Merge pull request #3571 from NikCharlebois/Dev

Release 1.23.809.1

CHANGELOG.md

@@ -1,5 +1,45 @@
 # Change log for Microsoft365DSC
 
+# 1.23.809.1
+
+* AADAuthorizationPolicy
+  * Added support for the AllowedToCreateTenants &
+    AllowedToReadBitlockerKeysForOwnedDevice properties.
+    FIXES [#3492](https://github.com/microsoft/Microsoft365DSC/issues/3492)
+* AADGroup, AADUser and O365Group
+  * Add support to use function endsWith as filter
+    FIXES [#3518](https://github.com/microsoft/Microsoft365DSC/issues/3518)
+* O365OrgSettings
+  * Added error handling for the Viva settings to handle task cancellation errors.
+  * Added improvements for the set to only call into APIs that need a PATCH request.
+* SCComplianceSearch
+  * Fixed an issue with the export when using CertificateThumbprint.
+    FIXES [#3499](https://github.com/microsoft/Microsoft365DSC/issues/3499)
+* SCComplianceSearchAction
+  * Adds support for the Preview action type.
+    FIXES [#3498](https://github.com/microsoft/Microsoft365DSC/issues/3498)
+* SCRetentionCompliancePolicy
+  * Fixes an issue where SPN auth parameters weren't returned from the Get-TargetResource
+    function.
+    FIXES [#3500](https://github.com/microsoft/Microsoft365DSC/issues/3500)
+* SPOTenantSettings
+  * Add support for new parameter HideSyncButtonOnTeamSite
+* TeamsGroupPolicyAssignment
+  * FIXES [#3559](https://github.com/microsoft/Microsoft365DSC/issues/3559)
+* TeamsShiftPolicy
+  * Deprecated the EnableShiftPresence parameter.
+* TeamsTemplatesPolicy
+  * Initial release.
+* MISC
+  * M365DscReverse: Fix exporting when $Filter var exists locally
+    FIXES [#3515](https://github.com/microsoft/Microsoft365DSC/issues/3515)
+  * Fix for the delta report function to handle deep nested CIM Instances.
+    FIXES [#3478](https://github.com/microsoft/Microsoft365DSC/issues/3478)
+* DEPENDENCIES
+  * Updated Microsoft.Graph.* dependencies to version 2.2.0.
+  * Updated MSCloudLoginAssistant to version 1.0.119.
+  * Updated dependency Microsoft.PowerApps.Administration.PowerShell to version 2.0.170.
+
 # 1.23.726.1
 
 * AADGroup

Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthorizationPolicy/MSFT_AADAuthorizationPolicy.psm1

@@ -46,6 +46,14 @@ function Get-TargetResource
         [System.Boolean]
         $DefaultUserRoleAllowedToCreateSecurityGroups,
 
+        [Parameter()]
+        [System.Boolean]
+        $DefaultUserRoleAllowedToReadBitlockerKeysForOwnedDevice,
+
+        [Parameter()]
+        [System.Boolean]
+        $DefaultUserRoleAllowedToCreateTenants,
+
         [Parameter()]
         [System.Boolean]
         $DefaultUserRoleAllowedToReadOtherUsers,
@@ -143,26 +151,28 @@ function Get-TargetResource
         Write-Verbose -Message 'Get-TargetResource: Found existing authorization policy'
 
         $result = @{
-            IsSingleInstance                                  = 'Yes'
-            DisplayName                                       = $Policy.DisplayName
-            Description                                       = $Policy.Description
-            AllowedToSignUpEmailBasedSubscriptions            = $Policy.AllowedToSignUpEmailBasedSubscriptions
-            AllowedToUseSSPR                                  = $Policy.AllowedToUseSSPR
-            AllowEmailVerifiedUsersToJoinOrganization         = $Policy.AllowEmailVerifiedUsersToJoinOrganization
-            AllowInvitesFrom                                  = $Policy.AllowInvitesFrom
-            BlockMsolPowerShell                               = $Policy.BlockMsolPowerShell
-            DefaultUserRoleAllowedToCreateApps                = $Policy.DefaultUserRolePermissions.AllowedToCreateApps
-            DefaultUserRoleAllowedToCreateSecurityGroups      = $Policy.DefaultUserRolePermissions.AllowedToCreateSecurityGroups
-            DefaultUserRoleAllowedToReadOtherUsers            = $Policy.DefaultUserRolePermissions.AllowedToReadOtherUsers
-            PermissionGrantPolicyIdsAssignedToDefaultUserRole = $Policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
-            GuestUserRole                                     = Get-GuestUserRoleNameFromId -GuestUserRoleId $Policy.GuestUserRoleId
-            Ensure                                            = 'Present'
-            Credential                                        = $Credential
-            ApplicationSecret                                 = $ApplicationSecret
-            ApplicationId                                     = $ApplicationId
-            TenantId                                          = $TenantId
-            CertificateThumbprint                             = $CertificateThumbprint
-            Managedidentity                                   = $ManagedIdentity.IsPresent
+            IsSingleInstance                                        = 'Yes'
+            DisplayName                                             = $Policy.DisplayName
+            Description                                             = $Policy.Description
+            AllowedToSignUpEmailBasedSubscriptions                  = $Policy.AllowedToSignUpEmailBasedSubscriptions
+            AllowedToUseSSPR                                        = $Policy.AllowedToUseSSPR
+            AllowEmailVerifiedUsersToJoinOrganization               = $Policy.AllowEmailVerifiedUsersToJoinOrganization
+            AllowInvitesFrom                                        = $Policy.AllowInvitesFrom
+            BlockMsolPowerShell                                     = $Policy.BlockMsolPowerShell
+            DefaultUserRoleAllowedToCreateApps                      = $Policy.DefaultUserRolePermissions.AllowedToCreateApps
+            DefaultUserRoleAllowedToCreateSecurityGroups            = $Policy.DefaultUserRolePermissions.AllowedToCreateSecurityGroups
+            DefaultUserRoleAllowedToReadOtherUsers                  = $Policy.DefaultUserRolePermissions.AllowedToReadOtherUsers
+            DefaultUserRoleAllowedToReadBitlockerKeysForOwnedDevice = $Policy.DefaultUserRolePermissions.AllowedToReadBitlockerKeysForOwnedDevice
+            DefaultUserRoleAllowedToCreateTenants                   = $Policy.DefaultUserRolePermissions.AllowedToCreateTenants
+            PermissionGrantPolicyIdsAssignedToDefaultUserRole       = $Policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
+            GuestUserRole                                           = Get-GuestUserRoleNameFromId -GuestUserRoleId $Policy.GuestUserRoleId
+            Ensure                                                  = 'Present'
+            Credential                                              = $Credential
+            ApplicationSecret                                       = $ApplicationSecret
+            ApplicationId                                           = $ApplicationId
+            TenantId                                                = $TenantId
+            CertificateThumbprint                                   = $CertificateThumbprint
+            Managedidentity                                         = $ManagedIdentity.IsPresent
         }
 
         Write-Verbose -Message "Get-TargetResource Result: `n $(Convert-M365DscHashtableToString -Hashtable $result)"
@@ -217,6 +227,14 @@ function Set-TargetResource
         [System.Boolean]
         $DefaultUserRoleAllowedToCreateSecurityGroups,
 
+        [Parameter()]
+        [System.Boolean]
+        $DefaultUserRoleAllowedToReadBitlockerKeysForOwnedDevice,
+
+        [Parameter()]
+        [System.Boolean]
+        $DefaultUserRoleAllowedToCreateTenants,
+
         [Parameter()]
         [System.Boolean]
         $DefaultUserRoleAllowedToReadOtherUsers,
@@ -289,7 +307,9 @@ function Set-TargetResource
     $currentParameters.Remove('ManagedIdentity') | Out-Null
 
     Write-Verbose -Message 'Set-Targetresource: Authorization Policy Ensure Present'
-    $UpdateParameters = @{}
+    $UpdateParameters = @{
+        AuthorizationPolicyId = 'authorizationPolicy'
+    }
     # update policy with supplied parameters that are different from existing policy
 
     # prepare object for default user role permissions
@@ -361,6 +381,7 @@ function Set-TargetResource
             -Credential $Credential
 
         Write-Verbose -Message "Set-Targetresource: Failed change policy $DisplayName"
+        Write-Verbose -Message $_
     }
     Write-Verbose -Message "Set-Targetresource: finished processing Policy $Displayname"
 }
@@ -413,6 +434,14 @@ function Test-TargetResource
         [System.Boolean]
         $DefaultUserRoleAllowedToCreateSecurityGroups,
 
+        [Parameter()]
+        [System.Boolean]
+        $DefaultUserRoleAllowedToReadBitlockerKeysForOwnedDevice,
+
+        [Parameter()]
+        [System.Boolean]
+        $DefaultUserRoleAllowedToCreateTenants,
+
         [Parameter()]
         [System.Boolean]
         $DefaultUserRoleAllowedToReadOtherUsers,

Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthorizationPolicy/MSFT_AADAuthorizationPolicy.schema.mof

@@ -11,6 +11,8 @@ class MSFT_AADAuthorizationPolicy : OMI_BaseResource
     [Write, Description("Boolean To disable the use of MSOL PowerShell, set this property to true. This will also disable user-based access to the legacy service endpoint used by MSOL PowerShell. This does not affect Azure AD Connect or Microsoft Graph.")] Boolean BlockMsolPowershell;
     [Write, Description("Boolean Indicates whether the default user role can create applications.")] Boolean DefaultUserRoleAllowedToCreateApps;
     [Write, Description("Boolean Indicates whether the default user role can create security groups.")] Boolean DefaultUserRoleAllowedToCreateSecurityGroups;
+    [Write, Description("Indicates whether the registered owners of a device can read their own BitLocker recovery keys with default user role.")] Boolean DefaultUserRoleAllowedToReadBitlockerKeysForOwnedDevice;
+    [Write, Description("Indicates whether the default user role can create tenants. This setting corresponds to the Restrict non-admin users from creating tenants setting in the User settings menu in the Azure portal. When this setting is false, users assigned the Tenant Creator role can still create tenants.")] Boolean DefaultUserRoleAllowedToCreateTenants;
     [Write, Description("Boolean Indicates whether the default user role can read other users.")] Boolean DefaultUserRoleAllowedToReadOtherUsers;
     [Write, Description("The role that should be granted to guest users. Refer to List unifiedRoleDefinitions to find the list of available role templates. Only supported roles today are User, Guest User, and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b)."), ValueMap{"Guest","RestrictedGuest","User"}, Values{"Guest","RestrictedGuest","User"}] String GuestUserRole;
     [Write, Description("String collection Indicates if user consent to apps is allowed, and if it is, which permission to grant consent and which app consent policy (permissionGrantPolicy) govern the permission for users to grant consent. Value should be in the format managePermissionGrantsForSelf.{id}, where {id} is the id of a built-in or custom app consent policy. An empty list indicates user consent to apps is disabled.")] String PermissionGrantPolicyIdsAssignedToDefaultUserRole[];

Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1

@@ -1038,7 +1038,16 @@ function Export-TargetResource
     try
     {
         $Script:ExportMode = $true
-        [array] $Script:exportedGroups = Get-MgGroup -Filter $Filter -All:$true -ErrorAction Stop
+        $ExportParameters = @{
+            Filter      = $Filter
+            All         = [switch]$true
+            ErrorAction = 'Stop'
+        }
+        if ($Filter -like "*endsWith*") {
+            $ExportParameters.Add('CountVariable', 'count')
+            $ExportParameters.Add('ConsistencyLevel', 'eventual')
+        }
+        [array] $Script:exportedGroups = Get-MgGroup @ExportParameters
         $Script:exportedGroups = $Script:exportedGroups | Where-Object -FilterScript {
             -not ($_.MailEnabled -and ($null -eq $_.GroupTypes -or $_.GroupTypes.Length -eq 0)) -and `
                 -not ($_.MailEnabled -and $_.SecurityEnabled)

Modules/Microsoft365DSC/DSCResources/MSFT_AADUser/MSFT_AADUser.psm1

@@ -813,7 +813,17 @@ function Export-TargetResource
     {
         $Script:ExportMode = $true
         $propertiesToRetrieve = @('Id', 'UserPrincipalName', 'DisplayName', 'GivenName', 'Surname', 'UsageLocation', 'City', 'Country', 'Department', 'FacsimileTelephoneNumber', 'Mobile', 'OfficeLocation', 'TelephoneNumber', 'PostalCode', 'PreferredLanguage', 'State', 'StreetAddress', 'JobTitle', 'UserType', 'PasswordPolicies')
-        $Script:M365DSCExportInstances = Get-MgUser -Filter $Filter -All:$true -Property $propertiesToRetrieve -ErrorAction Stop
+        $ExportParameters = @{
+            Filter      = $Filter
+            All         = [switch]$true
+            Property    = $propertiesToRetrieve
+            ErrorAction = 'Stop'
+        }
+        if ($Filter -like "*endsWith*") {
+            $ExportParameters.Add('CountVariable', 'count')
+            $ExportParameters.Add('ConsistencyLevel', 'eventual')
+        }
+        $Script:M365DSCExportInstances = Get-MgUser @ExportParameters
 
         $dscContent = [System.Text.StringBuilder]::new()
         $i = 1

Modules/Microsoft365DSC/DSCResources/MSFT_O365Group/MSFT_O365Group.psm1

@@ -558,7 +558,16 @@ function Export-TargetResource
     try
     {
         $dscContent = ''
-        $groups = Get-MgGroup -All:$true -Filter $Filter | Where-Object -FilterScript {
+        $ExportParameters = @{
+            Filter      = $Filter
+            All         = [switch]$true
+            ErrorAction = 'Stop'
+        }
+        if ($Filter -like "*endsWith*") {
+            $ExportParameters.Add('CountVariable', 'count')
+            $ExportParameters.Add('ConsistencyLevel', 'eventual')
+        }
+        $groups = Get-MgGroup @ExportParameters | Where-Object -FilterScript {
             $_.MailNickName -ne '00000000-0000-0000-0000-000000000000'
         }