantId
@ -148,7 +147,11 @@ function Get-TargetResource
Managedidentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
if (-not [System.String]::IsNullOrEmpty($valueNewUnifiedGroupWritebackDefault.Value))
{
$result.Add('NewUnifiedGroupWritebackDefault', [Boolean]::Parse($valueNewUnifiedGroupWritebackDefault.Value))
}
if (-not [System.String]::IsNullOrEmpty($AllowedGroupName))
{
$result.Add('GroupCreationAllowedGroupName', $AllowedGroupName)

567
Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/MSFT_AADHomeRealmDiscoveryPolicy.psm1 Normal file
Просмотреть файл

@ -0,0 +1,567 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
#region resource generator code
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$Definition,
[Parameter()]
[System.Boolean]
$IsOrganizationDefault,
[Parameter()]
[System.String]
$Description,
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
#endregion
[Parameter()]
[System.String]
[ValidateSet('Absent', 'Present')]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
try
{
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
$nullResult.Ensure = 'Absent'
$getValue = $null
#region resource generator code
$getValue = Get-MgBetaPolicyHomeRealmDiscoveryPolicy `
-Filter "DisplayName eq '$DisplayName'"
#endregion
if ($null -eq $getValue)
{
Write-Verbose -Message "Could not find an Azure AD Home Realm Discovery Policy with DisplayName {$DisplayName}."
return $nullResult
}
# if multiple objects with same name exist
if ($getValue -is [array]) {
Write-Verbose -Message "Multiple Azure AD Home Realm Discovery Policy with DisplayName {$DisplayName} found. Skipping Operation."
return $nullResult
}
Write-Verbose -Message "An Azure AD Home Realm Discovery Policy with DisplayName {$DisplayName} was found"
$DefinitionArray = @()
foreach ($definitionValue in $getValue.definition) {
$value = ConvertFrom-Json $definitionValue
$DefinitionArray += @{
AccelerateToFederatedDomain = $value.HomeRealmDiscoveryPolicy.AccelerateToFederatedDomain
AllowCloudPasswordValidation = $value.HomeRealmDiscoveryPolicy.AllowCloudPasswordValidation
PreferredDomain = $value.HomeRealmDiscoveryPolicy.PreferredDomain
AlternateIdLogin = @{
Enabled = $value.HomeRealmDiscoveryPolicy.AlternateIdLogin.Enabled
}
}
}
$results = @{
#region resource generator code
Definition = [Array]$DefinitionArray
IsOrganizationDefault = $getValue.isOrganizationDefault
Description = $getValue.description
DisplayName = $getValue.displayName
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
ApplicationSecret = $ApplicationSecret
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
#endregion
}
return [System.Collections.Hashtable] $results
}
catch
{
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
#region resource generator code
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$Definition,
[Parameter()]
[System.Boolean]
$IsOrganizationDefault,
[Parameter()]
[System.String]
$Description,
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
#endregion
[Parameter()]
[System.String]
[ValidateSet('Absent', 'Present')]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$currentInstance = Get-TargetResource @PSBoundParameters
$BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
# to get the id parameter
$getValue = Get-MgBetaPolicyHomeRealmDiscoveryPolicy `
-Filter "DisplayName eq '$DisplayName'"
$newDefinitions = @()
foreach ($Def in $Definition) {
$HomeRealmDiscoveryPolicy = @{}
if ($null -ne $Def.AccelerateToFederatedDomain){
$HomeRealmDiscoveryPolicy.Add('AccelerateToFederatedDomain', $Def.AccelerateToFederatedDomain)
}
if ($null -ne $Def.AllowCloudPasswordValidation){
$HomeRealmDiscoveryPolicy.Add('AllowCloudPasswordValidation', $Def.AllowCloudPasswordValidation)
}
if ($null -ne $Def.PreferredDomain){
$HomeRealmDiscoveryPolicy.Add('PreferredDomain', $Def.PreferredDomain)
}
if ($null -ne $Def.AlternateIdLogin.Enabled){
$HomeRealmDiscoveryPolicy.Add('AlternateIdLogin', @{Enabled = $Def.AlternateIdLogin.Enabled})
}
$temp = @{
HomeRealmDiscoveryPolicy = $HomeRealmDiscoveryPolicy
}
$newDefinitions += ConvertTo-Json $temp -Depth 10 -Compress
}
$BoundParameters.Definition = $newDefinitions
if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
{
Write-Verbose -Message "Creating an Azure AD Home Realm Discovery Policy with DisplayName {$DisplayName}"
$createParameters = ([Hashtable]$BoundParameters).Clone()
$createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters
#region resource generator code
$policy = New-MgBetaPolicyHomeRealmDiscoveryPolicy -BodyParameter $createParameters
#endregion
}
elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Updating the Azure AD Home Realm Discovery Policy with DisplayName {$($currentInstance.DisplayName)}"
$updateParameters = ([Hashtable]$BoundParameters).Clone()
$updateParameters = Rename-M365DSCCimInstanceParameter -Properties $updateParameters
#region resource generator code
Update-MgBetaPolicyHomeRealmDiscoveryPolicy `
-HomeRealmDiscoveryPolicyId $getValue.Id `
-BodyParameter $UpdateParameters
#endregion
}
elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Removing the Azure AD Home Realm Discovery Policy with DisplayName {$($currentInstance.DisplayName)}"
#region resource generator code
Remove-MgBetaPolicyHomeRealmDiscoveryPolicy -HomeRealmDiscoveryPolicyId $getValue.Id
#endregion
}
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
#region resource generator code
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$Definition,
[Parameter()]
[System.Boolean]
$IsOrganizationDefault,
[Parameter()]
[System.String]
$Description,
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
#endregion
[Parameter()]
[System.String]
[ValidateSet('Absent', 'Present')]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
Write-Verbose -Message "Testing configuration of the Azure AD Home Realm Discovery Policy with DisplayName {$DisplayName}"
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
if ($CurrentValues.Ensure -ne $Ensure)
{
Write-Verbose -Message "Test-TargetResource returned $false"
return $false
}
$testResult = $true
#Compare Cim instances
foreach ($key in $PSBoundParameters.Keys)
{
$source = $PSBoundParameters.$key
$target = $CurrentValues.$key
if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
{
$testResult = Compare-M365DSCComplexObject `
-Source ($source) `
-Target ($target)
if (-not $testResult)
{
break
}
$ValuesToCheck.Remove($key) | Out-Null
}
}
$ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
if ($testResult)
{
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
}
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.String]
$Filter,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
#region resource generator code
[array]$getValue = Get-MgBetaPolicyHomeRealmDiscoveryPolicy `
-Filter $Filter `
-All `
-ErrorAction Stop
#endregion
$i = 1
$dscContent = ''
if ($getValue.Length -eq 0)
{
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
else
{
Write-Host "`r`n" -NoNewline
}
foreach ($config in $getValue)
{
$displayedKey = $config.DisplayName
if (-not [String]::IsNullOrEmpty($config.displayName))
{
$displayedKey = $config.displayName
}
elseif (-not [string]::IsNullOrEmpty($config.name))
{
$displayedKey = $config.name
}
Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline
$params = @{
DisplayName = $config.DisplayName
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
ApplicationSecret = $ApplicationSecret
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
if ($null -ne $Results.Definition)
{
$Results.Definition = Get-M365DSCAADHomeRealDiscoveryPolicyDefinitionAsString $Results.Definition
}
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
if ($null -ne $Results.Definition)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
-ParameterName 'Definition'
}
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$i++
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
function Get-M365DSCAADHomeRealDiscoveryPolicyDefinitionAsString
{
[CmdletBinding()]
[OutputType([System.String])]
param(
[Parameter(Mandatory = $true)]
[System.Collections.ArrayList]
$Definitions
)
$StringContent = [System.Text.StringBuilder]::new()
$StringContent.Append('@(') | Out-Null
foreach ($definition in $Definitions)
{
$StringContent.Append("`n MSFT_AADHomeRealDiscoveryPolicyDefinition {`r`n") | Out-Null
$StringContent.Append(" PreferredDomain = '" + $definition.PreferredDomain + "'`r`n") | Out-Null
if ($null -ne $definition.AccelerateToFederatedDomain) {
$StringContent.Append(" AccelerateToFederatedDomain = $" + $definition.AccelerateToFederatedDomain + "`r`n") | Out-Null
}
if ($null -ne $definition.AllowCloudPasswordValidation) {
$StringContent.Append(" AllowCloudPasswordValidation = $" + $definition.AllowCloudPasswordValidation + "`r`n") | Out-Null
}
$StringContent.Append(" AlternateIdLogin = MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin {`r`n") | Out-Null
$StringContent.Append(" Enabled = $" + $definition.AlternateIdLogin.Enabled + "`r`n") | Out-Null
$StringContent.Append(" }`r`n") | Out-Null
$StringContent.Append(" }`r`n") | Out-Null
}
$StringContent.Append(' )') | Out-Null
return $StringContent.ToString()
}
Export-ModuleMember -Function *-TargetResource

33
Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/MSFT_AADHomeRealmDiscoveryPolicy.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,33 @@
[ClassVersion("1.0.0")]
class MSFT_AADHomeRealDiscoveryPolicyDefinition
{
[Write, Description("Accelerate to Federated Domain.")] Boolean AccelerateToFederatedDomain;
[Write, Description("Allow cloud password validation.")] Boolean AllowCloudPasswordValidation;
[Write, Description("AlternateIdLogin complex object."), EmbeddedInstance("MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin")] String AlternateIdLogin;
[Write, Description("Preffered Domain value.")] String PreferredDomain;
};
[ClassVersion("1.0.0")]
class MSFT_AADHomeRealDiscoveryPolicyDefinitionAlternateIdLogin
{
[Write, Description("Boolean for whether AlternateIdLogin is enabled.")] Boolean Enabled;
};
[ClassVersion("1.0.0.0"), FriendlyName("AADHomeRealmDiscoveryPolicy")]
class MSFT_AADHomeRealmDiscoveryPolicy : OMI_BaseResource
{
[Key, Description("Display name for this policy. Required.")] String DisplayName;
[Write, Description("A string collection containing a complex object array that defines the rules and settings for a policy. The syntax for the definition differs for each derived policy type. Required."), EmbeddedInstance("MSFT_AADHomeRealDiscoveryPolicyDefinition")] String Definition[];
[Write, Description("If set to true, activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false.")] Boolean IsOrganizationDefault;
[Write, Description("Description for this policy. Required.")] String Description;
[Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
[Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADHomeRealmDiscoveryPolicy
## Description
Azure AD Home Realm Discovery Policy

33
Modules/Microsoft365DSC/DSCResources/MSFT_AADHomeRealmDiscoveryPolicy/settings.json Normal file
Просмотреть файл

@ -0,0 +1,33 @@
{
"resourceName": "AADHomeRealmDiscoveryPolicy",
"description": "This resource configures an Azure AD Home Realm Discovery Policy.",
"permissions": {
"graph": {
"delegated": {
"read": [
{
"name": "Policy.Read.All"
}
],
"update": [
{
"name": "Policy.ReadWrite.ApplicationConfiguration"
}
]
},
"application": {
"read": [
{
"name": "Policy.Read.All"
}
],
"update": [
{
"name": "Policy.ReadWrite.ApplicationConfiguration"
}
]
}
}
}
}

589
Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.psm1 Normal file
Просмотреть файл

@ -0,0 +1,589 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$Description,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$CallbackConfiguration,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$ClientConfiguration,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$EndpointConfiguration,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters | Out-Null
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
$nullResult.Ensure = 'Absent'
try
{
if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
{
if (-not [System.String]::IsNullOrEmpty($Id))
{
$instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id}
}
if ($null -eq $instance)
{
$instance = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName}
}
}
else
{
if (-not [System.String]::IsNullOrEmpty($Id))
{
$instance = Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -CustomTaskExtensionId $Id
}
if ($null -eq $instance)
{
$instance = Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -Filter "DisplayName eq '$($DisplayName)'"
}
}
if ($null -eq $instance)
{
return $nullResult
}
# Callback Configuration
$CallbackConfigurationValue = $null
if ($null -ne $instance.CallbackConfiguration.TimeoutDuration)
{
$CallbackConfigurationValue = @{
TimeoutDuration = "PT$($instance.CallbackConfiguration.TimeoutDuration.Minutes.ToString())M"
AuthorizedApps = @()
}
foreach ($app in $instance.CallbackConfiguration.AdditionalProperties.authorizedApps)
{
$appInstance = Get-MgApplication -Filter "AppId eq '$($app['id'])'" -ErrorAction SilentlyContinue
if ($null -ne $appInstance)
{
$CallbackConfigurationValue.AuthorizedApps += $appInstance.DisplayName
}
}
}
# Client Configuration
$ClientConfigurationValue = @{
MaximumRetries = $instance.ClientConfiguration.MaximumRetries
TimeoutInMilliseconds = $instance.ClientConfiguration.TimeoutInMilliseconds
}
# EndpointConfiguration
$EndpointConfigurationValue = @{
SubscriptionId = $instance.EndpointConfiguration.AdditionalProperties.subscriptionId
resourceGroupName = $instance.EndpointConfiguration.AdditionalProperties.resourceGroupName
logicAppWorkflowName = $instance.EndpointConfiguration.AdditionalProperties.logicAppWorkflowName
url = $instance.EndpointConfiguration.AdditionalProperties.url
}
$results = @{
DisplayName = $DisplayName
Id = $instance.Id
Description = $instance.Description
CallbackConfiguration = $CallbackConfigurationValue
ClientConfiguration = $ClientConfigurationValue
EndpointConfiguration = $EndpointConfigurationValue
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
Write-Verbose -Message $_
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$Description,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$CallbackConfiguration,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$ClientConfiguration,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$EndpointConfiguration,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$currentInstance = Get-TargetResource @PSBoundParameters
$instanceParams = @{
displayName = $DisplayName
description = $Description
endpointConfiguration = @{
"@odata.type" = "#microsoft.graph.logicAppTriggerEndpointConfiguration"
subscriptionId = $EndpointConfiguration.subscriptionId
resourceGroupName = $EndpointConfiguration.resourceGroupName
logicAppWorkflowName = $EndpointConfiguration.logicAppWorkflowName
url = $EndpointConfiguration.url
}
clientConfiguration = @{
"@odata.type" = "#microsoft.graph.customExtensionClientConfiguration"
maximumRetries = $clientConfiguration.maximumRetries
timeoutInMilliseconds = $clientConfiguration.timeoutInMilliseconds
}
authenticationConfiguration = @{
"@odata.type" = "#microsoft.graph.azureAdPopTokenAuthentication"
}
}
if ($null -ne $CallbackConfiguration)
{
$instanceParams.Add('callbackConfiguration', @{
"@odata.type" = "#microsoft.graph.identityGovernance.customTaskExtensionCallbackConfiguration"
timeoutDuration = $CallbackConfiguration.timeoutDuration
})
if ($null -ne $CallbackConfiguration.AuthorizedApps)
{
$appsValue = @()
foreach ($app in $CallbackConfiguration.AuthorizedApps)
{
$appInfo = Get-MgApplication -Filter "DisplayName eq '$app'" -ErrorAction SilentlyContinue
if ($null -ne $appInfo)
{
$appsValue += $appInfo.Id
}
}
$instanceParams.callbackConfiguration.Add('authorizedApps', $appsValue)
}
}
# CREATE
if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
{
Write-Verbose -Message "Creating new Workflow Custom Task Extension {$DisplayName} with parameters:`r`n$(ConvertTo-Json $instanceParams)"
New-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -BodyParameter $instanceParams
}
# UPDATE
elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Updating Workflow Custom Task Extension {$DisplayName} with parameters:`r`n$(ConvertTo-Json $instanceParams)"
Update-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -CustomTaskExtensionId $currentInstance.Id -BodyParameter $instanceParams
}
# REMOVE
elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Removing Workflow Custom Task Extension {$DisplayName}"
Remove-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -CustomTaskExtensionId $currentInstance.Id
}
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$Description,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$CallbackConfiguration,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$ClientConfiguration,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$EndpointConfiguration,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
#Compare Cim instances
foreach ($key in $PSBoundParameters.Keys)
{
$source = $PSBoundParameters.$key
$target = $CurrentValues.$key
if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
{
$testResult = Compare-M365DSCComplexObject `
-Source ($source) `
-Target ($target)
if (-not $testResult)
{
break
}
$ValuesToCheck.Remove($key) | Out-Null
}
}
if ($testResult)
{
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
}
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
$Script:ExportMode = $true
[array] $Script:exportedInstances = Get-MgBetaIdentityGovernanceLifecycleWorkflowCustomTaskExtension -ErrorAction Stop
$i = 1
$dscContent = ''
if ($Script:exportedInstances.Length -eq 0)
{
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
else
{
Write-Host "`r`n" -NoNewline
}
foreach ($config in $Script:exportedInstances)
{
if ($null -ne $Global:M365DSCExportResourceInstancesCount)
{
$Global:M365DSCExportResourceInstancesCount++
}
$displayedKey = $config.DisplayName
Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline
$params = @{
DisplayName = $config.DisplayName
Id = $config.Id
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
if ($null -ne $Results.EndpointConfiguration)
{
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.EndpointConfiguration `
-CIMInstanceName 'AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration'
if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.EndpointConfiguration = $complexTypeStringResult
}
else
{
$Results.Remove('EndpointConfiguration') | Out-Null
}
}
if ($null -ne $Results.ClientConfiguration)
{
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.ClientConfiguration `
-CIMInstanceName 'AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration'
if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.ClientConfiguration = $complexTypeStringResult
}
else
{
$Results.Remove('ClientConfiguration') | Out-Null
}
}
if ($null -ne $Results.CallbackConfiguration)
{
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.CallbackConfiguration `
-CIMInstanceName 'AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration'
if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.CallbackConfiguration = $complexTypeStringResult
}
else
{
$Results.Remove('CallbackConfiguration') | Out-Null
}
}
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
if ($Results.EndpointConfiguration)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'EndpointConfiguration' -IsCIMArray:$False
}
if ($Results.ClientConfiguration)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ClientConfiguration' -IsCIMArray:$False
}
if ($Results.CallbackConfiguration)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'CallbackConfiguration' -IsCIMArray:$False
}
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$i++
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
Export-ModuleMember -Function *-TargetResource

41
Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,41 @@
[ClassVersion("1.0.0")]
class MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration
{
[Write, Description("The max duration in milliseconds that Microsoft Entra ID waits for a response from the external app before it shuts down the connection. The valid range is between 200 and 2000 milliseconds. Default duration is 1000.")] UInt32 timeoutInMilliseconds;
[Write, Description("The max number of retries that Microsoft Entra ID makes to the external API. Values of 0 or 1 are supported. If null, the default for the service applies.")] UInt32 maximumRetries;
};
[ClassVersion("1.0.0")]
class MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration
{
[Write, Description("The name of the logic app.")] String logicAppWorkflowName;
[Write, Description("The Azure resource group name for the logic app.")] String resourceGroupName;
[Write, Description("Identifier of the Azure subscription for the logic app.")] String subscriptionId;
[Write, Description("Url of the logic app.")] String url;
};
[ClassVersion("1.0.0")]
class MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration
{
[Write, Description("Callback time out in ISO 8601 time duration. Accepted time durations are between five minutes to three hours. For example, PT5M for five minutes and PT3H for three hours. Inherited from customExtensionCallbackConfiguration.")] String timeoutDuration;
[Write, Description("List of apps names that are allowed to resume a task processing result.")] String authorizedApps[];
};
[ClassVersion("1.0.0.0"), FriendlyName("AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension")]
class MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension : OMI_BaseResource
{
[Key, Description("Display name of the custom extension.")] String DisplayName;
[Write, Description("Unique Id of the extension.")] String Id;
[Write, Description("Description of the extension.")] String Description;
[Write, Description("Client configuration for the extension"), EmbeddedInstance("MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionClientConfiguration")] String ClientConfiguration;
[Write, Description("Endpoint configuration for the extension"), EmbeddedInstance("MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionEndpointConfiguration")] String EndpointConfiguration;
[Write, Description("Callback configuration for the extension"), EmbeddedInstance("MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtensionCallbackConfiguration")] String CallbackConfiguration;
[Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
[Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension
## Description
Configures custom extensions for Lifecycle workflows in Entra id.

28
Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension/settings.json Normal file
Просмотреть файл

@ -0,0 +1,28 @@
{
"resourceName": "AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension",
"description": "Configures custom extensions for Lifecycle workflows in Entra id.",
"roles": {
"read": [],
"update": []
},
"permissions": {
"graph": {
"delegated": {
"read": [],
"update": []
},
"application": {
"read": [
{
"name": "LifecycleWorkflows.Read.All"
}
],
"update": [
{
"name": "LifecycleWorkflows.ReadWrite.All"
}
]
}
}
}
}

336
Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/MSFT_AADIdentityProtectionPolicySettings.psm1 Normal file
Просмотреть файл

@ -0,0 +1,336 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance,
[Parameter()]
[System.Boolean]
$IsUserRiskClearedOnPasswordReset,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters | Out-Null
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
try
{
$url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identityProtection/policy"
$instance = Invoke-MgGraphRequest -Method Get -Uri $url
if ($null -eq $instance)
{
throw 'Could not retrieve the AAD Identity Protection Policy settings.'
}
$results = @{
IsSingleInstance = 'Yes'
IsUserRiskClearedOnPasswordReset = $instance.IsUserRiskClearedOnPasswordReset
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
Write-Verbose -Message $_
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance,
[Parameter()]
[System.Boolean]
$IsUserRiskClearedOnPasswordReset,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$updateParameters = @{
IsUserRiskClearedOnPasswordReset = $IsUserRiskClearedOnPasswordReset
}
$updateJSON = ConvertTo-Json $updateParameters
Write-Verbose -Message "Updating the AAD Identity Protection Policy settings with values: $updateJSON"
$url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identityProtection/policy"
Invoke-MgGraphRequest -Method PATCH -Uri $url -Body $updateJSON
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance,
[Parameter()]
[System.Boolean]
$IsUserRiskClearedOnPasswordReset,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
$Script:ExportMode = $true
$url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/identityProtection/policy"
[array] $Script:exportedInstances = Invoke-MgGraphRequest -Method Get -Uri $url
$i = 1
$dscContent = ''
if ($Script:exportedInstances.Length -eq 0)
{
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
else
{
Write-Host "`r`n" -NoNewline
}
foreach ($config in $Script:exportedInstances)
{
if ($null -ne $Global:M365DSCExportResourceInstancesCount)
{
$Global:M365DSCExportResourceInstancesCount++
}
$displayedKey = 'AAD Identity Protection Policy Settings'
Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline
$params = @{
IsSingleInstance = 'Yes'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$i++
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
Export-ModuleMember -Function *-TargetResource

13
Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/MSFT_AADIdentityProtectionPolicySettings.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,13 @@
[ClassVersion("1.0.0.0"), FriendlyName("AADIdentityProtectionPolicySettings")]
class MSFT_AADIdentityProtectionPolicySettings : OMI_BaseResource
{
[Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance;
[Write, Description("If true, user risk is cleared on password reset.")] Boolean IsUserRiskClearedOnPasswordReset;
[Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADIdentityProtectionPolicySettings
## Description
Use this resource to monitor the identity protection policy settings in AAD.

36
Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityProtectionPolicySettings/settings.json Normal file
Просмотреть файл

@ -0,0 +1,36 @@
{
"resourceName": "AADIdentityProtectionPolicySettings",
"description": "Use this resource to monitor the identity protection policy settings in AAD",
"roles": {
"read": [],
"update": []
},
"permissions": {
"graph": {
"delegated": {
"read": [
{
"name": "Policy.Read.IdentityProtection"
}
],
"update": [
{
"name": "Policy.ReadWrite.IdentityProtection"
}
]
},
"application": {
"read": [
{
"name": "Policy.Read.IdentityProtection"
}
],
"update": [
{
"name": "Policy.ReadWrite.IdentityProtection"
}
]
}
}
}
}

26
Modules/Microsoft365DSC/DSCResources/MSFT_AADNamedLocationPolicy/MSFT_AADNamedLocationPolicy.psm1
Просмотреть файл

@ -121,6 +121,8 @@ function Get-TargetResource
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullReturn
}
}
if ($null -eq $NamedLocation)
@ -252,6 +254,26 @@ function Set-TargetResource
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
if ($Id)
{
$NamedLocation = Get-MgBetaIdentityConditionalAccessNamedLocation -NamedLocationId $Id -ErrorAction Stop
}
}
catch
{
Write-Verbose -Message "Could not retrieve AAD Named Location by ID {$Id}"
}
if ($null -eq $NamedLocation)
{
$NamedLocation = Get-MgBetaIdentityConditionalAccessNamedLocation -ErrorAction SilentlyContinue | Where-Object -FilterScript { $_.DisplayName -eq $DisplayName }
if ($NamedLocation.Length -gt 1)
{
throw "More than one instance of a Named Location Policy with name {$DisplayName} was found. Please provide the ID parameter."
}
}
$currentAADNamedLocation = Get-TargetResource @PSBoundParameters
$desiredValues = @{
@ -293,7 +315,7 @@ function Set-TargetResource
Write-Verbose -Message "Creating New AAD Named Location {$Displayname)} with attributes: $VerboseAttributes"
$JSONValue = ConvertTo-Json $desiredValues | Out-String
Write-Verbose -Message "JSON: $JSONValue"
$APIUrl = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations'
$APIUrl = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/identity/conditionalAccess/namedLocations"
Invoke-MgGraphRequest -Method POST `
-Uri $APIUrl `
-Body $JSONValue | Out-Null
@ -308,7 +330,7 @@ function Set-TargetResource
Write-Verbose -Message "Updating AAD Named Location {$Displayname)} with attributes: $VerboseAttributes"
$JSONValue = ConvertTo-Json $desiredValues | Out-String
Write-Verbose -Message "JSON: $JSONValue"
$APIUrl = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations/$($currentAADNamedLocation.Id)"
$APIUrl = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/identity/conditionalAccess/namedLocations/$($currentAADNamedLocation.Id)"
Invoke-MgGraphRequest -Method PATCH `
-Uri $APIUrl `
-Body $JSONValue | Out-Null

493
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/MSFT_AADNetworkAccessForwardingPolicy.psm1 Normal file
Просмотреть файл

@ -0,0 +1,493 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$PolicyRules,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters | Out-Null
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
try
{
if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
{
$instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name}
}
else
{
$instance = Get-MgBetaNetworkAccessForwardingPolicy -Expand * -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $Name }
}
if ($null -eq $instance)
{
throw "Could not retrieve the Forwarding Policy with name: $Name"
}
$complexPolicyRules = Get-MicrosoftGraphNetworkAccessForwardingPolicyRules -PolicyRules $instance.PolicyRules
$results = @{
Name = $instance.name
PolicyRules = $complexPolicyRules
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
Write-Verbose -Message $_
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$PolicyRules,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
$currentPolicy = Get-MgBetaNetworkAccessForwardingPolicy -Expand * -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $setParameters.Name }
if ($Name -eq "Custom Bypass") {
foreach ($rule in $currentPolicy.PolicyRules) {
Remove-MgBetaNetworkAccessForwardingPolicyRule -ForwardingPolicyId $currentPolicy.Id -PolicyRuleId $rule.Id
}
foreach ($rule in $setParameters.PolicyRules) {
$complexDestinations = @()
foreach ($destination in $rule.Destinations) {
$complexDestinations += @{
"@odata.type" = "#microsoft.graph.networkaccess." + $rule.RuleType
value = $destination
}
}
$params = @{
"@odata.type" = "#microsoft.graph.networkaccess.internetAccessForwardingRule"
name = $rule.Name
action = $rule.ActionValue
ruleType = $rule.RuleType
ports = ($rule.Ports | ForEach-Object { $_.ToString() })
protocol = $rule.Protocol
destinations = $complexDestinations
}
New-MgBetaNetworkAccessForwardingPolicyRule -ForwardingPolicyId $currentPolicy.Id -BodyParameter $params
}
} elseif ($currentPolicy.TrafficForwardingType -eq "m365") {
$rulesParam = @()
foreach ($desiredRule in $setParameters.PolicyRules) {
$desiredRuleHashtable = Convert-M365DSCDRGComplexTypeToHashtable $desiredRule
$desiredRuleHashtable.Remove('actionValue')
$testResult = $false
foreach ($currentRule in $currentPolicy.PolicyRules) {
$currentRuleHashtable = Get-MicrosoftGraphNetworkAccessForwardingPolicyRules -PolicyRules @($currentRule)
$currentRuleHashtable.Remove('ActionValue');
$testResult = Compare-M365DSCComplexObject `
-Source ($currentRuleHashtable) `
-Target ($desiredRuleHashtable)
if ($testResult) {
Write-Verbose "Updating: $($currentRule.Name), $($currentRule.Id)"
$rulesParam += @{
ruleId = $currentRule.Id
action = $desiredRule.ActionValue
}
break
}
}
if($testResult -eq $false){
Write-Verbose "Could not find rule with the given specification: $(Convert-M365DscHashtableToString -Hashtable $desiredRuleHashtable), skipping set for this."
}
}
$updateParams = @{
rules = $rulesParam
}
Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/networkAccess/forwardingPolicies/$($currentPolicy.ID)/updatePolicyRules" -Method Post -Body $updateParams
}
else {
Write-Verbose "Can not modify the list of poilicy rules for the forwarding policy with name: $($setParameters.Name)"
}
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$PolicyRules,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$testTargetResource = $true
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
#Compare Cim instances
foreach ($key in $PSBoundParameters.Keys)
{
$source = $PSBoundParameters.$key
$target = $CurrentValues.$key
if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
{
$testResult = Compare-M365DSCComplexObject `
-Source ($source) `
-Target ($target)
if (-not $testResult)
{
$testTargetResource = $false
}
else {
$ValuesToCheck.Remove($key) | Out-Null
}
}
}
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"
$TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys `
-IncludedDrifts $driftedParams
if(-not $TestResult)
{
$testTargetResource = $false
}
Write-Verbose -Message "Test-TargetResource returned $testTargetResource"
return $testTargetResource
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
$Script:ExportMode = $true
[array] $Script:exportedInstances = Get-MgBetaNetworkAccessForwardingPolicy -Expand * -ErrorAction Stop
$i = 1
$dscContent = ''
if ($Script:exportedInstances.Length -eq 0)
{
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
else
{
Write-Host "`r`n" -NoNewline
}
foreach ($config in $Script:exportedInstances)
{
if ($null -ne $Global:M365DSCExportResourceInstancesCount)
{
$Global:M365DSCExportResourceInstancesCount++
}
$displayedKey = $config.Name
Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline
$params = @{
Name = $config.Name
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
if ($null -ne $Results.PolicyRules)
{
$Results.PolicyRules = Get-MicrosoftGraphNetworkAccessForwardingPolicyRulesAsString -PolicyRules $Results.PolicyRules
}
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
if ($null -ne $Results.PolicyRules)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
-ParameterName 'PolicyRules'
}
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$i++
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
function Get-MicrosoftGraphNetworkAccessForwardingPolicyRules
{
[CmdletBinding()]
[OutputType([System.Collections.ArrayList])]
param(
[Parameter(Mandatory = $true)]
[System.Collections.ArrayList]
$PolicyRules
)
$newPolicyRules = @()
foreach ($rule in $PolicyRules) {
$destinations = @()
foreach ($destination in $rule.AdditionalProperties.destinations) {
$destinations += $destination.value
}
$newPolicyRules += @{
Name = $rule.Name
ActionValue = $rule.AdditionalProperties.action
RuleType = $rule.AdditionalProperties.ruleType
Ports = $rule.AdditionalProperties.ports
Protocol = $rule.AdditionalProperties.protocol
Destinations = $destinations
}
}
return $newPolicyRules
}
function Get-MicrosoftGraphNetworkAccessForwardingPolicyRulesAsString
{
[CmdletBinding()]
[OutputType([System.String])]
param(
[Parameter(Mandatory = $true)]
[System.Collections.ArrayList]
$PolicyRules
)
$StringContent = [System.Text.StringBuilder]::new()
$StringContent.Append('@(') | Out-Null
foreach ($rule in $PolicyRules)
{
$StringContent.Append("`n MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule {`r`n") | Out-Null
$StringContent.Append(" Name = '" + $rule.Name + "'`r`n") | Out-Null
$StringContent.Append(" ActionValue = '" + $rule.ActionValue + "'`r`n") | Out-Null
$StringContent.Append(" RuleType = '" + $rule.RuleType + "'`r`n") | Out-Null
$StringContent.Append(" Protocol = '" + $rule.Protocol + "'`r`n") | Out-Null
$StringContent.Append(" Ports = @(" + $($rule.Ports -join ", ") + ")`r`n") | Out-Null
$StringContent.Append(" Destinations = @(" + $(($rule.Destinations | ForEach-Object { "'$_'" }) -join ", ") + ")`r`n") | Out-Null
$StringContent.Append(" }`r`n") | Out-Null
}
$StringContent.Append(' )') | Out-Null
return $StringContent.ToString()
}
Export-ModuleMember -Function *-TargetResource

24
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/MSFT_AADNetworkAccessForwardingPolicy.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,24 @@
[ClassVersion("1.0.0")]
class MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule
{
[Write, Description("Policy Rule Name. Required")] String Name;
[Write, Description("Action value.")] String ActionValue;
[Write, Description("Type of Rule")] String RuleType;
[Write, Description("List of Ports.")] UInt32 Ports[];
[Write, Description("Protocol Value")] String Protocol;
[Write, Description("List of destinations.")] String Destinations[];
};
[ClassVersion("1.0.0.0"), FriendlyName("AADNetworkAccessForwardingPolicy")]
class MSFT_AADNetworkAccessForwardingPolicy : OMI_BaseResource
{
[Key, Description("Name of the forwarding policy")] String Name;
[Write, Description("List of rules associated to this forwarding policy."), EmbeddedInstance("MSFT_MicrosoftGraphNetworkAccessForwardingPolicyRule")] String PolicyRules[];
[Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADNetworkAccessForwardingPolicy
## Description
Use this resource to monitor the forwarding policy rules associated with the forwarding policies.

32
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingPolicy/settings.json Normal file
Просмотреть файл

@ -0,0 +1,32 @@
{
"resourceName": "AADNetworkAccessForwardingPolicy",
"description": "Use this resource to monitor the forwarding policy rules associated with the forwarding policies.",
"permissions": {
"graph": {
"delegated": {
"read": [
{
"name": "NetworkAccessPolicy.Read.All"
}
],
"update": [
{
"name": "NetworkAccessPolicy.ReadWrite.All"
}
]
},
"application": {
"read": [
{
"name": "NetworkAccessPolicy.Read.All"
}
],
"update": [
{
"name": "NetworkAccessPolicy.ReadWrite.All"
}
]
}
}
}
}

534
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/MSFT_AADNetworkAccessForwardingProfile.psm1 Normal file
Просмотреть файл

@ -0,0 +1,534 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
#region resource generator code
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$State,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$Policies,
#endregion
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
try
{
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
$getValue = $null
#region resource generator code
if (-not [System.String]::IsNullOrEmpty($Id))
{
$getValue = Get-MgBetaNetworkAccessForwardingProfile -ForwardingProfileId $Id -ErrorAction SilentlyContinue
}
if ($null -eq $getValue)
{
Write-Verbose -Message "Could not find an Azure AD Network Access Forwarding Profile with Id:{$Id}"
if (-not [System.String]::IsNullOrEmpty($Name))
{
$getValue = Get-MgBetaNetworkAccessForwardingProfile -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $Name }
}
}
#endregion
if ($null -eq $getValue)
{
Write-Verbose -Message "Could not find an Azure AD Network Access Forwarding Profile with name {$Name}."
return $nullResult
}
Write-Verbose -Message "An Azure AD Network Access Forwarding Profile with {$Id} and {$Name} was found"
$forwardingProfilePolicies = Get-MgBetaNetworkAccessForwardingProfilePolicy -ForwardingProfileId $getValue.Id -ErrorAction SilentlyContinue
if ($null -ne $forwardingProfilePolicies)
{
Write-Verbose -Message "An Azure AD Network Access Forwarding Profile Policy with $($forwardingProfilePolicies.Id) and $($forwardingProfilePolicies.Name) was found"
}
$complexPolicies = @()
foreach ($currentPolicy in $forwardingProfilePolicies)
{
$myPolicies = @{}
$myPolicies.Add('Name', $currentPolicy.Policy.Name)
$myPolicies.Add('State', $currentPolicy.State)
$myPolicies.Add('PolicyLinkId', $currentPolicy.Id)
if ($myPolicies.values.Where({ $null -ne $_ }).Count -gt 0)
{
$complexPolicies += $myPolicies
}
}
$results = @{
Name = $getValue.Name
Id = $getValue.Id
State = $getValue.State
Policies = $complexPolicies
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
ApplicationSecret = $ApplicationSecret
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
}
return [System.Collections.Hashtable] $results
}
catch
{
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
#region resource generator code
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$State,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$Policies,
#endregion
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
# Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$currentInstance = Get-TargetResource @PSBoundParameters
$BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
if ($null -ne $currentInstance)
{
Write-Verbose -Message "Updating the Azure AD Network Access Forwarding Profile with {$($currentInstance.Id)}"
$updateParameters = ([Hashtable]$BoundParameters).Clone()
$updateParameters = Rename-M365DSCCimInstanceParameter -Properties $updateParameters
$updateParameters.Remove('Id') | Out-Null
$keys = (([Hashtable]$updateParameters).Clone()).Keys
foreach ($key in $keys)
{
if ($null -ne $updateParameters.$key -and $updateParameters.$key.GetType().Name -like '*CimInstance*')
{
$updateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $updateParameters.$key
}
}
Write-Verbose -Message "Updating the Azure AD Network Access Forwarding Profile with {$($currentInstance.Id)} {$($currentInstance.Name)} State"
Update-MgBetaNetworkAccessForwardingProfile `
-ForwardingProfileId $currentInstance.Id `
-State $updateParameters.State
$currentPolicies = $currentInstance.Policies
$updatedPolicies = $updateParameters.Policies
# update the current policy's state with the updated policy's state.
foreach ($currentPolicy in $currentPolicies)
{
$updatedPolicy = $updatedPolicies | Where-Object { $_.Name -eq $currentPolicy.Name }
if ($null -ne $updatedPolicy)
{
Write-Verbose -Message "Updating the Azure AD Network Access Forwarding Profile Policy with Id {$($currentPolicy.PolicyLinkId)} {$($currentPolicy.Name)}"
Update-MgBetaNetworkAccessForwardingProfilePolicy `
-ForwardingProfileId $currentInstance.Id `
-PolicyLinkId $currentPolicy.PolicyLinkId `
-State $updatedPolicy.State
}
}
#endregion
}
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
#region resource generator code
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$State,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$Policies,
#endregion
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
Write-Verbose -Message "Testing configuration of the Azure AD Network Access Forwarding Profile with Id:{$Id} and Name:{$Name}"
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
if ($null -eq $CurrentValues)
{
Write-Verbose -Message "Test-TargetResource returned $false"
return $false
}
$testResult = $true
#Compare Cim instances
foreach ($key in $PSBoundParameters.Keys)
{
$source = $PSBoundParameters.$key
$target = $CurrentValues.$key
if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
{
$testResult = Compare-M365DSCComplexObject `
-Source ($source) `
-Target ($target)
if (-not $testResult)
{
break
}
$ValuesToCheck.Remove($key) | Out-Null
}
}
$ValuesToCheck.Remove('Id') | Out-Null
$ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
if ($testResult)
{
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
}
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.String]
$Filter,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
#region resource generator code
[array]$getValue = Get-MgBetaNetworkAccessForwardingProfile `
-Filter $Filter `
-All `
-ErrorAction Stop
#endregion
$i = 1
$dscContent = ''
if ($getValue.Length -eq 0)
{
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
else
{
Write-Host "`r`n" -NoNewline
}
foreach ($config in $getValue)
{
$displayedKey = $config.Id
if (-not [string]::IsNullOrEmpty($config.name))
{
$displayedKey = $config.name
}
Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline
$params = @{
Id = $config.Id
Name = $config.Name
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
ApplicationSecret = $ApplicationSecret
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
if ($Results.Policies.Count -gt 0)
{
$Results.Policies = Get-PoliciesAsString $Results.Policies
}
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
if ($null -ne $Results.Policies)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
-ParameterName 'Policies'
}
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$i++
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
function Get-PoliciesAsString
{
[CmdletBinding()]
[OutputType([System.String])]
param(
[Parameter(Mandatory = $true)]
[System.Collections.ArrayList]
$Policies
)
$StringContent = '@('
foreach ($policy in $Policies)
{
$StringContent += "MSFT_MicrosoftGraphNetworkaccessPolicyLink {`r`n"
$StringContent += " State = '" + $policy.State + "'`r`n"
$StringContent += " PolicyLinkId = '" + $policy.PolicyLinkId + "'`r`n"
$StringContent += " Name = '" + $policy.Name + "'`r`n"
$StringContent += " }`r`n"
}
$StringContent += ' )'
return $StringContent
}
Export-ModuleMember -Function *-TargetResource

24
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/MSFT_AADNetworkAccessForwardingProfile.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,24 @@
[ClassVersion("1.0.0")]
class MSFT_MicrosoftGraphNetworkaccessPolicyLink
{
[Write, Description("Policy Name. Required")] String Name;
[Write, Description("Policy Link Id")] String PolicyLinkId;
[Write, Description("status")] String state;
};
[ClassVersion("1.0.0.0"), FriendlyName("AADNetworkAccessForwardingProfile")]
class MSFT_AADNetworkAccessForwardingProfile : OMI_BaseResource
{
[Key, Description("Profile Name. Required.")] String Name;
[Write, Description("Id of the profile. Unique Identifier")] String Id;
[Write, Description("status of the profile")] String State;
[Write, Description("Traffic forwarding policies associated with this profile."), EmbeddedInstance("MSFT_MicrosoftGraphNetworkaccessPolicyLink")] String Policies[];
[Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

7
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/readme.md Normal file
Просмотреть файл

@ -0,0 +1,7 @@
# AADNetworkAccessForwardingProfile
## Description
This resource configure the Azure AD Network Access Forwarding Profile

33
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessForwardingProfile/settings.json Normal file
Просмотреть файл

@ -0,0 +1,33 @@
{
"resourceName": "AADNetworkAccessForwardingProfile",
"description": "This resource configures an Azure AD Network Access Forwarding Profile.",
"permissions": {
"graph": {
"delegated": {
"read": [
{
"name": "NetworkAccess.Read.All"
}
],
"update": [
{
"name": "NetworkAccess.ReadWrite.All"
}
]
},
"application": {
"read": [
{
"name": "NetworkAccess.Read.All"
}
],
"update": [
{
"name": "NetworkAccess.ReadWrite.All"
}
]
}
}
}
}

304
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/MSFT_AADNetworkAccessSettingConditionalAccess.psm1 Normal file
Просмотреть файл

@ -0,0 +1,304 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance,
[Parameter()]
[System.String]
$SignalingStatus,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters | Out-Null
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
try
{
$instance = Get-MgBetaNetworkAccessSettingCOnditionalAccess
$results = @{
IsSingleInstance = 'Yes'
SignalingStatus = $instance.SignalingStatus
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
Write-Verbose -Message $_
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance,
[Parameter(Mandatory = $true)]
[System.String]
$SignalingStatus,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
Write-Verbose -Message "Updating the Conditional Access Settings"
Update-MgBetaNetworkAccessSettingConditionalAccess -SignalingStatus $SignalingStatus
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance,
[Parameter(Mandatory = $true)]
[System.String]
$SignalingStatus,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
$Script:ExportMode = $true
$Global:M365DSCExportResourceInstancesCount++
$params = @{
IsSingleInstance = 'Yes'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$i++
Write-Host $Global:M365DSCEmojiGreenCheckMark
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
Export-ModuleMember -Function *-TargetResource

12
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/MSFT_AADNetworkAccessSettingConditionalAccess.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,12 @@
[ClassVersion("1.0.0.0"), FriendlyName("AADNetworkAccessSettingConditionalAccess")]
class MSFT_AADNetworkAccessSettingConditionalAccess : OMI_BaseResource
{
[Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance;
[Write, Description("Enable CA Signaling for Entra ID (covering all cloud apps). Accepted values are enabled or disabled.")] String SignalingStatus;
[Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADNetworkAccessSettingConditionalAccess
## Description
Configures the adaptive access settings in Entra Id

28
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingConditionalAccess/settings.json Normal file
Просмотреть файл

@ -0,0 +1,28 @@
{
"resourceName": "AADNetworkAccessSettingConditionalAccess",
"description": "Configures the adaptive access settings in Entra Id.",
"roles": {
"read": [],
"update": []
},
"permissions": {
"graph": {
"delegated": {
"read": [],
"update": []
},
"application": {
"read": [
{
"name": "NetworkAccess.Read.All"
}
],
"update": [
{
"name": "NetworkAccess.ReadWrite.All"
}
]
}
}
}
}

304
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/MSFT_AADNetworkAccessSettingCrossTenantAccess.psm1 Normal file
Просмотреть файл

@ -0,0 +1,304 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance,
[Parameter()]
[System.String]
$NetworkPacketTaggingStatus,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters | Out-Null
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
try
{
$instance = Get-MgBetaNetworkAccessSettingCrossTenantAccess
$results = @{
IsSingleInstance = 'Yes'
NetworkPacketTaggingStatus = $instance.NetworkPacketTaggingStatus
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
Write-Verbose -Message $_
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance,
[Parameter(Mandatory = $true)]
[System.String]
$NetworkPacketTaggingStatus,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
Write-Verbose -Message "Updating the Cross Tenant Access Settings"
Update-MgBetaNetworkAccessSettingCrossTenantAccess -NetworkPacketTaggingStatus $NetworkPacketTaggingStatus
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance,
[Parameter(Mandatory = $true)]
[System.String]
$NetworkPacketTaggingStatus,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
$Script:ExportMode = $true
$Global:M365DSCExportResourceInstancesCount++
$params = @{
IsSingleInstance = 'Yes'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$i++
Write-Host $Global:M365DSCEmojiGreenCheckMark
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
Export-ModuleMember -Function *-TargetResource

12
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/MSFT_AADNetworkAccessSettingCrossTenantAccess.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,12 @@
[ClassVersion("1.0.0.0"), FriendlyName("AADNetworkAccessSettingCrossTenantAccess")]
class MSFT_AADNetworkAccessSettingCrossTenantAccess : OMI_BaseResource
{
[Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance;
[Write, Description("Enable Tenant Restrictions for Entra ID (covering all cloud apps). Accepted values are enabled or disabled.")] String NetworkPacketTaggingStatus;
[Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADNetworkAccessSettingCrossTenantAccess
## Description
Configures the universal tenant restrictions in Entra Id

28
Modules/Microsoft365DSC/DSCResources/MSFT_AADNetworkAccessSettingCrossTenantAccess/settings.json Normal file
Просмотреть файл

@ -0,0 +1,28 @@
{
"resourceName": "AADNetworkAccessSettingCrossTenantAccess",
"description": "Configures the universal tenant restrictions in Entra Id.",
"roles": {
"read": [],
"update": []
},
"permissions": {
"graph": {
"delegated": {
"read": [],
"update": []
},
"application": {
"read": [
{
"name": "NetworkAccess.Read.All"
}
],
"update": [
{
"name": "NetworkAccess.ReadWrite.All"
}
]
}
}
}
}

315
Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/MSFT_AADOnPremisesPublishingProfilesSettings.psm1 Normal file
Просмотреть файл

@ -0,0 +1,315 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance = 'Yes',
[Parameter()]
[System.Boolean]
$IsEnabled,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters | Out-Null
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
try
{
$uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/onPremisesPublishingProfiles('applicationProxy')"
$instance = Invoke-MgGraphRequest -Uri $uri -Method Get
if ($null -eq $instance)
{
return $nullResult
}
$results = @{
IsSingleInstance = 'Yes'
IsEnabled = $instance.IsEnabled
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
Write-Verbose -Message $_
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance = 'Yes',
[Parameter()]
[System.Boolean]
$IsEnabled,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
Write-Verbose -Message "Updating the IsEnabled setting to {$($IsEnabled.ToString())}"
$settings = @{
isEnabled = $IsEnabled
}
$body = ConvertTo-Json $settings
$uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/onPremisesPublishingProfiles('applicationProxy')"
Invoke-MgGraphRequest -Uri $uri -Method PATCH -Body $Body | Out-Null
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance = 'Yes',
[Parameter()]
[System.Boolean]
$IsEnabled,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
$Script:ExportMode = $true
$dscContent = ''
if ($null -ne $Global:M365DSCExportResourceInstancesCount)
{
$Global:M365DSCExportResourceInstancesCount++
}
$params = @{
ISSingleInstance = 'Yes'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
Write-Host $Global:M365DSCEmojiGreenCheckMark
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
Export-ModuleMember -Function *-TargetResource

13
Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/MSFT_AADOnPremisesPublishingProfilesSettings.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,13 @@
[ClassVersion("1.0.0.0"), FriendlyName("AADOnPremisesPublishingProfilesSettings")]
class MSFT_AADOnPremisesPublishingProfilesSettings : OMI_BaseResource
{
[Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance;
[Write, Description("Enables of disables private net work connectors in Entra Id.")] Boolean IsEnabled;
[Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADOnPremisesPublishingProfilesSettings
## Description
Configures the settings for the on-premises publishing profiles in Entra Id.

28
Modules/Microsoft365DSC/DSCResources/MSFT_AADOnPremisesPublishingProfilesSettings/settings.json Normal file
Просмотреть файл

@ -0,0 +1,28 @@
{
"resourceName": "AADOnPremisesPublishingProfilesSettings",
"description": "Configures the settings for the on-premises publishing profiles in Entra Id.",
"roles": {
"read": [],
"update": []
},
"permissions": {
"graph": {
"delegated": {
"read": [],
"update": []
},
"application": {
"read": [
{
"name": "Directory.Read.All"
}
],
"update": [
{
"name": "Directory.ReadWrite.All"
}
]
}
}
}
}

4
Modules/Microsoft365DSC/DSCResources/MSFT_AADOrganizationCertificateBasedAuthConfiguration/MSFT_AADOrganizationCertificateBasedAuthConfiguration.psm1
Просмотреть файл

@ -201,7 +201,7 @@ function Set-TargetResource
# Delete the old configuration
Write-Verbose -Message "Removing the current Azure AD Organization Certificate Based Auth Configuration."
Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/organization/$OrganizationId/certificateBasedAuthConfiguration/$CertificateBasedAuthConfigurationId" -Method DELETE
Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/organization/$OrganizationId/certificateBasedAuthConfiguration/$CertificateBasedAuthConfigurationId" -Method DELETE
if ($Ensure -eq 'Present')
{
@ -225,7 +225,7 @@ function Set-TargetResource
certificateAuthorities = $createCertAuthorities
}
$policy = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/organization/$OrganizationId/certificateBasedAuthConfiguration/" -Method POST -Body $params
$policy = Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/organization/$OrganizationId/certificateBasedAuthConfiguration/" -Method POST -Body $params
}
}

2
Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/settings.json
Просмотреть файл

@ -1,5 +1,5 @@
{
"resourceName": "AADGroupsSettings",
"resourceName": "AADPasswordRuleSettings",
"description": "This resource configures the Azure Active Directory Password Rule Settings.",
"roles": {
"read": [],

680
Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/MSFT_AADRemoteNetwork.psm1 Normal file
Просмотреть файл

@ -0,0 +1,680 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$Region,
[Parameter()]
[System.String[]]
$ForwardingProfiles,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$DeviceLinks,
[Parameter()]
[System.String]
[ValidateSet('Absent', 'Present')]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
try
{
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
$nullResult.Ensure = 'Absent'
$getValue = $null
#region resource generator code
if (-not [System.String]::IsNullOrEmpty($Id)) {
$getValue = Get-MgBetaNetworkAccessConnectivityRemoteNetwork -RemoteNetworkId $Id -ErrorAction SilentlyContinue
}
if ($null -eq $getValue)
{
Write-Verbose -Message "Could not find an Azure AD Remote Network with Id {$Id}"
if (-not [System.String]::IsNullOrEmpty($Name))
{
$getValue = Get-MgBetaNetworkAccessConnectivityRemoteNetwork -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $Name }
}
}
#endregion
if ($null -eq $getValue)
{
Write-Verbose -Message "Could not find an Azure AD Remote Network with Name {$Name}."
return $nullResult
}
$Id = $getValue.Id
Write-Verbose -Message "An Azure AD Remote Network with Id {$Id} and Name {$Name} was found"
#region resource generator code
$forwardingProfilesList = @()
foreach ($forwardingProfile in $getValue.ForwardingProfiles) {
$forwardingProfilesList += $forwardingProfile.Name
}
$complexDeviceLinks = Get-MicrosoftGraphRemoteNetworkDeviceLinksHashtable -DeviceLinks $getValue.DeviceLinks
#endregion
$results = @{
Id = $getValue.Id
Name = $getValue.Name
Region = $getValue.Region
ForwardingProfiles = [Array]$forwardingProfilesList
DeviceLinks = [Array]$complexDeviceLinks
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
ApplicationSecret = $ApplicationSecret
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
}
return [System.Collections.Hashtable] $results
}
catch
{
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$Region,
[Parameter()]
[System.String[]]
$ForwardingProfiles,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$DeviceLinks,
[Parameter()]
[System.String]
[ValidateSet('Absent', 'Present')]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$currentInstance = Get-TargetResource @PSBoundParameters
$BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
# creating the device links property
$deviceLinksHashtable = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $BoundParameters.DeviceLinks
# renames the odataType property to @odata.type
$deviceLinksHashtable = Rename-M365DSCCimInstanceParameter -Properties $deviceLinksHashtable
#creating the forwarding policies list by getting the ids
$allForwardingProfiles = Get-MgBetaNetworkAccessForwardingProfile
$forwardingProfilesList = @()
foreach ($profileName in $BoundParameters.ForwardingProfiles) {
$matchedProfile = $allForwardingProfiles | Where-Object { $_.Name -eq $profileName }
$forwardingProfilesList += @{
id = $matchedProfile.Id
}
}
if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
{
Write-Verbose -Message "Creating an Azure AD Remote Network with Name {$Name}"
$params = @{
name = $BoundParameters.Name
region = $BoundParameters.Region
deviceLinks = [Array]$deviceLinksHashtable
forwardingProfiles = [Array]$forwardingProfilesList
}
New-MgBetaNetworkAccessConnectivityRemoteNetwork -BodyParameter $params
}
elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Updating the Azure AD Remote Network with Id {$($currentInstance.Id)}"
$currentRemoteNetwork = Get-MgBetaNetworkAccessConnectivityRemoteNetwork -RemoteNetworkId $currentInstance.Id
#removing the old device links
foreach ($deviceLinkItem in $currentRemoteNetwork.DeviceLinks) {
Remove-MgBetaNetworkAccessConnectivityRemoteNetworkDeviceLink -RemoteNetworkId $currentInstance.Id -DeviceLinkId $deviceLinkItem.Id
}
# updating the list of device links
foreach ($deviceLinkItem in $deviceLinksHashtable) {
Write-Verbose "Device Link Hashtable: $deviceLinksItem"
New-MgBetaNetworkAccessConnectivityRemoteNetworkDeviceLink -RemoteNetworkId $currentInstance.Id -BodyParameter $deviceLinkItem
}
# removing forwarding profiles
$params = @{
"@context" = '#$delta'
value = @(@{})
}
Invoke-MgGraphRequest -Uri https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks/$($currentInstance.Id)/forwardingProfiles -Method Patch -Body $params
#adding forwarding profiles if required
if ($forwardingProfilesList.Count -gt 0) {
$params = @{
"@context" = '#$delta'
value = $forwardingProfilesList
}
Invoke-MgGraphRequest -Uri https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks/$($currentInstance.Id)/forwardingProfiles -Method Patch -Body $params
}
}
elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Removing the Azure AD Remote Network with Id {$($currentInstance.Id)}"
#region resource generator code
Remove-MgBetaNetworkAccessConnectivityRemoteNetwork -RemoteNetworkId $currentInstance.Id
#endregion
}
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$Name,
[Parameter()]
[System.String]
$Id,
[Parameter()]
[System.String]
$Region,
[Parameter()]
[System.String[]]
$ForwardingProfiles,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$DeviceLinks,
[Parameter()]
[System.String]
[ValidateSet('Absent', 'Present')]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
Write-Verbose -Message "Testing configuration of the Azure AD Remote Network with Id {$Id} and Name {$Name}"
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
if ($CurrentValues.Ensure -ne $Ensure)
{
Write-Verbose -Message "Test-TargetResource returned $false"
return $false
}
$testResult = $true
#Compare Cim instances
foreach ($key in $PSBoundParameters.Keys)
{
$source = $PSBoundParameters.$key
$target = $CurrentValues.$key
if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
{
$testResult = Compare-M365DSCComplexObject `
-Source ($source) `
-Target ($target)
if (-not $testResult)
{
break
}
$ValuesToCheck.Remove($key) | Out-Null
}
}
$ValuesToCheck.Remove('Id') | Out-Null
$ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
if ($testResult)
{
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
}
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.String]
$Filter,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
#region resource generator code
[array]$getValue = Get-MgBetaNetworkAccessConnectivityRemoteNetwork `
-Filter $Filter `
-All `
-ErrorAction Stop
#endregion
$i = 1
$dscContent = ''
if ($getValue.Length -eq 0)
{
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
else
{
Write-Host "`r`n" -NoNewline
}
foreach ($config in $getValue)
{
$displayedKey = $config.Id
if (-not [String]::IsNullOrEmpty($config.Name))
{
$displayedKey = $config.Name
}
elseif (-not [string]::IsNullOrEmpty($config.name))
{
$displayedKey = $config.name
}
Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline
$params = @{
Id = $config.Id
Name = $config.Name
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
ApplicationSecret = $ApplicationSecret
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
if ($null -ne $Results.DeviceLinks -and $Results.DeviceLinks.Count -gt 0)
{
$Results.DeviceLinks = Get-MicrosoftGraphRemoteNetworkDeviceLinksHashtableAsString -DeviceLinks $Results.DeviceLinks
}
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
if ($Results.DeviceLinks)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "DeviceLinks"
}
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$i++
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
function Get-MicrosoftGraphRemoteNetworkDeviceLinksHashtable {
[CmdletBinding()]
[OutputType([System.Collections.ArrayList])]
param (
[Parameter()]
[System.Collections.ArrayList]
$DeviceLinks
)
$newDeviceLinks = @()
foreach ($deviceLink in $DeviceLinks) {
$newDeviceLink = @{}
# Add main properties only if they are not null
if ($deviceLink.Name) { $newDeviceLink["Name"] = $deviceLink.Name }
if ($deviceLink.IpAddress) { $newDeviceLink["IPAddress"] = $deviceLink.IpAddress }
if ($deviceLink.BandwidthCapacityInMbps) { $newDeviceLink["BandwidthCapacityInMbps"] = $deviceLink.BandwidthCapacityInMbps }
if ($deviceLink.DeviceVendor) { $newDeviceLink["DeviceVendor"] = $deviceLink.DeviceVendor }
# BGP Configuration
if ($deviceLink.BgpConfiguration) {
$bgpConfig = @{}
if ($deviceLink.BgpConfiguration.Asn) { $bgpConfig["Asn"] = $deviceLink.BgpConfiguration.Asn }
if ($deviceLink.BgpConfiguration.LocalIPAddress) { $bgpConfig["LocalIPAddress"] = $deviceLink.BgpConfiguration.LocalIPAddress }
if ($deviceLink.BgpConfiguration.PeerIPAddress) { $bgpConfig["PeerIPAddress"] = $deviceLink.BgpConfiguration.PeerIPAddress }
if ($bgpConfig.Count -gt 0) { $newDeviceLink["BgpConfiguration"] = $bgpConfig }
}
# Redundancy Configuration
if ($deviceLink.RedundancyConfiguration) {
$redundancyConfig = @{}
if ($deviceLink.RedundancyConfiguration.RedundancyTier) { $redundancyConfig["RedundancyTier"] = $deviceLink.RedundancyConfiguration.RedundancyTier }
if ($deviceLink.RedundancyConfiguration.ZoneLocalIPAddress) { $redundancyConfig["ZoneLocalIPAddress"] = $deviceLink.RedundancyConfiguration.ZoneLocalIPAddress }
if ($redundancyConfig.Count -gt 0) { $newDeviceLink["RedundancyConfiguration"] = $redundancyConfig }
}
# Tunnel Configuration
if ($deviceLink.TunnelConfiguration) {
$tunnelConfig = @{}
if ($deviceLink.TunnelConfiguration.PreSharedKey) { $tunnelConfig["PreSharedKey"] = $deviceLink.TunnelConfiguration.PreSharedKey }
if ($deviceLink.TunnelConfiguration.ZoneRedundancyPreSharedKey) { $tunnelConfig["ZoneRedundancyPreSharedKey"] = $deviceLink.TunnelConfiguration.ZoneRedundancyPreSharedKey }
# Additional Properties
if ($deviceLink.TunnelConfiguration.AdditionalProperties) {
if ($deviceLink.TunnelConfiguration.AdditionalProperties.saLifeTimeSeconds) { $tunnelConfig["SaLifeTimeSeconds"] = $deviceLink.TunnelConfiguration.AdditionalProperties.saLifeTimeSeconds }
if ($deviceLink.TunnelConfiguration.AdditionalProperties.ipSecEncryption) { $tunnelConfig["IPSecEncryption"] = $deviceLink.TunnelConfiguration.AdditionalProperties.ipSecEncryption }
if ($deviceLink.TunnelConfiguration.AdditionalProperties.ipSecIntegrity) { $tunnelConfig["IPSecIntegrity"] = $deviceLink.TunnelConfiguration.AdditionalProperties.ipSecIntegrity }
if ($deviceLink.TunnelConfiguration.AdditionalProperties.ikeEncryption) { $tunnelConfig["IKEEncryption"] = $deviceLink.TunnelConfiguration.AdditionalProperties.ikeEncryption }
if ($deviceLink.TunnelConfiguration.AdditionalProperties.ikeIntegrity) { $tunnelConfig["IKEIntegrity"] = $deviceLink.TunnelConfiguration.AdditionalProperties.ikeIntegrity }
if ($deviceLink.TunnelConfiguration.AdditionalProperties.dhGroup) { $tunnelConfig["DHGroup"] = $deviceLink.TunnelConfiguration.AdditionalProperties.dhGroup }
if ($deviceLink.TunnelConfiguration.AdditionalProperties.pfsGroup) { $tunnelConfig["PFSGroup"] = $deviceLink.TunnelConfiguration.AdditionalProperties.pfsGroup }
if ($deviceLink.TunnelConfiguration.AdditionalProperties["@odata.type"]) { $tunnelConfig["ODataType"] = $deviceLink.TunnelConfiguration.AdditionalProperties["@odata.type"] }
}
if ($tunnelConfig.Count -gt 0) { $newDeviceLink["TunnelConfiguration"] = $tunnelConfig }
}
# Add the device link to the collection if it has any properties
if ($newDeviceLink.Count -gt 0) { $newDeviceLinks += $newDeviceLink }
}
return $newDeviceLinks
}
function Get-MicrosoftGraphRemoteNetworkDeviceLinksHashtableAsString {
[CmdletBinding()]
[OutputType([System.String])]
param (
[Parameter(Mandatory = $true)]
[System.Collections.ArrayList]
$DeviceLinks
)
$StringContent = [System.Text.StringBuilder]::new()
$StringContent.Append('@(') | Out-Null
foreach ($deviceLink in $DeviceLinks) {
$StringContent.Append("`n MSFT_AADRemoteNetworkDeviceLink {`r`n") | Out-Null
# Append main properties if not null
if ($deviceLink.Name) { $StringContent.Append(" Name = '" + $deviceLink.Name + "'`r`n") | Out-Null }
if ($deviceLink.IPAddress) { $StringContent.Append(" IPAddress = '" + $deviceLink.IPAddress + "'`r`n") | Out-Null }
if ($deviceLink.BandwidthCapacityInMbps) { $StringContent.Append(" BandwidthCapacityInMbps = '" + $deviceLink.BandwidthCapacityInMbps + "'`r`n") | Out-Null }
if ($deviceLink.DeviceVendor) { $StringContent.Append(" DeviceVendor = '" + $deviceLink.DeviceVendor + "'`r`n") | Out-Null }
# BGP Configuration
if ($deviceLink.BgpConfiguration) {
$bgpConfigAdded = $false
$StringContent.Append(" BgpConfiguration = MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration {`r`n") | Out-Null
if ($deviceLink.BgpConfiguration.Asn) { $StringContent.Append(" Asn = " + $deviceLink.BgpConfiguration.Asn + "`r`n") | Out-Null; $bgpConfigAdded = $true }
if ($deviceLink.BgpConfiguration.LocalIPAddress) { $StringContent.Append(" LocalIPAddress = '" + $deviceLink.BgpConfiguration.LocalIPAddress + "'`r`n") | Out-Null; $bgpConfigAdded = $true }
if ($deviceLink.BgpConfiguration.PeerIPAddress) { $StringContent.Append(" PeerIPAddress = '" + $deviceLink.BgpConfiguration.PeerIPAddress + "'`r`n") | Out-Null; $bgpConfigAdded = $true }
if ($bgpConfigAdded) { $StringContent.Append(" }`r`n") | Out-Null }
}
# Redundancy Configuration
if ($deviceLink.RedundancyConfiguration) {
$redundancyConfigAdded = $false
$StringContent.Append(" RedundancyConfiguration = MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration {`r`n") | Out-Null
if ($deviceLink.RedundancyConfiguration.RedundancyTier) { $StringContent.Append(" RedundancyTier = '" + $deviceLink.RedundancyConfiguration.RedundancyTier + "'`r`n") | Out-Null; $redundancyConfigAdded = $true }
if ($deviceLink.RedundancyConfiguration.ZoneLocalIPAddress) { $StringContent.Append(" ZoneLocalIPAddress = '" + $deviceLink.RedundancyConfiguration.ZoneLocalIPAddress + "'`r`n") | Out-Null; $redundancyConfigAdded = $true }
if ($redundancyConfigAdded) { $StringContent.Append(" }`r`n") | Out-Null }
}
# Tunnel Configuration
if ($deviceLink.TunnelConfiguration) {
$tunnelConfigAdded = $false
$StringContent.Append(" TunnelConfiguration = MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration {`r`n") | Out-Null
if ($deviceLink.TunnelConfiguration.PreSharedKey) { $StringContent.Append(" PreSharedKey = '" + $deviceLink.TunnelConfiguration.PreSharedKey + "'`r`n") | Out-Null; $tunnelConfigAdded = $true }
if ($deviceLink.TunnelConfiguration.ZoneRedundancyPreSharedKey) { $StringContent.Append(" ZoneRedundancyPreSharedKey = '" + $deviceLink.TunnelConfiguration.ZoneRedundancyPreSharedKey + "'`r`n") | Out-Null; $tunnelConfigAdded = $true }
if ($deviceLink.TunnelConfiguration.SaLifeTimeSeconds) { $StringContent.Append(" SaLifeTimeSeconds = " + $deviceLink.TunnelConfiguration.SaLifeTimeSeconds + "`r`n") | Out-Null; $tunnelConfigAdded = $true }
if ($deviceLink.TunnelConfiguration.IpSecEncryption) { $StringContent.Append(" IPSecEncryption = '" + $deviceLink.TunnelConfiguration.IpSecEncryption + "'`r`n") | Out-Null; $tunnelConfigAdded = $true }
if ($deviceLink.TunnelConfiguration.IpSecIntegrity) { $StringContent.Append(" IPSecIntegrity = '" + $deviceLink.TunnelConfiguration.IpSecIntegrity + "'`r`n") | Out-Null; $tunnelConfigAdded = $true }
if ($deviceLink.TunnelConfiguration.IkeEncryption) { $StringContent.Append(" IKEEncryption = '" + $deviceLink.TunnelConfiguration.IkeEncryption + "'`r`n") | Out-Null; $tunnelConfigAdded = $true }
if ($deviceLink.TunnelConfiguration.IkeIntegrity) { $StringContent.Append(" IKEIntegrity = '" + $deviceLink.TunnelConfiguration.IkeIntegrity + "'`r`n") | Out-Null; $tunnelConfigAdded = $true }
if ($deviceLink.TunnelConfiguration.DhGroup) { $StringContent.Append(" DHGroup = '" + $deviceLink.TunnelConfiguration.DhGroup + "'`r`n") | Out-Null; $tunnelConfigAdded = $true }
if ($deviceLink.TunnelConfiguration.PfsGroup) { $StringContent.Append(" PFSGroup = '" + $deviceLink.TunnelConfiguration.PfsGroup + "'`r`n") | Out-Null; $tunnelConfigAdded = $true }
if ($deviceLink.TunnelConfiguration.ODataType) { $StringContent.Append(" ODataType = '" + $deviceLink.TunnelConfiguration.ODataType + "'`r`n") | Out-Null; $tunnelConfigAdded = $true }
if ($tunnelConfigAdded) { $StringContent.Append(" }`r`n") | Out-Null }
}
$StringContent.Append(" }`r`n") | Out-Null
}
$StringContent.Append(' )') | Out-Null
return $StringContent.ToString()
}
Export-ModuleMember -Function *-TargetResource

60
Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/MSFT_AADRemoteNetwork.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,60 @@
[ClassVersion("1.0.0")]
class MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration
{
[Write, Description("LocalIpAddress.")] String LocalIPAddress;
[Write, Description("PeerIpAddress.")] String PeerIPAddress;
[Write, Description("Asn.")] UInt32 Asn;
};
[ClassVersion("1.0.0")]
class MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration
{
[Write, Description("ZoneLocalIpAddress.")] String ZoneLocalIPAddress;
[Write, Description("RedundancyTier.")] String RedundancyTier;
};
[ClassVersion("1.0.0")]
class MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration
{
[Write, Description("PreSharedKey")] String PreSharedKey;
[Write, Description("ZoneRedundancyPreSharedKey")] String ZoneRedundancyPreSharedKey;
[Write, Description("SaLifeTimeSeconds")] UInt32 SaLifeTimeSeconds;
[Write, Description("IpSecEncryption")] String IPSecEncryption;
[Write, Description("IpSecIntegrity")] String IPSecIntegrity;
[Write, Description("IkeEncryption")] String IKEEncryption;
[Write, Description("IkeIntegrity")] String IKEIntegrity;
[Write, Description("DhGroup")] String DHGroup;
[Write, Description("PfsGroup")] String PFSGroup;
[Write, Description("ODataType")] String ODataType;
};
[ClassVersion("1.0.0")]
class MSFT_AADRemoteNetworkDeviceLink
{
[Write, Description("Name of the Device Link")] String Name;
[Write, Description("IP Address")] String IPAddress;
[Write, Description("Bandwidth Capacity in Mbps")] String BandwidthCapacityInMbps;
[Write, Description("Device Vendor")] String DeviceVendor;
[Write, Description("BgpConfiguration."), EmbeddedInstance("MSFT_AADRemoteNetworkDeviceLinkbgpConfiguration")] String BgpConfiguration;
[Write, Description("redundancyConfiguration."), EmbeddedInstance("MSFT_AADRemoteNetworkDeviceLinkRedundancyConfiguration")] String RedundancyConfiguration;
[Write, Description("tunnelConfiguration"), EmbeddedInstance("MSFT_AADRemoteNetworkDeviceLinkTunnelConfiguration")] String TunnelConfiguration;
};
[ClassVersion("1.0.0.0"), FriendlyName("AADRemoteNetwork")]
class MSFT_AADRemoteNetwork : OMI_BaseResource
{
[Key, Description("Name of the remote network.")] String Name;
[Write, Description("Id of the remote network")] String Id;
[Write, Description("Region")] String Region;
[Write, Description("List of the forwarding profile names associated to this remote network")] String ForwardingProfiles[];
[Write, Description("Device Links associated to this remote network"), EmbeddedInstance("MSFT_AADRemoteNetworkDeviceLink")] String DeviceLinks[];
[Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
[Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADRemoteNetwork
## Description
Use this resource to manage the Entra's Network Access Remote Networks, and related Device links.

32
Modules/Microsoft365DSC/DSCResources/MSFT_AADRemoteNetwork/settings.json Normal file
Просмотреть файл

@ -0,0 +1,32 @@
{
"resourceName": "AADRemoteNetwork",
"description": "Use this resource to manage the Entra's Network Access Remote Networks, and related Device links.",
"permissions": {
"graph": {
"delegated": {
"read": [
{
"name": "NetworkAccess.Read.All"
}
],
"update": [
{
"name": "NetworkAccess.ReadWrite.All"
}
]
},
"application": {
"read": [
{
"name": "NetworkAccess.Read.All"
}
],
"update": [
{
"name": "NetworkAccess.ReadWrite.All"
}
]
}
}
}
}

18
Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1
Просмотреть файл

@ -181,11 +181,16 @@
return $nullResult
}
Write-Verbose -Message "Found Principal {$PrincipalId}"
$RoleDefinitionId = (Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$RoleDefinition'").Id
Write-Verbose -Message "Found Role {$RoleDefinitionId}"
$schedule = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$PrincipalId' and RoleDefinitionId eq '$RoleDefinitionId'"
[Array]$request = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -Filter "PrincipalId eq '$PrincipalId' and RoleDefinitionId eq '$RoleDefinitionId'" | Sort-Object -Property CompletedDateTime -Descending
$schedulesForPrincipal = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$PrincipalId'"
foreach ($instance in $schedulesForPrincipal)
{
$roleInfo = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $instance.RoleDefinitionId
if ($roleInfo.DisplayName -eq $RoleDefinition)
{
$schedule = $instance
}
}
[Array]$request = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -Filter "PrincipalId eq '$PrincipalId' and RoleDefinitionId eq '$($schedule.RoleDefinitionId)'" | Sort-Object -Property CompletedDateTime -Descending
`
if ($request.Length -gt 1)
{
@ -195,6 +200,7 @@
}
else
{
Write-Verbose -Message "Request is not null: $request"
$ObjectGuid = [System.Guid]::empty
if ($PrincipalType -eq 'User')
{
@ -581,7 +587,7 @@ function Set-TargetResource
{
Write-Verbose -Message "Creating a Role Eligibility Schedule Request for user {$Principal} and role {$RoleDefinition}"
$ParametersOps.Remove("Id") | Out-Null
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $ParametersOps)"
Write-Verbose -Message "Values: $(Convert-M365DscHashtableToString -Hashtable $ParametersOps)"
New-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest @ParametersOps
}
elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')

829
Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/MSFT_AADRoleManagementPolicyRule.psm1 Normal file
Просмотреть файл

@ -0,0 +1,829 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$id,
[Parameter(Mandatory = $true)]
[System.String]
$roleDisplayName,
[Parameter()]
[System.String]
$ruleType,
[Parameter()]
[System.String]
$policyId,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$expirationRule,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$notificationRule,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$enablementRule,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$approvalRule,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$authenticationContextRule,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
try
{
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
$getValue = $null
$role = Get-MgBetaRoleManagementDirectoryRoleDefinition -All -Filter "DisplayName eq '$($roleDisplayName)'"
if($null -eq $role)
{
Write-Verbose -Message "Could not find an Azure AD Role Management Definition with DisplayName {$roleDisplayName}"
return $nullResult
}
$assignment = Get-MgBetaPolicyRoleManagementPolicyAssignment -Filter "RoleDefinitionId eq '$($role.Id)' and scopeId eq '/' and scopeType eq 'DirectoryRole'"
if($null -eq $assignment)
{
Write-Verbose -Message "Could not find an Azure AD Role Management Policy Assignment with RoleDefinitionId {$role.Id}"
return $nullResult
}
$policyId = $assignment.PolicyId
$getValue = Get-MgBetaPolicyRoleManagementPolicyRule `
-UnifiedRoleManagementPolicyId $policyId `
-UnifiedRoleManagementPolicyRuleId $id -ErrorAction SilentlyContinue
if ($null -eq $getValue)
{
Write-Verbose -Message "Could not find an Azure AD Role Management Policy Rule with Id {$id} and PolicyId {$policyId}."
return $nullResult
}
Write-Verbose -Message "An Azure AD Role Management Policy Rule with Id {$id} and PolicyId {$policyId} was found"
$rule = Get-M365DSCRoleManagementPolicyRuleObject -Rule $getValue
$results = @{
id = $id
policyId = $policyId
roleDisplayName = $roleDisplayName
ruleType = $rule.ruleType
expirationRule = $rule.expirationRule
notificationRule = $rule.notificationRule
enablementRule = $rule.enablementRule
approvalRule = $rule.approvalRule
authenticationContextRule = $rule.authenticationContextRule
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
ApplicationSecret = $ApplicationSecret
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
}
return [System.Collections.Hashtable] $results
}
catch
{
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$id,
[Parameter(Mandatory = $true)]
[System.String]
$roleDisplayName,
[Parameter()]
[System.String]
$ruleType,
[Parameter()]
[System.String]
$policyId,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$expirationRule,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$notificationRule,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$enablementRule,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$approvalRule,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$authenticationContextRule,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$currentInstance = Get-TargetResource @PSBoundParameters
$BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
Write-Verbose -Message "Updating the Azure AD Role Management Policy Rule with Id {$($currentInstance.Id)}"
$body = @{
'@odata.type' = $ruleType
}
if($ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule')
{
$expirationRuleHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $expirationRule
# add all the properties to the body
foreach($key in $expirationRuleHashmap.Keys)
{
$body.Add($key, $expirationRuleHashmap.$key)
}
}
if($ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyNotificationRule')
{
$notificationRuleHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $notificationRule
# add all the properties to the body
foreach($key in $notificationRuleHashmap.Keys)
{
$body.Add($key, $notificationRuleHashmap.$key)
}
}
if($ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule')
{
$enablementRuleHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $enablementRule
# add all the properties to the body
foreach($key in $enablementRuleHashmap.Keys)
{
$body.Add($key, $enablementRuleHashmap.$key)
}
}
if($ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule')
{
$approvalRuleHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $approvalRule
# add all the properties to the body
foreach($key in $approvalRuleHashmap.Keys)
{
$body.Add($key, $approvalRuleHashmap.$key)
}
}
if($ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule')
{
$authenticationContextRuleHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $authenticationContextRule
# add all the properties to the body
foreach($key in $authenticationContextRuleHashmap.Keys)
{
$body.Add($key, $authenticationContextRuleHashmap.$key)
}
}
Update-MgBetaPolicyRoleManagementPolicyRule `
-UnifiedRoleManagementPolicyId $currentInstance.policyId `
-UnifiedRoleManagementPolicyRuleId $currentInstance.Id `
-BodyParameter $body
#endregion
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$id,
[Parameter(Mandatory = $true)]
[System.String]
$roleDisplayName,
[Parameter()]
[System.String]
$ruleType,
[Parameter()]
[System.String]
$policyId,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$expirationRule,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$notificationRule,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$enablementRule,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$approvalRule,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$authenticationContextRule,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
Write-Verbose -Message "Testing configuration of the Azure AD Role Management Policy Rule with Id {$Id} and DisplayName {$DisplayName}"
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
$testResult = $true
#Compare Cim instances
foreach ($key in $PSBoundParameters.Keys)
{
$source = $PSBoundParameters.$key
$target = $CurrentValues.$key
if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
{
$testResult = Compare-M365DSCComplexObject `
-Source ($source) `
-Target ($target)
if (-not $testResult)
{
break
}
$ValuesToCheck.Remove($key) | Out-Null
}
}
$ValuesToCheck.Remove('Id') | Out-Null
$ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
if ($testResult)
{
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
}
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.String]
$Filter,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$dscContent = [System.Text.StringBuilder]::new()
Write-Host "`r`n" -NoNewline
try
{
[array] $roles = Get-MgBetaRoleManagementDirectoryRoleDefinition -All
$j = 1
foreach ($role in $roles)
{
$assignment = Get-MgBetaPolicyRoleManagementPolicyAssignment -Filter "RoleDefinitionId eq '$($role.Id)' and scopeId eq '/' and scopeType eq 'DirectoryRole'"
$policyId = $assignment.PolicyId
$rules = Get-MgBetaPolicyRoleManagementPolicyRule `
-UnifiedRoleManagementPolicyId $policyId
Write-Host " |---[$j/$($roles.Count)] $($role.displayName)"
$i = 1
foreach($rule in $rules)
{
Write-Host " |---[$i/$($rules.Count)] $($role.displayName)_$($rule.id)" -NoNewline
$Params = @{
roleDisplayName = $role.displayName
id = $rule.id
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ApplicationSecret = $ApplicationSecret
Credential = $Credential
Managedidentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
if ($null -ne $Results.expirationRule)
{
$complexMapping = @(
@{
Name = 'expirationRule'
CimInstanceName = 'AADRoleManagementPolicyExpirationRule'
IsRequired = $False
}
)
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.expirationRule`
-CIMInstanceName 'AADRoleManagementPolicyExpirationRule' `
-ComplexTypeMapping $complexMapping
if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.expirationRule = $complexTypeStringResult
}
else
{
$Results.Remove('expirationRule') | Out-Null
}
}
if ($null -ne $Results.notificationRule)
{
$complexMapping = @(
@{
Name = 'notificationRule'
CimInstanceName = 'AADRoleManagementPolicyNotificationRule'
IsRequired = $False
}
)
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.notificationRule`
-CIMInstanceName 'AADRoleManagementPolicyNotificationRule' `
-ComplexTypeMapping $complexMapping
if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.notificationRule = $complexTypeStringResult
}
else
{
$Results.Remove('notificationRule') | Out-Null
}
}
if ($null -ne $Results.enablementRule)
{
$complexMapping = @(
@{
Name = 'enablementRule'
CimInstanceName = 'AADRoleManagementPolicyEnablementRule'
IsRequired = $False
}
)
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.enablementRule`
-CIMInstanceName 'AADRoleManagementPolicyEnablementRule' `
-ComplexTypeMapping $complexMapping
if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.enablementRule = $complexTypeStringResult
}
else
{
$Results.Remove('enablementRule') | Out-Null
}
}
if ($null -ne $Results.authenticationContextRule)
{
$complexMapping = @(
@{
Name = 'authenticationContextRule'
CimInstanceName = 'AADRoleManagementPolicyAuthenticationContextRule'
IsRequired = $False
}
)
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.authenticationContextRule`
-CIMInstanceName 'AADRoleManagementPolicyAuthenticationContextRule' `
-ComplexTypeMapping $complexMapping
if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.authenticationContextRule = $complexTypeStringResult
}
else
{
$Results.Remove('authenticationContextRule') | Out-Null
}
}
if ($null -ne $Results.approvalRule)
{
$complexMapping = @(
@{
Name = 'approvalRule'
CimInstanceName = 'AADRoleManagementPolicyApprovalRule'
IsRequired = $False
}
@{
Name = 'setting'
CimInstanceName = 'AADRoleManagementPolicyApprovalSettings'
IsRequired = $False
}
@{
Name = 'approvalStages'
CimInstanceName = 'AADRoleManagementPolicyApprovalStage'
IsRequired = $False
}
@{
Name = 'escalationApprovers'
CimInstanceName = 'AADRoleManagementPolicySubjectSet'
IsRequired = $False
}
@{
Name = 'primaryApprovers'
CimInstanceName = 'AADRoleManagementPolicySubjectSet'
IsRequired = $False
}
)
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.approvalRule`
-CIMInstanceName 'AADRoleManagementPolicyApprovalRule' `
-ComplexTypeMapping $complexMapping
if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.approvalRule = $complexTypeStringResult
}
else
{
$Results.Remove('approvalRule') | Out-Null
}
}
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
if ($Results.expirationRule)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "expirationRule" -IsCIMArray:$false
}
if ($Results.notificationRule)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "notificationRule" -IsCIMArray:$false
}
if ($Results.enablementRule)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "enablementRule" -IsCIMArray:$false
}
if ($Results.approvalRule)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "approvalRule" -IsCIMArray:$false
}
if ($Results.authenticationContextRule)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "authenticationContextRule" -IsCIMArray:$false
}
$dscContent.Append($currentDSCBlock) | Out-Null
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
Write-Host $Global:M365DSCEmojiGreenCheckMark
$i++
}
$j++
}
return $dscContent.ToString()
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
function Get-M365DSCRoleManagementPolicyRuleObject
{
[CmdletBinding()]
[OutputType([PSCustomObject])]
param(
[Parameter()]
$Rule
)
if ($null -eq $Rule)
{
return $null
}
$odataType = "@odata.type"
$values = @{
id = $Rule.id
ruleType = $Rule.AdditionalProperties.$odataType
}
if($values.ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule')
{
$expirationRule = @{
isExpirationRequired = $Rule.AdditionalProperties.isExpirationRequired
maximumDuration = $Rule.AdditionalProperties.maximumDuration
}
$values.Add('expirationRule', $expirationRule)
}
if($values.ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyNotificationRule')
{
$notificationRule = @{
notificationType = $Rule.AdditionalProperties.notificationType
recipientType = $Rule.AdditionalProperties.recipientType
notificationLevel = $Rule.AdditionalProperties.notificationLevel
isDefaultRecipientsEnabled = $Rule.AdditionalProperties.isDefaultRecipientsEnabled
notificationRecipients = [array]$Rule.AdditionalProperties.notificationRecipients
}
$values.Add('notificationRule', $notificationRule)
}
if($values.ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule')
{
$enablementRule = @{
enabledRules = [array]$Rule.AdditionalProperties.enabledRules
}
$values.Add('enablementRule', $enablementRule)
}
if($values.ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule')
{
$approvalStages = @()
foreach($stage in $Rule.AdditionalProperties.setting.approvalStages)
{
$primaryApprovers = @()
foreach($approver in $stage.primaryApprovers)
{
$primaryApprover = @{
odataType = $approver.$odataType
}
$primaryApprovers += $primaryApprover
}
$escalationApprovers = @()
foreach($approver in $stage.escalationApprovers)
{
$escalationApprover = @{
odataType = $approver.$odataType
}
$escalationApprovers += $escalationApprover
}
$approvalStage = @{
approvalStageTimeOutInDays = $stage.approvalStageTimeOutInDays
escalationTimeInMinutes = $stage.escalationTimeInMinutes
isApproverJustificationRequired = $stage.isApproverJustificationRequired
isEscalationEnabled = $stage.isEscalationEnabled
escalationApprovers = [array]$escalationApprovers
primaryApprovers = [array]$primaryApprovers
}
$approvalStages += $approvalStage
}
$setting = @{
approvalMode = $Rule.AdditionalProperties.setting.approvalMode;
isApprovalRequired = $Rule.AdditionalProperties.setting.isApprovalRequired
isApprovalRequiredForExtension = $Rule.AdditionalProperties.setting.isApprovalRequiredForExtension
isRequestorJustificationRequired = $Rule.AdditionalProperties.setting.isRequestorJustificationRequired
approvalStages = [array]$approvalStages
}
$approvalRule = @{
setting = $setting
}
$values.Add('approvalRule', $approvalRule)
}
if($values.ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule')
{
$authenticationContextRule = @{
isEnabled = $Rule.AdditionalProperties.isEnabled
claimValue = $Rule.AdditionalProperties.claimValue
}
$values.Add('authenticationContextRule', $authenticationContextRule)
}
return $values
}
Export-ModuleMember -Function *-TargetResource

85
Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/MSFT_AADRoleManagementPolicyRule.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,85 @@
[ClassVersion("1.0.0.0")]
class MSFT_AADRoleManagementPolicyExpirationRule
{
[Write, Description("Specifies if expiration is required.")] Boolean isExpirationRequired;
[Write, Description("The maximum duration for the expiration.")] String maximumDuration;
};
[ClassVersion("1.0.0.0")]
class MSFT_AADRoleManagementPolicyNotificationRule
{
[Write, Description("Notification type for the rule.")] String notificationType;
[Write, Description("Type of the recipient for the notification.")] String recipientType;
[Write, Description("Level of the notification.")] String notificationLevel;
[Write, Description("Indicates if default recipients are enabled.")] Boolean isDefaultRecipientsEnabled;
[Write, Description("List of notification recipients.")] String notificationRecipients[];
};
[ClassVersion("1.0.0.0")]
class MSFT_AADRoleManagementPolicyEnablementRule
{
[Write, Description("List of enabled rules.")] String enabledRules[];
};
[ClassVersion("1.0.0.0")]
class MSFT_AADRoleManagementPolicySubjectSet
{
[Write, Description("The type of the subject set.")] String odataType;
};
[ClassVersion("1.0.0.0")]
class MSFT_AADRoleManagementPolicyApprovalStage
{
[Write, Description("The number of days that a request can be pending a response before it is automatically denied.")] UInt32 approvalStageTimeOutInDays;
[Write, Description("The time a request can be pending a response from a primary approver before it can be escalated to the escalation approvers.")] UInt32 escalationTimeInMinutes;
[Write, Description("Indicates whether the approver must provide justification for their reponse.")] Boolean isApproverJustificationRequired;
[Write, Description("Indicates whether escalation if enabled.")] Boolean isEscalationEnabled;
[Write, Description("The escalation approvers for this stage when the primary approvers don't respond."), EmbeddedInstance("MSFT_AADRoleManagementPolicySubjectSet")] String escalationApprovers[];
[Write, Description("The primary approvers of this stage."), EmbeddedInstance("MSFT_AADRoleManagementPolicySubjectSet")] String primaryApprovers[];
};
[ClassVersion("1.0.0.0")]
class MSFT_AADRoleManagementPolicyApprovalSettings
{
[Write, Description("One of SingleStage, Serial, Parallel, NoApproval (default). NoApproval is used when isApprovalRequired is false.")] String approvalMode;
[Write, Description("If approval is required, the one or two elements of this collection define each of the stages of approval. An empty array if no approval is required."), EmbeddedInstance("MSFT_AADRoleManagementPolicyApprovalStage")] String approvalStages[];
[Write, Description("Indicates whether approval is required for requests in this policy.")] Boolean isApprovalRequired;
[Write, Description("Indicates whether approval is required for a user to extend their assignment.")] Boolean isApprovalRequiredForExtension;
[Write, Description("Indicates whether the requestor is required to supply a justification in their request.")] Boolean isRequestorJustificationRequired;
};
[ClassVersion("1.0.0.0")]
class MSFT_AADRoleManagementPolicyApprovalRule
{
[Write, Description("Settings for approval requirements."), EmbeddedInstance("MSFT_AADRoleManagementPolicyApprovalSettings")] String setting;
};
[ClassVersion("1.0.0.0")]
class MSFT_AADRoleManagementPolicyAuthenticationContextRule
{
[Write, Description("Indicates if the authentication context rule is enabled.")] Boolean isEnabled;
[Write, Description("Claim value associated with the rule.")] String claimValue;
};
[ClassVersion("1.0.0.0"), FriendlyName("AADRoleManagementPolicyRule")]
class MSFT_AADRoleManagementPolicyRule : OMI_BaseResource
{
[Key, Description("The unique identifier for an entity. Read-only.")] String id;
[Key, Description("Role display name.")] String roleDisplayName;
[Write, Description("Rule Type.")] String ruleType;
[Write, Description("Policy Id.")] String policyId;
[Write, Description("Expiration Rule."), EmbeddedInstance("MSFT_AADRoleManagementPolicyExpirationRule")] String expirationRule;
[Write, Description("Notification Rule."), EmbeddedInstance("MSFT_AADRoleManagementPolicyNotificationRule")] String notificationRule;
[Write, Description("Enablement Rule."), EmbeddedInstance("MSFT_AADRoleManagementPolicyEnablementRule")] String enablementRule;
[Write, Description("Approval Rule."), EmbeddedInstance("MSFT_AADRoleManagementPolicyApprovalRule")] String approvalRule;
[Write, Description("Authentication Context Rule."), EmbeddedInstance("MSFT_AADRoleManagementPolicyAuthenticationContextRule")] String authenticationContextRule;
[Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

6
Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/readme.md Normal file
Просмотреть файл

@ -0,0 +1,6 @@
# AADRoleManagementPolicyRule
## Description
Azure AD Role Management Policy Rule

51
Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleManagementPolicyRule/settings.json Normal file
Просмотреть файл

@ -0,0 +1,51 @@
{
"resourceName": "AADRoleManagementPolicyRule",
"description": "This resource configures an Azure AD Role Management Policy Rule.",
"permissions": {
"graph": {
"delegated": {
"read": [
{
"name": "RoleManagementPolicy.Read.Directory"
},
{
"name": "RoleManagement.Read.Directory"
},
{
"name": "RoleManagement.Read.All"
}
],
"update": [
{
"name": "RoleManagementPolicy.ReadWrite.Directory"
},
{
"name": "RoleManagement.ReadWrite.Directory"
}
]
},
"application": {
"read": [
{
"name": "RoleManagementPolicy.Read.Directory"
},
{
"name": "RoleManagement.Read.Directory"
},
{
"name": "RoleManagement.Read.All"
}
],
"update": [
{
"name": "RoleManagementPolicy.ReadWrite.Directory"
},
{
"name": "RoleManagement.ReadWrite.Directory"
}
]
}
}
}
}

193
Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1
Просмотреть файл

@ -52,10 +52,18 @@ function Get-TargetResource
[System.String]
$LogoutUrl,
[Parameter()]
[System.String]
$Notes,
[Parameter()]
[System.String[]]
$Owners,
[Parameter()]
[System.String]
$PreferredSingleSignOnMode,
[Parameter()]
[System.String]
$PublisherName,
@ -80,6 +88,14 @@ function Get-TargetResource
[System.String[]]
$Tags,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$KeyCredentials,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$PasswordCredentials,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
@ -221,7 +237,8 @@ function Get-TargetResource
}
[Array]$complexDelegatedPermissionClassifications = @()
$permissionClassifications = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$AppId')/delegatedPermissionClassifications" -Method Get
$Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/servicePrincipals/$($AADServicePrincipal.Id)/delegatedPermissionClassifications"
$permissionClassifications = Invoke-MgGraphRequest -Uri $Uri -Method Get
foreach ($permissionClassification in $permissionClassifications.Value){
$hashtable = @{
classification = $permissionClassification.Classification
@ -230,13 +247,67 @@ function Get-TargetResource
$complexDelegatedPermissionClassifications += $hashtable
}
$complexCustomSecurityAttributes = [Array](Get-CustomSecurityAttributes -AppId $AppId)
$complexKeyCredentials = @()
foreach ($currentkeyCredentials in $AADServicePrincipal.keyCredentials)
{
$mykeyCredentials = @{}
if($null -ne $currentkeyCredentials.customKeyIdentifier)
{
$mykeyCredentials.Add('CustomKeyIdentifier', [convert]::ToBase64String($currentkeyCredentials.customKeyIdentifier))
}
$mykeyCredentials.Add('DisplayName', $currentkeyCredentials.displayName)
if ($null -ne $currentkeyCredentials.endDateTime)
{
$mykeyCredentials.Add('EndDateTime', ([DateTimeOffset]$currentkeyCredentials.endDateTime).ToString('o'))
}
$mykeyCredentials.Add('KeyId', $currentkeyCredentials.keyId)
if($null -ne $currentkeyCredentials.Key)
{
$mykeyCredentials.Add('Key', [convert]::ToBase64String($currentkeyCredentials.key))
}
if ($null -ne $currentkeyCredentials.startDateTime)
{
$mykeyCredentials.Add('StartDateTime', ([DateTimeOffset]$currentkeyCredentials.startDateTime).ToString('o'))
}
$mykeyCredentials.Add('Type', $currentkeyCredentials.type)
$mykeyCredentials.Add('Usage', $currentkeyCredentials.usage)
if ($mykeyCredentials.values.Where({$null -ne $_}).Count -gt 0)
{
$complexKeyCredentials += $mykeyCredentials
}
}
$complexPasswordCredentials = @()
foreach ($currentpasswordCredentials in $AADServicePrincipal.passwordCredentials)
{
$mypasswordCredentials = @{}
$mypasswordCredentials.Add('DisplayName', $currentpasswordCredentials.displayName)
if ($null -ne $currentpasswordCredentials.endDateTime)
{
$mypasswordCredentials.Add('EndDateTime', ([DateTimeOffset]$currentpasswordCredentials.endDateTime).ToString('o'))
}
$mypasswordCredentials.Add('Hint', $currentpasswordCredentials.hint)
$mypasswordCredentials.Add('KeyId', $currentpasswordCredentials.keyId)
if ($null -ne $currentpasswordCredentials.startDateTime)
{
$mypasswordCredentials.Add('StartDateTime', ([DateTimeOffset]$currentpasswordCredentials.startDateTime).ToString('o'))
}
if ($mypasswordCredentials.values.Where({$null -ne $_}).Count -gt 0)
{
$complexPasswordCredentials += $mypasswordCredentials
}
}
$complexCustomSecurityAttributes = [Array](Get-CustomSecurityAttributes -ServicePrincipalId $AADServicePrincipal.Id)
if ($null -eq $complexCustomSecurityAttributes) {
$complexCustomSecurityAttributes = @()
}
$result = @{
AppId = $AADServicePrincipal.AppId
AppId = $appInstance.DisplayName
AppRoleAssignedTo = $AppRoleAssignedToValues
ObjectID = $AADServicePrincipal.Id
DisplayName = $AADServicePrincipal.DisplayName
@ -248,13 +319,17 @@ function Get-TargetResource
ErrorUrl = $AADServicePrincipal.ErrorUrl
Homepage = $AADServicePrincipal.Homepage
LogoutUrl = $AADServicePrincipal.LogoutUrl
Notes = $AADServicePrincipal.Notes
Owners = $ownersValues
PreferredSingleSignOnMode = $AADServicePrincipal.PreferredSingleSignOnMode
PublisherName = $AADServicePrincipal.PublisherName
ReplyURLs = $AADServicePrincipal.ReplyURLs
SamlMetadataURL = $AADServicePrincipal.SamlMetadataURL
ServicePrincipalNames = $AADServicePrincipal.ServicePrincipalNames
ServicePrincipalType = $AADServicePrincipal.ServicePrincipalType
Tags = $AADServicePrincipal.Tags
KeyCredentials = $complexKeyCredentials
PasswordCredentials = $complexPasswordCredentials
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
@ -334,10 +409,18 @@ function Set-TargetResource
[System.String]
$LogoutUrl,
[Parameter()]
[System.String]
$Notes,
[Parameter()]
[System.String[]]
$Owners,
[Parameter()]
[System.String]
$PreferredSingleSignOnMode,
[Parameter()]
[System.String]
$PublisherName,
@ -362,6 +445,14 @@ function Set-TargetResource
[System.String[]]
$Tags,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$KeyCredentials,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$PasswordCredentials,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
@ -423,6 +514,7 @@ function Set-TargetResource
$currentParameters.Remove('ObjectID') | Out-Null
$currentParameters.Remove('ApplicationSecret') | Out-Null
$currentParameters.Remove('AccessTokens') | Out-Null
$currentParameters.Remove('Owners') | Out-Null
# update the custom security attributes to be cmdlet comsumable
if ($null -ne $currentParameters.CustomSecurityAttributes -and $currentParameters.CustomSecurityAttributes -gt 0) {
@ -436,7 +528,7 @@ function Set-TargetResource
{
if ($null -ne $AppRoleAssignedTo)
{
$currentParameters.AppRoleAssignedTo = $AppRoleAssignedToValue
$currentParameters.AppRoleAssignedTo = $AppRoleAssignedToValues
}
# removing Delegated permission classifications from this new call, as adding below separately
$currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null
@ -456,20 +548,21 @@ function Set-TargetResource
{
$userInfo = Get-MgUser -UserId $owner
$body = @{
'@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($userInfo.Id)"
'@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/directoryObjects/$($userInfo.Id)"
}
Write-Verbose -Message "Adding new owner {$owner}"
$newOwner = New-MgServicePrincipalOwnerByRef -ServicePrincipalId $newSP.Id -BodyParameter $body
}
#adding delegated permissions classifications
# Adding delegated permissions classifications
if($null -ne $DelegatedPermissionClassifications){
foreach ($permissionClassification in $DelegatedPermissionClassifications){
$params = @{
classification = $permissionClassification.Classification
permissionName = $permissionClassification.permissionName
}
Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" -Method Post -Body $params
$Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications"
Invoke-MgGraphRequest -Uri $Uri -Method Post -Body $params
}
}
}
@ -486,20 +579,31 @@ function Set-TargetResource
Write-Verbose -Message "CurrentParameters: $($currentParameters | Out-String)"
Write-Verbose -Message "ServicePrincipalID: $($currentAADServicePrincipal.ObjectID)"
$currentParameters.Remove('AppRoleAssignedTo') | Out-Null
$currentParameters.Remove('Owners') | Out-Null
$currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null
if ($PreferredSingleSignOnMode -eq 'saml')
{
$IdentifierUris = $ServicePrincipalNames | Where-Object { $_ -notmatch $AppId }
$currentParameters.Remove('ServicePrincipalNames')
}
#removing the current custom security attributes
if ($currentAADServicePrincipal.CustomSecurityAttributes.Count -gt 0) {
$currentAADServicePrincipal.CustomSecurityAttributes = Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsCmdletHashtable -CustomSecurityAttributes $currentAADServicePrincipal.CustomSecurityAttributes -GetForDelete $true
$CSAParams = @{
customSecurityAttributes = $currentAADServicePrincipal.CustomSecurityAttributes
}
Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$($currentParameters.AppId)')" -Method Patch -Body $CSAParams
Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/servicePrincipals(appId='$($currentParameters.AppId)')" -Method Patch -Body $CSAParams
}
Update-MgServicePrincipal -ServicePrincipalId $currentAADServicePrincipal.ObjectID @currentParameters
if ($IdentifierUris)
{
Write-Verbose -Message "Updating the Application ID Uri on the application instance."
$appInstance = Get-MgApplication -Filter "AppId eq '$AppId'"
Update-MgApplication -ApplicationId $appInstance.Id -IdentifierUris $IdentifierUris
}
if ($AppRoleAssignedTo)
{
[Array]$currentPrincipals = $currentAADServicePrincipal.AppRoleAssignedTo.Identity
@ -597,7 +701,7 @@ function Set-TargetResource
if ($diff.SideIndicator -eq '=>')
{
$body = @{
'@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($userInfo.Id)"
'@odata.id' = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/directoryObjects/$($userInfo.Id)"
}
Write-Verbose -Message "Adding owner {$($userInfo.Id)}"
New-MgServicePrincipalOwnerByRef -ServicePrincipalId $currentAADServicePrincipal.ObjectId `
@ -616,9 +720,10 @@ function Set-TargetResource
if ($null -ne $DelegatedPermissionClassifications)
{
# removing old perm classifications
$permissionClassificationList = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" -Method Get
$Uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications"
$permissionClassificationList = Invoke-MgGraphRequest -Uri $Uri -Method Get
foreach($permissionClassification in $permissionClassificationList.Value){
Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications/$($permissionClassification.Id)" -Method Delete
Invoke-MgGraphRequest -Uri "$($Uri)/$($permissionClassification.Id)" -Method Delete
}
# adding new perm classifications
@ -627,7 +732,7 @@ function Set-TargetResource
classification = $permissionClassification.Classification
permissionName = $permissionClassification.permissionName
}
Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" -Method Post -Body $params
Invoke-MgGraphRequest -Uri $Uri -Method Post -Body $params
}
}
}
@ -693,10 +798,18 @@ function Test-TargetResource
[System.String]
$LogoutUrl,
[Parameter()]
[System.String]
$Notes,
[Parameter()]
[System.String[]]
$Owners,
[Parameter()]
[System.String]
$PreferredSingleSignOnMode,
[Parameter()]
[System.String]
$PublisherName,
@ -721,6 +834,14 @@ function Test-TargetResource
[System.String[]]
$Tags,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$KeyCredentials,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$PasswordCredentials,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
@ -851,6 +972,7 @@ function Export-TargetResource
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
@ -909,6 +1031,34 @@ function Export-TargetResource
{
$Results.DelegatedPermissionClassifications = Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications -PermissionClassifications $Results.DelegatedPermissionClassifications
}
if ($null -ne $Results.KeyCredentials)
{
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.KeyCredentials `
-CIMInstanceName 'MicrosoftGraphkeyCredential'
if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.KeyCredentials = $complexTypeStringResult
}
else
{
$Results.Remove('KeyCredentials') | Out-Null
}
}
if ($null -ne $Results.PasswordCredentials)
{
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.PasswordCredentials `
-CIMInstanceName 'MicrosoftGraphpasswordCredential'
if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.PasswordCredentials = $complexTypeStringResult
}
else
{
$Results.Remove('PasswordCredentials') | Out-Null
}
}
if ($Results.CustomSecurityAttributes.Count -gt 0)
{
$Results.CustomSecurityAttributes = Get-M365DSCAADServicePrincipalCustomSecurityAttributesAsString -CustomSecurityAttributes $Results.CustomSecurityAttributes
@ -928,11 +1078,24 @@ function Export-TargetResource
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
-ParameterName 'DelegatedPermissionClassifications'
}
if ($null -ne $Results.KeyCredentials)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
-ParameterName "KeyCredentials" -IsCIMArray:$True
}
if ($null -ne $Results.PasswordCredentials)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
-ParameterName "PasswordCredentials" -IsCIMArray:$True
}
if ($null -ne $Results.CustomSecurityAttributes)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
-ParameterName 'CustomSecurityAttributes'
}
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
@ -1057,10 +1220,10 @@ function Create-AttributeValue {
function Get-CustomSecurityAttributes {
[OutputType([System.Array])]
param (
[String]$AppId
[String]$ServicePrincipalId
)
$customSecurityAttributes = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$AppId')`?`$select=customSecurityAttributes" -Method Get
$customSecurityAttributes = Invoke-MgGraphRequest -Uri $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/servicePrincipals/$($ServicePrincipalId)`?`$select=customSecurityAttributes" -Method Get
$customSecurityAttributes = $customSecurityAttributes.customSecurityAttributes
$newCustomSecurityAttributes = @()

27
Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof
Просмотреть файл

@ -43,8 +43,10 @@ class MSFT_AADServicePrincipal : OMI_BaseResource
[Write, Description("Specifies the error URL of the ServicePrincipal.")] String ErrorUrl;
[Write, Description("Specifies the homepage of the ServicePrincipal.")] String Homepage;
[Write, Description("Specifies the LogoutURL of the ServicePrincipal.")] String LogoutUrl;
[Write, Description("Notes associated with the ServicePrincipal.")] String Notes;
[Write, Description("Specifies the PublisherName of the ServicePrincipal.")] String PublisherName;
[Write, Description("List of the owners of the service principal.")] String Owners[];
[Write, Description("Specifies the signle sign-on mode configured for this application.")] String PreferredSingleSignOnMode;
[Write, Description("The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application.")] String ReplyUrls[];
[Write, Description("The URL for the SAML metadata of the ServicePrincipal.")] String SamlMetadataUrl;
[Write, Description("Specifies an array of service principal names. Based on the identifierURIs collection, plus the application's appId property, these URIs are used to reference an application's service principal.")] String ServicePrincipalNames[];
@ -61,4 +63,29 @@ class MSFT_AADServicePrincipal : OMI_BaseResource
[Write, Description("Credentials of the Azure AD Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
[Write, Description("The collection of password credentials associated with the service principal. Not nullable."), EmbeddedInstance("MSFT_MicrosoftGraphpasswordCredential")] String PasswordCredentials[];
[Write, Description("The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, NOT, ge, le)."), EmbeddedInstance("MSFT_MicrosoftGraphkeyCredential")] String KeyCredentials[];
};
[ClassVersion("1.0.0")]
class MSFT_MicrosoftGraphKeyCredential
{
[Write, Description("A 40-character binary type that can be used to identify the credential. Optional. When not provided in the payload, defaults to the thumbprint of the certificate.")] String CustomKeyIdentifier;
[Write, Description("Friendly name for the key. Optional.")] String DisplayName;
[Write, Description("The date and time at which the credential expires. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.")] String EndDateTime;
[Write, Description("The unique identifier (GUID) for the key.")] String KeyId;
[Write, Description("The certificate's raw data in byte array converted to Base64 string.")] String Key;
[Write, Description("The date and time at which the credential becomes valid.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.")] String StartDateTime;
[Write, Description("The type of key credential for example, Symmetric, AsymmetricX509Cert.")] String Type;
[Write, Description("A string that describes the purpose for which the key can be used for example, Verify.")] String Usage;
};
[ClassVersion("1.0.0")]
class MSFT_MicrosoftGraphPasswordCredential
{
[Write, Description("Friendly name for the password. Optional.")] String DisplayName;
[Write, Description("The date and time at which the password expires represented using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Optional.")] String EndDateTime;
[Write, Description("Contains the first three characters of the password. Read-only.")] String Hint;
[Write, Description("The unique identifier for the password.")] String KeyId;
[Write, Description("The date and time at which the password becomes valid. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Optional.")] String StartDateTime;
};

444
Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/MSFT_AADUserFlowAttribute.psm1 Normal file
Просмотреть файл

@ -0,0 +1,444 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter()]
[System.String]
$Id,
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
[Parameter()]
[System.String]
$Description,
[Parameter()]
[System.String]
$DataType,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
Write-Verbose -Message "Getting configuration of user flow attribute: $DisplayName"
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
Write-Verbose -Message 'Getting configuration of user flow attribute'
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', ''
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullReturn = $PSBoundParameters
$nullReturn.Ensure = 'Absent'
$userFlowAttribute = $null
if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
{
$userFlowAttribute = $Script:exportedInstances | Where-Object -FilterScript { $_.Id -eq $Id }
}
elseif (-not [System.String]::IsNullOrEmpty($Id))
{
$UserFlowAttribute = Get-MgBetaIdentityUserFlowAttribute -IdentityUserFlowAttributeId $Id -ErrorAction SilentlyContinue
}
if ($null -eq $UserFlowAttribute -and -not [System.String]::IsNullOrEmpty($DisplayName))
{
if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
{
$UserFlowAttribute = $Script:exportedInstances | Where-Object -FilterScript { $_.DisplayName -eq $DisplayName }
}
else
{
$UserFlowAttribute = Get-MgBetaIdentityUserFlowAttribute -Filter "displayName eq '$DisplayName'"
}
}
if ($null -eq $UserFlowAttribute)
{
return $nullReturn
}
try
{
Write-Verbose -Message "Found configuration of user flow attribute $($DisplayName)"
$result = @{
Id = $UserFlowAttribute.Id
DisplayName = $UserFlowAttribute.DisplayName
Description = $UserFlowAttribute.Description
DataType = $UserFlowAttribute.DataType
Ensure = 'Present'
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ApplicationSecret = $ApplicationSecret
Credential = $Credential
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
Write-Verbose -Message "Get-TargetResource Result: `n $(Convert-M365DscHashtableToString -Hashtable $result)"
return $result
}
catch
{
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullReturn
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter()]
[System.String]
$Id,
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
[Parameter()]
[System.String]
$Description,
[Parameter()]
[System.String]
$DataType,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
Write-Verbose -Message "Setting configuration of user flow attribute: $DisplayName"
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', ''
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$currentUserFlowAttribute = Get-TargetResource @PSBoundParameters
# doesn't exist but it should
if ($Ensure -eq 'Present' -and $currentUserFlowAttribute.Ensure -eq 'Absent')
{
Write-Verbose -Message "The user flow attribute '$($DisplayName)' does not exist but it should. Creating it."
try
{
New-MgBetaIdentityUserFlowAttribute -DataType $DataType -Description $Description -DisplayName $DisplayName
}
catch
{
Write-Error -ErrorRecord $_
}
}
#exists but shouldn't
elseif ($Ensure -eq 'Absent' -and $currentUserFlowAttribute.Ensure -eq 'Present')
{
Write-Verbose -Message "User flow attribute '$($DisplayName)' exists but shouldn't. Removing it."
Remove-MgBetaIdentityUserFlowAttribute -IdentityUserFlowAttributeId $Id
}
elseif ($Ensure -eq 'Present' -and $currentUserFlowAttribute.Ensure -eq 'Present')
{
Write-Verbose -Message "User flow attribute '$($DisplayNameName)' already exists. Updating settings"
if ($currentUserFlowAttribute.DisplayName -ne $DisplayName -or $currentUserFlowAttribute.DataType -ne $DataType)
{
Write-Warning -Message "There is a deviation in display name and data type for the resource with ID '$($Id)' but these values are not settable so cannot update them."
}
Write-Verbose -Message "Updating description of user flow attribute with display name '$($DisplayName)'"
Update-MgBetaIdentityUserFlowAttribute -IdentityUserFlowAttributeId $Id -Description $Description
}
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter()]
[System.String]
$Id,
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
[Parameter()]
[System.String]
$Description,
[Parameter()]
[System.String]
$DataType,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$Script:ExportMode = $false
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', ''
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
Write-Verbose -Message "Testing configuration of User flow attribute : $DisplayName"
$CurrentValues = Get-TargetResource @PSBoundParameters
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"
$ValuesToCheck = $PSBoundParameters
$TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
Write-Verbose -Message "Test-TargetResource returned $TestResult"
return $TestResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.String]
$Filter,
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', ''
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
$Script:ExportMode = $true
[array] $Script:exportedInstances = Get-MgBetaIdentityUserFlowAttribute -Filter "userFlowAttributeType ne 'builtIn'" -Sort DisplayName -ErrorAction Stop
$i = 1
$dscContent = ''
Write-Host "`r`n" -NoNewline
foreach ($userFlowAttribute in $Script:exportedInstances)
{
if ($null -ne $Global:M365DSCExportResourceInstancesCount)
{
$Global:M365DSCExportResourceInstancesCount++
}
Write-Host " |---[$i/$($Script:exportedInstances.Count)] $($userFlowAttribute.DisplayName)" -NoNewline
$Params = @{
Id = $userFlowAttribute.Id
DisplayName = $userFlowAttribute.DisplayName
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
Managedidentity = $ManagedIdentity.IsPresent
ApplicationSecret = $ApplicationSecret
Credential = $Credential
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
if ($Results.Ensure -eq 'Present')
{
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
}
Write-Host $Global:M365DSCEmojiGreenCheckMark
$i++
}
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
Export-ModuleMember -Function *-TargetResource

16
Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/MSFT_AADUserFlowAttribute.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,16 @@
[ClassVersion("1.0.0.0"), FriendlyName("AADUserFlowAttribute")]
class MSFT_AADUserFlowAttribute : OMI_BaseResource
{
[Write, Description("User flow attribute Id.")] String Id;
[Key, Description("Display name of the user flow attribute.")] String DisplayName;
[Write, Description("Description of the user flow attribute.")] String Description;
[Write, Description("Defines the user flow attribute data type.")] String DataType;
[Write, Description("Specify if the Azure AD role setting should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
[Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

5
Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/Readme.md Normal file
Просмотреть файл

@ -0,0 +1,5 @@
# AADUserFlowAttribute
## Description
This resource configure User flow attributes which are custom attributes that you can define and use in your user flows, which are predefined, configurable policies that control the user experience during sign-up, sign-in, and profile editing processes.

29
Modules/Microsoft365DSC/DSCResources/MSFT_AADUserFlowAttribute/settings.json Normal file
Просмотреть файл

@ -0,0 +1,29 @@
{
"resourceName": "AADUserflowAttribute",
"description": "This resource configures an Azure User Flow attribute..",
"roles": {
"read": [],
"update": [
"External ID User Flow Attribute Administrator"
]
},
"permissions": {
"graph": {
"delegated": {
"read": [
{
"name": "IdentityUserFlow.Read.All"
},
{
"name": "IdentityUserFlow.ReadWrite.All"
}
],
"update": [
{
"name": "IdentityUserFlow.ReadWrite.All"
}
]
}
}
}
}

591
Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/MSFT_AADVerifiedIdAuthority.psm1 Normal file
Просмотреть файл

@ -0,0 +1,591 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[System.String]
$Id,
[Parameter()]
[System.String]
$Name,
[Parameter(Mandatory = $true)]
[System.String]
$LinkedDomainUrl,
[Parameter()]
[System.String]
$DidMethod,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$KeyVaultMetadata,
[Parameter()]
[System.String]
[ValidateSet('Absent', 'Present')]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'AdminAPI' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
$nullResult.Ensure = 'Absent'
try
{
if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
{
$instances = $Script:exportedInstances
}
else
{
$uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities"
$response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET'
$instances = $response.value
}
if ($null -eq $instances)
{
return $nullResult
}
$instance = Get-M365DSCVerifiedIdAuthorityObject -Authority ($instances | Where-Object -FilterScript {$_.didModel.linkedDomainUrls[0] -eq $LinkedDomainUrl})
if ($null -eq $instance)
{
return $nullResult
}
$results = @{
Id = $instance.Id
Name = $instance.Name
LinkedDomainUrl = $instance.LinkedDomainUrl
DidMethod = $instance.DidMethod
KeyVaultMetadata = $instance.KeyVaultMetadata
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ApplicationSecret = $ApplicationSecret
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[System.String]
$Id,
[Parameter()]
[System.String]
$Name,
[Parameter(Mandatory = $true)]
[System.String]
$LinkedDomainUrl,
[Parameter()]
[System.String]
$DidMethod,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$KeyVaultMetadata,
[Parameter()]
[System.String]
[ValidateSet('Absent', 'Present')]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
New-M365DSCConnection -Workload 'AdminAPI' `
-InboundParameters $PSBoundParameters | Out-Null
$currentInstance = Get-TargetResource @PSBoundParameters
Write-Verbose -Message "Retrieved current instance: $($currentInstance.Name) with Id $($currentInstance.Id)"
$BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
$uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities/" + $currentInstance.Id
if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
{
Write-Verbose -Message "Creating an VerifiedId Authority with Name {$Name} and Id $($currentInstance.Id)"
$body = @{
name = $Name
linkedDomainUrl = $LinkedDomainUrl
didMethod = $DidMethod
keyVaultMetadata = @{
subscriptionId = $KeyVaultMetadata.SubscriptionId
resourceGroup = $KeyVaultMetadata.ResourceGroup
resourceName = $KeyVaultMetadata.ResourceName
resourceUrl = $KeyVaultMetadata.ResourceUrl
}
}
Write-Verbose -Message "Creating VerifiedId Authority with body $($body | ConvertTo-Json -Depth 5)"
$uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities"
Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'POST' -Body $body
}
elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Updating an VerifiedId Authority with Name {$Name} and Id $($currentInstance.Id)"
Write-Warning -Message "You can only update Name of the VerifiedId Authority, if you want to update other properties, please delete and recreate the VerifiedId Authority."
$body = @{
name = $Name
}
Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'PATCH' -Body $body
}
elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Removing VerifiedId Authority with Name {$Name} and Id $($currentInstance.Id)"
$uri = "https://verifiedid.did.msidentity.com/beta/verifiableCredentials/authorities/" + $currentInstance.Id
Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'DELETE'
}
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[System.String]
$Id,
[Parameter()]
[System.String]
$Name,
[Parameter(Mandatory = $true)]
[System.String]
$LinkedDomainUrl,
[Parameter()]
[System.String]
$DidMethod,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$KeyVaultMetadata,
[Parameter()]
[System.String]
[ValidateSet('Absent', 'Present')]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', ''
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
Write-Verbose -Message 'Testing configuration of AADVerifiedIdAuthority'
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
$testTargetResource = $true
#Compare Cim instances
foreach ($key in $PSBoundParameters.Keys)
{
$source = $PSBoundParameters.$key
$target = $CurrentValues.$key
if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*' -and $source -notlike '*Permission*')
{
$testResult = Compare-M365DSCComplexObject `
-Source ($source) `
-Target ($target)
if (-not $testResult)
{
Write-Verbose "TestResult returned False for $source"
$testTargetResource = $false
}
else {
$ValuesToCheck.Remove($key) | Out-Null
}
}
}
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"
$TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys `
-IncludedDrifts $driftedParams
if(-not $TestResult)
{
$testTargetResource = $false
}
Write-Verbose -Message "Test-TargetResource returned $testTargetResource"
return $testTargetResource
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'AdminAPI' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$dscContent = [System.Text.StringBuilder]::new()
$i = 1
Write-Host "`r`n" -NoNewline
try
{
$Script:ExportMode = $true
$uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities"
$response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET'
[array] $Script:exportedInstances = $response.value
foreach ($authority in $Script:exportedInstances)
{
if ($null -ne $Global:M365DSCExportResourceInstancesCount)
{
$Global:M365DSCExportResourceInstancesCount++
}
Write-Host " |---[$i/$($Script:exportedInstances.Count)] $($authority.didModel.linkedDomainUrls[0])" -NoNewline
$Params = @{
LinkedDomainUrl = $authority.didModel.linkedDomainUrls[0]
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ApplicationSecret = $ApplicationSecret
Credential = $Credential
Managedidentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
if ($Results.Ensure -eq 'Present')
{
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
if ($null -ne $Results.KeyVaultMetadata)
{
$complexMapping = @(
@{
Name = 'KeyVaultMetadata'
CimInstanceName = 'AADVerifiedIdAuthorityKeyVaultMetadata'
IsRequired = $False
}
)
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.KeyVaultMetadata `
-CIMInstanceName 'AADVerifiedIdAuthorityKeyVaultMetadata' `
-ComplexTypeMapping $complexMapping
if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.KeyVaultMetadata = $complexTypeStringResult
}
else
{
$Results.Remove('KeyVaultMetadata') | Out-Null
}
}
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
if ($Results.KeyVaultMetadata)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "KeyVaultMetadata" -IsCIMArray:$False
}
$dscContent.Append($currentDSCBlock) | Out-Null
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
Write-Host $Global:M365DSCEmojiGreenCheckMark
$i++
}
}
return $dscContent.ToString()
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
function Get-M365DSCVerifiedIdAuthorityObject
{
[CmdletBinding()]
[OutputType([PSCustomObject])]
param(
[Parameter()]
$Authority
)
if ($null -eq $Authority)
{
return $null
}
Write-Verbose -Message "Retrieving values for authority {$($Authority.didModel.linkedDomainUrls[0])}"
$did = ($Authority.didModel.did -split ":")[1]
$values = @{
Id = $Authority.Id
Name = $Authority.Name
LinkedDomainUrl = $Authority.didModel.linkedDomainUrls[0]
DidMethod = $did
}
if ($null -ne $Authority.KeyVaultMetadata)
{
$KeyVaultMetadata = @{
SubscriptionId = $Authority.KeyVaultMetadata.SubscriptionId
ResourceGroup = $Authority.KeyVaultMetadata.ResourceGroup
ResourceName = $Authority.KeyVaultMetadata.ResourceName
ResourceUrl = $Authority.KeyVaultMetadata.ResourceUrl
}
$values.Add('KeyVaultMetadata', $KeyVaultMetadata)
}
return $values
}
function Invoke-M365DSCVerifiedIdWebRequest
{
[OutputType([PSCustomObject])]
[CmdletBinding()]
param(
[Parameter(Mandatory = $true)]
[System.String]
$Uri,
[Parameter()]
[System.String]
$Method = 'GET',
[Parameter()]
[System.Collections.Hashtable]
$Body
)
$headers = @{
Authorization = $Global:MSCloudLoginConnectionProfile.AdminAPI.AccessToken
"Content-Type" = "application/json"
}
if($Method -eq 'PATCH' -or $Method -eq 'POST')
{
$BodyJson = $body | ConvertTo-Json
$response = Invoke-WebRequest -Method $Method -Uri $Uri -Headers $headers -Body $BodyJson
}
else {
$response = Invoke-WebRequest -Method $Method -Uri $Uri -Headers $headers
}
if($Method -eq 'DELETE')
{
return $null
}
$result = ConvertFrom-Json $response.Content
return $result
}
Export-ModuleMember -Function *-TargetResource

28
Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/MSFT_AADVerifiedIdAuthority.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,28 @@
[ClassVersion("1.0.0")]
class MSFT_AADVerifiedIdAuthorityKeyVaultMetadata
{
[Write, Description("Subscription ID of the Key Vault.")] String SubscriptionId;
[Write, Description("Resource group of the Key Vault.")] String ResourceGroup;
[Write, Description("Resource name of the Key Vault.")] String ResourceName;
[Write, Description("Resource URL of the Key Vault.")] String ResourceUrl;
};
[ClassVersion("1.0.0.0"), FriendlyName("AADVerifiedIdAuthority")]
class MSFT_AADVerifiedIdAuthority : OMI_BaseResource
{
[Write, Description("Name of the Verified ID Authority.")] String Name;
[Write, Description("Id of the Verified ID Authority.")] String Id;
[Key, Description("URL of the linked domain.")] String LinkedDomainUrl;
[Write, Description("DID method used by the Verified ID Authority.")] String DidMethod;
[Write, Description("Key Vault metadata for the Verified ID Authority."), EmbeddedInstance("MSFT_AADVerifiedIdAuthorityKeyVaultMetadata")] String KeyVaultMetadata;
[Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
[Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

8
Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/readme.md Normal file
Просмотреть файл

@ -0,0 +1,8 @@
# AADVerifiedIdAuthority
## Description
Azure AD Verified Identity Authority
Use the VerifiableCredential.Authority.ReadWrite permission to read and write the authority.
Documentation Link: https://learn.microsoft.com/en-us/entra/verified-id/admin-api#authorities

17
Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthority/settings.json Normal file
Просмотреть файл

@ -0,0 +1,17 @@
{
"resourceName": "AADVerifiedIdAuthority",
"description": "This resource configures an Azure AD Verified Identity Authority.",
"permissions": {
"graph": {
"delegated": {
"read": [],
"update": []
},
"application": {
"read": [],
"update": []
}
}
}
}

938
Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/MSFT_AADVerifiedIdAuthorityContract.psm1 Normal file
Просмотреть файл

@ -0,0 +1,938 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter()]
[System.String]
$id,
[Parameter(Mandatory = $true)]
[System.String]
$linkedDomainUrl,
[Parameter()]
[System.String]
$authorityId,
[Parameter(Mandatory = $true)]
[System.String]
$name,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$displays,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$rules,
[Parameter()]
[System.String]
[ValidateSet('Absent', 'Present')]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'AdminAPI' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
$nullResult.Ensure = 'Absent'
try
{
if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
{
$instances = $Script:exportedInstances
}
else
{
$uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities"
$response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET'
$authorities = $response.value
if ($null -eq $authorities)
{
return $nullResult
}
$authority = Get-M365DSCVerifiedIdAuthorityObject -Authority ($authorities | Where-Object -FilterScript {$_.didModel.linkedDomainUrls[0] -eq $linkedDomainUrl})
if ($null -eq $authority)
{
return $nullResult
}
$uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities/$($authority.Id)/contracts"
$response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET'
$contracts = $response.value
}
if ($null -eq $contracts)
{
return $nullResult
}
$contract = Get-M365DSCVerifiedIdAuthorityContractObject -Contract ($contracts | Where-Object -FilterScript {$_.name -eq $name})
if ($null -eq $contract)
{
return $nullResult
}
$results = @{
id = $contract.id
name = $contract.name
linkedDomainUrl = $linkedDomainUrl
authorityId = $authority.Id
displays = $contract.displays
rules = $contract.rules
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ApplicationSecret = $ApplicationSecret
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter()]
[System.String]
$id,
[Parameter(Mandatory = $true)]
[System.String]
$linkedDomainUrl,
[Parameter()]
[System.String]
$authorityId,
[Parameter(Mandatory = $true)]
[System.String]
$name,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$displays,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$rules,
[Parameter()]
[System.String]
[ValidateSet('Absent', 'Present')]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
New-M365DSCConnection -Workload 'AdminAPI' `
-InboundParameters $PSBoundParameters | Out-Null
$currentInstance = Get-TargetResource @PSBoundParameters
Write-Verbose -Message "Retrieved current instance: $($currentInstance.Name) with Id $($currentInstance.Id)"
$BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
$rulesHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $rules
$displaysHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $displays
if($rulesHashmap.attestations.idTokens -ne $null)
{
foreach($idToken in $rulesHashmap.attestations.idTokens)
{
if($idToken.scopeValue -ne $null)
{
$idToken.Add('scope', $idToken.scopeValue)
$idToken.Remove('scopeValue') | Out-Null
}
}
}
$body = @{
name = $Name
rules = $rulesHashmap
displays = $displaysHashmap
}
if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
{
$uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities"
$response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET'
$authorities = $response.value
$authority = Get-M365DSCVerifiedIdAuthorityObject -Authority ($authorities | Where-Object -FilterScript {$_.didModel.linkedDomainUrls[0] -eq $linkedDomainUrl})
Write-Verbose -Message "Creating an VerifiedId Authority Contract with Name {$name} for Authority Id $($authority.Id)"
$uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities/$($authority.Id)/contracts"
Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'POST' -Body $body
}
elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Updating an VerifiedId Authority Contract with Name {$name} for Authority Id $($authority.Id)"
$uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities/$($authority.Id)/contracts/$($currentInstance.id)"
$body.Remove('name') | Out-Null
Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'PATCH' -Body $body
}
elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
{
Write-Warning -Message "Removal of Contracts is not supported"
}
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter()]
[System.String]
$id,
[Parameter(Mandatory = $true)]
[System.String]
$linkedDomainUrl,
[Parameter()]
[System.String]
$authorityId,
[Parameter(Mandatory = $true)]
[System.String]
$name,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance[]]
$displays,
[Parameter()]
[Microsoft.Management.Infrastructure.CimInstance]
$rules,
[Parameter()]
[System.String]
[ValidateSet('Absent', 'Present')]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', ''
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
Write-Verbose -Message 'Testing configuration of AADVerifiedIdAuthorityContract'
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
$testTargetResource = $true
#Compare Cim instances
foreach ($key in $PSBoundParameters.Keys)
{
$source = $PSBoundParameters.$key
$target = $CurrentValues.$key
if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
{
$testResult = Compare-M365DSCComplexObject `
-Source ($source) `
-Target ($target)
if (-not $testResult)
{
Write-Verbose "TestResult returned False for $source"
$testTargetResource = $false
}
else {
$ValuesToCheck.Remove($key) | Out-Null
}
}
}
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"
$TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys `
-IncludedDrifts $driftedParams
if(-not $TestResult)
{
$testTargetResource = $false
}
Write-Verbose -Message "Test-TargetResource returned $testTargetResource"
return $testTargetResource
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'AdminAPI' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$dscContent = [System.Text.StringBuilder]::new()
$i = 1
Write-Host "`r`n" -NoNewline
try
{
$Script:ExportMode = $true
$uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities"
$response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET'
[array] $authorities = $response.value
[array] $Script:exportedInstances = $()
foreach ($authority in $authorities)
{
$uri = "https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/authorities/$($authority.Id)/contracts"
$response = Invoke-M365DSCVerifiedIdWebRequest -Uri $uri -Method 'GET'
$contracts = $response.value
foreach($contract in $contracts)
{
$Script:exportedInstances += $contract
if ($null -ne $Global:M365DSCExportResourceInstancesCount)
{
$Global:M365DSCExportResourceInstancesCount++
}
Write-Host " |---[$i/$($Script:exportedInstances.Count)] $($contract.name)" -NoNewline
$Params = @{
linkedDomainUrl = $authority.didModel.linkedDomainUrls[0]
name = $contract.name
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ApplicationSecret = $ApplicationSecret
Credential = $Credential
Managedidentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
if ($Results.Ensure -eq 'Present')
{
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
if ($null -ne $Results.displays)
{
$complexMapping = @(
@{
Name = 'displays'
CimInstanceName = 'AADVerifiedIdAuthorityContractDisplayModel'
IsRequired = $False
}
@{
Name = 'logo'
CimInstanceName = 'AADVerifiedIdAuthorityContractDisplayCredentialLogo'
IsRequired = $False
}
@{
Name = 'card'
CimInstanceName = 'AADVerifiedIdAuthorityContractDisplayCard'
IsRequired = $False
}
@{
Name = 'consent'
CimInstanceName = 'AADVerifiedIdAuthorityContractDisplayConsent'
IsRequired = $False
}
@{
Name = 'claims'
CimInstanceName = 'AADVerifiedIdAuthorityContractDisplayClaims'
IsRequired = $False
}
)
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.displays `
-CIMInstanceName 'AADVerifiedIdAuthorityContractDisplayModel' `
-ComplexTypeMapping $complexMapping
if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.displays = $complexTypeStringResult
}
else
{
$Results.Remove('displays') | Out-Null
}
}
if ($null -ne $Results.rules)
{
$complexMapping = @(
@{
Name = 'rules'
CimInstanceName = 'AADVerifiedIdAuthorityContractRulesModel'
IsRequired = $False
}
@{
Name = 'attestations'
CimInstanceName = 'AADVerifiedIdAuthorityContractAttestations'
IsRequired = $False
}
@{
Name = 'vc'
CimInstanceName = 'AADVerifiedIdAuthorityContractVcType'
IsRequired = $False
}
@{
Name = 'customStatusEndpoint'
CimInstanceName = 'AADVerifiedIdAuthorityContractCustomStatusEndpoint'
IsRequired = $False
}
@{
Name = 'idTokenHints'
CimInstanceName = 'AADVerifiedIdAuthorityContractAttestationValues'
IsRequired = $False
}
@{
Name = 'idTokens'
CimInstanceName = 'AADVerifiedIdAuthorityContractAttestationValues'
IsRequired = $False
}
@{
Name = 'presentations'
CimInstanceName = 'AADVerifiedIdAuthorityContractAttestationValues'
IsRequired = $False
}
@{
Name = 'selfIssued'
CimInstanceName = 'AADVerifiedIdAuthorityContractAttestationValues'
IsRequired = $False
}
@{
Name = 'accessTokens'
CimInstanceName = 'AADVerifiedIdAuthorityContractAttestationValues'
IsRequired = $False
}
@{
Name = 'mapping'
CimInstanceName = 'AADVerifiedIdAuthorityContractClaimMapping'
IsRequired = $False
}
)
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.rules`
-CIMInstanceName 'AADVerifiedIdAuthorityContractRulesModel' `
-ComplexTypeMapping $complexMapping
if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.rules = $complexTypeStringResult
}
else
{
$Results.Remove('rules') | Out-Null
}
}
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
if ($Results.displays)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "displays" -IsCIMArray:$true
}
if ($Results.rules)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "rules" -IsCIMArray:$false
}
$dscContent.Append($currentDSCBlock) | Out-Null
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
Write-Host $Global:M365DSCEmojiGreenCheckMark
$i++
}
}
}
return $dscContent.ToString()
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
function Get-M365DSCVerifiedIdAuthorityContractObject
{
[CmdletBinding()]
[OutputType([PSCustomObject])]
param(
[Parameter()]
$Contract
)
if ($null -eq $Contract)
{
return $null
}
Write-Verbose -Message "Retrieving values for contract {$($Contract.name)}"
$values = @{
id = $Contract.id
name = $Contract.name
}
if ($null -ne $Contract.displays)
{
$displays = @()
foreach ($display in $Contract.displays)
{
$claims = @()
foreach ($claim in $display.claims)
{
$claims += @{
claim = $claim.claim
label = $claim.label
type = $claim.type
}
}
$displays += @{
locale = $display.locale
card = @{
title = $display.card.title
issuedBy = $display.card.issuedBy
backgroundColor = $display.card.backgroundColor
textColor = $display.card.textColor
logo = @{
uri = $display.card.logo.uri
description = $display.card.logo.description
}
description = $display.card.description
}
consent = @{
title = $display.consent.title
instructions = $display.consent.instructions
}
claims = $claims
}
}
$values.Add('displays', $displays)
}
if ($null -ne $Contract.rules)
{
$rules = @{}
$attestations = @{}
if($null -ne $Contract.rules.attestations.idTokenHints)
{
$idTokenHints = @()
foreach($idTokenHint in $Contract.rules.attestations.idTokenHints)
{
$mapping = @()
foreach($map in $idTokenHint.mapping)
{
$mapping += @{
outputClaim = $map.outputClaim
inputClaim = $map.inputClaim
required = $map.required
indexed = $map.indexed
type = $map.type
}
}
$idTokenHints += @{
required = $idTokenHint.required
mapping = $mapping
trustedIssuers = $idTokenHint.trustedIssuers
}
}
$attestations.Add('idTokenHints', $idTokenHints)
}
if($null -ne $Contract.rules.attestations.idTokens)
{
$idTokens = @()
foreach($idToken in $Contract.rules.attestations.idTokens)
{
$mapping = @()
foreach($map in $idToken.mapping)
{
$mapping += @{
outputClaim = $map.outputClaim
inputClaim = $map.inputClaim
required = $map.required
indexed = $map.indexed
type = $map.type
}
}
$idTokens += @{
required = $idToken.required
mapping = $mapping
configuration = $idToken.configuration
clientId = $idToken.clientId
redirectUri = $idToken.redirectUri
scopeValue = $idToken.scope
}
}
$attestations.Add('idTokens', $idTokens)
}
if($null -ne $Contract.rules.attestations.presentations)
{
$presentations = @()
foreach($presentation in $Contract.rules.attestations.presentations)
{
$mapping = @()
foreach($map in $presentation.mapping)
{
$mapping += @{
outputClaim = $map.outputClaim
inputClaim = $map.inputClaim
required = $map.required
indexed = $map.indexed
type = $map.type
}
}
$presentations += @{
required = $presentation.required
mapping = $mapping
trustedIssuers = $presentation.trustedIssuers
credentialType = $presentation.credentialType
}
}
$attestations.Add('presentations', $presentations)
}
if($null -ne $Contract.rules.attestations.selfIssued)
{
$mySelfIssueds = @()
foreach($mySelfIssued in $Contract.rules.attestations.selfIssued)
{
$mapping = @()
foreach($map in $mySelfIssued.mapping)
{
$mapping += @{
outputClaim = $map.outputClaim
inputClaim = $map.inputClaim
required = $map.required
indexed = $map.indexed
type = $map.type
}
}
$mySelfIssueds += @{
required = $mySelfIssued.required
mapping = $mapping
}
}
$attestations.Add('selfIssued', $mySelfIssueds)
}
if($null -ne $Contract.rules.attestations.accessTokens)
{
$accessTokens = @()
foreach($accessToken in $Contract.rules.attestations.accessTokens)
{
$mapping = @()
foreach($map in $accessToken.mapping)
{
$mapping += @{
outputClaim = $map.outputClaim
inputClaim = $map.inputClaim
required = $map.required
indexed = $map.indexed
type = $map.type
}
}
$accessTokens += @{
required = $accessToken.required
mapping = $mapping
}
}
$attestations.Add('accessTokens', $accessTokens)
}
$rules.Add('attestations', $attestations)
$rules.Add('vc', @{
type = $Contract.rules.vc.type
})
$rules.Add('validityInterval', $Contract.rules.validityInterval)
$values.Add('rules', $rules)
}
return $values
}
function Get-M365DSCVerifiedIdAuthorityObject
{
[CmdletBinding()]
[OutputType([PSCustomObject])]
param(
[Parameter()]
$Authority
)
if ($null -eq $Authority)
{
return $null
}
Write-Verbose -Message "Retrieving values for authority {$($Authority.didModel.linkedDomainUrls[0])}"
$did = ($Authority.didModel.did -split ":")[1]
$values = @{
Id = $Authority.Id
Name = $Authority.Name
LinkedDomainUrl = $Authority.didModel.linkedDomainUrls[0]
DidMethod = $did
}
if ($null -ne $Authority.KeyVaultMetadata)
{
$KeyVaultMetadata = @{
SubscriptionId = $Authority.KeyVaultMetadata.SubscriptionId
ResourceGroup = $Authority.KeyVaultMetadata.ResourceGroup
ResourceName = $Authority.KeyVaultMetadata.ResourceName
ResourceUrl = $Authority.KeyVaultMetadata.ResourceUrl
}
$values.Add('KeyVaultMetadata', $KeyVaultMetadata)
}
return $values
}
function Invoke-M365DSCVerifiedIdWebRequest
{
[OutputType([PSCustomObject])]
[CmdletBinding()]
param(
[Parameter(Mandatory = $true)]
[System.String]
$Uri,
[Parameter()]
[System.String]
$Method = 'GET',
[Parameter()]
[System.Collections.Hashtable]
$Body
)
$headers = @{
Authorization = $Global:MSCloudLoginConnectionProfile.AdminAPI.AccessToken
"Content-Type" = "application/json"
}
if($Method -eq 'PATCH' -or $Method -eq 'POST')
{
$BodyJson = $body | ConvertTo-Json -Depth 10
$response = Invoke-WebRequest -Method $Method -Uri $Uri -Headers $headers -Body $BodyJson
}
else {
$response = Invoke-WebRequest -Method $Method -Uri $Uri -Headers $headers
}
if($Method -eq 'DELETE')
{
return $null
}
$result = ConvertFrom-Json $response.Content
return $result
}
Export-ModuleMember -Function *-TargetResource

105
Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/MSFT_AADVerifiedIdAuthorityContract.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,105 @@
[ClassVersion("1.0.0")]
class MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo {
[Write, Description("URI of the logo. If this is a URL, it must be reachable over the public internet anonymously.")] String uri;
[Write, Description("Description of the logo.")] String description;
};
[ClassVersion("1.0.0")]
class MSFT_AADVerifiedIdAuthorityContractDisplayCard {
[Write, Description("Title of the credential.")] String title;
[Write, Description("The name of the issuer of the credential.")] String issuedBy;
[Write, Description("Background color of the credential in hex, for example, #FFAABB.")] String backgroundColor;
[Write, Description("Text color of the credential in hex, for example, #FFAABB.")] String textColor;
[Write, Description("Supplemental text displayed alongside each credential.")] String description;
[Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractDisplayCredentialLogo"), Description("The logo to use for the credential.")] String logo;
};
[ClassVersion("1.0.0")]
class MSFT_AADVerifiedIdAuthorityContractDisplayConsent {
[Write, Description("Title of the consent.")] String title;
[Write, Description("Supplemental text to use when displaying consent.")] String instructions;
};
[ClassVersion("1.0.0")]
class MSFT_AADVerifiedIdAuthorityContractDisplayClaims {
[Write, Description("The label of the claim in display.")] String label;
[Write, Description("The name of the claim to which the label applies.")] String claim;
[Write, Description("The type of the claim.")] String type;
[Write, Description("The description of the claim.")] String description;
};
[ClassVersion("1.0.0.0")]
class MSFT_AADVerifiedIdAuthorityContractDisplayModel {
[Write, Description("The locale of this display.")] String locale;
[Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractDisplayCard"), Description("The display properties of the verifiable credential.")] String card;
[Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractDisplayConsent"), Description("Supplemental data when the verifiable credential is issued.")] String consent;
[Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractDisplayClaims"), Description("Labels for the claims included in the verifiable credential.")] String claims[];
};
[ClassVersion("1.0.0")]
class MSFT_AADVerifiedIdAuthorityContractClaimMapping {
[Write, Description("The name of the claim to use from the input.")] String inputClaim;
[Write, Description("The name of the claim in the verifiable credential.")] String outputClaim;
[Write, Description("Indicating whether the value of this claim is used for searching.")] Boolean indexed;
[Write, Description("Indicating whether this mapping is required or not.")] Boolean required;
[Write, Description("Type of claim.")] String type;
};
[ClassVersion("1.0.0")]
class MSFT_AADVerifiedIdAuthorityContractAttestationValues {
[Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractClaimMapping"), Description("Rules to map input claims into output claims in the verifiable credential.")] String mapping[];
[Write, Description("Indicating whether this attestation is required or not.")] Boolean required;
[Write, Description("A list of DIDs allowed to issue the verifiable credential for this contract.")] String trustedIssuers[];
[Write, Description("Required credential type of the input.")] String credentialType;
[Write, Description("Location of the identity provider's configuration document.")] String configuration;
[Write, Description("Client ID to use when obtaining the ID token.")] String clientId;
[Write, Description("Redirect URI to use when obtaining the ID token. MUST BE vcclient://openid/")] String redirectUri;
[Write, Description("Space delimited list of scopes to use when obtaining the ID token.")] String scopeValue;
};
[ClassVersion("1.0.0")]
class MSFT_AADVerifiedIdAuthorityContractAttestations {
[Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestationValues"), Description("Id token hints attestations.")] String idTokenHints[];
[Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestationValues"), Description("Id token attestations.")] String idTokens[];
[Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestationValues"), Description("Presentations attestations.")] String presentations[];
[Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestationValues"), Description("Self Issued attestations.")] String selfIssued[];
[Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestationValues"), Description("Access Token attestations.")] String accessTokens[];
};
[ClassVersion("1.0.0")]
class MSFT_AADVerifiedIdAuthorityContractCustomStatusEndpoint {
[Write, Description("The URL of the custom status endpoint.")] String url;
[Write, Description("The type of the endpoint.")] String type;
};
[ClassVersion("1.0.0")]
class MSFT_AADVerifiedIdAuthorityContractVcType {
[Write, Description("The type of the vc.")] String type[];
};
[ClassVersion("1.0.0.0")]
class MSFT_AADVerifiedIdAuthorityContractRulesModel {
[Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractAttestations"), Description("Describing supported inputs for the rules.")] String attestations;
[Write, Description("This value shows the lifespan of the credential.")] UInt32 validityInterval;
[Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractVcType"), Description("Types for this contract.")] String vc;
[Write, EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractCustomStatusEndpoint"), Description("Status endpoint to include in the verifiable credential for this contract.")] String customStatusEndpoint;
};
[ClassVersion("1.0.0.0"), FriendlyName("AADVerifiedIdAuthorityContract")]
class MSFT_AADVerifiedIdAuthorityContract : OMI_BaseResource
{
[Write, Description("Id of the Verified ID Authority Contract.")] String id;
[Key, Description("URL of the linked domain of the authority.")] String linkedDomainUrl;
[Write, Description("Id of the Verified ID Authority.")] String authorityId;
[Key, Description("Name of the Verified ID Authority Contract.")] String name;
[Write, Description("Display settings of the Authority Contract."), EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractDisplayModel")] String displays[];
[Write, Description("Rules settings of the Authority Contract."), EmbeddedInstance("MSFT_AADVerifiedIdAuthorityContractRulesModel")] String rules;
[Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
[Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

7
Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/readme.md Normal file
Просмотреть файл

@ -0,0 +1,7 @@
# AADVerifiedIdAuthorityContract
## Description
Azure AD Verified Identity Authority Contract
Use the VerifiableCredential.Contract.ReadWrite permission to read and write the authority contract.
Documentation Link: https://learn.microsoft.com/en-us/entra/verified-id/admin-api#contracts

20
Modules/Microsoft365DSC/DSCResources/MSFT_AADVerifiedIdAuthorityContract/settings.json Normal file
Просмотреть файл

@ -0,0 +1,20 @@
{
"resourceName": "AADVerifiedIdAuthorityContract",
"description": "This resource configures an Azure AD Verified Identity Authority Contracts.",
"roles": {
"read": [],
"update": []
},
"permissions": {
"graph": {
"delegated": {
"read": [],
"update": []
},
"application": {
"read": [],
"update": []
}
}
}
}

1
Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroup/MSFT_ADOPermissionGroup.psm1
Просмотреть файл

@ -457,7 +457,6 @@ function Export-TargetResource
$AccessTokens
)
##TODO - Replace workload
$ConnectionMode = New-M365DSCConnection -Workload 'AzureDevOPS' `
-InboundParameters $PSBoundParameters

434
Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/MSFT_AzureBillingAccountsAssociatedTenant.psm1 Normal file
Просмотреть файл

@ -0,0 +1,434 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
[Parameter(Mandatory = $true)]
[System.String]
$BillingAccount,
[Parameter(Mandatory = $true)]
[System.String]
$AssociatedTenantId,
[Parameter()]
[System.String]
$BillingManagementState,
[Parameter()]
[System.String]
$ProvisioningManagementState,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
New-M365DSCConnection -Workload 'Azure' `
-InboundParameters $PSBoundParameters | Out-Null
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$nullResult = $PSBoundParameters
$nullResult.Ensure = 'Absent'
try
{
$accounts = Get-M365DSCAzureBillingAccount
$currentAccount = $accounts.value | Where-Object -FilterScript {$_.properties.displayName -eq $BillingAccount}
if ($null -ne $currentAccount)
{
$instances = Get-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $currentAccount.Name -ErrorAction Stop
$instance = $instances.value | Where-Object -FilterScript {$_.properties.displayName -eq $DisplayName}
}
if ($null -eq $instance)
{
return $nullResult
}
$results = @{
BillingAccount = $BillingAccount
DisplayName = $DisplayName
AssociatedTenantId = $instance.properties.tenantId
BillingManagementState = $instance.properties.billingManagementState
ProvisioningManagementState = $instance.properties.provisioningManagementState
Ensure = 'Present'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
Write-Verbose -Message $_
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return $nullResult
}
}
function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
[Parameter(Mandatory = $true)]
[System.String]
$BillingAccount,
[Parameter(Mandatory = $true)]
[System.String]
$AssociatedTenantId,
[Parameter()]
[System.String]
$BillingManagementState,
[Parameter()]
[System.String]
$ProvisioningManagementState,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$currentInstance = Get-TargetResource @PSBoundParameters
$billingAccounts = Get-M365DSCAzureBillingAccount
$account = $billingAccounts.value | Where-Object -FilterScript {$_.properties.displayName -eq $BillingAccount}
$instanceParams = @{
properties = @{
displayName = $DisplayName
tenantId = $AssociatedTenantId
billingManagementState = $BillingManagementState
provisioningManagementState = $ProvisioningManagementState
}
}
# CREATE
if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
{
Write-Verbose -Message "Adding associated tenant {$AssociatedTenantId}"
New-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $account.Name `
-AssociatedTenantId $AssociatedTenantId `
-Body $instanceParams
}
# UPDATE
elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Updating associated tenant {$AssociatedTenantId}"
New-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $account.Name `
-AssociatedTenantId $AssociatedTenantId `
-Body $instanceParams
}
# REMOVE
elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Removing associated tenant {$AssociatedTenantId}"
Remove-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $account.Name `
-AssociatedTenantId $AssociatedTenantId
}
}
function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$DisplayName,
[Parameter(Mandatory = $true)]
[System.String]
$BillingAccount,
[Parameter(Mandatory = $true)]
[System.String]
$AssociatedTenantId,
[Parameter()]
[System.String]
$BillingManagementState,
[Parameter()]
[System.String]
$ProvisioningManagementState,
[Parameter()]
[ValidateSet('Present', 'Absent')]
[System.String]
$Ensure = 'Present',
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys
Write-Verbose -Message "Test-TargetResource returned $testResult"
return $testResult
}
function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,
[Parameter()]
[System.String]
$CertificateThumbprint,
[Parameter()]
[Switch]
$ManagedIdentity,
[Parameter()]
[System.String[]]
$AccessTokens
)
$ConnectionMode = New-M365DSCConnection -Workload 'Azure' `
-InboundParameters $PSBoundParameters
#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies
#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
try
{
$Script:ExportMode = $true
#Get all billing account
$accounts = Get-M365DSCAzureBillingAccount
$i = 1
$dscContent = ''
if ($Script:exportedInstances.Length -eq 0)
{
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
else
{
Write-Host "`r`n" -NoNewline
}
[array] $Script:exportedInstances = @()
foreach ($config in $accounts.value)
{
$displayedKey = $config.properties.displayName
Write-Host " |---[$i/$($accounts.Count)] $displayedKey"
$associatedTenants += Get-M365DSCAzureBillingAccountsAssociatedTenant -BillingAccountId $config.name
$j = 1
foreach ($associatedTenant in $associatedTenants.value)
{
if ($null -ne $Global:M365DSCExportResourceInstancesCount)
{
$Global:M365DSCExportResourceInstancesCount++
}
Write-Host " |---[$j/$($associatedTenants.value.Length)] $($associatedTenant.properties.DisplayName)" -NoNewline
$params = @{
BillingAccount = $config.properties.displayName
DisplayName = $associatedTenant.properties.displayName
AssociatedTenantId = $associatedTenant.properties.tenantId
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$j++
Write-Host $Global:M365DSCEmojiGreenCheckMark
}
$i++
}
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX
New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential
return ''
}
}
Export-ModuleMember -Function *-TargetResource

17
Modules/Microsoft365DSC/DSCResources/MSFT_AzureBillingAccountsAssociatedTenant/MSFT_AzureBillingAccountsAssociatedTenant.schema.mof Normal file
Просмотреть файл

@ -0,0 +1,17 @@
[ClassVersion("1.0.0.0"), FriendlyName("AzureBillingAccountsAssociatedTenant")]
class MSFT_AzureBillingAccountsAssociatedTenant : OMI_BaseResource
{
[Key, Description("The ID that uniquely identifies a tenant.")] String AssociatedTenantId;
[Write, Description("The name of the associated tenant.")] String DisplayName;
[Write, Description("Name of the billing account.")] String BillingAccount;
[Write, Description("The state determines whether users from the associated tenant can be assigned roles for commerce activities like viewing and downloading invoices, managing payments, and making purchases.")] String BillingManagementState;
[Write, Description("The state determines whether subscriptions and licenses can be provisioned in the associated tenant. It can be set to 'Pending' to initiate a billing request.")] String ProvisioningManagementState;
[Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
[Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};

Некоторые файлы не были показаны из-за слишком большого количества измененных файлов Показать больше